Zer0Luck
aboutposts

Hello,
|
Hacker Zer0Luck.

thumbnail
Damn Vulnerable DeFi Wargame Challenge9 โ€” PuppetV2 Contract Analysis ๐Ÿ˜

Wargame Provider:ย @tinchoabbate Challenge #9 - Puppet v2 The developers of the last lending pool are saying that theyโ€™ve learned the lesson. And just released a new version! Now theyโ€™re using a Uniswap v2 exchange as a price oracle, along with the recommended utility libraries. That should be enough. You start with 20 ETH and 10000 DVT tokens in balance. The new lending pool has a million DVT tokens in balance. You know what to do ;) See the contracts Complete the challenge Code Audit Transactiโ€ฆ

August 10, 2022
Blockchain
Damn Vulnerable DeFi Wargame Challenge8 โ€” Puppet Contract Analysis ๐Ÿฆ

Wargame Provider:ย @tinchoabbate Challenge #8 - Puppet Thereโ€™s a huge lending pool borrowing Damn Valuable Tokens (DVTs), where you first need to deposit twice the borrow amount in ETH as collateral. The pool currently has 100000 DVTs in liquidity. Thereโ€™s a DVT market opened in an Uniswap v1 exchange, currently with 10 ETH and 10 DVT in liquidity. Starting with 25 ETH and 1000 DVTs in balance, you must steal all tokens from the lending pool. See the contracts Complete the challenge Code Audit Tโ€ฆ

August 05, 2022
Blockchain
UniswapV2 Smart Contract Subgraph event query

SubGraph Decentralized protocol for indexing and querying data on the blockchain, starting with Ethereum Possible to inquire data that is difficult to inquire directly Uniswap complex smart contracts When it is difficult to read anything other than the underlying data directly from the blockchain, such as projects such as the Bored Ape Yacht Club NFT initiative Bored Ape Yacht Club Get the owner of a specific Ape Perform basic read operations on contracts such as getting Ape content URI or totaโ€ฆ

August 04, 2022
Blockchain
UniswapV2 Smart Contract

Overview How it works at the uniswap code level uniswap code structure method uniswap contract Core Contract: Pair Core Contract: Factory Periphery Contract: Router Core Contract SingleTone Factory, consists of several pairs where Factory is responsible for creation and indexing. Contracts with a smaller surface area are easier to reason about, more prone to bugs, and functionally better. This means that many desired properties of the system can be asserted directly in code, leaving little roomโ€ฆ

August 03, 2022
Blockchain
Damn Vulnerable DeFi Wargame Challenge6 โ€” Selfie Contract Analysis โš”๏ธ

Wargame Provider: @tinchoabbate Challenge #6 โ€” Selfie A new cool lending pool has launched! Itโ€™s now offering flash loans of DVT tokens. Wow, and it even includes a really fancy governance mechanism to control it. What could go wrong, right ? You start with no DVT tokens in balance, and the pool has 1.5 million. Your objective: take them all. See the contracts Complete the challenge Code Audit SelfiePool.sol Dependency The @Openzeppelin external library contract is dependent on ReentrancyGuardโ€ฆ

August 02, 2022
Blockchain
Damn Vulnerable DeFi Wargame Challenge7 โ€” Compromised Contract Analysis ๐Ÿ˜ถโ€๐ŸŒซ๏ธ

Wargame Provider: @tinchoabbate Challenge #7 โ€” Compromised While poking around a web service of one of the most popular DeFi projects in the space, you get a somewhat strange response from their server. This is a snippet: A related on-chain exchange is selling (absurdly overpriced) collectibles called โ€œDVNFTโ€, now at 999 ETH each This price is fetched from an on-chain oracle, and is based on three trusted re porters: . Starting with only 0.1 ETH in balance, you must steal all ETH available iโ€ฆ

August 02, 2022
Blockchain
Solana Chain analysis Program && Web3 API

Solana analysis: Program && Web3 API 3party JSON RPC connections (web3 provider) โ†’ netowkr object instance to getNodeURL โ‡’ url parser @figment-solana/lib โ†’ Connection input url โ† solana-core @solana/web3.js generate key pair Ed25519 Crypto Alg use pubKey, PrivKey SOL balance (mainnet, testnet) network provider name โ‡’ token name diffirent Air Drop Account Provider to Balance โ‡’ Air drop Arid Drop reques PublicKey(secretkey) โ‡’ pub key generate Connection.requestAirdrop(pubkey, LAMPORTS_PER_SOL) Lโ€ฆ

August 01, 2022
Solana
Damn Vulnerable DeFi Wargame Challenge5 โ€” The Rewarder Contract Analysis ๐Ÿ’

Wargame Provider: @tinchoabbate Challenge #5 โ€” The rewarder Thereโ€™s a pool offering rewards in tokens every 5 days for those who deposit their DVT tokens into it. Alice, Bob, Charlie and David have already deposited some DVT tokens, and have won their rewards! You donโ€™t have any DVT tokens. But in the upcoming round, you must claim most rewards for yourself. Oh, by the way, rumours say a new pool has just landed on mainnet. Isnโ€™t it offering DVT tokens in flash loans? See the contracts Completeโ€ฆ

August 01, 2022
Blockchain
Ovice.in XSS based unsafe token theft and elevated authority 0-day Vulnerability Report

Attack Type XSS Weak algorithm Hardcoded credentials Attack Effect Security Check Bypass Privilege Escalation Found Location It is a related page that proceeds with token management when logging in to the initial account. It can be seen that data of the App object, which is a window object sub-attribute, is managed. The object deals with the data type, which is used as a branch to conduct socket communication suitable for the authority. Authority management for the user is performed, and theโ€ฆ

August 01, 2022
0-day
Ovice.in Picket Static Object XSS 0-day Vulnerability Report

Attack Type XSS Weak algorithm. Attack Effect Security Check Bypass Privilege Escalation Found Location Users of administrative authority have the authority to create static objects. A exists in a Statistic Object. provide a variety of contents using the editor function. api is called when installing a static object. When clicking on the installed static object, api is called. When modifying the installed static object, the api is called. Attack Point If you have a user account who has peโ€ฆ

August 01, 2022
0-day
Solana Chain analysis Transactions

Transactions A client can call a program by submitting a transaction to the cluster. A single transaction can contain multiple instructions, each targeting its own program. Can contain multiple commands, each targeting its own program. When a transaction is submitted, Solana Runtime commands are processed atomically in sequence. If any part of the command fails, the entire transaction fails. Multiple commands can be bundled into a single transaction. Commands are processed atomically in order Iโ€ฆ

July 31, 2022
Solana
Solana Chain analysis Accounts

Account state is used to store data Essential building blocks for development in Solana Each account has a unique address The maximum size of the account is 10MB The maximum size of PDA Account is 10KB. PDA Account is used to sign on behalf of the program Account Size is fixed at creation time, but can be adjusted using realloc. Account Data Storage is paid as rent. The default account holder is the system program. Account Model 3 types of accounts Data Account (Data storage purpose) Program Acโ€ฆ

July 31, 2022
Solana
Solana Chain analysis Program Derived Address

Program Derived Address PDA is the home of an account designed to be controlled by a specific program. A PDA allows a program to sign a specific address programmatically without the need for a private key. Serves as the basis for cross-program calls, which allows Solana apps to configure with each other. A 32-byte string that looks like a public key, but doesnโ€™t have a corresponding private key Deterministically derive the PDA from findProgramAddress programID, Seed(collections of bytes). bump(โ€ฆ

July 31, 2022
Solana
Solana Chain analysis Programs

Programs Developers can write and deploy programs on the Solana blockchain. Program (referred to as Smart Contract in Ethereum Protocol) The basic role of on-chain Horadong that supports everything such as Defi, NFT, Social Media, etc. The program handles the commands of the end user and other programs All programs are stateless, all data they interact with is stored in a separate account passed through commands The program itself is stored in an account marked as executable All programs are owโ€ฆ

July 31, 2022
Solana
Damn Vulnerable DeFi Wargame Challenge4 โ€” Side entrance Contract Analysis๐Ÿค”

Wargame Provider: @tinchoabbate Challenge #4 โ€” Side entrance A surprisingly simple lending pool allows anyone to deposit ETH, and withdraw it at any point in time. This very simple lending pool has 1000 ETH in balance already, and is offering free flash loans using the deposited ETH to promote their system. You must take all ETH from the lending pool. Code Audit SideEntranceLenderPool.sol Dependency The address contract of the openzeppelin library is used as a dependency. State Variable It is โ€ฆ

July 30, 2022
Blockchain
Damn Vulnerable DeFi Wargame Challenge3 โ€” Truster Contract Analysis๐Ÿค”

Wargame Provider: @tinchoabbate Challenge #3 โ€” Truster More and more lending pools are offering flash loans. In this case, a new pool has launched that is offering flash loans of DVT tokens for free. Currently the pool has 1 million DVT tokens in balance. And you have nothing. But donโ€™t worry, you might be able to take them all from the pool. In a single transaction. Code Audit TrusterLenderPool.sol Dependency We are using the Address contract of the openzeppelin library as a dependency. Stateโ€ฆ

July 29, 2022
Blockchain
Damn Vulnerable DeFi Wargame Challenge2 โ€” Naive receiver Contract Analysis

Wargame Provider: @tinchoabbate Challenge #2 โ€” Naive receiver Thereโ€™s a lending pool offering quite expensive flash loans of Ether, which has 1000 ETH in balance. You also see that a user has deployed a contract with 10 ETH in balance, capable of interacting with the lending pool and receiveing flash loans of ETH. Drain all ETH funds from the userโ€™s contract. Doing it in a single transaction is a big plus ;) Code Audit NaiveReceiverLenderPool.sol Dependency We are using the Address contract ofโ€ฆ

July 29, 2022
Blockchain
Damn Vulnerable DeFi Wargame Challenge1 โ€” Unstoppable Contract Analysis๐Ÿ˜Ž

Wargame Provider: @tinchoabbate Challenge #1 โ€” Unstoppable Thereโ€™s a lending pool with a million DVT tokens in balance, offering flash loans for free. If only there was a way to attack and stop the pool from offering flash loans โ€ฆ You start with 100 DVT tokens in balance. Code Audit UnstoppableLender.sol Quick Security Check By using the ReentrancyGuardcontract, nonReentrant Modifier is applied to the internal functions of the main contract to prevent reentrancy calls from occurring. State Varโ€ฆ

July 20, 2022
Blockchain
Spatial.io Application Level DOS attack based on Pro Feature 0-day vulnerability report

Attack Type Client Side Code Injection Application-Level Denial-of-Service (DoS) App Crash Malformed Android Intents Attack Effect Application Level DOS Due to the Application Level DoS attack, normal functions operate the service abnormally, resulting in financial losses and time value investment, while reducing the reliability of the company. Vulnerability Detected Location index.android.bundle Congregate Around Actor feature Respawn Other In Host spots feature iL2cpp.so SessionRPC Attack Poiโ€ฆ

July 12, 2022
0-day
Spatial.io Commercial Service Feature Bypass 0-day Vulnerability Report

Overview During last yearโ€™s research, we conducted vulnerability analysis targeting metaverse-based commercial platforms. Among them, we would like to share some of the vulnerabilities that have been reported to the target company and have passed over time. When you think of the real metaverse as a category, you can see that all technologies are gathered in one place and are harmonious. Among them, based on mobile and VR equipment, you will feel closer to the three major elements of the metaverโ€ฆ

July 10, 2022
0-day
Gather.town Portal feature SandBox Escape RCE 0-day Vulnerability Report

Overview During last yearโ€™s research, we conducted vulnerability analysis targeting metaverse-based commercial platforms. Among them, we would like to share some of the vulnerabilities that have been reported to the target company and have passed over time. When you think of the real metaverse as a category, you can see that all technologies are gathered in one place and are harmonious. Among them, based on mobile and VR equipment, you will feel closer to the three major elements of the metaverโ€ฆ

July 01, 2022
0-day
ํด๋ผ์šฐ๋“œ ์„œ๋น„์Šค ์ทจ์•ฝ์  ๋ถ„์„ 8 (CloudGoat: codebuild_secrets)

ํด๋ผ์šฐ๋“œ ์„œ๋น„์Šค ์ทจ์•ฝ์  ๋ถ„์„ 8 [Scenario 7]: codebuild_secrets ์‹œ๋‚˜๋ฆฌ์˜ค ๊ฐœ์š” ์ž์› CodeBuild Project Lambda Function VPC(RDS, EC2) IAM Users ์ทจ์•ฝ์  IAM User Solo SSM ํŒŒ๋ผ๋ฏธํ„ฐ ๋ฐ์ดํ„ฐ ํƒ์ƒ‰ํ›„ Security Database์—์„œ ํ•˜๋“œ์ฝ”๋”ฉ๋œ SSH ํ‚ค๊ฐ€ ์ €์žฅ IMDS ์ทจ์•ฝ์  ๋ชฉํ‘œ RDS Database Storage์•ˆ์— ํ•œ ์Œ์˜ Secret Strings์„ ์ฐพ์•„๋ณด์ž Solo IAM ์‚ฌ์šฉ์ž๋ฅผ ์ด์šฉํ•˜์—ฌ ๊ณต๊ฒฉ์ž๋Š” ๋จผ์ € CodeBuild ํ”„๋กœ์ ํŠธ์— ๋Œ€ํ•ด ์—ด๊ฑฐ๋ฅผ ์‹œ์ž‘ํ•ฉ๋‹ˆ๋‹ค. IAM ์‚ฌ์šฉ์ž ์— ๋Œ€ํ•œ ๋ณด์•ˆ์ด ๋˜์ง€ ์•Š์€ IAM ํ‚ค๋ฅผ ์ฐพ์•„ ๋ƒ…๋‹ˆ๋‹ค. ๊ณต๊ฒฉ์ž๋Š” ์œผ๋กœ ์ž‘๋™ํ•˜์—ฌ RDS ๋ฐ์ดํ„ฐ๋ฒ ์ด์Šค๋ฅผ ๋ถ„์„ํ•ฉ๋‹ˆ๋‹ค. ๋ฐ์ดํ„ฐ๋ฒ ์ด์Šค์˜ ๋‚ด์šฉ์— ์ง์ ‘ ์ ‘๊ทผํ•  ์ˆ˜ ์—ˆ๋Š” ๊ณต๊ฒฉ์ž๋Š” RDS ์Šค๋ƒ…์ƒท ๊ธฐ๋Šฅ์„ ์ด์šฉํ•˜์—ฌ secret string์„ ํš๋“ ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. ๋‘ ๋ฒˆ์งธ๋กœ๋Š” ๊ณต๊ฒฉ์ž๊ฐ€ ๋งค๊ฐœ ๋ณ€์ˆ˜๋ฅผ ๋ถ„์„ํ•˜์—ฌ EC2 ์ธ์Šคํ„ด์Šค์— ๋Œ€ํ•œ SSHํ‚ค๋ฅผ โ€ฆ

December 31, 2021
CLOUD
ํด๋ผ์šฐ๋“œ ์„œ๋น„์Šค ์ทจ์•ฝ์  ๋ถ„์„ 7 (CloudGoat: RCE Web APP)

ํด๋ผ์šฐ๋“œ ์„œ๋น„์Šค ์ทจ์•ฝ์  ๋ถ„์„ 7 [Scenario 6]: RCE Web APP ์‹œ๋‚˜๋ฆฌ์˜ค ๊ฐœ์š” ์ž์› VPC (ELB, EC2, S3*3, RDS) IAM user * 2 ์ทจ์•ฝ์  IAM User (Lara) IAM User (McDuck) RCE์ทจ์•ฝ์ ์ด ๋ฐœ์ƒํ•˜๋Š” ์›น ์• ํ”Œ๋ฆฌ์ผ€์ด์…˜์—์„œ ์›๊ฒฉ ์ฝ”๋“œ๋ฅผ ์‹คํ–‰ํ•˜๊ณ  VPC ๋‚ด๋ถ€์—์„œ root EC2 ์•ก์„ธ์Šค ๊ถŒํ•œ ํš๋“ ๊ถŒํ•œ ์ƒ์Šน์ด ๊ฐ€๋Šฅํ•œ ์ •์ฑ…์ด ์‚ฌ์šฉ๊ฐ€๋Šฅํ•œ Instance profile์— ์ •์˜ ๋ชฉํ‘œ RDS ๋ฐ์ดํ„ฐ๋ฒ ์ด์Šค์—์„œ ๋น„๋ฐ€ ์ €์žฅ์†Œ๋ฅผ ์ฐพ์•„์•ผ ํ•ฉ๋‹ˆ๋‹ค. IAM User Lara๋กœ ์‹œ์ž‘ํ•ด์„œ AWS ํ™˜๊ฒฝ์„ ๋ถ„์„์„ ํ•˜๋Š” ์ค‘์— ๋กœ๋“œ ๋ฐธ๋žœ์„œ, S3 Bucket์„ ๋ถ„์„ํ•˜๋ฉด์„œ ์ทจ์•ฝํ•œ ์›น ์• ํ”Œ๋ฆฌ์ผ€์ด์…˜์— ๋Œ€ํ•œ RCE Exploit์„ ์‹œ๋„ํ•ฉ๋‹ˆ๋‹ค. RCE๋ฅผ ํ†ตํ•ด์„œ RDS ๋ฐ์ดํ„ฐ๋ฒ ์ด์Šค์— ์ ‘๊ทผํ•ฉ๋‹ˆ๋‹ค. ๋‘ ๋ฒˆ์งธ IAM ์‚ฌ์šฉ์ž McDuck์œผ๋กœ ์‹œ์ž‘ํ•ด์„œ S3 Bucket์„ ์—ด๊ฑฐํ•œ ๊ฒฐ๊ณผ EC2 ์„œ๋ฒ„์™€ ๋ฐ์ดํ„ฐ๋ฒ ์ด์Šค์— ๋Œ€ํ•ด ์ง์ ‘์ ์ธ ์•ก์„ธ์Šค ๊ถŒํ•œ์„ ๋ถ€์—ฌํ•˜๋Š” SSHํ‚ค๋ฅผ ์ฐพ์„ ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. โ€ฆ

December 31, 2021
CLOUD
ํด๋ผ์šฐ๋“œ ์„œ๋น„์Šค ์ทจ์•ฝ์  ๋ถ„์„ 5 (CloudGoat: IAM Privilege Escalation By Attachment)

ํด๋ผ์šฐ๋“œ ์„œ๋น„์Šค ์ทจ์•ฝ์  ๋ถ„์„ 5 [Scenario 4]: IAM Privilege Escalation By Attachment ์‹œ๋‚˜๋ฆฌ์˜ค ๊ฐœ์š” ์ž์› vpc (EC2) 1 IAM User ์ทจ์•ฝ์  IAM User โ€œKerriganโ€ ๊ถŒํ•œ์ด ์žˆ๋Š” ๊ณต๊ฒฉ์ž๋Š” ์•ก์„ธ์Šค ๊ถŒํ•œ์ด ์žˆ๋Š” ์‚ฌ์šฉ์ž์—๊ฒŒ ์ •์ฑ…์„ ์—ฐ๊ฒฐํ•˜๊ณ  ํ•ด๋‹น ์ •์ฑ…์— ๋Œ€ํ•œ ๊ถŒํ•œ์„ ๊ณต๊ฒฉ์ž์—๊ฒŒ ์ถ”๊ฐ€ํ•˜์—ฌ ๊ถŒํ•œ์„ ์ƒ์Šน์‹œํ‚ฌ ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. ๋ชฉํ‘œ EC2 instance โ€œcg-super-critical-security-server.โ€๋ฅผ ์‚ญ์ œํ•˜๋Š” ๊ฒƒ! ์ ‘๊ทผ ๊ถŒํ•œ ๊ตฌ์„ฑ์ด ๊ฐ–์ณ์ ธ ์žˆ๋Š” ํ™˜๊ฒฝ์—์„œ ๊ณต๊ฒฉ์ž๋Š” ๊ถŒํ•œ์„ ํ™œ์šฉํ•˜์—ฌ ํ˜„์žฌ ๊ถŒํ•œ์ด ์•„๋‹Œ ๋†’์€ ๊ถŒํ•œ์œผ๋กœ ์ƒˆ๋กœ์šด EC2 ์ธ์Šคํ„ด์Šค๋ฅผ ์ƒ์„ฑํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. ์ƒˆ๋กœ์šด EC2 ์ธ์Šคํ„ด์Šค์—์„œ ์•ก์„ธ์Šค๋ฅผ ํ†ตํ•ด ๊ณต๊ฒฉ์ž๋Š” ๋Œ€์ƒ ๊ณ„์ • ๋‚ด์—์„œ ๋ชจ๋“  ๊ด€๋ฆฌ ๊ถŒํ•œ์„ ํš๋“ํ•ฉ๋‹ˆ๋‹ค. ๋ฅผ ์‚ญ์ œ๋ฅผ ํ•ฉ๋‹ˆ๋‹ค. exploit ํ๋ฆ„๋„ ์‹œ๋‚˜๋ฆฌ์˜ค ํ™˜๊ฒฝ์„ค์ • exploit ์‹œ๋‚˜๋ฆฌ์˜ค ํ๋ฆ„๋„ ๊ณต๊ฒฉ์ž๋Š” IAM ์‚ฌ์šฉ์ž โ€œKerriganโ€์œผ๋กœ ์‹œ์ž‘ํ•˜์—ฌ ๋†’์€ ์ˆ˜์ค€์˜ โ€ฆ

December 31, 2021
CLOUD
ํด๋ผ์šฐ๋“œ ์„œ๋น„์Šค ์ทจ์•ฝ์  ๋ถ„์„ 3 (CloudGoat: lambda_privesc)

ํด๋ผ์šฐ์Šค ์„œ๋น„์Šค ์ทจ์•ฝ์  ๋ถ„์„ 3 [Scenario 2]: lambda_privesc ์‹œ๋‚˜๋ฆฌ์˜ค ๊ฐœ์š” ์ž์› IAM User IAM Roles ์ทจ์•ฝ์  IAM User Chris IAM USER: chris ์—๊ฒŒ ์ด ๋ถ€์—ฌ๋˜์–ด ์žˆ๋Š” ์ƒํ™ฉ IAM Rule์—๋Š” Lambda ํ•จ์ˆ˜๋ฅผ ํ†ตํ•ด์„œ ๋” ๋†’์€ ๊ถŒํ•œ์„ ๊ฐ–์ผ ์ˆ˜ ์žˆ๋Š” ์ด ์กด์žฌํ•ฉ๋‹ˆ๋‹ค. ๋ชฉํ‘œ Full-Privileges ํš๋“ exploit ํ๋ฆ„๋„ ์‹œ๋‚˜๋ฆฌ์˜ค ํ™˜๊ฒฝ์„ค์ • exploit ์‹œ๋‚˜๋ฆฌ์˜ค ํ๋ฆ„๋„ IAM ์‚ฌ์šฉ์ž โ€œChrisโ€์˜ ์ •๋ณด๋ฅผ ํ† ๋Œ€๋กœ ์‚ฌ์šฉํ•  ์ˆ˜ ์žˆ๋Š” ๊ถŒํ•œ์„ ๋ถ„์„ํ•ฉ๋‹ˆ๋‹ค. AWS Credential ์„ ํ™•์ธํ•œ ๊ฒฐ๊ณผ lambdaManager๋กœ ๋ชจ๋“  lambda ๋ฅผ ๊ด€๋ฆฌํ•˜๊ณ  ์ „๋‹ฌํ•  Rule ๊ถŒํ•œ์ด ์žˆ๋Š” ๊ฒƒ์„ ํ™•์ธํ•˜์˜€๊ณ  debug Rule์— ๊ถŒํ•œ์ด ์žˆ๋Š” ๊ฒƒ์„ ํ™•์ธํ–ˆ์Šต๋‹ˆ๋‹ค. ๊ณต๊ฒฉ์ž๋Š” lambdaManager Rule์„ ํ™œ์šฉํ•˜์—ฌ Lambda ํ•จ์ˆ˜๋ฅผ ์‚ฌ์šฉํ•˜์—ฌ ๊ถŒํ•œ ์ƒ์Šน์„ ์ˆ˜ํ–‰ํ•ฉ๋‹ˆ๋‹ค. ๊ณต๊ฒฉ์ž๋Š” ๊ด€๋ฆฌ์ž ์ •์ฑ…์„ IAM ์‚ฌ์šฉ์ž โ€œChrisโ€์— ์—ฐ๊ฒฐํ•  ์ˆ˜ ์žˆ๋„โ€ฆ

December 31, 2021
CLOUD
ํด๋ผ์šฐ๋“œ ์„œ๋น„์Šค ์ทจ์•ฝ์  ๋ถ„์„ 2 (CloudGoat: IAM Privilege Escalation By Rollback)

ํด๋ผ์šฐ๋“œ ์„œ๋น„์Šค ์ทจ์•ฝ์  ๋ถ„์„ 2 [Scenario 1]: IAM Privilege Escalation By Rollback ์‹œ๋‚˜๋ฆฌ์˜ค ๊ฐœ์š” ์ž์› ํ•œ ๋ช…์˜ IAM User (5 ์ •์ฑ… ๋ฒ„์ „) ์ทจ์•ฝ์  IAM User: Raynor ์„ ํ†ตํ•œ ์ด์ „ ๋ฒ„์ „์œผ๋กœ rollback ํ•˜๋Š” ๊ธฐ๋Šฅ์„ ์ด์šฉํ•˜์—ฌ ๊ถŒํ•œ ์ƒ์Šน์ด ๊ฐ€๋Šฅํ•ฉ๋‹ˆ๋‹ค. ๋ชฉํ‘œ ๊ณต๊ฒฉ์ž๋Š” highly-limited IAM ์‚ฌ์šฉ์ž ๋ถ€ํ„ฐ ์‹œ์ž‘ํ•ด์„œ ์ด์ „ IAM ์ •์ฑ… ๋ฒ„์ „์„ ๊ฒ€ํ† ํ•˜๊ณ  ์ „์ฒด ๊ด€๋ฆฌ์ž ๊ถŒํ•œ์„ ํ—ˆ์šฉํ•˜๋Š” ๋ฒ„์ „์„ ๋ณต์›ํ•ด์„œ ๊ถŒํ•œ ์ƒ์Šน ์ทจ์•ฝ์ ์„ ์ด์šฉํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. IAM ์‚ฌ์šฉ์ž security credentials ์‹œ๋‚˜๋ฆฌ์˜ค ํ™˜๊ฒฝ ์„ค์ • Exploit ํ๋ฆ„๋„ exploit ์‹œ๋‚˜๋ฆฌ์˜ค ํ๋ฆ„๋„ IAM ์‚ฌ์šฉ์ž โ€œRaynorโ€ ๋กœ ์‹œ์ž‘ํ•ด์„œ ๊ณต๊ฒฉ์ž๋Š” ์‚ฌ์šฉํ•  ์ˆ˜ ์žˆ๋Š” ๊ถŒํ•œ์ด ๋ช‡ ๊ฐœ ๋ฐ–์— ์—†์Šต๋‹ˆ๋‹ค. ๊ณต๊ฒฉ์ž๋Š” Raynor์˜ ๊ถŒํ•œ์„ ๋ถ„์„ํ•˜๊ณ  SetDefaultPolicyVersion ๊ถŒํ•œ์„ ํ™•์ธํ•ฉ๋‹ˆ๋‹ค. ์ด์ „์˜ ๋ฒ„์ „์„ ๊ธฐ๋ณธ๊ฐ’์œผ๋กœ ์„ค์ •ํ•˜์—ฌ ์ •์ฑ…์˜ ๋‹ค๋ฅธ 4๊ฐœ ๋ฒ„์ „์— ๋Œ€ํ•œโ€ฆ

December 31, 2021
CLOUD
ํด๋ผ์šฐ๋“œ ์„œ๋น„์Šค ์ทจ์•ฝ์  ๋ถ„์„ 1 (ํด๋ผ์šฐ๋“œ ์„œ๋น„์Šค ์ทจ์•ฝ์  ๋ฐ ๊ณต๊ฒฉ ๋ฒกํ„ฐ)

ํด๋ผ์šฐ๋“œ ์„œ๋น„์Šค ์ทจ์•ฝ์  ๋ถ„์„ 1 ๋‹ค์Œ์€ ์ฐธ์กฐ CloudGoat Github ๋งํฌ์ž…๋‹ˆ๋‹ค. https://github.com/RhinoSecurityLabs/cloudgoat ์‹ค์Šต ํ™˜๊ฒฝ ๊ตฌ์„ฑ ํ•„์ˆ˜ ์„ค์น˜ ํŒจํ‚ค์ง€ Linux or MacOS. Windows is not officially supported. Argument tab-completion requires bash 4.2+ (Linux, or OSX with some difficulty). Python3.6+ is required. Terraform >= 0.14ย installed and in your $PATH. Install Terraform | Terraform - HashiCorp Learn The AWS CLIย installed and in your $PATH, and an AWS account with sufficient privileges to create and destroy resources. jq jq ์„ค์น˜ โ€ฆ

December 31, 2021
CLOUD
ํด๋ผ์šฐ๋“œ ์„œ๋น„์Šค ์ทจ์•ฝ์  ๋ถ„์„ 4 (CloudGoat: Cloud Breach s3)

ํด๋ผ์šฐ๋“œ ์„œ๋น„์Šค ์ทจ์•ฝ์  ๋ถ„์„ 4 [Scenario 3]: Cloud Breach s3 ์‹œ๋‚˜๋ฆฌ์˜ค ๊ฐœ์š” ์ž์› VPC (EC2, S3) ์ทจ์•ฝ์  ๊ฐœ๋ฐœ์ž์˜ ์‹ค์ˆ˜๋กœ ์ธํ•œ ReverseProxy ํ™˜๊ฒฝ ๊ตฌ์„ฑ ๋ฏธํก ์„ค์ • ๊ฐ’์ด ์ž˜๋ชป ๊ตฌ์„ฑ๋˜์–ด Reverse Proxy๋กœ ๋™์ž‘ํ•˜๋Š” EC2 ์„œ๋ฒ„์˜ IP ์ฃผ์†Œ ๋ชฉํ‘œ S3 bucket์—์„œ Confidential files์„ ๋‹ค์šด๋กœ๋“œ ํ•ฉ๋‹ˆ๋‹ค. ์•ก์„ธ์Šค ๊ถŒํ•œ์ด ์—†๋Š” ์ƒํƒœ์ธ ์™ธ๋ถ€ ์ ‘๊ทผ์ž๋กœ ์‹œ๋‚˜๋ฆฌ์˜ค๋Š” ์‹œ์ž‘ํ•ฉ๋‹ˆ๋‹ค. ์„ค์ •์ด ์ž˜๋ชป๋œ Reverse Proxy server๋ฅผ Exploitํ•˜์—ฌ EC2 MetaData Service๋ฅผ ํ†ตํ•ด ์ธ์Šคํ„ด์Šค ํ”„๋กœํ•„ ํ‚ค๋ฅผ ํš๋“ํ•ฉ๋‹ˆ๋‹ค. ๊ทธ๋Ÿฐ ๋‹ค์Œ ํ•ด๋‹น ํ‚ค๋ฅผ ์‚ฌ์šฉํ•˜์—ฌ S3 Bucket์—์„œ ๊ถŒํ•œ์„ ์šฐํšŒํ•˜์—ฌ ๋ฐ์ดํ„ฐ๋ฅผ ์ถ”์ถœํ•ฉ๋‹ˆ๋‹ค. exploit ํ๋ฆ„๋„ ์‹œ๋‚˜๋ฆฌ์˜ค ํ™˜๊ฒฐ์„ค์ • exploit ์‹œ๋‚˜๋ฆฌ์˜ค ํ๋ฆ„๋„ ๊ณต๊ฒฉ์ž๊ฐ€ EC2 ์ธ์Šคํ„ด์Šค์˜ IP๋ฅผ ๋ฐœ๊ฒฌํ•˜์˜€์Šต๋‹ˆ๋‹ค. ๋‹ค์–‘ํ•œ ๋ฐฉ๋ฒ•์œผ๋กœ ๋ถ„์„์„ ๋นˆํ–‰ํ•˜๋ฉด์„œ reverse proxy ์„œ๋ฒ„ ์—ญํ™œ์„ ํ•˜๊ณ  ์žˆ์Œ์„ ์ธ์žํ•˜์˜€์Šต๋‹ˆ๋‹ค.โ€ฆ

December 31, 2021
CLOUD
ํด๋ผ์šฐ๋“œ ์„œ๋น„์Šค ์ทจ์•ฝ์  ๋ถ„์„ 0 (ํด๋ผ์šฐ๋“œ ์„œ๋น„์Šค ์ทจ์•ฝ์  ๊ฐœ์š”)

ํด๋ผ์šฐ๋“œ ์„œ๋น„์Šค ์ทจ์•ฝ์  ๋ถ„์„ 0 ํด๋ผ์šฐ๋“œ ์ปดํ“จํŒ… ๋ณด์•ˆ ๊ธฐ์—…, ์กฐ์ง ๋‚ด์˜ ๋ฐ์ดํ„ฐ, ์• ํ”Œ๋ฆฌ์ผ€์ด์…˜, ์›Œํฌ๋กœ๋“œ๋ฅผ ํด๋ผ์šฐ๋“œ ์ปดํ“จํŒ…์— ์ €์žฅํ•˜๊ณ  ๋‹ค์–‘ํ•œ ์„œ๋น„์Šค๋กœ ํ™œ์šฉํ•˜๋ฉฐ ์„œ๋กœ๊ฐ€ ๊ณต์œ ํ•˜๋ฉด์„œ ์ง€์†์ ์œผ๋กœ ๋ณ€ํ™”๊ฐ€ ๋ฐœ์ƒํ•ฉ๋‹ˆ๋‹ค. ์ด์™€ ๋™์‹œ์— ์ƒˆ๋กœ์šด ๋ณด์•ˆ ์œ„ํ˜‘๊ณผ ๊ณผ์ œ๋„ ์ƒ๊ฒจ๋‚˜๋ฉฐ ๋งŽ์€ ์–‘์˜ ๋ฐ์ดํ„ฐ๊ฐ€ ํผ๋ธ”๋ฆญ ํด๋ผ์šฐ๋“œ ์„œ๋น„์Šค์— ์ €์žฅ๋˜๋ฉด์„œ ํ•ด์ปค๋“ค์˜ ๊ณต๊ฒฉ ๋ชฉํ‘œ๊ฐ€ ๋์Šต๋‹ˆ๋‹ค. Public Cloud & Private Cloud Public Cloud Azure, AWS, GCP, Alibaba, NCP ๋“ฑ ๋‹ค์–‘ํ•œ ํด๋ผ์šฐ๋“œ ์„œ๋น„์Šค LasS, PasS, SaaS ๋“ฑ ๋‹ค์–‘ํ•œ ์ŠคํŽ™ํŠธ๋Ÿผ์˜ ์„œ๋น„์Šค ์ œ๊ณต Private Cloud ์กฐ์ง ๋‚ด ํด๋ผ์šฐ๋“œ, ๊ฐœ์ธ์ •๋ณด ๊ด€๋ฆฌ ๋“ฑ ์ง์ ‘ ๊ตฌ์ถ•ํ•  ์ด์œ ๊ฐ€ ์žˆ์„ ๋•Œ ์‚ฌ์šฉ Public Cloud ์‚ฌ์—…์ž ์‹œ์ž‘ ์ด์ „ ๋‹จ๊ณ„๊ฐ€ ํ•„์š”ํ•œ ๊ฒฝ์šฐ ์‚ฌ์šฉ OpenStack์„ ์ฃผ๋กœ ๋งŽ์ด ์ด์šฉ OpenStack Rackspace, NASA๊ฐ€ ๊ณต๋™๊ฐœ๋ฐœ๋กœ 2010๋…„์— Releaseํ•œ ์˜คํ”ˆ ์†Œ์Šค ํด๋ผ์šฐ๋“œ ์ปดํ“จํŒ… ํ”Œ๋žซํผ์ž…๋‹ˆ๋‹ค. ์ดโ€ฆ

December 31, 2021
CLOUD
ํด๋ผ์šฐ๋“œ ์„œ๋น„์Šค ์ทจ์•ฝ์  ๋ถ„์„ 6 (CloudGoat: EC2 SSRF)

ํด๋ผ์šฐ๋“œ ์„œ๋น„์Šค ์ทจ์•ฝ์  ๋ถ„์„ 6 [Scenario 5]: EC2 SSRF ์‹œ๋‚˜๋ฆฌ์˜ค ๊ฐœ์š” ์ž์› VPC (EC2) Lambda Function 1 S3 Bucket ์ทจ์•ฝ์  Solus IAM ์‚ฌ์šฉ์ž Lambda ํ•จ์ˆ˜ ์ฝ๊ธฐ ์ „์šฉ ๊ถŒํ•œ Lambda ํ™˜๊ฒฝ ๋ณ€์ˆ˜์•ˆ์— ํ•˜๋“œ์ฝ”๋”ฉ๋œ Wrex Access key ํ•˜๋“œ์ฝ”๋”ฉ๋œ ๋ฏผ๊ฐํ•œ ๋ฐ์ดํ„ฐ ์ •๋ณด ์›น ์• ํ”Œ๋ฆฌ์ผ€์ด์…˜์˜ SSRF ์ทจ์•ฝ์ ์œผ๋กœ ์ธํ•œ AWS ๋ฉ”ํƒ€๋ฐ์ดํ„ฐ API๋ฅผ ํ†ตํ•ด์„œ ๋‹ค๋ฅธ Credential ์ ‘๊ทผ ๊ฐ€๋Šฅ ์—ฌ๋ถ€ Admin Credential ์ •๋ณด๊ฐ€ S3 Bucket ๋‚ด์— ํ•˜๋“œ ์ฝ”๋”ฉ๋˜์–ด ์ €์žฅ ๋ชฉํ‘œ ๋žŒ๋‹ค ํ•จ์ˆ˜๋ฅผ ์‹คํ–‰ํ•ฉ๋‹ˆ๋‹ค. Solus IAM ์‚ฌ์šฉ์ž๋กœ ์‹œ์ž‘ํ•ด์„œ Lambda ํ•จ์ˆ˜๋ฅผ ์ฝ์„ ์ˆ˜ ์žˆ๋Š” ๊ถŒํ•œ์„ ๋ฐœ๊ฒฌํ•˜์˜€์Šต๋‹ˆ๋‹ค. SSRF์— ์ทจ์•ฝํ•œ ์›น ์• ํ”Œ๋ฆฌ์ผ€์ด์…˜์„ ์‹คํ–‰ํ•˜๋Š” EC2 ์ธ์Šคํ„ด์Šค๋กœ ์œ ๋„ํ•ฉ๋‹ˆ๋‹ค. ์ทจ์•ฝํ•œ ์•ฑ์„ Exploitํ•˜๊ณ  EC2 Metadata Service์—์„œ Key๋ฅผ ํš๋“ํ•œ ํ›„ ๊ณต๊ฒฉ์ž๋Š” Lambda ํ•จ์ˆ˜๋ฅผ ํ˜ธ์ถœํ•˜๊ณ  ์‹œ๋‚˜๋ฆฌ์˜ค๋ฅผ ์™„๋ฃŒํ•  ์ˆ˜ ์žˆ๋Š” Key๋ฅผ ํš๋“ํ•จโ€ฆ

December 31, 2021
CLOUD
Web Application SSRF/XXE/SSTI ์ทจ์•ฝ์  ์—ฐ๊ตฌ

SSRF Overview ์›น ์–ดํ”Œ๋ฆฌ์ผ€์ด์…˜์—์„œ ์š”์ฒญ์ด ๋ณด๋‚ด์งˆ ๋–„ ์›น ์–ดํ”Œ๋ฆฌ์ผ€์ด์…˜์ด ์ž‘๋™ํ•˜๊ณ  ์žˆ๋Š” ์„œ๋ฒ„ ๋‚ด๋ถ€์˜ ํฌํŠธ, ์„œ๋ฒ„์™€ ์—ฐ๊ฒฐ๋œ ๋‚ด๋ถ€๋ง์— ์š”์ฒญ์„ ๋ณด๋‚ผ ์ˆ˜ ๊ฐ€ ์žˆ์ฃ  server-side์—์„œ ๋ณ€์กฐ๋œ ์š”์ฒญ, ์˜๋„ํ•˜์ง€ ์•Š์€ ์„œ๋ฒ„๋กœ ์š”์ฒญ์„ ๋ณด๋‚ด์–ด ๋ณ„๋„์˜ ์ธ์ฆ ์—†์ด ๋‚ด๋ถ€๋ฐฉ ์•ˆ์—์„œ ์š”์ฒญ๋˜๋Š” ๋ฐ์ดํ„ฐ๋ฅผ ์กฐ์ž‘ํ•˜๋Š” ๊ณต๊ฒฉ ๊ธฐ๋ฒ•์ž…๋‹ˆ๋‹ค. ์ฆ‰, ๊ณต๊ฒฉ์ž๊ฐ€ ์˜๋„ํ•œ ์„œ๋ฒ„๋กœ ์š”์ฒญ์„ ๊ฐ€๊ฒŒ ํ•˜๋Š” ์ทจ์•ฝ์ ์œผ๋กœ CSRF ์™€ ์œ ์‚ฌํ•œ ํ˜•ํƒœ์ง€๋งŒ ํด๋ผ์ด์–ธํŠธ๊ฐ€ ์•„๋‹Œ ์„œ๋ฒ„์— ์ง์ ‘ ์˜ํ–ฅ์„ ์ค„ ์ˆ˜ ์žˆ๋‹ค๋Š” ์ ์—์„œ ์ฐจ์ด๊ฐ€ ์žˆ์Šต๋‹ˆ๋‹ค. ๋‹ค๋ฅธ ๊ณต๊ฒฉ ๊ธฐ๋ฒ•๊ณผ ์—ฐ๊ณ„ ๋‹ค๋ฅธ ์ทจ์•ฝ์ ๊ณผ ์—ฐ๊ณ„์—์„œ ์‚ฌ์šฉํ•  ๊ฒฝ์šฐ RCE๋กœ ์ด์–ด์งˆ ์ˆ˜ ์žˆ๊ธฐ ๋•Œ๋ฌธ์— ํŒŒ๊ธ‰๋ ฅ์ด ํฝ๋‹ˆ๋‹ค. XXE ์ทจ์•ฝ์  + SSRF ์ทจ์•ฝ์  SSRF ์ทจ์•ฝ์  + CRLF Injection ์ทจ์•ฝ์  SSRF ์ทจ์•ฝ์  + Redis-Server ์—ฐ๊ณ„ ์ทจ์•ฝ์  SSRF + MongoDB ์—ฐ๊ณ„ ์ทจ์•ฝ์  PHP SSRF Example php curl API๊ฐ€ ์„ค์ •๋œ ๋Œ€์ƒ ์• ํ”Œ๋ฆฌ์ผ€์ด์…˜ ํ™˜๊ฒฝ์—์„œ GET ๋ฉ”์„œ๋“œ์˜ url ์ฟผ๋ฆฌ๋ฅผ ํ†ตํ•ดโ€ฆ

December 26, 2021
Web
Web Application RCE Case

QuickStart Web Application RCE Case PHP File Inclusion, File upload, โ€ฆ NodeJS Code Injection, Unserialize, โ€ฆ Flask Server Side Template Injection, โ€ฆ RCE Case1 #PHP File Inclusion php ํ‚ค์›Œ๋“œ๋Š” ํ˜•์‹์˜ ํŒŒ์ผ์„ ์ฝ์–ด์™€ php ํŒŒ์ผ์˜ ๋‚ด์šฉ์„ ๋‹ค๋ฅธ PHP ํŒŒ์ผ์— ์‚ฝ์ž…ํ•  ์ˆ˜ ์žˆ๋‹ค. ์˜ˆ์‹œ๋กœ ๊ณต๊ฒฉ ๋Œ€์ƒ ์„œ๋ฒ„์— ๊ฐ€ ๊ฐ€๋Šฅํ•œ ๊ฒฝ์šฐ RCE๊ฐ€ ๊ฐ€๋Šฅํ•œ ํŽ˜์ด๋กœ๋“œ๋ฅผ ์—…๋กœ๋“œํ•˜์—ฌ ํ˜ธ์ถœํ•จ์œผ๋กœ ์จ ๊ณต๊ฒฉ์ด ๊ฐ€๋Šฅํ•ด์ง„๋‹ค. request payload.txt response ๊ณต๊ฒฉ์ž์˜ ๋ฐ์ดํ„ฐ๋ฅผ include ํ•˜์˜€๊ธฐ ๋•Œ๋ฌธ์— ์›ํ•˜๋Š” ๋ฐฉํ–ฅ์œผ๋กœ ์ˆ˜ํ–‰ํ•  ์ˆ˜ ์žˆ๋Š” ๊ตฌ์กฐ๊ฐ€ ์ƒ๊ธด๋‹ค. File Inclusion technique ๋ง›์žˆ๋Š” ํ•  ๋Œ€์ƒ ํŒŒ์ผ : ๋ฆฌ๋ˆ…์Šค ๊ณ„์ • ๋ชฉ๋ก [Local File] : ํ”„๋กœ๊ทธ๋žจ ๋ฉ”๋ชจ๋ฆฌ ๋ฉ๋ณด [Local File] : ์ฝ”๋“œ๋ฅผ ์‹คํ–‰ํ•  ์ˆ˜ ์žˆ๋Š” php ์ฝ”๋“œ [Loโ€ฆ

December 25, 2021
Web
[KR]Vulnerability analysis of commercial metaverse-based virtual office platform

MetaVersPloit Vulnerability analysis of commercial metaverse-based virtual office platform Author ๊น€์žฌ๊ธฐ ๋ฉ˜ํ†  (์ฃผ), ์ •๊ด‘์šด ๋ฉ˜ํ†  (๋ถ€) ๊ฐ•์šฐ์› PL ๊น€์˜์šด PM, ๊น€๋‘์˜, ๊น€์šฉ์‹, ์•ˆํฌ์„ฑ, ์กฐ์ค€ํฌ, ์ „์˜ˆ์ฐฌ Goal ๐Ÿš€ ๊ทผ ๋ฏธ๋ž˜ ๋ฉ”ํƒ€๋ฒ„์Šค๋Š” ํ˜„์žฌ์˜ ๋ชจ๋ฐ”์ผ ์‹œ์žฅ์„ ๋„˜์–ด์„œ ์‹œ๊ณต๊ฐ„ ์ œ์•ฝ ์—†์ด ์‚ฌ์šฉํ•  ์ˆ˜ ์žˆ์–ด ๊ธฐ์—…, ๋ฏผ๊ฐ„, ์ •๋ถ€ ๋“ฑ ๋‹ค์–‘ํ•œ ์ธํ”„๋ผ๊ฐ€ ๊ตฌ์ถ•๋˜์–ด ์ธ๊ฐ„๊ณผ ๋ฐ€์ ‘ํ•œ ๊ด€๊ณ„์„ฑ์ด ์ƒ์„ฑ๋˜๊ธฐ ๋•Œ๋ฌธ์— ๋ฌผ๋ฆฌ์ ์ธ ์œ„ํ˜‘์ด ์•„๋‹Œ ๋ณด์•ˆ์— ๋Œ€ํ•œ ์œ„ํ˜‘์ด ์ฆ๊ฐ€ํ•˜๊ฒŒ ๋˜์–ด ์•ˆ์ •์„ฑ์ด ๋–จ์–ด์งˆ ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. ์ด๋ฒˆ ํ”„๋กœ์ ํŠธ์˜ ๋ชฉ์ ์€ ๋ฉ”ํƒ€๋ฒ„์Šค ํ”Œ๋žซํผ์˜ ๊ธ‰๊ฒฉํ•œ ์„ฑ์žฅ ์†์— ํŒŒ๊ณ ๋“œ๋Š” ๋ณด์•ˆ ์œ„ํ˜‘์„ ์ƒˆ์‹น๋ถ€ํ„ฐ ์ž๋ฅด๊ธฐ ์œ„ํ•ด ๋ฉ”ํƒ€๋ฒ„์Šค ๊ธฐ๋ฐ˜ ๊ฐ€์ƒ์˜คํ”ผ์Šค ํ”Œ๋žซํผ ์„œ๋น„์Šค๋ฅผ ์‹œ์ž‘ํ•˜๋Š” ์Šคํƒ€ํŠธ ์—…๋ถ€ํ„ฐ ์‹œ์ž‘ํ•ด์„œ ํ˜„์žฌ Meta ํšŒ์‚ฌ ์‚ฌ๋ช…์„ ๋ฐ”๊พผ Facebook์˜ Horizon ์ทจ์•ฝ์  ์—ฐ๊ตฌ๋ฅผ ์ง„ํ–‰ํ•˜์˜€์Šต๋‹ˆ๋‹ค. ๋ฉ”ํƒ€๋ฒ„์Šค ๊ฐ€์ƒ์˜คํ”ผ์Šค ํ”Œ๋žซํผ์˜ ๊ณตํ†ต์ ์ธ ๊ธฐ๋Šฅ, ๊ณต๊ฒฉ ๋ฒกํ„ฐ๋ฅผ ์‚ฐ์ถœํ•˜๊ณ โ€ฆ

December 24, 2021
projects
๋ฒ„๊ทธ๋ฐ”์šดํ‹ฐ ํ”Œ๋žซํผ HackingZone ๋ฆฌ๋ทฐ

2020๋…„์— ์ง„ํ–‰ํ–ˆ๋˜ Hack the Challenge ๋Œ€ํšŒ์— ์ฐธ์—ฌํ•˜๋ฉด์„œ ์ทจ์•ฝ์  ์ œ๋ณด ๊ณผ์ •์„ ํ†ตํ•ด ์ ‘ํ•˜๊ฒŒ ๋˜์—ˆ์—ˆ์Šต๋‹ˆ๋‹ค. ์ €์˜ ์ƒ๊ฐ์œผ๋กœ ๊ตญ๋‚ด ๋ฒ„๊ทธ ๋ฐ”์šดํ‹ฐ ํ”„๋กœ๊ทธ๋žจ์œผ๋กœ KISA ๋ณด์•ˆ ์ทจ์•ฝ์  ์ œ๋ณด ์„œ๋น„์Šค, ๊ฐ ๋ฉ”์ด์ €ํ•œ ๊ธฐ์—…์—์„œ ํ•˜๋Š” ๊ณณ์„ ์ œ์™ธํ•˜๊ณ ๋Š” ์ฐพ์•„๋ณด๊ธด ํž˜๋“ค์—ˆ์ง€๋งŒ, ์‚ผ์„ฑ SDS ํ•ดํ‚น ์กด์„ ์ƒˆ๋กญ๊ฒŒ ์ ‘ํ•˜๊ฒŒ ๋˜์—ˆ์Šต๋‹ˆ๋‹ค. ํ•ดํ‚น์กด ๋ฒ„๊ทธ๋ฐ”์šดํ‹ฐ ํ”Œ๋žซํผ ์„œ๋น„์Šค๋Š” ํ•ด๋‹น ์‚ฌ์ง„๊ณผ ๊ฐ™์ด ์ทจ์•ฝ์  ์ ๊ฒ€์ด ํ•„์š”ํ•œ ๊ธฐ์—…๋“ค์ด ๋‚˜์—ด๋˜์–ด ์žˆ์œผ๋ฉฐ ์ทจ์•ฝ์  ์ ๊ฒ€ ์‹œ ๋ฐœ๊ฒฌํ•œ ์œ ํšจ ์ทจ์•ฝ์  ์ตœ๋Œ€ ํฌ์ƒ ๊ธˆ์•ก์ด ๋ช…์‹œ๋˜์–ด ์žˆ์–ด ํ™”์ดํŠธ ํ•ด์ปค๋“ค์ด ์‰ฝ๊ฒŒ ํŒŒ์•…ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. ๋˜ํ•œ, ์ž์‹ ์˜ ๋ถ„์•ผ์™€ ๊ด€๋ จ๋œ ๋ถ„์„์„ ์ง„ํ–‰ํ•  ์ˆ˜ ์žˆ๋„๋ก ํƒœ๊ทธ๋กœ ๋ช…์‹œ๋˜์–ด ์žˆ์–ด ์ง์ ‘ ๋“ค์–ด๊ฐ€ ๋ณด์ง€ ์•Š์•„๋„ ๋น ๋ฅด๊ฒŒ ํŒŒ์•…ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. ์ด์ฒ˜๋Ÿผ ์‚ฌ์šฉ์ž์—๊ฒŒ ์นœ์ˆ™ํ•œ UI/UX๋ฅผ ์ œ๊ณตํ•จ์œผ๋กœ์จ ์ ‘๊ทผ์„ฑ์ด ์ข‹์•„ ๋งŒ์กฑ๋„๊ฐ€ ๋†’์Šต๋‹ˆ๋‹ค. ์œ ํšจ ์ทจ์•ฝ์ ์„ ๋ฐœ๊ฒฌํ•œ๋‹ค๋ฉด ์ •ํ•ด์ง„ ํฌ์ƒ ๊ธˆ์•ก๊ณผ ํฌ์ธํŠธ๋ฅผ ๋ฐ›๊ฒŒ ๋ฉ๋‹ˆ๋‹ค. ํ•ด๋‹น ํฌ์ธํŠธ ์ œ๋„๋Š” ์˜†์˜ ๋ฆฌํฌํ„ฐ ์ˆœ์œ„์— ๋ช…์‹œ๋œ ๊ฒƒ์ฒ˜๋Ÿผ ์ˆœ์œ„ ์ œ๋„๋ฅผ ์šด์šฉํ•˜์—ฌ ํ™”์ดํŠธ ํ•ด์ปคโ€ฆ

July 01, 2021
Talk
์œˆ๋„์šฐ ํ•˜์ด๋ฒ„ํŒŒ์ด์ € Ubuntu 20.04 ์ „์ฒด ํ™”๋ฉด ์„ค์ • (์˜ค๋ฅ˜ ํ•ด๊ฒฐ)

์œˆ๋„์šฐ ํ•˜์ดํผ๋ฐ”์ด์ € Ubuntu 20.04 VM ์œˆ๋„์šฐ ํ•˜์ด๋ฒ„๋ฐ”์ด์ € ๊ธฐ๋Šฅ ์„ค์ • ํ›„ ์œˆ๋„์šฐ ํ•˜์ด๋ฒ„๋ฐ”์ด์ € ๊ด€๋ฆฌ์ž ํ•˜์ดํผ๊ด€๋ผ์ž ์—์„œ ์„ ํƒํ›„ ๊ฐ€์ƒ ์ปดํ“จํ„ฐ ๋งŒ๋“ค๊ธฐ ์ฐฝ์œผ๋กœ ์ด๋™ ์„ ํƒํ›„ ๊ฐ€์ƒ ์ปดํ“จํ„ฐ ๋งŒ๋“ค๊ธฐ ํด๋ฆญ ํ›„ ๋Œ€๊ธฐ ์„ค์น˜ ์™„๋ฃŒํ›„ Ubuntu ๋ถ€ํŒ… ์™„๋ฃŒ Ubuntu VM Full screen ์„ค์ • ๋ฐฉ๋ฒ• grub ์„ค์ • ํŒŒ์ผ ํŽธ์ง‘ line 10 ํŽธ์ง‘ ์„ค์ • ํŽธ์ง‘ํ›„ ์—…๋ฐ์ดํŠธ ๋ช…๋ น ์‹คํ–‰ ์žฌ๋ถ€ํŒ… ์ „์ฒด ํ™”๋ฉด ์„ค์ • ์™„๋ฃŒ ์œˆ๋„์šฐ ํ•˜์ด๋ฒ„๋ฐ”์ด์ € ๊ธฐ๋Šฅ ์„ค์ • ํ›„ ์œˆ๋„์šฐ ํ•˜์ด๋ฒ„๋ฐ”์ด์ € ๊ด€๋ฆฌ์ž Ubuntu VM Full screen ์„ค์ • ๋ฐฉ๋ฒ• ์ „์ฒด ํ™”๋ฉด ์„ค์ • ์™„๋ฃŒ

April 01, 2021
troubleshooting
์œˆ๋„์šฐ ํž™ ๊ด€๋ฆฌ์ž

Window Heap Management ๋ฉ”๋ชจ๋ฆฌ ํ• ๋‹น ๋ฐฉ์‹์ด ์ƒ์œ„์ผ๊ฒฝ์šฐ ๋” ๋†’์€ ์ˆ˜์ค€์˜ ๊ตฌํ˜„์„ ์‚ฌ์šฉํ•œ๋‹ค. Kernel-Mode Memory Manager ์šด์˜ ์ฒด์ œ์— ๋Œ€ํ•œ ๋ชจ๋“  ๋ฉ”๋ชจ๋ฆฌ ์˜ˆ์•ฝ ๋ฐ ํ• ๋‹น ๋ฉ”๋ชจ๋ฆฌ ๋งคํ•‘ ํŒŒ์ผ ๊ณต์œ  ๋ฉ”๋ชจ๋ฆฌ ์“ฐ๊ธฐ ์ž‘์—… ๋ณต์‚ฌ ์‚ฌ์šฉ์ž ๋ชจ๋“œ์—์„œ ์ง์ ‘ ์ ‘๊ทผ ๋ถˆ๊ฐ€ VirtualAlloc/VirtualFree User Mode ์—์„œ ์‚ฌ์šฉํ•  ์ˆ˜ ์žˆ๋Š” ๊ฐ€์žฅ ๋‚ฎ์€ ์ˆ˜์ค€์˜ API ๋ฅผ ํ˜ธ์ถœํ•˜๊ณ  ํ•ด๋‹น ๊ธฐ๋Šฅ์„ ๋ฐ”ํƒ•์œผ๋กœ ๋น ๋ฅธ SYSCALL์„ ์œผ๋กœ ํ˜ธ์ถœํ•˜์—ฌ ์ถ”๊ฐ€ ์ฒ˜๋ฆฌ๋ฅผ ์ปค๋„ ๋ฉ”๋ชจ๋ฆฌ ๊ด€๋ฆฌ์ž์— ๋‹ค์‹œ ํ• ๋‹นํ•œ๋‹ค. ๋‘ ๊ฐ€์ง€ ์ฃผ์š” ์กฐ๊ฑด ๊ฒฝ๊ณ„์— ์ •๋ ฌ๋œ ๋ฉ”๋ชจ๋ฆฌ ๋ธ”๋ก๋งŒ ํ• ๋‹นํ•  ์ˆ˜ ์žˆ๋‹ค. ์˜ ๋ฐฐ์ˆ˜์ธ ํฌ๊ธฐ์˜ ๋ฉ”๋ชจ๋ฆฌ ๋ธ”๋ก๋งŒ ํ• ๋‹นํ•  ์ˆ˜ ์žˆ๋‹ค. ์‹œ์Šคํ…œ ์„ธ๋ถ„ํ™” ์— ํ˜ธ์ถœ์‹œ ํ•ด๋‹น ์ •๋ณด๋ฅผ ๋ฐ›์„ ์ˆ˜ ์žˆ๋Š”๋ฐ ๋งค๊ฐœ ๋ณ€์ˆ˜๋กœ ๋ฐ˜ํ™˜๋œ๋‹ค. ํ•ด๋‹น ๊ฐ’์˜ ๊ตฌํ˜„(๋ฐ ํ•˜๋“œ์›จ์–ด)์— ๋”ฐ๋ผ ๋‹ฌ๋ผ์ง€์ง€๋งŒ 64bit Window System์—์„œ๋Š” 0x10000 ๋ฐ”์ดํŠธ ๋˜๋Š” 64kb๋กœ ์„ค์ •๋œ๋‹ค. ์ฆ‰, ์‹œ์Šคํ…œ ์„ธ๋ถ„ํ™”๋Š” ๋‹ค์Œ๊ณผ ๊ฐ™์ด 8๋ฐ”์ดํŠธ โ€ฆ

March 30, 2021
Windows
์—ฐ๊ฒฐ ๋ฆฌ์ŠคํŠธ ๊ตฌ์กฐ ๊ณต๊ฒฉ ๋ฒกํ„ฐ ์„ ์ • (Intel arch)

Linekd List Node, Element ๋ฆฌ์ŠคํŠธ์˜ ๋ฐ์ดํ„ฐ ๊ฐ๊ฐ์˜ ๋…ธ๋“œ๋Š” ๋ฐ์ดํ„ฐ์™€ ๋‹ค์Œ ๋…ธ๋“œ๋ฅผ ๊ฐ€๋ฆฌํ‚ค๋Š” ํฌ์ธํ„ฐ๋ฅผ ๊ฐ€์ง€๊ณ  ์žˆ๋‹ค. ์ฒ˜์Œ, ๋ ๋ถ€๋ถ„์€ ๊ฐ์ž๋งŒ์˜ , ๊ฐ–๋Š”๋‹ค. ํ•œ ๋…ธ๋“œ ๋ฐ”๋กœ ์•ž์— ์žˆ๋Š” ๋…ธ๋“œ๋Š” ํ•œ ๋…ธ๋“œ ๋ฐ”๋กœ ๋’ค์— ์žˆ๋Š” ๋…ธ๋“œ๋Š” ์—ฐ๊ฒฐ๋ฆฌ์ŠคํŠธ ๊ตฌ์„ฑ ๋ฐ์ดํ„ฐ๋ฅผ ์—ฐ๊ฒฐ ๋ฆฌ์ŠคํŠธ์— ์‚ฝ์ž…ํ•  ๋•Œ ๋…ธ๋“œ์šฉ ๊ฐ์ฒด๋ฅผ ๋งŒ๋“ ๋‹ค. ์‚ญ์ œํ•  ๋•Œ ๋…ธ๋“œ์šฉ ๊ฐ์ฒด๋ฅผ ์—†์• ๋ฉด ๋ฐ์ดํ„ฐ ์ถ”๊ฐ€ ์‚ญ์ œ๋ฅผ ํšจ์œจ์ ์œผ๋กœ ํ•  ์ˆ˜ ์žˆ๋‹ค. Self-referential ํ˜•(์ž๊ธฐ ์ž์‹ ๊ณผ ๊ฐ™์€ ์ž๋ฃŒํ˜•์˜ ๊ฐ์ฒด๋ฅผ ๊ฐ€๋ฆฌํฌ๋Š” ๋ฐ์ดํ„ฐ๋ฅผ ๊ฐ€์ง€๊ณ  ์žˆ๋Š” ์ž๋ฃŒ๊ตฌ์กฐ) Tail Node๋Š” next node๋ฅผ ๊ฐ–์ง€ ์•Š๊ธฐ ๋•Œ๋ฌธ์— next ๊ฐ’์€ (NULL) ๊ฐ’์„ ๋Œ€์ž…ํ•œ๋‹ค. ์†Œ์Šค ์ฝ”๋“œ nodeAlloc ํ•จ์ˆ˜ Node ํ˜• ๊ฐ์ฒด๋ฅผ ๋งŒ๋“ค๊ณ  ๋งŒ๋“  ๊ฐ์ฒด์˜ ํฌ์ธํ„ฐ๋ฅผ ๋ฐ˜ํ™˜ํ•œ๋‹ค. setNode ํ•จ์ˆ˜ ๋…ธ๋“œ์˜ ๋ฉค๋ฒ„ ๊ฐ’์„ ์„ค์ • Nodeํ˜• ๊ฐ์ฒด์˜ ๋‘ ๋ฉˆ๋ฒ (data, next)์˜ ๊ฐ’์„ ์„ค์ •ํ•˜๋Š” ํ•จ์ˆ˜ ์ฒซ ๋ฒˆ์งธ ๋งค๊ฐœ ๋ณ€์ˆ˜ n์œผ๋กœ ์ „๋‹ฌ๋ฐ›์€ ํฌ์ธํ„ฐ๊ฐ€ ๊ฐ€๋ฆฌํ‚ค๋Š” Node ํ˜• ๊ฐ์ฒด์— x๊ฐ€ ๊ฐ€๋ฆฌํ‚ค๋Š”โ€ฆ

March 01, 2021
AnalyzingBinaries
ARM Load,Store Multi Register Instruction

Load, Store ๋‹ค์ค‘ ๋ ˆ์ง€์Šคํ„ฐ ๋ช…๋ น ARM, Thumb ๋ช…๋ น์–ด ์ง‘ํ•ฉ์—๋Š” ๋ฉ”๋ชจ๋ฆฌ์—์„œ ์—ฌ๋Ÿฌ ๋ ˆ์ง€์Šคํ„ฐ๋ฅผ ๋กœ๋“œํ•˜๊ณ  ์ €์žฅํ•˜๋Š” ๋ช…๋ น์–ด ๊ฐ€ ํฌํ•จ๋˜์–ด ์žˆ๋‹ค. ๋‹ค์ค‘ ๋ ˆ์ง€์Šคํ„ฐ ์ „์†ก ๋ช…๋ น์–ด๋Š” ์—ฌ๋Ÿฌ ๋ ˆ์ง€์Šคํ„ฐ์˜ ๋‚ด์šฉ์„ ๋ฉ”๋ชจ๋ฆฌ๋กœ๋ถ€ํ„ฐ ํšจ์œจ์ ์œผ๋กœ ์ด๋™ํ•˜๋Š” ๋ฐฉ๋ฒ•์„ ์ œ๊ณตํ•œ๋‹ค. ๋ธ”๋ก ๋ณต์‚ฌ, ์„œ๋ธŒ๋ฃจํ‹ด ์ง„์ž… ๋ฐ ์ข…๋ฃŒ์‹œ ์Šคํƒ ์ž‘์—…์— ๊ฐ€์žฅ ์ž์ฃผ ์‚ฌ์šฉ๋œ๋‹ค. ์ผ๋ จ์˜ ๋‹จ์ผ ๋ฐ์ดํ„ฐ ์ „์†ก ๋ช…๋ น์–ด ๋Œ€์‹  ๋‹ค์ค‘ ๋ ˆ์ง€์Šคํ„ฐ ์ „์†ก ๋ช…๋ น์–ด๋ฅผ ์‚ฌ์šฉํ•˜๋ฉด ์—ฌ๋Ÿฌ ์ด๋“์ด ์žˆ๋‹ค. ์ฝ”๋“œ์˜ ํฌ๊ธฐ๋ฅผ ์ž‘๊ฒŒ ํ•  ์ˆ˜ ์žˆ๋‹ค. ์—ฌ๋Ÿฌ ๋ช…๋ น fetch๊ฐ€ ์•„๋‹Œ ๋‹จ์ผ ๋ช…๋ น fetch overhead ์บ์‹œ๋˜์ง€ ์•Š์€ ARM ํ”„๋กœ์„ธ์„œ์—์„œ ๋กœ๋“œ ๋˜๋Š” ๋‹ค์ค‘ ์ €์žฅ์— ์˜ํ•ด ์ „์†ก๋˜๋Š” ์ฒซ ๋ฒˆ์งธ ์›Œ๋“œ๋Š” ํ•ญ์ƒ ๋น„ ์ˆœ์ฐจ์ž์  ๋ฉ”๋ชจ๋ฆฌ์ฃผ๊ธฐ์ด์ง€๋งŒ ์ „์†ก๋˜๋Š” ๋ชจ๋“  ํ›„์† word๋Š” ์ˆœ์ฐจ ๋ฉ”๋ชจ๋ฆฌ ์ฃผ๊ธฐ ์ผ ์ˆ˜ ์žˆ๋‹ค. ๋Œ€๋ถ€๋ถ„์˜ ์‹œ์Šคํ…œ์—์„œ ์ˆœ์ฐจ์  ๋ฉ”๋ชจ๋ฆฌ ์ฃผ๊ธฐ๊ฐ€ ๋” ๋น ๋ฅด๋‹ค. ARM LDM, STM ๋ช…๋ น ์—ฌ๋Ÿฌ ๋ช…๋ น์–ด๋ฅผ ๋กœ๋“œ, ์ €์žฅ ํ•˜๋ฉด ๋‹จ์ผ ๋ช…๋ น์–ด๋ฅผ ์‚ฌ์šฉํ•˜์—ฌ ๋ฉ”๋ชจ๋ฆฌ์—์„œ 16๊ฐœ์˜ ๋ฒ”์šฉ ๋ ˆ์ง€์Šคํ„ฐ์˜ ํ•˜์œ„ ์ง‘ํ•ฉ์„ ๋กœ๋“œ,โ€ฆ

February 10, 2021
ARM
ARM data Transfer (POST,Pre-index Method, STR/LDR Instruction)

Store, Load Instruction ARM ๋ฐฉ์‹์—์„œ ๋ฉ”๋ชจ๋ฆฌ๊ฐ„ ๋ฐ์ดํ„ฐ ์ฒ˜๋ฆฌ ๋ช…๋ น์ด ๋ถˆ๊ฐ€๋Šฅํ•˜๋‹ค. ๋ ˆ์ง€์Šคํ„ฐ์™€ ๋ฉ”๋ชจ๋ฆฌ ๊ฐ„์˜ ๋ฐ์ดํ„ฐ ์ „์†ก ๋ช…๋ น์–ด ๋ฅผ ์‚ฌ์šฉํ•ด์•ผ ํ•œ๋‹ค. Load Memory โ†’ Register Store Register โ†’ Memory ๋‹จ์ผ ๋ ˆ์ง€์Šคํ„ฐ ๋ฐ์ดํ„ฐ ์ „์†ก LDR, STR, LDRB, STRB (size: WORD, BYTE) Pre, Post Index Addressing Pre-Index Method ๋ฐ์ดํ„ฐ ์ „์†ก ํ›„ Base Register์˜ ๊ฐ’์€ ๋ณ€ํ•˜์ง€ ์•Š๋Š”๋‹ค. ์—ฐ์‚ฐ์ž๋ฅผ ๋ถ™์ด๋ฉด ์ž๋™์œผ๋กœ ์ฃผ์†Œ๋ฅผ ์—…๋ฐ์ดํŠธ ํ•  ์ˆ˜ ์žˆ๋‹ค. Post-Index Method ๋ฐ์ดํ„ฐ ์ „์†ก ํ›„ Base Register์™€ Offset์˜ ๊ณ„์‚ฐ ๊ฒฐ๊ณผ๊ฐ€ Base Register์— ์ ์šฉ๋œ๋‹ค. ์—ฐ์‚ฐ ๊ฒฐ๊ณผ Base Register์ธ r1 Register์˜ ๊ฐ’์ด 0x100+0xc ์˜ ๊ฐ’์œผ๋กœ ๋ณ€๊ฒฝ๋œ๋‹ค. Store, Load Instruction Load Store ๋‹จ์ผ ๋ ˆ์ง€์Šคํ„ฐ ๋ฐ์ดํ„ฐ ์ „์†ก Pre,โ€ฆ

February 10, 2021
ARM
ARM LDR Rd, =const (constant)

LDR Rd, =const ์˜์‚ฌ ๋ช…๋ น์€ ๋‹จ์ผ ๋ช…๋ น์–ด์—์„œ 32๋น„ํŠธ ์ˆซ์ž ์ƒ์ˆ˜๋ฅผ ์ƒ์„ฑํ•  ์ˆ˜ ์žˆ๋‹ค. ์ด ์˜์‚ฌ ๋ช…๋ น์–ด๋ฅผ ์‚ฌ์šฉํ•˜์—ฌ MOV, MVN ๋ช…๋ น์–ด ๋ฒ”์œ„๋ฅผ ๋ฒ—์–ด๋‚œ ์ƒ์ˆ˜๋ฅผ ์ƒ์„ฑํ•œ๋‹ค. LDR ์˜์‚ฌ๋ช…๋ น์€ ํŠน์ • ์ƒ์ˆ˜์— ๋Œ€ํ•ด ๊ฐ€์žฅ ํšจ์œจ์ ์ธ ์ฝ”๋“œ๋ฅผ ์ƒ์„ฑํ•œ๋‹ค. MOV, MVN ๋ช…๋ น์–ด๋ฅผ ์‚ฌ์šฉํ•˜์—ฌ ์ƒ์ˆ˜๋ฅผ ์ƒ์„ฑ ํ•  ์ˆ˜ ์žˆ๋Š” ๊ฒฝ์šฐ ์–ด์…ˆ๋ธ”๋Ÿฌ๋Š” ์ ์ ˆํ•œ ๋ช…๋ น์–ด๋ฅผ ์ƒ์„ฑํ•œ๋‹ค. MOV, MVN ๋ช…๋ น์–ด๋กœ ์ƒ์ˆ˜๋ฅผ ์ƒ์„ฑํ•  ์ˆ˜ ์—†๋Š” ๊ฒฝ์šฐ ์–ด์…ˆ๋ธ”๋Ÿฌ๋Š” ๋‹ค์Œ์„ ์ˆ˜ํ–‰ํ•œ๋‹ค. ๊ฐ’์„ literal pool (์ƒ์ˆ˜ ๊ฐ’์„ ์œ ์ง€ํ•˜๊ธฐ ์œ„ํ•ด ์ฝ”๋“œ์— ํฌํ•จ๋œ ๋ฉ”๋ชจ๋ฆฌ์˜ ์ผ๋ถ€์— ๋ฐฐ์น˜ํ•œ๋‹ค.) Literal pool์—์„œ ์ƒ์ˆ˜๋ฅผ ์ฝ๋Š” ํ”„๋กœ๊ทธ๋žจ ๊ธฐ์ค€ ์ฃผ์†Œ๋กœ LDR ๋ช…๋ น์–ด๋ฅผ ์ƒ์„ฑํ•œ๋‹ค. ์–ด์…ˆ๋ธ”๋Ÿฌ์—์„œ ์ƒ์„ฑํ•œ LDR ๋ช…๋ น์–ด ๋ฒ”์œ„ ๋‚ด์— ๋ฆฌํ„ฐ๋Ÿด ํ’€์ด ์žˆ๋Š”์ง€ ํ™•์ธํ•ด์•ผ ํ•œ๋‹ค. Literal pools ๋ฐฐ์น˜ ์–ด์…ˆ๋ธ”๋Ÿฌ๋Š” ๊ฐ ์„น์…˜์˜ ๋์— ๋ฆฌํ„ฐ๋Ÿด ํ’€์„ ๋ฐฐ์น˜ํ•œ๋‹ค. ์ด๋“ค์€ ๋‹ค์Œ ์„น์…˜์˜ ์‹œ์ž‘ ๋ถ€๋ถ„์— ์žˆ๋Š” AREA instruction ๋˜๋Š” ์–ด์…ˆ๋ธ”๋ฆฌ ๋์— ์žˆ๋Š” END instrucโ€ฆ

February 10, 2021
ARM
ARM Register const load

๋ ˆ์ง€์Šคํ„ฐ์— ์ƒ์ˆ˜ ๊ฐ’ ๋กœ๋“œ ๋ฉ”๋ชจ๋ฆฌ์—์„œ ๋ฐ์ดํ„ฐ ๋กœ๋“œ๋ฅผ ์ˆ˜ํ–‰ํ•˜์ง€ ์•Š๊ณ ๋Š” ๋‹จ์ผ ๋ช…๋ น์–ด์˜ ๋ ˆ์ง€์Šคํ„ฐ์— ์ž„์˜์˜ 32๋น„ํŠธ ์ƒ์ˆ˜๋ฅผ ๋กœ๋“œํ•  ์ˆ˜ ์—†๋‹ค. ARM ๋ช…๋ น์–ด์˜ ๊ธธ์ด๊ฐ€ 32 ๋น„ํŠธ์— ๋ถˆ๊ณผ ํ•˜๊ธฐ ๋•Œ๋ฌธ Thumb ๋ช…๋ น์–ด์—๋Š” ๋น„์Šทํ•œ ์ œํ•œ์ด ๊ฑธ๋ ค ์žˆ๋‹ค. ๋ฐ์ดํ„ฐ ๋กœ๋“œ์™€ ํ•จ๊ป˜ 32 ๋น„ํŠธ ๊ฐ’์„ ๋ ˆ์ง€์Šคํ„ฐ์— ๋กœ๋“œ ํ•  ์ˆ˜ ์žˆ์ง€๋งŒ ์ผ๋ฐ˜์ ์œผ๋กœ ์‚ฌ์šฉ๋˜๋Š” ๋งŽ์€ ์ƒ์ˆ˜๋ฅผ ๋กœ๋“œํ•˜๋Š” ๋ณด๋‹ค ์ง์ ‘์ ์ด๊ณ  ํšจ์œจ์ ์ธ ๋ฐฉ๋ฒ•์ด ์žˆ๋‹ค. ๋˜ํ•œ ์ผ๋ฐ˜์ ์œผ๋กœ ์‚ฌ์šฉ๋˜๋Š” ๋งŽ์€ ์ƒ์ˆ˜๋ฅผ ๋ณ„๋„์˜ ๋กœ๋“œ ์ž‘์—… ์—†์ด ๋ฐ์ดํ„ฐ ์ฒ˜๋ฆฌ ๋ช…๋ น์–ด ๋‚ด์—์„œ ํ”ผ์—ฐ์‚ฐ์ž๋กœ ์ง์ ‘ ํฌํ•จํ•  ์ˆ˜ ์žˆ๋‹ค. ์ง์ ‘ ๋กœ๋”ฉ MOV, MVN Instruction MOV Register MOV ๋ช…๋ น์€ ๋ชจ๋“  8 ๋น„ํŠธ ์ƒ์ˆ˜ ๊ฐ’์„ ๋กœ๋“œ ํ•˜์—ฌ 0x0 ~ 0xFF (0-255) ๋ฒ”์œ„๋ฅผ ์ œ๊ณตํ•œ๋‹ค. ๋˜ํ•œ ์ด๋Ÿฌํ•œ ๊ฐ’์„ ์ง์ˆ˜๋กœ ํšŒ์ „ ํ•  ์ˆ˜ ๋„ ์žˆ๋‹ค. MVN Register MVN์€ ์ด๋Ÿฌํ•œ ๊ฐ’์˜ ๋น„ํŠธ ๋ณด์ˆ˜๋ฅผ ๋กœ๋“œ ํ•  ์ˆ˜ ์žˆ๋‹ค. ์ˆซ์ž ๊ฐ’์€ ํ•„์š”ํ•œ ํšŒ์ „์— ๋Œ€ํ•ด ๊ณ„์‚ฐํ•  ํ•„์š”๊ฐ€ ์—†์œผ๋ฉฐ ์–ด์…ˆ๋ธ”๋Ÿฌ๊ฐ€ ๊ณ„์‚ฐ์„ ์ˆ˜ํ–‰ํ•œ๋‹ค. MOV, Mโ€ฆ

February 10, 2021
ARM
ARM Register Address load

๋ ˆ์ง€์Šคํ„ฐ์— ์ฃผ์†Œ ๋กœ๋“œ ๋ ˆ์ง€์Šคํ„ฐ์— ์ฃผ์†Œ๋ฅผ ๋กœ๋“œํ•ด์•ผ ํ•˜๋Š” ๊ฒฝ์šฐ๊ฐ€ ์ข…์ข… ์žˆ๋‹ค. ๋ณ€์ˆ˜์˜ ์ฃผ์†Œ ๊ฐ’, ๋ฌธ์ž์—ด ์ƒ์ˆ˜ ๋˜๋Š” ์ ํ”„ ํ…Œ์ด๋ธ”์˜ ์‹œ์ž‘ ์œ„์น˜โ€ฆ ์ฃผ์†Œ๋Š” ์ผ๋ฐ˜์ ์œผ๋กœ ํ˜„์žฌ pc ๋˜๋Š” ๋‹ค๋ฅธ ๋ ˆ์ง€์Šคํ„ฐ์˜ ์˜คํ”„์…‹์œผ๋กœ ํ‘œํ˜„๋œ๋‹ค. ๋ ˆ์ง€์Šคํ„ฐ๋ฅผ ์ง์ ‘๋กœ๋“œํ•˜๋ ค๋ฉด ADR, ADRL ์„ ์‚ฌ์šฉํ•œ ์ง์ ‘๋กœ๋“œ ๋ฆฌํ„ฐ๋Ÿฌ ํ’€์—์„œ ์ฃผ์†Œ ๋กœ๋“œ (LDR, Rd, = label) ADR, ADRL ์ง์ ‘ ๋กœ๋”ฉ ADR, ADRL ์˜์‚ฌ ๋ช…๋ น์–ด๋ฅผ ์‚ฌ์šฉํ•˜๋ฉด ๋ฐ์ดํ„ฐ ๋กœ๋“œ๋ฅผ ์ˆ˜ํ–‰ํ•˜์ง€ ์•Š๊ณ  ํŠน์ • ๋ฒ”์œ„ ๋‚ด์—์„œ ์ฃผ์†Œ๋ฅผ ์ƒ์„ฑํ•  ์ˆ˜ ์žˆ๋‹ค. ์„ ํƒ์  ์˜คํ”„์…‹์ด ์žˆ๋Š” ๋ ˆ์ด๋ธ” ์ธ ํ”„๋กœ๊ทธ๋žจ ๊ธฐ์ค€ ํ‘œํ˜„์‹ ์ด๋ฉฐ ์—ฌ๊ธฐ์„œ ๋ ˆ์ด๋ธ”์˜ ์ฃผ์†Œ๋Š” ํ˜„์žฌ PC์— ์ƒ๋Œ€์ ์ด๋‹ค. ์„ ํƒ์  ์˜คํ”„์…‹์ด ์žˆ๋Š” ๋ ˆ์ด๋ธ” ์ธ ๋ ˆ์ง€์Šคํ„ฐ ๊ธฐ์ค€ ์‹ ์ด๋ฉฐ ์—ฌ๊ธฐ์„œ ๋ ˆ์ด๋ธ”์˜ ์ฃผ์†Œ๋Š” ์ง€์ •๋œ ๋ฒ”์šฉ ๋ ˆ์ง€์Šคํ„ฐ์— ์žˆ๋Š” ์ฃผ์†Œ์— ์ƒ๋Œ€์ ์ด๋‹ค. ์–ด์…ˆ๋ธ”๋Ÿฌ๋Š” ๋‹ค์Œ์„ ์ƒ์„ฑํ•˜์—ฌ ์˜์‚ฌ ๋ช…๋ น์–ด๋ฅผ ๋ณ€ํ™˜ํ•œ๋‹ค. ์ฃผ์†Œ๊ฐ€ ๋ฒ”์œ„๋‚ด์— ์žˆ๋Š” ๊ฒฝ์šฐ ์ฃผ์†Œ๋ฅผ๋กœ๋“œํ•˜๋Š” ๋‹จ์ผ ADD, SUB ๋ช…๋ น์–ด ๋‹จ์ผ ๋ช…๋ น์–ด์—์„œ ์ฃผ์†Œ์— ๋„๋‹ฌํ•  ์ˆ˜ ์—†๋Š” ๊ฒฝ์šฐ ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€ ์–ด์…ˆ๋ธ”๋Ÿฌโ€ฆ

February 10, 2021
ARM
ARM and THUMB Instruction

ARM Instruction Load/Store ๊ตฌ์กฐ ARM์—๋Š” ๋ฉ”๋ชจ๋ฆฌ ๋‚ด์— ๋ฐ์ดํ„ฐ๋ฅผ ์ง์ ‘์ ์œผ๋กœ ์ ‘๊ทผํ•˜๋Š” ๊ฒƒ์ด ๋ถˆ๊ฐ€๋Šฅํ•˜๋‹ค. LDR, STR๊ณผ ๊ฐ™์€ ๋ช…๋ น์„ ํ†ตํ•ด์„œ ๋ฉ”๋ชจ๋ฆฌ์™€ ๋ ˆ์ง€์Šคํ„ฐ ์‚ฌ์ด์— ๋ฐ์ดํ„ฐ๋ฅผ ์ „์†กํ•œ๋‹ค. 3-Address date Processing ๋‘ ๊ฐœ์˜ source operand, result operand ARM ๋ชจ๋“  ๋ช…๋ น์–ด๋Š” ์กฐ๊ฑด๋ถ€ ์‹คํ–‰ ๊ฐ€๋Šฅ ๋ชจ๋“  ARM ๋ช…๋ น์–ด๋Š” CPSR์˜ ALU ์ƒํƒœ ํ”Œ๋ž˜๊ทธ ๊ฐ’์— ๋Œ€ํ•ด ์กฐ๊ฑด๋ถ€๋กœ ์‹คํ–‰๋  ์ˆ˜ ์žˆ๋‹ค. ์ผ๋ จ์˜ ๋ช…๋ น์–ด๊ฐ€ ๋™์ผํ•œ ์กฐ๊ฑด์— ์ข…์† ๋  ๋•Œ ๋” ์ข‹์„ ์ˆ˜ ์žˆ์ง€๋งŒ ์กฐ๊ฑด๋ถ€ ๋ช…๋ น์–ด๋ฅผ ๊ฑด๋„ˆ ๋›ฐ๊ธฐ ์œ„ํ•ด ๋ถ„๊ธฐ๋ฅผ ์‚ฌ์šฉํ•  ํ•„์š”๊ฐ€ ์—†๋‹ค. ๋ฐ์ดํ„ฐ ์ฒ˜๋ฆฌ ๋ช…๋ น์–ด๊ฐ€ ์ด๋Ÿฌํ•œ ํ”Œ๋ž˜๊ทธ์˜ ์ƒํƒœ๋ฅผ ์„ค์ •ํ•˜๋Š”์ง€ ์—ฌ๋ถ€๋ฅผ ์ง€์ •ํ•  ์ˆ˜ ์žˆ๋‹ค. ํ•œ ๋ช…๋ น์–ด๋กœ ์„ค์ •๋œ ํ”Œ๋ž˜๊ทธ๋ฅผ ์‚ฌ์šฉํ•˜์—ฌ ๊ทธ ์‚ฌ์ด์— ๋งŽ์€ ๋ช…๋ น์–ด๊ฐ€ ์žˆ๋”๋ผ๋„ ๋‹ค๋ฅธ ๋ช…๋ น์–ด์˜ ์‹คํ–‰์„ ์ œ์–ดํ•  ์ˆ˜ ์žˆ๋‹ค. Register Access ARM ์ƒํƒœ์—์„œ ๋ชจ๋“  ๋ช…๋ น์–ด๋Š” r0 ~ r14 ์— ์•ก์„ธ์Šค๊ฐ€ ๊ฐ€๋Šฅํ•˜๋‹ค. ๋Œ€๋ถ€๋ถ€์€ r15(pc)์— ๋Œ€ํ•œ ์•ก์„ธโ€ฆ

February 09, 2021
ARM
ARM Register

37๊ฐœ์˜ ๋ ˆ์ง€์Šคํ„ฐ๊ฐ€ ์žˆ๋‹ค. ๋ ˆ์ง€์Šคํ„ฐ๋Š” ๋ถ€๋ถ„์ ์œผ๋กœ ๊ฒน์น˜๋Š” bank์— ๋ฐฐ์—ด๋œ๋‹ค. ํ”„๋กœ์„ธ์„œ ๋ชจ๋“œ๋งˆ๋‹ค ๋‹ค๋ฅธ ๋ ˆ์ง€์Šคํ„ฐ bank๊ฐ€ ์žˆ๋‹ค. bank ๋ ˆ์ง€์Šคํ„ฐ๋Š” ํ”„๋กœ์„ธ์„œ ์˜ˆ์™ธ ๋ฐ ๊ถŒํ•œ์žˆ๋Š” ์ž‘์—…์„ ์ฒ˜๋ฆฌํ•˜๊ธฐ ์œ„ํ•œ ๋น ๋ฅธ ๋ฌธ๋งฅ ๊ตํ™˜์„ ์ œ๊ณตํ•œ๋‹ค. ๋ฒ”์šฉ 32 bit register ํ”„๋กœ์„ธ์„œ ๋ชจ๋“œ์— ๋”ฐ๋ผ r0, r1, โ€ฆ, r13, r14์™€ ๊ฐ™์€ 15๊ฐœ์˜ ๋ฒ”์šฉ ๋ ˆ์ง€์Šคํ„ฐ๊ฐ€ ํ•œ ๋ฒˆ์— ํ‘œ์‹œ๋œ๋‹ค. R0 ~ R10์€ ๋ฒ”์šฉ ์ ์œผ๋กœ ์‚ฌ์šฉ R11 ~ R15ํŠน๋ณ„ํ•œ ๋ชฉ์ ์œผ๋กœ ์‚ฌ์šฉ๋จ r0 Register Return Value ์ €์žฅ r0 ~ r3 Register ํ•จ์ˆ˜ ํ˜ธ์ถœ ์‹œ์— Argument๋ฅผ ์ „๋‹ฌํ•˜๋Š” ์šฉ๋„๋กœ ์‚ฌ์šฉ (์ธ์ž๊ฐ€ 4๊ฐœ ์ด์ƒ์ผ์‹œ ์Šคํƒ์„ ์‚ฌ์šฉ) r11 Register ํ˜„์žฌ ์Šคํƒ ํ”„๋ ˆ์ž„์˜ Frame Pointer๋ฅผ ์ €์žฅํ•œ๋‹ค. r13 Register ARM ์–ด์…ˆ๋ธ”๋ฆฌ ์–ธ์—์„œ ์Šคํƒ ํฌ์ธํ„ฐ (SP)๋กœ ์“ฐ์ธ๋‹ค. C, C++ ์ปดํŒŒ์ผ๋Ÿฌ๋Š” ํ•ญ์ƒ r13์„ ์Šคํƒ ํฌ์ธํ„ฐ๋กœ ์‚ฌ์šฉํ•œ๋‹ค. PUSH, POP ๋ช…๋ น์˜ ์˜ํ•ด์„œ ๊ฐ’์ด ๋ณ€ํ™”ํ•œ๋‹ค. r14โ€ฆ

February 09, 2021
ARM
ARM hack overview

CISC (Complex Instruction Set Computer) ๋ช…๋ น์–ด๊ฐ€ ๋ณต์žกํ•˜์—ฌ ๋ช…๋ น์–ด๋ฅผ ํ•ด์„ํ•˜๋Š” ๋ฐ ์‹œ๊ฐ„์ด ์˜ค๋ž˜ ๊ฑธ๋ฆฌ๋ฉฐ ๋ช…๋ น์–ด์˜ ์ˆ˜๊ฐ€ ๋งŽ๊ณ  ๋ช…๋ น์„ ์ฒ˜๋ฆฌํ•˜๋Š” ์‹œ๊ฐ„์ด ๊ธธ์–ด ๋ช…๋ น ์ฒ˜๋ฆฌ ๋Œ€๊ธฐ ์‹œ๊ฐ„์ด ๊ธธ๋‹ค. ๋ช…๋ น์–ด๊ฐ€ ๋ณต์žกํ•˜๋‹ค? RISC (Reduced Instruction Set Computer) CPU ๋ช…๋ น์–ด์˜ ๊ฐœ์ˆ˜๋ฅผ ์ค„์—ฌ ํ•˜๋“œ์›จ์–ด ๊ตฌ์กฐ๋ฅผ ์ข€ ๋” ๊ฐ„๋‹จํ•˜๊ฒŒ ๋งŒ๋“œ๋Š” ๋ฐฉ์‹ 32๋น„ํŠธ๋กœ ๋ช…๋ น์–ด์˜ ํฌ๊ธฐ๊ฐ€ ๋™์ผ ํ•˜๋ฉฐ ๊ณ ์ • ๊ธธ์ด๋ฅผ ๊ฐ–๋Š”๋‹ค. ๋ช…๋ น์–ด์˜ ๊ฐœ์ˆ˜๊ฐ€ ์ ๋‹ค. ํ•ต์‹ฌ์ ์ธ ๋ช…๋ น์–ด๋ฅผ ๊ธฐ๋ฐ˜์œผ๋กœ ์ตœ์†Œํ•œ์˜ ๋ช…๋ น์–ด ์ง‘ํ•ฉ์„ ๊ตฌ์„ฑํ•˜์—ฌ pipelining ๊ธฐ์ˆ ์„ ๋„์ž…ํ•˜์—ฌ ๋น ๋ฅธ ๋™์ž‘ ์†๋„์™€ ํ•˜๋“œ์›จ์–ด์˜ ๋‹จ์ˆœํ™”์™€ ํšจ์œจ์„ฑ์„ ๊ฐ–์„ ์ˆ˜ ์žˆ์œผ๋ฉฐ ๊ฐ€๊ฒฉ ๊ฒฝ์Ÿ๋ น์—์„œ๋„ ์šฐ์œ„๋ฅผ ์ ํ•˜์˜€๋‹ค. ARM ์—์„œ RISC ๋ฐฉ์‹์„ ์‚ฌ์šฉํ•˜๋Š” ์ด์œ  ARM์€ Berkeley RISC์—์„œ ํŒŒ์ƒ๋˜์—ˆ๋‹ค. ARM Processor Operation Mode ARM ํ”„๋กœ์„ธ์„œ์—๋Š” ์ด 7๊ฐœ์˜ ๋™์ž‘ ๋ชจ๋“œ๊ฐ€ ์žˆ๋‹ค. ๋™์ž‘ ๋ชจ๋“œ๋Š” ํ”„๋กœ์„ธ์„œ๊ฐ€ ์–ด๋– ํ•œ ๊ถŒํ•œ์„ ๊ฐ€์ง€๊ณ  ์–ด๋– โ€ฆ

February 09, 2021
ARM
ARM Assembly 1

ARM Instruction Layout label์ด ์—†๋”๋ผ๋„ ๋ช…๋ น์–ด, ์˜์‚ฌ ๋ช…๋ น์–ด ๋ฐ ์ง€์‹œ์–ด์—๋Š” ๊ณต๊ฐ„์ด๋‚˜ ํƒญ๊ณผ ๊ฐ™์€ ๊ณต๋ฐฑ์ด ์„ ํ–‰๋˜์–ด์•ผ ํ•œ๋‹ค. CASE Rule ๋ช…๋ น์–ด, ์ง€์‹œ๋ฌธ ๋ฐ ๊ธฐํ˜ธ ๋ ˆ์ง€์Šคํ„ฐ ์ด๋ฆ„์€ ๋Œ€๋ฌธ์ž ๋˜๋Š” ์†Œ๋ฌธ์ž๋กœ ์“ธ ์ˆ˜ ๋Š” ์žˆ์ง€๋งŒ ํ˜ผํ•ฉ ๋ถˆ๊ฐ€ Line Length Line์ด ๊ธธ๋ฉด ๋ฐฑ ์Šฌ๋ž˜์‹œ ๋ฌธ์ž๋ฅผ ๋ฐ”ํƒ•์œผ๋กœ ์—ฌ๋Ÿฌ line์œผ๋กœ ๋‚˜๋ˆ„๊ธฐ ๊ฐ€๋Šฅ ๋ฐฑ์Šฌ๋ž˜์‹œ ๋’ค์—๋Š” ๋‹ค๋ฅธ ๋ฌธ์ž๊ฐ€ ์˜ฌ ์ˆ˜ ์—ˆ๋‹ค. Label ์ฃผ์†Œ๋ฅผ ๋‚˜ํƒ€๋‚ด๋Š” ๊ธฐํ˜ธ์ด๋‹ค. ๋ ˆ์ด๋ธ”์— ์ง€์ •๋œ ์ฃผ์†Œ๋Š” assembly ์ค‘์— ๊ณ„์‚ฐ๋œ๋‹ค. ์–ด์…ˆ๋ธ”๋Ÿฌ๋Š” ๋ ˆ์ด๋ธ”์ด ์ •์˜ ๋œ ์„น์…˜์˜ ์›์ ์„ ๊ธฐ์ค€์œผ๋กœ ๋ ˆ์ด๋ธ”์˜ ์ฃผ์†Œ๋ฅผ ๊ณ„์‚ฐํ•œ๋‹ค. ๋™์ผํ•œ ์„น์…˜ ๋‚ด์˜ ๋ ˆ์ด๋ธ”์— ๋Œ€ํ•œ ์ฐธ์กฐ๋Š” ์˜คํ”„์…‹์„ ๋”ํ•˜๊ฑฐ๋‚˜ ๋บ€ ํ”„๋กœ๊ทธ๋žจ ์นด์šดํ„ฐ๋ฅผ ์‚ฌ์šฉํ•  ์ˆ˜ ์žˆ์œผ๋ฉฐ ์ด๋ฅผ ํ”„๋กœ๊ทธ๋žจ ๊ธฐ์ค€ ์ฃผ์†Œ ์ง€์ •์ด๋ผ๊ณ  ํ•œ๋‹ค. Local Label ์ง€์—ญ ๋ ˆ์ด๋ธ”์€ ๋ ˆ์ด๋ธ”์˜ ํ•˜์œ„ ํด๋ž˜์Šค์ด๋‹ค. ์ง€์—ญ ๋ ˆ์ด๋ธ”์€ 0-99 ๋ฒ”์œ„์˜ ์ˆซ์ž๋กœ ์‹œ์ž‘ํ•œ๋‹ค. ๋‹ค๋ฅธ ๋ ˆ์ด๋ธ”๊ณผ ๋‹ฌ๋ฆฌ ๋กœ์ปฌ ๋ ˆ์ด๋ธ”์€ ์—ฌ๋Ÿฌ ๋ฒˆ ์ •์˜ํ•  ์ˆ˜ ์žˆ๋‹ค. ์ง€์—ญ ๋ ˆ์ด๋ธ”์€ ๋งคํฌโ€ฆ

February 09, 2021
ARM
ARM Conditional Execution

ARM Conditional Execution Conditional Execution ARM ์ƒํƒœ์—์„œ ๊ฐ ๋ฐ์ดํ„ฐ ์ฒ˜๋ฆฌ ๋ช…๋ น์–ด์—๋Š” ์ž‘์—… ๊ฒฐ๊ณผ์— ๋”ฐ๋ผ CPSR(Current Program State Register)์˜ ALU ์ƒํƒœ ํ”Œ๋ž˜๊ทธ๋ฅผ ์—…๋ฐ์ดํŠธ ํ•˜๋Š” ์˜ต์…˜์ด ์žˆ๋‹ค. ARM ๋ฐ์ดํ„ฐ ์ฒ˜๋ฆฌ ๋ช…๋ น์–ด์— S ์ ‘๋ฏธ์‚ฌ๋ฅผ ์ถ”๊ฐ€ํ•˜์—ฌ CPSR์—์„œ ALU ์ƒํƒœ ํ”Œ๋ž˜๊ทธ๋ฅผ ์—…๋ฐ์ดํŠธ ํ•œ๋‹ค. CMP, CMN, TST, TEQ์— S ์ ‘๋ฏธ์‚ฌ๋ฅผ ์‚ฌ์šฉํ•˜๋ฉด ์•ˆ๋œ๋‹ค. ์ด๋Ÿฌํ•œ ๋น„๊ต ๋ช…๋ น์–ด๋Š” ํ•ญ์ƒ ํ”Œ๋ž˜๊ทธ๋ฅผ ์—…๋ฐ์ดํŠธ ํ•˜๊ธฐ ๋•Œ๋ฌธ์ด๋‹ค. Thumb ์ƒํƒœ์—์„œ๋Š” ์˜ต์…ฅ์ด ์—†๋‹ค. MOV, ADD ๋ช…๋ น์–ด์—์„œ ํ•˜๋‚˜ ์ด์ƒ์˜ ์ƒ์œ„ ๋ ˆ์ง€์Šคํ„ฐ๊ฐ€ ์‚ฌ์šฉ๋˜๋Š” ๊ฒฝ์šฐ๋ฅผ ์ œ์™ธํ•˜๊ณ  ๋ชจ๋“  ๋ฐ์ดํ„ฐ ์ฒ˜๋ฆฌ ๋ช…๋ น์–ด๋Š” CPSR์˜ ALU ์ƒํƒœ ํ”Œ๋ž˜๊ทธ๋ฅผ ์—…๋ฐ์ดํŠธ ํ•œ๋‹ค. MOV ๋ฐ ADD๋Š” ์ด๋Ÿฌํ•œ ๊ฒฝ์šฐ ์ƒํƒœ ํ”Œ๋ž˜๊ทธ๋ฅผ ์—…๋ฐ์ดํŠธ ํ•  ์ˆ˜ ์—†๋‹ค. ARM ์ƒํƒœ ์ˆ˜ํ–‰ ๋ฐ์ดํ„ฐ ์ž‘์—…์˜ ๊ฒฐ๊ณผ์— ๋Œ€ํ•ด CPSR์˜ ALU ์ƒํƒœ ํ”Œ๋ž˜๊ทธ๋ฅผ ์—…๋ฐ์ดํŠธ ํ•œ๋‹ค. ํ”Œ๋ž˜๊ทธ๋ฅผ ์—…๋ฐ์ดํŠธ ํ•˜์ง€ ์•Š๊ณ  ๋‹ค๋ฅธ ์—ฌ๋Ÿฌ ๋ฐ์ดํ„ฐ โ€ฆ

February 09, 2021
ARM
Windows SEH (Structured Exception Handler) 0

SEH (Structured Exception Handler) SEH Windows ์šด์˜์ฒด์ œ์—์„œ ์ œ๊ณตํ•˜๋Š” ์˜ˆ์™ธ์ฒ˜๋ฆฌ ์‹œ์Šคํ…œ์ด๋‹ค. ํ‚ค์›Œ๋“œ๋กœ ๊ฐ„๋‹จํžˆ ๊ตฌํ˜„ํ•  ์ˆ˜ ์žˆ๋‹ค. ํ•˜๋“œ์›จ์–ด ์˜ค๋ฅ˜์™€ ๊ฐ™์€ ํŠน์ • ์˜ˆ์™ธ ์ฝ”๋“œ ์ƒํ™ฉ์„ ์ •์ƒ์ ์œผ๋กœ ์ฒ˜๋ฆฌํ•˜๊ธฐ ์œ„ํ•ด C์— ๋Œ€ํ•œ Microsoft ํ™•์žฅ์ด๋‹ค. SEH๋ฅผ ์‚ฌ์šฉํ•˜๋ฉด ์‹คํ–‰์ด ์˜ˆ๊ธฐ์น˜ ์•Š๊ฒŒ ์ข…๋ฃŒ ๋˜๋Š” ๊ฒฝ์šฐ ๋ฉ”๋ชจ๋ฆฌ ๋ธ”๋ก ๋ฐ ํŒŒ์ผ๊ณผ ๊ฐ™์€ ๋ฆฌ์†Œ์Šค๊ฐ€ ์˜ฌ๋ฐ”๋ฅด๊ฒŒ ํ•ด์ œ ๋˜๋„๋ก ํ•  ์ˆ˜ ์žˆ๋‹ค. SEH ๋งค์ปค๋‹ˆ์ฆ˜ ์˜ˆ์™ธ ์ฒ˜๋ฆฌ๊ธฐ , ์˜ˆ์™ธ์— ์‘๋‹ต ํ•˜๊ฑฐ๋‚˜ ํ•ด์ œํ•  ์ˆ˜ ์žˆ๋Š” ๋ธ”๋ก Termination Handlers ์˜ˆ์™ธ๊ฐ€ ์ข…๋ฃŒ๋ฅผ ๋ฐœ์ƒ ์‹œํ‚ค๋Š” ์ง€ ์—ฌ๋ถ€์— ๊ด€๊ณ„ ์—†์ด ํ•ญ์ƒ ํ˜ธ์ถœ๋˜๋Š” ์ข…๋ฃŒ ์ฒ˜๋ฆฌ๊ธฐ ๋˜๋Š” ๋ธ”๋ก ์ผ๋ฐ˜ ์‹คํ–‰์˜ ๊ฒฝ์šฐ ์˜ˆ์™ธ ์ฒ˜๋ฆฌ ๋ฐฉ๋ฒ• OS๋Š” ํ”„๋กœ์„ธ์Šค ์‹คํ–‰ ์ค‘์— ์˜ˆ์™ธ๊ฐ€ ๋ฐœ์ƒํ•˜๋ฉด ํ”„๋กœ์„ธ์Šค์—๊ฒŒ ์ฒ˜๋ฆฌ๋ฅผ ๋งก๊ธด๋‹ค. ํ”„๋กœ์„ธ์Šค ์ฝ”๋“œ์— (SEHโ€ฆ) ์˜ˆ์™ธ์ฒ˜ ๋ฆฌ๊ฐ€ ๊ตฌํ˜„๋˜์–ด ์žˆ๋‹ค๋ฉด, ํ•ด๋‹น ์˜ˆ์™ธ๋ฅผ ์ž˜ ์ฒ˜๋ฆฌํ•œ ํ›„ ๊ฒŒ์† ์‹คํ–‰๋  ๊ฒƒ์ด๋‹ค. ๊ตฌํ˜„๋˜์–ด ์žˆ์ง€ ์•Š๋‹ค๋ฉด ๊ธฐ๋ณธ ์˜ˆ์™ธ ์ฒ˜๋ฆฌ๊ธฐ๋ฅผ ๋™์ž‘์‹œ์ผœ ํ”„๋กœ์„ธ์Šค๋ฅผ ์ข…๋ฃŒ ์‹œํ‚จ๋‹ค. ๋””๋ฒ„๊น…โ€ฆ

January 03, 2021
Windows
Windows SEH (Structured Exception Handler) 1

SEH ๋Š” ๊ฐ Thread์™€ ๊ด€๋ จ๋œ ๊ตฌ์„ฑ๋œ๋‹ค. ์›์น™์ ์œผ๋กœ ํ•ด๋‹น ๋ชฉ๋ก์˜ ๋…ธ๋“œ๋Š” stack์— ํ• ๋‹น๋œ๋‹ค. ๋ชฉ๋ก์˜ Head๋Š” TEB(Thred Environment Block)์˜ ์‹œ์ž‘ ๋ถ€๋ถ„์— ์žˆ๋Š” ํฌ์ธํ„ฐ๋กœ ๊ฐ€๋ฆฌํ‚ค๋ฏ€๋กœ ์ฝ”๋“œ๊ฐ€ ์ƒˆ ์˜ˆ์™ธ์ฒ˜๋ฆฌ๊ธฐ๋ฅผ ์ถ”๊ฐ€ํ•˜๋ ค๋Š” ๊ฒฝ์šฐ ์ƒˆ ๋…ธ๋“œ๊ฐ€ ๋ชฉ๋ก์˜ ํ—ค๋“œ์™€ ํฌ์ธํ„ฐ์— ์ถ”๊ฐ€๋œ๋‹ค. TEB์—์„œ ์ƒˆ ๋…ธ๋“œ๋ฅผ ๊ฐ€๋ฆฌํ‚ค๋„๋ก ๋ณ€๊ฒฝ๋œ๋‹ค. ๊ฐ ๋…ธ๋“œ๋Š” ์œ ํ˜•์ด๋ฉฐ ํ•ธ๋“ค๋Ÿฌ์˜ ์ฃผ์†Œ์™€ ๋ชฉ๋ก์˜ ๋‹ค์Œ ๋…ธ๋“œ์— ๋Œ€ํ•œ ํฌ์ธํ„ฐ๋ฅผ ์ €์žฅํ•œ๋‹ค. ์ด์ƒํ•˜๊ฒŒ๋„ ๋ชฉ๋ก์˜ ๋งˆ์ง€๋ง‰ ๋…ธ๋“œ์˜ โ€œnext pointerโ€ ๋Š” NULL์ด ์•„๋‹ˆ์ง€๋งŒ ์™€ ๊ฐ™๋‹ค. TEB๋Š” FS:[0] ๋ถ€ํ„ฐ ์‹œ์ž‘ํ•˜๋Š” FS๋ฅผ ํ†ตํ•ด์„œ๋„ ์•ก์„ธ์Šค ํ•  ์ˆ˜ ์žˆ์œผ๋ฏ€๋กœ ๋‹ค์Œ๊ณผ ๊ฐ™์€ ์ฝ”๋“œ๋ฅด ๋ณด๋Š” ๊ฒƒ์ด ์ผ๋ฐ˜์ ์ด๋‹ค. ์ปดํŒŒ์ผ๋Ÿฌ๋Š” ์ผ๋ฐ˜์ ์œผ๋กœ ํ”„๋กœ๊ทธ๋žจ์˜ ์–ด๋Š ์˜์—ญ์ด ์‹คํ–‰๋˜๊ณ  ์žˆ๋Š”์ง€ (์ „์—ญ ๋ณ€์ˆ˜์— ์˜์กด) ์•Œ๊ณ  ํ˜ธ์ถœ๋  ๋  ๋•Œ ๊ทธ์— ๋”ฐ๋ผ ๋™์ž‘ํ•˜๋Š” ๋‹จ์ผ ์ „์—ญ ์ฒ˜๋ฆฌ๊ธฐ๋ฅผ ๋“ฑ๋กํ•œ๋‹ค. ๊ฐ ์Šค๋ ˆ๋“œ์—๋Š” ๋‹ค๋ฅธ ๊ฐ€ ์žˆ์œผ๋ฏ€๋กœ ์šด์˜ ์ฒด์ œ๋Š” ์— ์˜ํ•ด ์„ ํƒ๋œ ์„ธ๊ทธ๋จผํŠธ๊ฐ€ ํ•ญ์ƒ ์˜ฌ๋ฐ”๋ฅธ TEB(์ฆ‰, ํ˜„์žฌโ€ฆ

January 03, 2021
Windows
TEB (Thread Environment Block)

TEB (Thread Environment Block) ํ”„๋กœ์„ธ์Šค์—์„œ ์‹คํ–‰๋˜๋Š” ์Šค๋ ˆ๋“œ์— ๋Œ€ํ•œ ์ •๋ณด๋ฅผ ๋‹ด๊ณ  ์žˆ๋Š” ๊ตฌ์กฐ์ฒด ์Šค๋ ˆ๋“œ๋ณ„๋กœ TEB ๊ตฌ์กฐ์ฒด๊ฐ€ ํ•˜๋‚˜์”ฉ ํ• ๋‹น๋œ๋‹ค. OS ์ข…๋ฅ˜๋ณ„๋กœ ํ•ด๋‹น ๋ชจ์–‘์ด ์กฐ๊ธˆ์”ฉ ๋‹ฌ๋ผ์ง„๋‹ค. ProcessEnvironmentBlock member 0x30 offset ์— ์œ„์น˜ํ•œ ProcessEnvironmentBlock member PEB(Process Environment Block) ๊ตฌ์กฐ์ฒด์˜ ํฌ์ธํ„ฐ์ด๋‹ค. PEB๋Š” ํ”„๋กœ์„ธ์Šค ๋ณ„๋กœ ํ•˜๋‚˜๋งŒ ์ƒ์„ฑ๋œ๋‹ค. NtTib member TEB ๊ตฌ์กฐ์ฒด์˜ ์ฒซ ๋ฒˆ์งธ ๋ฉค๋ฒ„๋Š” ๊ตฌ์กฐ์ฒด์ด๋‹ค. _NT_TIB (_NT_Thread information Block) ํ˜„์žฌ ์‹คํ–‰ ์ค‘์ธ ์Šค๋ ˆ๋“œ์— ๋Œ€ํ•œ ์ •๋ณด๋ฅผ ์ €์žฅํ•˜๊ณ  ์žˆ๋‹ค. ExceptionList member๋Š” _EXCEPTION_REGISTRATION_RECORD ๊ตฌ์กฐ์ฒด ์—ฐ๊ฒฐ ๋ฆฌ์ŠคํŠธ๋ฅผ ๊ฐ€๋ฆฌํ‚ค๊ณ  ์žˆ๋‹ค. ์ด๊ฒƒ์€ SEH(Structured Exception Handler) ๋ผ๊ณ  ํ•˜๋Š” Window OS์˜ ์˜ˆโ€ฆ

January 03, 2021
Windows
PEB (Process Environment Block)

window NT ๋ฐ์ดํ„ฐ ๊ตฌ์กฐ์ฒด ์ด๋ฉฐ ํ”„๋กœ์„ธ์Šค ์ •๋ณด๋ฅผ ๋‹ด๊ณ  ์žˆ๋Š” ๊ตฌ์กฐ์ฒด PEB ์ ‘๊ทผ ๋ฐฉ๋ฒ• TEB.ProcessEnvironmentBlock ๋ฉค๋ฒ„๊ฐ€ PEB ๊ตฌ์กฐ์ฒด์˜ ์ฃผ์†Œ TEB ๊ตฌ์กฐ์ฒด๋Š” FS ์„ธ๊ทธ๋จผํŠธ ์…€๋ ‰ํ„ฐ๊ฐ€ ๊ฐ€๋ฆฌํ‚ค๋Š” ์„ธ๊ทธ๋จผํŠธ ๋ฉ”๋ชจ๋ฆฌ์˜ base address์— ์œ„์น˜ํ•œ๋‹ค. ๊ทธ๋ฆฌ๊ณ  ProcessEnvironmentBlock ๋ฉค๋ฒ„๋Š” TEB ๊ตฌ์กฐ์ฒด ์‹œ์ž‘ ๋ถ€ํ„ฐ 30 ์˜ต์…‹๋งŒํผ ๋–จ์–ด์ ธ ์žˆ๋‹ค. method 1 ๋ฐ”๋กœ PEB ์ฃผ์†Œ๋ฅผ ๊ตฌํ•˜๋Š” ๋ฐฉ๋ฒ• method 2 TEB ์ฃผ์†Œ๋ฅผ ๊ตฌํ•œํ›„ ProcessEnvironmentBlock ๋ฉค๋ฒ„๋ฅผ ์ด์šฉ FS:[0x30] ์ฃผ์†Œ ๊ฐ’์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ๋‹ค. PEB ๊ตฌ์กฐ์ฒด ์ •์˜ PEB.BeingDebugged Kernel32!IsDebuggerPresent() API ํ˜„์žฌ ํ”„๋กœ์„ธ์Šค๊ฐ€ ๋””๋ฒ„๊น…์„ ๋‹นํ•˜๋Š”์ง€๋ฅผ ํŒ๋‹จํ•ด์„œ ๊ฒฐ๊ณผ๋ฅผ ๋ฐ˜ํ™˜ํ•œ๋‹ค. API๊ฐ€ ์ฐธ์กฐํ•˜๋Š” ์ •๋ณด๊ฐ€ ๋ฐ”๋กœ PEB.BeingDebugged ๋ฉค๋ฒ„์ด๋‹ค. (๋””๋ฒ„๊น… ์ค‘์ด๋ฉด1, ์•„๋‹ˆ๋ฉด 0์„ ๋ฐ˜ํ™˜) PEB.ImageBaseAddressโ€ฆ

January 03, 2021
Windows
TLS(Thread Local Storage CallBack)

Thread Local Storage (TLS) ํ”„๋กœ์„ธ์Šค์˜ ๋ชจ๋“  ์Šค๋ ˆ๋“œ๋Š” ๊ฐ€์ƒ ์ฃผ์†Œ ๊ณต๊ฐ„์„ ๊ณต์œ ํ•œ๋‹ค. ํ•จ์ˆ˜์˜ ์ง€์—ญ ๋ณ€์ˆ˜๋Š” ํ•จ์ˆ˜๋ฅผ ์‹คํ–‰ํ•˜๋Š” ๊ฐ ์Šค๋ ˆ๋“œ์— ๊ณต์œ ํ•œ๋‹ค. ์ •์  ๋ฐ ์ „์—ญ ๋ณ€์ˆ˜๋Š” ํ”„๋กœ์„ธ์Šค์˜ ๋ชจ๋“  ์Šค๋ ˆ๋“œ์—์„œ ๊ณต์œ ๋œ๋‹ค. ์ฆ‰, ์Šค๋ ˆ๋“œ ๋ณ„๋กœ ๋…๋ฆฝ๋œ ๋ฐ์ดํ„ฐ ์ €์žฅ ๊ณต๊ฐ„์ด๋ฉฐ ์Šค๋ ˆ๋“œ ๋‚ด์—์„œ ํ”„๋กœ์„ธ์Šค์˜ ์ „์—ญ(Global) ๋ฐ์ดํ„ฐ๋‚˜ ์ •์ (static) ๋ฐ์ดํ„ฐ๋ฅผ ๋งˆ์น˜ ์ง€์—ญ(Local) ๋ฐ์ดํ„ฐ ์ฒ˜๋Ÿผ ๋…๋ฆฝ์ ์œผ๋กœ ์ทจ๊ธ‰ํ•˜๊ณ  ์‹ถ์„ ๋•Œ ์‚ฌ์šฉํ•œ๋‹ค. IMAGE_DATA_DIRECTORY[9] PE ํ—ค๋”์˜ TLS Table ํ•ญ๋ชฉ์ด ์„ธํŒ…๋œ๋‹ค. IMAGE_NT_HEADERS - IMAGE_OPTIONAL_HEADER - IMAGE_DATA_DIRECTORY[9] {: width=โ€œ65%โ€ height=โ€œ65%โ€œ} RVA 01AAF3A0 ์ฃผ์†Œ์—๋Š” IMAGE_TLS_DIRECTORY ๊ตฌ์กฐ์ฒด๊ฐ€ ์žˆ๋‹ค. IMAGE_TLS_DIRECTORY IMAGE_TLS_DIRECTORY ๊ตฌ์กฐ์ฒด๋Š” x86/x64 bit๋กœ ์„ค๊ณ„๋˜์–ด ์žˆ๋‹ค. โ€ฆ

January 03, 2021
Windows
Development of window GUI binary fuzzing using the dump fuzzing theory.

Fuzz Fuzzingย orย fuzz testingย is an automatedย software testingย technique that involves providing invalid, unexpected, orย random dataย as inputs to aย computer program. The program is then monitored for exceptions such asย crashes, failing built-in codeย assertions, or potentialย memory leaks. Typically, fuzzers are used to test programs that take structured inputs. This structure is specified, e.g., in aย file formatย orย protocolย and distinguishes valid from invalid input. An effective fuzzer generatesโ€ฆ

December 20, 2020
projects
SQLite3 fts3_tokenizer() Remote Code Execution ์ทจ์•ฝ์  ์—ฐ๊ตฌ

Web Application : PHP php๋ฅผ ํ™œ์šฉํ•œ rce๋Š” ๋‹ค์Œ ์„ค๋ช…์—์„œ ๊ฐ„๋‹จํ•˜๊ฒŒ ์ง„ํ–‰ํ–ˆ๊ณ  ๋ฐ‘์˜ ๋งํฌ๋ฅผ ํ†ตํ•ด ์ฝ์œผ์‹œ๋ฉด ๋˜์š”. Web Application RCE Case PHP Security 1 ๋‹ค์Œ์€ PHP ๋ณด์•ˆ ๊ธฐ๋ฒ•์ค‘ ์— ๋Œ€ํ•˜์—ฌ ์„ค๋ช…์„ ์ง„ํ–‰ํ• ๊ป˜์š”.๐Ÿ˜› PHP Sandbox Disable Function ์• ํ”Œ๋ฆฌ์ผ€์ด์…˜ ์„ค์ •๋œ PHP ํ•จ์ˆ˜์— ๋Œ€ํ•ด ์•ก์„ธ์Šค๋ฅผ ์ œํ•œํ•˜๋Š” ๊ธฐ๋Šฅ ๊ณต๊ฒฉํ•  ์ˆ˜ ์žˆ๋Š” ๊ตฌ๊ฐ„์ด ์กด์žฌํ•˜์—ฌ , , ํ•ด๋‹น ํ•จ์ˆ˜๋“ค์„ ์ด์šฉํ•˜๋Š” ๊ฒฝ์šฐ Safe_Mode ๊ฐ€ ์„ค์ •๋œ ๋””๋ ‰ํ† ๋ฆฌ ๊ฐ€ ์›น ๋ฃจํŠธ๋กœ ์„ค์ •๋˜์–ด ์‰˜ ๋ช…๋ น() ์„ ์‚ฌ์šฉํ•  ์ˆ˜ ์—†๊ฒŒ ๋œ๋‹ค. uid, gid๊ฐ€ ๋‹ค๋ฅธ ๊ฒฝ์šฐ ์ ‘๊ทผํ•  ์ˆ˜ ์—†๋‹ค. ์™€ ๊ฐ™์€ ํŒŒ์ผ์˜ ๊ฒฝ์šฐ ์˜ ํŠน์ • ์˜ต์…˜์ด ์ผœ์ง€๋ฉด ์ ‘๊ทผํ•  ์ˆ˜ ์—†๋‹ค. ๊ฐ€ ๊ฑธ๋ฆฐ PHP ์—์„œ ์‹œ์Šคํ…œ ๋ช…๋ น์„ ์‚ฌ์šฉํ•˜๋Š” ๊ฒฝ์šฐ ์˜ˆ์™ธ ์ฒ˜๋ฆฌ๋˜๋Š” ๋ชจ์Šต์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ๋‹ค. ๋ฐ‘์— php.ini ์„ค์ • ํŒŒ์ผ๋กœ safe_mode on/off ๋กœ ์„ค์ •์ด ๊ฐ€๋Šฅํ•˜๋‹ค. Safe_Mode Bypass ๊ฐ„๋‹จํ•˜๊ฒŒ ์— ๋Œ€ํ•ดโ€ฆ

December 20, 2020
Web
CVE-2012-0002 1-day ์ทจ์•ฝ์  ๋ถ„์„

์ทจ์•ฝ์  ๋ถ„์„ ๋ณด๊ณ ์„œ CVE-2012-0002 Metasploit ์ทจ์•ฝ์„ฑ ํ…Œ์ŠคํŠธ Nessus DB ์ •๋ณด ๋‚ด๋ณด๋‚ด๊ธฐ Metasploit Exploit Framework๋ฅผ ํ†ตํ•ด ๋Œ€์ƒ ์„œ๋น„์Šค ์ทจ์•ฝ์„ฑ ์ ๊ฒ€์„ ํ•˜๊ธฐ ์œ„ํ•ด Nessus๋ฅผ ๋ฐ”ํƒ•์œผ๋กœ ์ ๊ฒ€ํ•œ ๊ฒฐ๊ณผ๋ฅผ DB ํ˜•ํƒœ๋กœ ๋‚ด๋ณด๋‚ด๊ธฐ๋ฅผ ์ง„ํ–‰ ํŒŒ์ผ์€ xml ์œ ํ˜•์˜ Nessus ํ™•์žฅ์ž ๊ตฌ์„ฑ์œผ๋กœ ๋˜์–ด์žˆ์œผ๋ฉฐ ํ•ด๋‹น ํŒŒ์ผ์ผ ์ž‘์—… ๊ณต๊ฐ„์— ์ €์žฅ ํ•œ๋‹ค. Metasploit workspace Metasploit ์ƒ์— ์ทจ์•ฝ์  ์ ๊ฒ€ ๋Œ€์ƒ์˜ ์ •๋ณด๋ฅผ ๊ด€๋ฆฌํ•˜๊ธฐ ์œ„ํ•ด Nessus DB์ •๋ณด๋ฅผ ๋ฐ›์•„์™€ ์ž‘์—…ํ•  ๊ณต๊ฐ„์„ ๋งŒ๋“ ๋‹ค. Metasploit DB ์—ฐ๊ฒฐ ์ƒํƒœ ํ™•์ธ ๋ฐ ๊ฐ€์ ธ์˜ค๊ธฐ ๋ฐ์ดํ„ฐ๋ฒ ์ด์Šค ์ƒํƒœ๋ฅผ ํ™•์ธํ•œ ํ›„ ๋งŒ์•ฝ ์‹คํŒจ๋กœ ๋‚˜์˜จ๋‹ค๋ฉด PostgreSQL ์„œ๋น„์Šค๋ฅผ ํ‚ค๋„๋ก ํ•œ๋‹ค. db_import ๋ช…๋ น์„ ํ†ตํ•ด ๋‹ค์šด ๋ฐ›์€ Nessus DB ๊ฒฐ๊ณผ ์ •๋ณด๋ฅผ ๋ถˆ๋Ÿฌ์˜จ๋‹ค. ์ ๊ฒ€ ๋Œ€์ƒ ์„œ๋น„์Šค ์ •๋ณด ํ™•์ธ services ๋ช…๋ น์„ ํ†ตํ•ด ์„œ๋น„์Šค ์ •๋ณด๋ฅผ ํ™•์ธํ•œ ๊ฒฐ๊ณผ ์ ๊ฒ€ ๋Œ€์ƒ์ธ msrdp/3389 ์„œ๋น„์Šค๊ฐ€ โ€ฆ

December 07, 2020
windows
1-day
SSTF 2020 t_express

์ทจ์•ฝ์  ๋ถ„์„ ๋ฐ”์ด๋„ˆ๋ฆฌ ๊ฐœ์š” ๋ณดํ˜ธ๊ธฐ๋ฒ• security check CANARY NX PIE RELRO ๋ฐ”์ด๋„ˆ๋ฆฌ ์ •๋ณด ๋ฐ”์ด๋„ˆ๋ฆฌ ๋ถ„์„ ๋ฐ”์ด๋„ˆ๋ฆฌ ๋กœ์ง ํ๋ฆ„ main output ์ด 4๊ฐœ์˜ ๋ฉ”๋‰ด๋ฅผ ์„ ํƒํ•  ์ˆ˜ ์žˆ๋Š” ์„ ํƒ์ฐฝ์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ์œผ๋ฉฐ , , , ๋ฉ”๋‰ด๊ฐ€ ์กด์žฌํ•œ๋‹ค. Buy ๋ฉ”๋‰ด Buy ๋ฉ”๋‰ด ๋‘ ๊ฐ€์ง€ ์„ ํƒ์œผ๋กœ , ์„ ์„ ํƒํ•  ์ˆ˜ ์žˆ์œผ๋ฉฐ, ์ž…๋ ฅ ๊ฐ’์€ , ๋Œ€์ž… ๋˜๋Š” ๊ฒƒ์œผ๋กœ ํ™•์ธ๋œ๋‹ค. ๋‘ ๋ฒˆ์งธ ์€ ์ถœ๋ ฅ ๋ฌธ์— ์˜ต์…˜ ๊ฐ’๋“ค์ด ๊ธฐ๋ณธ ์„ธํŒ…๋˜๋Š” ๊ฒƒ์œผ๋กœ ํ™•์ธ๋œ๋‹ค. View ๋ฉ”๋‰ด {: width=โ€œ60%โ€ height=โ€œ60%โ€œ} View ๋ฉ”๋‰ด Use ๋ฉ”๋‰ด ์•ž์—์„œ ์ž…๋ ฅํ•œ ๋“ค์„ ์ถœ๋ ฅํ•ด์ฃผ๋Š” ํ˜•์‹์ด๋ฉฐ, ์ธ๋ฑ์Šค๋ฅผ ๋ฐ”ํƒ•์œผ๋กœ ์ถœ๋ ฅํ•˜๋Š” ๊ฒƒ์œผ๋กœ ๋ณด์•„ ๊ตฌ์กฐ์ฒด ๋ฐฐ์—ด ๊ตฌ์กฐ์ž„์„ ์ถ”์ธกํ•  ์ˆ˜ ์žˆ๋‹ค. {: width=โ€œ60%โ€ height=โ€œ60%โ€œ} Use ๋ฉ”๋‰ด 0 ๋ฒˆ์งธ ์ธ๋ฑ์Šค๋ฅผ ์„ ํƒํ•œ ๊ฒฐ๊ณผ ๋ฌธ์ž์—ด์ด ์ถœ๋ ฅ๋˜์ง€๋งŒ 1 ๋ฒˆ์งธ ์ธ๋ฑ์Šค ๊ฐ™์€ ๊ฒฝ์šฐ ๊ตฌ์กฐ์ฒด ๋ฉค๋ฒ„๋“ค์˜ ๊ฐ’์„ ์„ค์ •ํ•  ์ˆ˜ ์žˆ๋Š” ์˜ต์…˜์„ ์ถ”๊ฐ€์ ์œผ๋กœ ํ•  ์ˆ˜ ์žˆ๋‹ค. 0 ๋ฒˆ์งธ โ€ฆ

September 18, 2020
CTF
Midnight sun 2019 gissa2 ์ทจ์•ฝ์  ๋ถ„์„

์ทจ์•ฝ์  ๋ถ„์„ ๋ฐ”์ด๋„ˆ๋ฆฌ ๊ฐœ์š” ๋ณดํ˜ธ๊ธฐ๋ฒ• ๋ณดํ˜ธ๊ธฐ๋ฒ• NX PIE RELRO ๋ฐ”์ด๋„ˆ๋ฆฌ ์ •๋ณด ๋ฐ”์ด๋„ˆ๋ฆฌ ๋ถ„์„ ๋ฉ”์ธ ์ถœ๋ ฅ ๋ฉ”์ธ ์ถœ๋ ฅ ๋ถ€๋ถ„ ๋ฐ”์ด๋„ˆ๋ฆฌ๋ฅผ ๋™์ž‘ํ•  ๊ฒฝ์šฐ ๋ฌธ์ž์—ด์„ ์ถœ๋ ฅํ•˜๋ฉด์„œ ์‚ฌ์šฉ์ž์˜ ์ž…๋ ฅ ๊ฐ’์„ ๋ฐ›๊ธฐ ์œ„ํ•ด ๋Œ€๊ธฐ ์ƒํƒœ์— ์žˆ๋Š”๋‹ค. ์‚ฌ์šฉ์ž๊ฐ€ ์ž…๋ ฅ์„ ํ•  ๊ฒฝ์šฐ ๋งŒ์•ฝ ๊ณต๋ฐฑ์ด๋ฉด ๋ฌธ์ž์—ด์„ ์ถœ๋ ฅํ•˜๋ฉด์„œ ์žฌ ์ž…๋ ฅ์„ ํ•œ๋ฉฐ ์นด์šดํ„ฐ๊ฐ€ ์ฆ๊ฐ€ํ•˜์ง€ ์•Š๋Š”๋‹ค. ์‚ฌ์šฉ์ž๊ฐ€ ์ž…๋ ฅ์„ ํ•  ๊ฒฝ์šฐ ๋งŒ์•ฝ ์ž…๋ ฅ ๊ฐ’์ด์กด์žฌ ํ•œ๋‹ค๋ฉด ์–ด๋–ค ๋กœ์ง์„ ๋ฐ”ํƒ•์œผ๋กœ ๊ฒ€์ฆ์„ ํ•˜์—ฌ ํ‹€๋ฆฌ๊ฒŒ ๋˜๋ฉด ๋ฌธ์ž์—ด์„ ์ถœ๋ ฅํ•˜๋ฉด์„œ ์นด์šดํ„ฐ๊ฐ€ ์ฆ๊ฐ€ ํ•œ๋‹ค. system call ์ถ”์  strace system call์„ ์ถ”์ ํ•œ ๊ฒฐ๊ณผ ํ•จ์ˆ˜๊ฐ€ โ€˜/home/ctf/flagโ€™ ํŒŒ์ผ์˜ ์ƒํƒœ ์—ฌ๋ถ€์™€ ํ•จ์ˆ˜๋ฅผ ๋ฐ”ํƒ•์œผ๋กœ ์ฝ๊ธฐ ์ „์šฉ์œผ๋กœ ๋ฐ์ดํ„ฐ๋ฅผ ์ฝ์–ด์˜ค๋Š” ๊ฒƒ์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ๋‹ค. ๋ฐ‘ ๋ถ„์„ ์ž˜ ๋ณด๋ฉด ํ•จ์ˆ˜์˜ ์ธ์ž๋กœ ์„ ์ „๋‹ฌํ•˜์—ฌ seccom ๋ณดํ˜ธ ๊ธฐ๋ฒ•์„ ์‚ฌ์šฉํ•˜๋Š” ๊ฒƒ์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ์œผ๋ฉฐ ๋ชจ๋“œ๋ฅผ ์‚ฌ์šฉํ•˜์—ฌ ๋ธ”๋ž™๋ฆฌ์ŠคํŠธ ๊ธฐ๋ฐ˜์œผ๋กœ ์ ‘๊ทผ์ œ์–ด๋ฅผ ํ•˜๊ณ  ์žˆ๋‹ค. SECCOMP_MODE_FILTER LIST daโ€ฆ

September 18, 2020
CTF
DEFCON 2016 xkcd ์ทจ์•ฝ์  ๋ถ„์„

์ทจ์•ฝ์  ๋ถ„์„ ๊ธฐํƒ€ ์ •๋ณด statically linked, 64 bit Heartbeat packet ๋ณดํ˜ธ๊ธฐ๋ฒ• No RELRO No Canary found NX enabled No PIE ๋ฐ”์ด๋„ˆ๋ฆฌ ๋ถ„์„ main ํ•จ์ˆ˜ ๋ถ„์„ flag ํŒŒ์ผ์˜ ๋‚ด์šฉ์„ ์ฝ์–ด์™€ flag ๋ณ€์ˆ˜์— ์ง‘์–ด๋„ฃ๋Š” ๊ฒƒ์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ๋‹ค. flag ๋ณ€์ˆ˜๋Š” .bss ์„น์…˜์— ์กด์žฌํ•˜๋ฉฐ ์ „์—ญ ๋ณ€์ˆ˜๋กœ ํ™•์ธ๋œ๋‹ค. ์‚ฌ์šฉ์ž์˜ ์ž…๋ ฅ ๊ฐ’์„ ํ† ๋Œ€๋กœ ํŠน์ • ์กฐ๊ฑด์„ ์ˆ˜ํ–‰ํ•˜๊ฒŒ ๋˜๋Š”๋ฐ ํ•จ์ˆ˜๋ฅผ ๋ฐ”ํƒ•์œผ๋กœ ๋ฌธ์ž ๋‹จ์œ„๋กœ ์งค๋ผ ํ•ด๋‹น ๋ฌธ์ž์—ด์ด ํฌํ•จ๋˜๋Š” ์ง€๋ฅผ ํ™•์ธํ•˜๊ณ  ์žˆ๋‹ค. strtok ๊ทธํ›„ ํ•ด๋‹น ๋ถ€๋ถ„์—์„œ ๊นŒ์ง€ ์ž˜๋ผ ํ•ด๋‹น ๋ฌธ์ž์—ด์˜ ๊ฐ’์„ ์ „์—ญ ๋ณ€์ˆ˜์— memcpy๋ฅผ ํ•˜๋Š” ๊ฒƒ์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ๋‹ค. globals ์ „์—ญ ๋ณ€์ˆ˜ ์ „์—ญ ๋ณ€์ˆ˜๋Š” ์ด 512๋ฐ”์ดํŠธ์ด๋ฉฐ, ๊ฐ™์€ .bss ์˜์—ญ์ด๋ฏ€๋กœ ์•ž์—์„œ ์„ ์–ธ๋œ flag์™€๋Š” 0x200์ฐจ์ด๊ฐ€ ๋‚˜๋Š” ๊ฒƒ์„ ํ™•์ธํ•  ์ˆ˜์žˆ๋‹ค. 0x200 ๋ฐ”์ดํŠธ ์ฐจ์ด ๋น„๊ต strtok ํ•œ ๋‚ด๋ถ€์˜ ํŠน ์ • ์ •์ˆ˜ ๊ฐ’์„ ๋ฐ”ํƒ•์œผ๋กœ ํ•จ์ˆ˜์˜ ์ธ์ž๋กœ ์“ฐ์ด๋Š”โ€ฆ

September 18, 2020
CTF
DEFCON 2016 feedme ์ทจ์•ฝ์  ๋ถ„์„

์ทจ์•ฝ์  ๋ถ„์„ ๋ฐ”์ด๋„ˆ๋ฆฌ ๊ฐœ์š” ๋ณดํ˜ธ ๊ธฐ๋ฒ• stripped statically linked 32 bit ๋ณดํ˜ธ๊ธฐ๋ฒ• No RELRO Canary found NX enabled PIE disabled ๋ฐ”์ด๋„ˆ๋ฆฌ ๋ถ„์„ ๋กœ์ง ๋ถ„์„1 ๋ฐ”์ด๋„ˆ๋ฆฌ์˜ ์ž…๋ ฅ ๊ฐ’์œผ๋กœ ๋ฅผ ์ž…๋ ฅํ•œ ๊ฒฐ๊ณผ SSP๊ฐ€ ์ผœ์ง€๋Š” ๊ฒƒ์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ์œผ๋ฉฐ ํ•ด๋‹น ๋ฐ”์ด๋„ˆ๋ฆฌ์—๋Š” ์นด๋‚˜๋ฆฌ๊ฐ€ ์กด์žฌํ•˜๋Š” ๊ฒƒ์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ๋‹ค. ๋กœ์ง ๋ถ„์„2 ํ•˜์ง€๋งŒ ๋ฐ”์ด๋„ˆ๋ฆฌ์˜ ์ž…๋ ฅ ๊ฐ’์œผ๋กœ ๋ฅผ ๋ฒˆ ์ž…๋ ฅํ•œ ๊ฒฐ๊ณผ SSP ์ผœ์ง€์ง€ ์•Š๋Š” ๊ฒƒ์œผ๋กœ ๋ณด์•„ ์•ž์˜ ์ฒซ ๋ฐ”์ดํŠธ์˜ ์ž…๋ ฅ ๊ฐ’์ด ํ•ด๋‹น ๋‹ค์Œ ์ž…๋ ฅ ๊ฐ’ ์ฆ‰, ๋ฌธ์ž์—ด์˜ ๊ธธ์ด ๊ฐ’์ด ๋˜๋Š” ๊ฒƒ์„ ์ถ”์ธกํ•  ์ˆ˜ ์žˆ๋‹ค. systemcall system ํ˜ธ์ถœ ๋ฒ”์œ„๋ฅผ ๋ถ„์„ํ•˜๋˜ ์ค‘ ์‹œ๊ทธ๋„์„ ๋ณด๋‚ธ ํ›„ ํ•จ์ˆ˜๋ฅผ ๋ฐ”ํƒ•์œผ๋กœ ์ถœ๋ ฅ์„ ํ•˜๋Š” ๊ฒƒ์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ์œผ๋ฉฐ ๋‹ค์‹œ ์ž์‹ ํ”„๋กœ์„ธ์Šค๋ฅผ ์ƒ์„ฑํ•˜๋Š” ๊ฒƒ์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ๋‹ค. ์ด๋กœ ์ธํ•ด ํ•ด๋‹น ๋ฐ”์ด๋„ˆ๋ฆฌ๋Š” ํ•จ์ˆ˜๋ฅผ ๋ฐ”ํƒ•์œผ๋กœ ์ž์‹ ํ”„๋กœ์„ธ์Šค๋ฅผ ์ƒ์„ฑํ•˜๋Š” ๋กœ์ง์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ๋‹ค. main ํ•จ์ˆ˜ ๋ถ„์„ main ํ•จ์ˆ˜ ๋ถ„์„ maโ€ฆ

September 18, 2020
CTF
d3ctf 2019 new_heap ์ทจ์•ฝ์  ๋ถ„์„

์ทจ์•ฝ์  ๋ถ„์„ ๋ฐ”์ด๋„ˆ๋ฆฌ ๊ฐœ์š” ๋ณดํ˜ธ ๊ธฐ๋ฒ• main ํ•จ์ˆ˜ ๋ถ„์„ ํ•จ์ˆ˜๋ฅผ ๋ฐ”ํƒ•์œผ๋กœ 1.alloc, 2. free, 3. exit ์กฐ๊ฑด์„ ์ˆ˜ํ–‰ํ•˜๋Š” ๊ฒƒ์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ๋‹ค. alloc ๋ฉ”๋ชจ๋ฆฌ ๋™์ ํ• ๋‹น ๊ณผ์ •์„ ํ™•์ธํ•ด ๋ณด๋ฉด ์ „์—ญ ํฌ์ธํ„ฐ ๋ฐฐ์—ด ์— ํ• ๋‹นํ•˜๋Š” ๊ฒƒ์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ์œผ๋ฉฐ ์ธ๋ฑ์Šค ๋ฒ”์œ„๊ฐ€ ์ด19๊ฐœ๊นŒ์ง€ ํ• ๋‹น์ด ๊ฐ€๋Šฅํ•˜๋‹ค. ์‚ฌ์šฉ์ž์˜ ์ž…๋ ฅ๊ฐ’์ด ์ดํ•˜๊นŒ์ง€ size๋กœ ํ• ๋‹น์ด ๋˜์–ด์ง€๋ฉฐ ํ•ด๋‹น ์‚ฌ์ด์ฆˆ ๋งŒํผ ๋ฐ์ดํ„ฐ๋ฅผ ์ž…๋ ฅ ํ•  ์ˆ˜ ์žˆ๋‹ค. free free๋˜๋Š” ๊ณผ์ •์„ ํ™•์ธํ•ด ๋ณด๋ฉด ์‚ฌ์šฉ์ž์˜ ์ž…๋ ฅ ๊ฐ’์ด ๊ณง ์ธ๋ฑ์Šค ๋ฒ”์œ„๋กœ ์‚ฌ์šฉ๋˜์–ด ์›ํ•˜๋Š” ํž™์„ ํ•ด์ œํ•  ์ˆ˜ ์žˆ์œผ๋ฉฐ ๊ธฐ๋ณธ์ ์ธ ๊ธธ์ด ๊ฒ€์ฆ์ด ์กด์žฌํ•œ๋‹ค. ํ•˜์ง€๋งŒ ํ•ด์ œํ•œ ์ดˆ์ธํ„ฐ๋ฅผ ์ดˆ๊ธฐํ™”ํ•˜์ง€ ์•Š๊ธฐ ๋•Œ๋ฌธ์— Double Free Bug๊ฐ€ ๋ฐœ์ƒํ•œ๋‹ค. memory leak Idea ์–ด๋–ป๊ฒŒ ํ•˜๋ฉด ๋ฉ”๋ชจ๋ฆฌ ์ฃผ์†Œ๊ฐ’์„ ๋ฆญํ•  ์ˆ˜ ์žˆ์„ ๊นŒ? ํž™ ์ฒญํฌ์˜ ๋ฐ์ดํ„ฐ๋ฅผ ์ถœ๋ ฅํ•˜๋Š” ๊ธฐ๋Šฅ์ด ์กด์žฌํ•˜์ง€ ์•Š์•„ ๋‹ค๋ฅธ ๋ฐฉ๋ฒ•์„ ์ฐพ์•„์•ผ ํ•œ๋‹ค. _IO_FILE_stdout ํŒŒ์ผ ๋””์Šคํฌ๋ฆฝํ„ฐ๋Š” ์ถœ๋ ฅํ•  ๋•Œ ์ฃผ๋กœ ์‚ฌ์šฉํ•˜๋ฉฐ ๊ตฌ์กฐ์ฒด๋กœ ์ˆ˜โ€ฆ

September 18, 2020
CTF
CSAW 2019 small_boi ์ทจ์•ฝ์  ๋ถ„์„

์ทจ์•ฝ์  ๋ถ„์„ SROP ๋ฆฌ๋ˆ…์Šค์—์„œ๋Š” ์‹œ๊ทธ๋„์ด ๋“ค์–ด์˜ค๊ฒŒ ๋˜๋ฉด ์ปค๋„ ๋ชจ๋“œ์—์„œ ์ฒ˜๋ฆฌํ•œ๋‹ค. ์ปค๋„ ๋ชจ๋“œ์—์„œ ์œ ์ €๋ชจ๋“œ๋กœ ๋“ค์–ด์˜ค๋Š” ๊ณผ์ •์—์„œ ์œ ์ €์˜ ์Šคํƒ์— ๋ ˆ์ง€์Šคํ„ฐ ์ •๋ณด๋“ค์„ ์ €์žฅํ•ด ๋†“๋Š”๋‹ค. ์€ ์ด๋ ‡๊ฒŒ ์ €์žฅํ•ด๋†“์€ ์ •๋ณด๋“ค์„ ๋‹ค์‹œ ๋Œ๋ ค๋†“์„ ๋•Œ ์‚ฌ์šฉ๋œ๋‹ค. ๊ณต๊ฒฉ์ž๊ฐ€ ์‹œ์Šคํ…œ ์ฝœ์„ ํ˜ธ์ถœํ•  ์ˆ˜ ์žˆ๊ณ  ์Šคํƒ์„ ์กฐ์ž‘ํ•  ์ˆ˜ ์žˆ๋‹ค๋ฉด ๋ชจ๋“  ๋ ˆ์ง€์Šคํ„ฐ์™€ > ์„ธ๊ทธ๋จผํŠธ๋ฅผ ์กฐ์ž‘ํ•  ์ˆ˜ ์žˆ๋‹ค. ์‹œ์Šคํ…œ ์ฝœ์„ ์‚ฌ์šฉํ•˜์—ฌ ์ต์Šคํด๋กœ์ž‡ ํ•˜๋Š” ๊ธฐ๋ฒ•์„ SigReturn Oriented Programming > (SROP)๋ผ๊ณ  ํ•œ๋‹ค. restore_sigcontext , ๋งคํฌ๋กœ๋ฅผ ์‚ฌ์šฉํ•˜์—ฌ ๋ ˆ์ง€์Šคํ„ฐ๋ฐ ์„ธ๊ทธ๋จผํŠธ๋ฅผ ๋ณต์›ํ•œ๋‹ค. sigcontext-32bit sigcontext-64bit ํ•ด๋‹น ๊ตฌ์กฐ์ฒด๋ฅผ ๋ฐ”ํƒ•์œผ๋กœ SROP ๊ธฐ๋ฒ•์œผ ์ด์šฉํ•˜์—ฌ ๊ณต๊ฒฉ์„ ์ง„ํ–‰ํ•  ์ˆ˜ ์žˆ๋‹ค. ๋ฌธ์ œ small_boi.c ๋ฌธ์ œ ๋ฐ”์ด๋„ˆ๋ฆฌ๋ฅผ ๋ถ„์„ํ•ด ๋ณด๋ฉด , , ๋“ฑ ์ต์Šค๋ฅผ ํ•˜๊ธฐ์— ํ•„์š”ํ•œ ๋ช…๋ น๋“ค์ด ์žˆ๋Š” ๊ฒƒ์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ์œผ๋ฉฐ ์นด๋‹ˆ๋ฆฌ ๋ณดํ˜ธ ๊ธฐ๋ฒ•์ด ๊ฑธ๋ ค ์žˆ์ง€ ์•Š์•„ ๋ฒ„ํผ ์˜ค๋ฒ„ํ”Œ๋กœ์šฐ๋ฅผ ๋ฐœ์ƒ์‹œ์ผœ โ€ฆ

September 18, 2020
CTF
CSAW 2019 popping_caps ์ทจ์•ฝ์  ๋ถ„์„

์ทจ์•ฝ์  ๋ถ„์„ ๋ฐ”์ด๋„ˆ๋ฆฌ ๋ถ„์„ ๋ฐ”์ด๋„ˆ๋ฆฌ ์‹คํ–‰ ๊ฒฐ๊ณผ lib_system ์ฃผ์†Œ๊ฐ€ ๋…ธ์ถœ๋˜๋Š” ๊ฒƒ์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ์œผ๋ฉฐ 4๊ฐœ์˜ ์˜ต์…˜์œผ๋กœ ํ•ด์ œ , ํ• ๋‹น, ์ž…๋ ฅ, ์ข…๋ฃŒ๊ฐ€ ๊ฐ€๋Šฅํ•˜๋‹ค. ์ทจ์•ฝํ•œ ๋ถ€๋ถ„ ๋ฉ”๋ชจ๋ฆฌ ์ฃผ์†Œ ๋…ธ์ถœ lib_system ์ฃผ์†Œ๋ฅผ ๋…ธ์ถœ์‹œํ‚ค๋Š” ๊ฒƒ์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ๋‹ค. main ํ•จ์ˆ˜ ๋ถ€๋ถ„ Bye ํ•จ์ˆ˜ ๋ถ€๋ถ„ Exploit Idea ๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌ ์ฃผ์†Œ๊ฐ€ ๋…ธ์ถœ์ด๋˜์–ด ์žˆ๊ธฐ ๋•Œ๋ฌธ์— ํ•ด๋‹น ๋ฐ”์ด๋„ˆ๋ฆฌ๊ฐ€ 7๊ฐ€์ง€ ์ž‘์—… ๋งŒ ์ˆ˜ํ–‰ ํ•  ์ˆ˜ ์žˆ์œผ๋ฏ€๋กœ ์ž‘์—…์„ ๋‚ญ๋น„ํ•  ํ•„์š”๊ฐ€ ์—†๋‹ค. ๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌ ๋ฒ„์ „์€ 2.27 ๋ฒ„์ „์ด๋ฉฐ tcache๋ฅผ ์‚ฌ์šฉํ•˜๊ณ  ์žˆ๋‹ค. ๋ฐ”์ด๋„ˆ๋ฆฌ ๋ถ„์„ ๊ฒฐ๊ณผ UAF๋ฅผ ์ง์ ‘์ ์œผ๋กœ ๊ฐ€๋Šฅํ•˜์ง€ ์•Š๊ธฐ ๋•Œ๋ฌธ์— tcache poisoning์ด ๋ถˆ๊ฐ€๋Šฅ ํ•˜๋‹ค. ์šฐ๋ฆฌ๋Š” Double free buf๋ฅผ ๋ฐ”ํƒ•์œผ๋กœ tcache dup์„ ์‚ฌ์šฉํ•  ์ˆ˜ ์žˆ๋‹ค. ํž™์˜ ์–ด๋Š ์œ„์น˜์—์„œ๋‚˜ ํ•ด์ œ๊ฐ€ ๊ฐ€๋Šฅํ•˜๋ฏ€๋กœ tcache house of spirit์„ ์‚ฌ์šฉํ•  ์ˆ˜ ์žˆ๋‹ค. security check๋กœ ์ธํ•ด ์ž‘์„ฑํ•˜๋ ค๋Š” ์œ„์น˜์— fake chunk์„ ๋งŒ๋“ค์–ด์•ผ ํ•œ๋‹ค. โ€ฆ

September 18, 2020
CTF
CSAW 2019 traveller ์ทจ์•ฝ์  ๋ถ„์„

์ทจ์•ฝ์  ๋ถ„์„ ๋ฐ”์ด๋„ˆ๋ฆฌ ๊ฐœ์š” ๋ณดํ˜ธ๊ธฐ๋ฒ• main ํ•จ์ˆ˜ ๋ถ„์„ argc ์Šคํƒ ์ฃผ์†Œ๊ฐ€ ๋…ธ์ถœ๋˜๋Š” ๊ฒƒ์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ์œผ๋ฉฐ, ์ด 4๊ฐœ์˜ ๋ฉ”๋‰ด๋ฅผ ์„ ํƒํ•  ์ˆ˜ ์žˆ๋‹ค. Add ๋ฉ”๋‰ด๋Š” ๋™์  ํ• ๋‹น์„ ์ง„ํ–‰ํ•œ๋‹ค. Change๋Š” ํ•ด๋‹น ํ• ๋‹น๋˜์–ด์ง„ ๊ฐ’์„ ๋ณ€๊ฒฝํ•œ๋‹ค. Delete๋Š” ํ•ด์ œ Check๋Š” ํ• ๋‹น๋œ ๊ฐ’์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ๋‹ค. add ํ•จ์ˆ˜ add func <1:0x80, 2:0x110, 3:0x128, 4:0x150, 5:0x200> size๋ฅผ ์„ ํƒํ•ด์„œ ๊ทธ ์‚ฌ์ด์ฆˆ๋ฅผ ํ†ตํ•ด ๋™์  ํ• ๋‹น add func ๋งˆ์ง€๋ง‰ tIndex ์ฆ๊ฐ€ ๋ฐฐ์—ด ์„ค์ •ํ•œ ๊ตฌ์กฐ์ฒด ๋Œ€์ž… change ํ•จ์ˆ˜ ํ• ๋‹น๋˜์–ด์ง„ ๊ตฌ์กฐ์ฒด์˜ destination ๋ถ€๋ถ„์„ ๋ณ€๊ฒฝํ•  ์ˆ˜ ์žˆ์œผ๋ฉฐ tIndex ๋ถ€๋ถ„์„ ์‚ฌ์šฉ์ž๊ฐ€ ์ง์ ‘ ์ž…๋ ฅํ•˜์—ฌ trips ๊ตฌ์กฐ์ฒด์˜ ์ฃผ์†Œ ๋ถ€๋ถ„์— ์ ‘๊ทผ์ด ๊ฐ€๋Šฅํ•˜๋‹ค. choice ๊ฐ€ tIndex๋ณด๋‹ค ํด๊ฒฝ์šฐ ํ•จ์ˆ˜๋ฅผ ์ข…๋ฃŒํ•˜๋Š” ์ œ์–ด ๋ฌธ์ด ์กด์žฌ ํ•˜์ง€๋งŒ ํ•ด๋‹น ํ•จ์ˆ˜์—์„œ๋Š” ์ทจ์•ฝํ•œ ์ ์ด ์กด์žฌํ•œ๋‹ค. ๋ฐ์ดํ„ฐ ํƒ€์ž…์€ signed ์ด๊ธฐ ๋•Œ๋ฌธ์— ์Œ์ˆ˜๋ฅผ ์ฒ˜๋ฆฌํ•  ์ˆ˜ ์žˆ๋‹ค ๊ทธ๋ ‡๋‹ค๋ฉด ํ•ด๋‹น โ€ฆ

September 18, 2020
CTF
zer0pts ctf 2020 - musicBlof ์ทจ์•ฝ์  ๋ถ„์„

์ทจ์•ฝ์  ๋ถ„์„ Name musicBlog Description You can introduce favorite songs to friends with MusicBlog! File MusicBlog.tar.gz DockerFile ๋ถ„์„ PHP 7.4.0 ๋ฒ„์ „์„ ์‚ฌ์šฉํ•˜๋Š” ๊ฒƒ์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ์œผ๋ฉฐ ํ•ด๋‹น ๋ฒ„์ „์— ๋งž๋Š” ๋ฒ„๊ทธ๋ฅผ ๋ฐ”ํƒ•์œผ๋กœ flag๋ฅผ ํš๋“ํ•  ์ˆ˜ ์žˆ๊ฒ ๋‹ค. ํ•จ์ˆ˜์˜ ์•ž์— async ๋ผ๋Š” ์˜ˆ์•ฝ์–ด๋ฅผ ๋ถ™์ธํ›„, ํ•จ์ˆ˜ ๋‚ด๋ถ€์—์„œ ๋น„๋™๊ธฐ ์ฒ˜๋ฆฌ๊ฐ€ ํ•„์š”ํ•œ ๋ฉ”์„œ๋“œ์— await๋ฅผ ๋ถ™์—ฌ์ค€๋‹ค. await ๋ถ™์ธ ๋ฉ”์„œ๋“œ๋Š” ๋น„๋™๊ธฐ ์ฒ˜๋ฆฌ ๋ฉ”์„œ๋“œ๊ฐ€ ๊ผญ promise ๊ฐ์ฒด๋ฅผ ๋ฐ˜ํ™˜ํ•ด์•ผ await๊ฐ€ ์˜๋„ํ•œ ๋Œ€๋กœ ๋™์ž‘ํ•œ๋‹ค. flag ๋ฌธ์ž์—ด ์ฐพ๊ธฐ flag ๋ฌธ์ž์—ด์„ ๊ฒ€์ƒ‰ํ•˜์—ฌ ์†Œ์Šค์ฝ”๋“œ๋ฅผ ํ™•์ธํ•  ์ˆ˜ ์žˆ๋‹ค. ํ•ด๋‹น ์ฝ”๋“œ๋ฅผ ๋ณด๋ฉด ์žฌ์„ ์–ธ, ์žฌํ• ๋‹น์ด ๋ถˆ๊ฐ€๋Šฅํ•˜๋„๋ก ์„ค์ •๋˜์–ด ์žˆ๋‹ค. setUserAgent ๋ฉ”์„œ๋“œ๋ฅผ ๋ฐ”ํƒ•์œผ๋กœ flag ๊ฐ’์„ UserAgent๋กœ ์„ค์ •ํ•˜๋Š” ๊ฒƒ์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ๋‹ค. SamplePage Sample Page ๋ถ„์„์‹œโ€ฆ

August 24, 2020
CTF
HitCon2017 Sakura ์ทจ์•ฝ์  ๋ถ„์„

์ทจ์•ฝ์  ๋ถ„์„ ๋ฐ”์ด๋„ˆ๋ฆฌ ์‹คํ–‰ ๊ฒฐ๊ณผ ์ž…๋ ฅ ๋Œ€๊ธฐ์ค‘ ๐Ÿ˜‘ ๋ฐ”์ด๋„ˆ๋ฆฌ ์ •๋ณด main ํ•จ์ˆ˜ ๋ถ„์„ ๋ฒˆ ๋ฃจํ‹ด์„ ๋Œ๋ฉด์„œ ํ•จ์ˆ˜๋ฅผ ๋ฐ”ํƒ•์œผ๋กœ ์ž…๋ ฅ์„ ๋ฐ›๋Š”๋‹ค. ์ž…๋ ฅ์„ ๋ฐ›์„์‹œ ํ•ด๋‹น ๋ฒ„ํผ๋ฅผ ์‚ฌ์šฉํ•˜๋Š”๋ฐ ํ•ด๋‹น ์‚ฌ์ด์ฆˆ๋Š” 400๋ฐ”์ดํŠธ์ž„์„ ๊ณ„์‚ฐํ•  ์ˆ˜ ์žˆ๋‹ค. ๋ฃจํ‹ด์„ ๋Œ๋ฉด์„œ 400๋ฐ”์ดํŠธ ์ž…๋ ฅ์„ ๋ฐ›์€ํ›„ ํ•ด๋‹น ๋ฅผ ์ธ์ž๋กœ ํ•˜์—ฌ ํ•จ์ˆ˜๋ฅผ ํ˜ธ์ถœํ•œํ›„ ํ•ด๋‹น ๋ฐ˜ํ™˜ ๊ฐ’์„ 0์ด ์•„๋‹๊ฒฝ์šฐ FLAG ๊ฐ’์„ ์ถœ๋ ฅํ•˜๋Š” ๊ฒƒ์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ๋‹ค. ์ถœ๋ ฅ ์ค‘๊ฐ„ ์‚ฌ์ด์— ํ•จ์ˆ˜๊ฐ€ ๋ณด์ผํ…๋ฐ ํ•ด๋‹น ํ•จ์ˆ˜๋Š” ์œผ๋กœ ํ•ด์‰ฌํ™” ํ•˜์—ฌ ์ถœ๋ ฅ์„ ํ•œ๋‹ค ์ฆ‰, ํ•ด๋‹น ํ•จ์ˆ˜๋Š” ์ถœ๋ ฅ์„ ํ•ด์‰ฌํ™” ํ•˜๋Š” ๊ณผ์ •์ด๊ณ  ์šฐ๋ฆฌ๊ฐ€ ์•Œ์•„์•ผ ํ•  ๊ฒƒ์€ ์–ด๋–ค ๊ฑธ ํ•ด์‰ฌํ™”๋ฅผ ํ•˜๋Š”์ง€ ์ž…๋ ฅ ๊ฐ’์„ ๋ฐ”ํƒ•์œผ๋กœ ์–ด๋–ค ์กฐ๊ฑด์„ ํ†ตํ•ด ํ•ด์‰ฌํ™” ๊ฐ€๋˜์–ด์ง€๋Š”์ง€๋ฅผ ์•Œ์•„์•ผ ํ•œ๋‹ค. sub_850 ํ•จ์ˆ˜ ๋ถ„์„ _start _end ๋ฌด๋ ค ์‹œ์ž‘๊ณผ ๋์˜ ์˜ต์…‹ ์ฐจ์ด๊ฐ€ 67493์ด ๊ฐ€ ๋‚˜๋Š” ํ•จ์ˆ˜ ์˜์—ญ์ด๋‹ค. โ€ฆ ์ฒ˜์Œ ํ”„๋กค๋กœ๊ทธ ๋ถ€๋ถ„์—์„œ ์Šคํƒ ์˜์—ญ์„ ๋งŒํผ์ด๋‚˜ ํ• ๋‹นํ•ด์ค€ ํ›„ ๋ฌด์ˆ˜ํžˆ ๋งŽ์€ ๋ณ€์ˆ˜์— ๊ฐ’์„ ๋Œ€์ž…ํ•˜๊ณ  ์žˆ๋‹ค. ๋น„์Šทํ•œ ๊ตฌ์กฐ๋กœ ํ•œ ๋ธ”๋ก์—์„œ ๋ฃจโ€ฆ

August 16, 2020
CTF
ELF ๋ถ„์„ ๋„๊ตฌ

Objdump GNU Binutils ๋‚œ๋…ํ™” ๋˜์ง€ ์•Š์€ ์ผ๋ฐ˜์ ์ธ ๋ฐ”์ด๋„ˆ๋ฆฌ๋ฅผ ๋””์Šค์–ด์…ˆ๋ธ”๋งํ•˜์—ฌ ์ž‘์—…ํ•  ์ˆ˜ ์žˆ๋‹ค. ์ผ๋ฐ˜์ ์ธ ELF ํ˜•์‹์ด๋ผ๋ฉด ๋ชจ๋‘ ์ฝ์„ ์ˆ˜ ์žˆ๋‹ค. ์˜ˆ์ œ ๋ฐ”์ด๋„ˆ๋ฆฌ ELF ํŒŒ์ผ์˜ ๋ชจ๋“  ์„น์…˜, ๋ฐ์ดํ„ฐ/์ฝ”๋“œ ์ถœ๋ ฅ ELF ํŒŒ์ผ์˜ ํ”„๋กœ๊ทธ๋žจ ์ฝ”๋“œ ์ถœ๋ ฅ ELF ํŒŒ์ผ ๋ชจ๋“  ์‹ฌ๋ณผ ์ถœ๋ ฅ Strace System Call Trace ptrace(2) ์‹œ์Šคํ…œ ์ฝœ์„ ๊ธฐ๋ฐ˜์œผ๋กœ ํ•˜๋Š” ๋„๊ตฌ ํ”„๋กœ๊ทธ๋žจ์ด ์‹คํ–‰๋˜๋Š” ๋™์•ˆ ํ™œ๋™์— ๋Œ€ํ•œ ์ •๋ณด์™€ ์ˆ˜์ง‘๋˜๋Š” ์‹œ๊ทธ๋„์„ ๋ณด์—ฌ์ฃผ๊ธฐ ์œ„ํ•ด ๋ฃจํ”„ ์•ˆ์—์„œ ์š”์ฒญ์„ ์‚ฌ์šฉํ•œ๋‹ค. ํ”„๋กœ์„ธ์Šค๋ฅผ ๋””๋ฒ„๊น…ํ•˜๊ฑฐ๋‚˜ ์‹คํ–‰ ์ค‘์ผ ๋•Œ ์–ด๋–ค syscall์ด ํ˜ธ์ถœ๋˜๋Š”์ง€์— ๋Œ€ํ•ด ์ •๋ณด ์ˆ˜์ง‘์œผ๋กœ ์œ ์šฉํ•˜๋‹ค. ltrace ๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌ ํŠธ๋ ˆ์ด์Šค strace์™€ ์œ ์‚ฌํ•˜๋‹ค. ํ”„๋กœ๊ทธ๋žจ์˜ ๊ณต์œ  ๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌ ๋งํ‚น ์ •๋ณด๋ฅผ ํŒŒ์‹ฑํ•˜๊ณ  ์‚ฌ์šฉ๋˜๋Š” ๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌ ํ•จ์ˆ˜๋ฅผ ์ถœ๋ ฅํ•œ๋‹ค. ์‹œ์Šคํ…œ ์ฝœ ์™ธ์— ๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌ ํ•จ์ˆ˜ ํ˜ธ์ถœ๋„ ํ™•์ธํ•˜๊ณ ์ž ํ• ์‹œ ํ”Œ๋ž˜๊ทธ๋ฅผ ์‚ฌ์šฉํ•œ๋‹ค. ์‹คํ–‰ ํŒŒ์ผ์˜ ๋™์  ์„ธ๊ทธ๋จผํŠธ๋ฅผ ํŒŒ์‹ฑํ•˜๊ณ  ์‹ค์ œ ๊ณต์œ  ๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌ์™€ ์ •์  ๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌ์˜ โ€ฆ

August 16, 2020
AnalyzingBinaries
ELF ํ”„๋กœ๊ทธ๋žจ ํ—ค๋” (ELF Program Header)

ELF ํ”„๋กœ๊ทธ๋žจ ํ—ค๋” ELF ํ”„๋กœ๊ทธ๋žจ ํ—ค๋”๋Š” ํ”„๋กœ๊ทธ๋žจ ๋กœ๋”ฉ์— ํ•„์š”ํ•œ ๋ฅผ ์ •์˜ํ•œ๋‹ค. ๋Š” ๋””์Šคํฌ์— ์ €์žฅ๋œ ์‹คํ–‰ ํŒŒ์ผ์ด ์ปค๋„์— ์˜ํ•ด ๋กœ๋“œ๋˜๋Š” ๊ณผ์ •์—์„œ ์–ด๋–ค ๋ฉ”๋ชจ๋ฆฌ ๊ตฌ์กฐ๋กœ ๋งคํ•‘๋  ๊ฒƒ์ธ์ง€๋ฅผ ์ •์˜ํ•œ๋‹ค. ํ”„๋กœ๊ทธ๋žจ ํ—ค๋” ํ…Œ์ด๋ธ”์€ ELF ํ—ค๋”์˜ ๋ฉค๋ฒ„์ธ (ํ”„๋กœ๊ทธ๋žจ ํ—ค๋” ํ…Œ์ด๋ธ” ์˜คํ”„์…‹)๋ฅผ ์กฐํšŒํ•ด ์ ‘๊ทผํ•œ๋‹ค. ์ฃผ๋กœ ์‚ฌ์šฉํ•˜๋Š” ํ”„๋กœ๊ทธ๋žจ ํ—ค๋”๋Š” 5๊ฐ€์ง€๋กœ ์‹คํ–‰ ํŒŒ์ผ ๋ฐ ๊ณต์œ  ๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌ์˜ ์„ธ๊ทธ๋จผํŠธ๋ฅผ ์ •์˜ํ•˜๊ณ  ์„ธ๊ทธ๋จผํŠธ ํ˜•์‹(์–ด๋–ค ํ˜•์‹์˜ ๋ฐ์ดํ„ฐ ๋˜๋Š” ์ฝ”๋“œ๊ฐ€ ์žˆ๋Š”์ง€๋ฅผ ๋‚˜ํƒ€๋‚ธ๋‹ค.) 32๋น„ํŠธ ELF ์‹คํ–‰ ํŒŒ์ผ์˜ ํ”„๋กœ๊ทธ๋žจ ํ—ค๋” ํ…Œ์ด๋ธ”์„ ์กฐํšŒํ•ด ๊ตฌ์กฐ์ฒด๊ฐ€ ํ˜•์„ฑํ•˜๋Š” ํ”„๋กœ๊ทธ๋žจ ํ—ค๋”๋ฅผ ๋ถ„์„ํ•ด๋„๋ก ํ•˜๊ฒ ๋‹ค. PT_LOAD ์‹คํ–‰ ํŒŒ์ผ์—๋Š” ํ˜•์‹์˜ ์„ธ๊ทธ๋จผํŠธ๊ฐ€ ํ•˜๋‚˜ ์ด์ƒ ์žˆ์–ด์•ผ ํ•œ๋‹ค. ํ•ด๋‹น ํ˜•์‹์˜ ํ”„๋กœ๊ทธ๋žจ ํ—ค๋”๋Š” ๋กœ๋“œ ๊ฐ€๋Šฅํ•œ ์„ธ๊ทธ๋จผํŠธ ํ˜•์‹์œผ๋กœ ๋ฉ”๋ชจ๋ฆฌ์— ๋กœ๋“œ ๋˜๋Š” ๋งคํ•‘๋œ๋‹ค. ๋‘ ์„ธ๊ทธ๋จผํŠธ๋Š” ๊ฐ’์„ ์ด์šฉํ•ด ์ •๋ ฌ๋œ ํ›„ ๋ฉ”๋ชจ๋ฆฌ์— ๋งคํ•‘๋œ๋‹ค. Phdr ๊ตฌ์กฐ์ฒด๊ฐ€ ๋‚˜ํƒ€๋‚ด๋Š” ์„ธ๊ทธ๋จผํŠธ๊ฐ€ ํŒŒ์ผ๊ณผ ๋ฉ”๋ชจ๋ฆฌ์—์„œ ์–ด๋–ค ๋ฐฉ์‹์œผ๋กœ ๋™์ž‘ํ•˜๋Š”์ง€ ์ดํ•ดํ•˜๊ธฐ ์œ„ํ•ด ๋ฆฌ๋ˆ…์Šค์˜ ํŽ˜โ€ฆ

August 16, 2020
AnalyzingBinaries
ELF ํŒŒ์ผ ํ˜•์‹ (ELF file format)

ELF ํŒŒ์ผ ํ˜•์‹ ET_NONE(ELF type none) ํŒŒ์ผ์€ ์•„์ง ์ •์˜๋˜์ง€ ์•Š์•˜๊ฑฐ๋‚˜ ์•Œ ์ˆ˜ ์—†๋‹ค. ET_REL(ELF Type relocatable) ์žฌ๋ฐฐ์—ด์ด ๊ฐ€๋Šฅํ•œ ํŒŒ์ผ ํ˜•์‹ ์ด ํ˜•์‹์˜ ํŒŒ์ผ์€ ํŒŒ์ผ์˜ ์ „์ฒด ๋˜๋Š” ์ผ๋ถ€๊ฐ€ ์žฌ๋ฐฐ์—ด ๊ฐ€๋Šฅํ•˜๋‹ค. ์žฌ๋ฐฐ์—ด ๊ฐ€๋Šฅํ•œ ํŒŒ์ผ์€ ์œ„์น˜ ๋…๋ฆฝ ์ฝ”๋“œ (PIC, Position Independent Code) ๋ผ๊ณ  ํ•œ๋‹ค. ์ฝ”๋“œ๋ฅผ ์ปดํŒŒ์ผ ํ•ด ์–ป์„ ์ˆ˜ ์žˆ๋Š” ํŒŒ์ผ์€ ์‹คํ–‰ ํŒŒ์ผ์„ ์ƒ์„ฑํ•˜๋Š” ๋ฐ ํ•„์š”ํ•œ ์ฝ”๋“œ์™€ ๋ฐ์ดํ„ฐ๋ฅผ ํฌํ•จํ•œ๋‹ค. ET_EXEC(ELF executable) ์‹คํ–‰ ํŒŒ์ผ ํ˜•์‹์ด๋‹ค. ์ด ํ˜•์‹์˜ ํŒŒ์ผ์€ ์‹คํ–‰ ํŒŒ์ผ์ด๋ฉฐ ํ”„๋กœ๊ทธ๋žจ์ด๋ผ๊ณ  ๋ถ€๋ฅธ๋‹ค. ํ”„๋กœ์„ธ์Šค์˜ ์‹œ์ž‘ ์ง€์ ์ธ Entry Point๊ฐ€ ์žˆ๋‹ค. ET_DYN(ELF type dynamic) ๊ณต์œ  ์˜ค๋ธŒ์ ํŠธ ํŒŒ์ผ ํ˜•์‹ ๋™์  ๋งํ‚น์ด ๊ฐ€๋Šฅํ•œ ์˜ค๋ธŒ์ ํŠธ ํŒŒ์ผ๋กœ ๊ณต์œ  ๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌํ•˜๊ณ ๋„ ํ•จ ์‹คํ–‰ ์‹œ๊ฐ„(runtime) ์— ํ”„๋กœ๊ทธ๋žจ์˜ ํ”„๋กœ์„ธ์Šค ์ด๋ฏธ์ง€๋กœ ๋กœ๋“œ๋˜๊ณ  ๋งํฌ๋œ๋‹ค. ET_CORE(ELF type core) ์ฝ”์–ด ํŒŒ์ผ ํ˜•โ€ฆ

August 16, 2020
AnalyzingBinaries
๋ฆฌ๋ˆ…์Šค ๋ง์ปค ํ™˜๊ฒฝ ๋ณ€์ˆ˜

LD_PRELOAD ํ™˜๊ฒฝ ๋ณ€์ˆ˜ ๋‹ค๋ฅธ ๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌ๋ณด๋‹ค ๋จผ์ € ๋™์ ์œผ๋กœ ๋งํฌํ•˜๋„๋ก ๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌ ๊ฒฝ๋กœ๋ฅผ ์ง€์ •ํ•œ๋‹ค. ํ•ด๋‹น ์„ค์ •์€ ์‚ฌ์ „์— ๋กœ๋“œํ•˜๋Š” ๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌ์˜ ํ•จ์ˆ˜๋‚˜ ์‹ฌ๋ณผ์„ ๋‚˜์ค‘์— ๋งํฌ๋˜๋Š” ๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌ ํ•จ์ˆ˜๋‚˜ ์‹ฌ๋ณผ์„ ์˜ค๋ฒ„๋ผ์ด๋“œ ํ•œ๋‹ค. ๊ณต์œ  ๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌ ํ•จ์ˆ˜๋ฅผ ๋ฆฌ๋‹ค๋ ‰์…˜ํ•˜์—ฌ ๋Ÿฐํƒ€์ž„ ํŒจ์น˜๋ฅผ ์ˆ˜ํ–‰ํ•œ๋‹ค. LD_SHOW_AUXV ํ™˜๊ฒฝ ๋ณ€์ˆ˜ ์‹คํ–‰ํ•˜๋Š” ๋™์•ˆ ํ”„๋กœ๊ทธ๋žจ์˜ ๋ณด์กฐ ๋ฒกํ„ฐ๋ฅผ ์ถœ๋ ฅํ•˜๋„๋ก ํ”„๋กœ๊ทธ๋žจ ๋กœ๋”์—๊ฒŒ ์•Œ๋ฆฐ๋‹ค. ๋Š” ํ”„๋กœ๊ทธ๋žจ์˜ ์Šคํƒ (์ปค๋„์˜ ELF ๋กœ๋”ฉ ๋ฃจํ‹ด์— ์˜ํ•œ)์— ์œ„์น˜ํ•œ ์ •๋ณด๋กœ ํ”„๋กœ๊ทธ๋žจ์— ๊ด€ํ•œ ํŠน์ • ์ •๋ณด์™€ ํ•จ๊ป˜ ๋™์  ๋ง์ปค๋กœ ์ „๋‹ฌ๋œ๋‹ค. ํ•ด๋‹น ์ •๋ณด๋Š” ๋ฆฌ๋ฒ„์‹ฑ๊ณผ ๋””๋ฒ„๊น…์— ์œ ์šฉํ•˜๋‹ค. ํ”„๋กœ์„ธ์Šค ์ด๋ฏธ์ง€์— ์œ„์น˜ํ•œ ํŽ˜์ด์ง€์˜ ๋ฉ”๋ชจ๋ฆฌ ์ฃผ์†Œ๋Š” ๋ฅผ ํ™•์ธํ•ด์•ผ ํ•œ๋‹ค. ๋ง์ปค ์Šคํฌ๋ฆฝํŠธ ๋ง์ปค ์Šคํฌ๋ฆฝํŠธ๋Š” ๋ง์ปค๊ฐ€ ํ•ด์„ํ•ด ์„น์…˜, ๋ฉ”๋ชจ๋ฆฌ, ์‹ฌ๋ณผ ๋“ฑ ํ”„๋กœ๊ทธ๋žจ์˜ ๋ ˆ์ด์•„์›ƒ์„ ๊ตฌ์„ฑํ•œ๋‹ค. ๊ธฐ๋ณธ ๋ง์ปค ์Šคํฌ๋ฆฝํ„ฐ๋Š” ๋ช…๋ น์–ด๋กœ ํ™•์ธํ•œ๋‹ค. ๋ง์ปค ํ”„๋กœ๊ทธ๋žจ์€ (์žฌ๋ฐฐ์น˜ ๊ฐ€๋Šฅํ•œ ๊ฐ์ฒด ํŒŒ์ผ, ๊ณต์œ  ๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌ, ํ—ค๋” ํŒŒ์ผ ๋“ฑ) ์ž…๋ ฅ ํŒŒ์ผ์„ ๋ฐ›์„ ๋•Œ ํ•ด์„๋œ๋‹ค. ํ•ดโ€ฆ

August 16, 2020
AnalyzingBinaries
ELF ๋ถ„์„์— ์œ ์šฉํ•œ ๋””๋ฐ”์ด์Šค ํŒŒ์ผ (Device File)

Device File /proc//maps ๊ฐ ๋ฉ”๋ชจ๋ฆฌ ๋งคํ•‘์„ ํ‘œ์‹œํ•ด ํ”„๋กœ์„ธ์Šค ์ด๋ฏธ์ง€์— ๋Œ€ํ•œ ๋ ˆ์ด์•„์›ƒ์„ ๊ฐ€์ง„๋‹ค. ์‹คํ–‰ ํŒŒ์ผ, ๊ณต์œ  ๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌ, ์Šคํƒ, ํž™, VDSO ๋“ฑ์ด ํฌํ•จ๋œ๋‹ค. ํ”„๋กœ์„ธ์Šค ์ฃผ์†Œ ๊ณต๊ฐ„์˜ ๋ฐฐ์น˜๋ฅผ ์‹ ์†ํžˆ ๋ถ„์„ํ•  ๋•Œ ๋งค์šฐ ์ค‘์š”ํ•˜๋‹ค. /proc/kcore proc ํŒŒ์ผ์‹œ์Šคํ…œ์— ์žˆ๋Š” ์—”ํŠธ๋ฆฌ๋กœ ๋ฆฌ๋ˆ…์Šค ์ปค๋„์˜ ๋™์  ์ฝ”์–ด ํŒŒ์ผ์ฒ˜๋Ÿผ ํ–‰๋™ํ•œ๋‹ค. GDB์— ์ปค๋„ ๋””๋ฒ„๊น…๊ณผ ๋ถ„์„์„ ๋ชฉ์ ์œผ๋กœ ์‚ฌ์šฉํ•  ์ˆ˜์žˆ๋Š” ELF ์ฝ”์–ด ํŒŒ์ผ ํ˜•ํƒœ์ธ ๋กœ์šฐ ๋ฉ”๋ชจ๋ฆฌ ๋คํ”„์ด๋‹ค. /boot/System.map ๋ชจ๋“  ๋ฆฌ๋ˆ…์Šค ๋ฐฐํฌํŒ์—์„œ ์‚ฌ์šฉํ•  ์ˆ˜ ์žˆ๊ณ  ์ปค๋„ ํ•ด์ปค์—๊ฒŒ ์•„์ฃผ ์œ ์šฉํ•˜๋‹ค. ์ „์ฒด ์ปค๋„์˜ ๋ชจ๋“  ์‹ฌ๋ณผ์ด ๋‹ด๊ฒจ ์žˆ๋‹ค. /proc/kallsyms kallsyms๋Š” /proc ์—”ํŠธ๋ฆฌ๋งŒ ์ œ์™ธํ•˜๊ณ  ์ปค๋„์ด ๊ด€๋ฆฌํ•˜๊ณ  ๋™์ ์œผ๋กœ ์—…๋ฐ์ดํŠธํ•˜์—ฌ ๊ณผ ๋งค์šฐ ์œ ์‚ฌํ•˜๋‹ค. ์ƒˆ๋กœ์šด LKM์„ ์„ค์น˜ํ•˜๋ฉด ์‹ฌ๋ณผ์€ /proc/kallsyms์— ๋ฐ”๋กœ ์ถ”๊ฐ€๋œ๋‹ค. /proc/kallsyms๋Š” ๋Œ€๋ถ€๋ถ„์˜ ์‹ฌ๋ณผ๊ณผ ์ปค๋„ ์„ค์ •์— ๋ช…์‹œ๋œ ๊ฒƒ ์ „๋ถ€๊ฐ€ ํฌํ•จ๋œ๋‹ค. /procโ€ฆ

August 16, 2020
AnalyzingBinaries
Docker Ubuntu ํ™˜๊ฒฝ Python pip locale ์—๋Ÿฌ ํ•ด๊ฒฐ ๋ฐฉ์•ˆ

๋ฌธ์ œ ํ•ด๊ฒฐ Step1: error check Dockerํ™˜๊ฒฝ์—์„œ Ubuntu ์„œ๋ฒ„๋ฅผ ์šด์˜ํ•˜๋‹ค๊ฐ€ ์ด ์ž‘๋™์„ ์•ˆํ•˜๋Š” ๊ฒฝ์šฐ๊ฐ€ ์ƒ๊ธด๋‹ค. ํ•ด๋‹น ์—๋Ÿฌ๋Š” ๊ฐ€ ๋ฐœ์ƒํ•˜๋ฉฐ local ์ชฝ์— ๋ฌธ์ œ๊ฐ€ ์ƒ๊ธด ๊ฒƒ์œผ๋กœ ๋ณด์ธ๋‹ค. Step2 ๋ช…๋ น์œผ๋กœ ํ•ด๋‹น ํŒŒ์ผ์„ ์ฐพ์„ ์ˆ˜ ์—†๋‹ค๋Š” ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€๊ฐ€ ๋œฌ๋‹ค๋ฉด์€ ์•„๋ž˜์— ํ™˜๊ฒฝ ์„ค์ •์„ ํ•ด์ฃผ๊ธธ ๋ฐ”๋ž€๋‹ค. Step3 ํ™˜๊ฒฝ ์„ค์ •์„ ์™„๋ฃŒํ•˜์˜€์œผ๋ฉด ์˜ต์…˜์œผ๋กœ ์‚ฌ์šฉํ•  locales ๋ฅผ ์ง€์ •ํ•˜๋„๋ก ํ•œ๋‹ค. ์„ ์„ ํƒํ•˜๊ณ  ์„ ์„ค์ •ํ•˜๋„๋ก ํ•œ๋‹ค. ๊ทธ ํ›„์— ์ด ์ž˜๋˜๋Š” ๊ฒƒ์„ ํ™•์ธํ•  ์ˆ˜์žˆ๋‹ค.๐Ÿ˜Š๐Ÿ˜Š Step1: error check Step2 Step3

August 15, 2020
troubleshooting
CodeGate2017 angrybird ๋ถ„์„

์ทจ์•ฝ์  ๋ถ„์„ Angry Bird ๋ฐ”์ด๋„ˆ๋ฆฌ ๋™์ž‘ ๊ฒฐ๊ณผ ๋ฐ”์ด๋„ˆ๋ฆฌ ์‹คํ–‰์‹œ ์•„๋ฌด ๊ฒฐ๊ณผ๊ฐ€ ์•ˆ๋‚˜์˜ค๋Š” ๊ฒƒ์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ๋‹ค. main ํ•จ์ˆ˜ ๋ถ„์„ ๋ณดํ˜ธ๊ธฐ๋ฒ•์ด ์ ์šฉ๋˜์–ด ์žˆ์–ด Stack Prlog๋ฅผ ๊ฑฐ์น˜๋ฉด์„œ ๋ฅผ ๋ ˆ์ง€์Šคํ„ฐ์— ์—์„œ ์ƒ์„ฑ๋œ ๊ฐ’์„ ๊ฐ€์ ธ์™€ ํ•ด๋‹น ๊ฐ’์„ ์Šคํƒ์— ์ง‘์–ด๋„ฃ๋Š” ๊ฒƒ์„ ํ™•์ธํ•  ์ˆ˜๊ฐ€ ์žˆ์œผ๋ฉฐ ๋ ˆ์ง€์Šคํ„ฐ๋ฅผ 0์œผ๋กœ ์ดˆ๊ธฐํ™” ํ•œํ›„ 0๊ณผ ๋น„๊ต๋ฅผ ํ•˜์—ฌ ํ•จ์ˆ˜๋กœ ์ ํ”„ํ•˜๋Š” ๊ฒƒ์„ ๋ณผ ์ˆ˜ ์žˆ๋‹ค. ๊ทธ๋ž˜์„œ, ํ•ด๋‹น ๋ฐ”์ด๋„ˆ๋ฆฌ๋ฅผ ์‹คํ–‰ํ•˜์˜€์„ ๋•Œ ๋ฐ”๋กœ ๋๋‚˜๋Š” ๋ชจ์Šต์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ๋‹ค. Nop Sled ์ ์šฉ Hex ๊ฐ’์„ 90(Nop)์œผ๋กœ ํŒจ์น˜ํ•˜์—ฌ ์ ํ”„๋ฅผ ๋›ฐ์–ด๋„ ๋๋‚  ์ˆ˜ ์—†๋„๋ก ์ง„ํ–‰ํ•˜์˜€๋‹ค. ๋””๋ฒ„๊ฑฐ๋ฅผ ๋ฐ”ํƒ•์œผ๋กœ ํ•จ์ˆ˜๋กœ ์ ํ”„ํ•˜๋Š” ๊ฒƒ์€ ์šฐํšŒ๋ฅผ ํ•˜์—ฌ ๋ฌธ์ž์—ด์„ ๋ฐ˜ํ™˜ํ•˜๋Š” ๊ฒƒ์„ ํ™•์ธํ•  ์ˆ˜์žˆ๋‹ค. you should return 21 not 1 :( ์ถœ๋ ฅ๋œ ๊ฒฐ๊ณผ๋ฅผ ํ™•์ธํ•ด ๋ณด๋ฉด 21์„ ๋ฐ˜ํ™˜ํ•ด์•ผ ํ•œ๋‹ค๊ณ  ํ•œ๋‹ค. ํ•ด๋‹น ํ•จ์ˆ˜๋ฅผ ๋ถ„์„ํ•ด๋ณด๋„๋ก ํ•˜๊ฒ ๋‹ค. Sub_4006F6 ํ•จ์ˆ˜ ๋ถ„์„ ์•ž์˜ ๋ฌธ์ž์—ด์„ ์ถœ๋ ฅํ•œ ํ•จ์ˆ˜ ๋ธ”๋ก ๋‚ด๋ถ€์ด๋ฉฐ ๋ฐ˜ํ™˜ ๋˜๋Š” ๊ฐ’ โ€ฆ

August 15, 2020
CTF
Sharky CTF Z3 Robot

์ทจ์•ฝ์  ๋ถ„์„ ๋ฐ”์ด๋„ˆ๋ฆฌ ์ •๋ณด ๋ฐ”์ด๋„ˆ๋ฆฌ ์‹คํ–‰ ์ž…๋ ฅ ๊ฐ’์„ ๋ฐ›์„ ์ˆ˜ ์žˆ๋„๋ก ํ•˜๋ฉฐ ์ž„์˜์˜ ๋ฌธ์ž์—ด์„ ์ž…๋ ฅํ•  ์‹œ ํ•ด๋‹น ๋ฌธ์ž์—ด์„ ์ถœ๋ ฅํ•˜๋Š” ๊ฒƒ์„ ์•Œ ์ˆ˜ ์žˆ๋‹ค. ํ•จ์ˆ˜ ํ˜ธ์ถœ ์ธ์ž , , ํ•จ์ˆ˜ ํ˜ธ์ถœ ์ธ์ž , , str1์— ์žˆ๋Š” ๋ฌธ์ž์—ด์—์„œ str2 ๋ฌธ์ž๊ฐ€ ์žˆ์„ ๊ฒฝ์šฐ ๊ทธ ๋ฌธ์ž ๊นŒ์ง€์˜ ๊ฐœ์ˆ˜๋ฅผ ๋ฆฌํ„ดํ•œ๋‹ค. flag ๊ฐ’์„ ์–ป๊ธฐ ์œ„ํ•ด์„œ๋Š” ํ•จ์ˆ˜๋ฅผ ๊ฑฐ์ณ์„œ ๋ฐ˜ํ™˜ ๊ฐ’์ด 1์ด์–ด์•ผ ํ•œ๋‹ค. ๋ฐ˜ํ™˜ ๊ฐ’์„ ์–ป๊ธฐ ๊นŒ์ง€์˜ ์กฐ๊ฑด๋“ค์ด ๋„ˆ๋ฌด ๋”๋Ÿฝ๋‹คโ€ฆ ํ•ด๋‹น ์กฐ๊ฑด์„ ๋””์ปดํŒŒ์ผ ํ•œ ๊ฒฐ๊ณผ ์กฐ๊ฑด์„ ๋งŒ์กฑํ•  ์‹œ ๋ฐ˜ํ™˜ ๋˜๋Š” ๊ฐ’์€ 1์ด๋‹ค. ๋ฌธ์ œ ์ œ๋ชฉ ์ฒ˜๋Ÿผ Z3๋ฅผ ํ†ตํ•ด ํ’€์–ด๋ณด๋„๋ก ํ•˜๊ฒ ๋‹ค. ํ•ด๊ฒฐ ๋ฐฉ์•ˆ SAT (Boolean SATisfiability problem) ์ฃผ์–ด์ง„ Boolean ์‹์„ ์ถฉ์กฑ์‹œํ‚ค๋Š” ํ•ด (True๋กœ ํ‘œํ˜„๋˜๋Š” ํ•ด)๊ฐ€ ์กด์žฌํ•˜๋Š”์ง€ ๊ฒฐ์ •ํ•˜๋Š” ๋ฌธ์ œ SAT๋Š” ๋ช…์ œ๋…ผ๋ฆฌ์‹์ด๊ธฐ ๋•Œ๋ฌธ์— ๊ฐ ๋ณ€์ˆ˜์— True/False๋งŒ ํ• ๋‹นํ•œ๋‹ค. ๋ฐ”์ด๋„ˆ๋ฆฌ ์ •๋ณด ๋ฐ”์ด๋„ˆ๋ฆฌ ์‹คํ–‰

August 14, 2020
CTF
Droid APK ์ทจ์•ฝ์  ์—ฐ๊ตฌ

์ทจ์•ฝ์  ๋ถ„์„ ์•ˆ๋“œ๋กœ์ด๋“œ ์•ฑ์˜ ์‹œ์ž‘์  MainActivty1 k() ์˜ ๋ฐ˜ํ™˜๊ฐ’์ด False ์ด๋ฉด ์•ฑ ์ข…๋ฃŒ K ํ•จ์ˆ˜ ๋ถ„์„ ๋นŒ๋“œ ๋„ค์ž„์ด ์•„๋ž˜ ์ค‘ ํ•˜๋‚˜ ์กฐ๊ฑด์— ๋งž์œผ๋ฉด ํ†ต๊ณผ MainActivity2 intent ์š”์ฒญ ์กฐ๊ฑด ๋ถ„์„ Button์„ ๋ˆ„๋ฅด๋ฉด ๊ธธ์ด๊ฐ€ (10 โ‰ฅ && โ‰ค 26) ์ผ ๊ฒฝ์šฐ Main2Activity ๋ฅผ ํ˜ธ์ถœ MainActivity2 MainActivty์—์„œ ์ž…๋ ฅ ๋ฐ›์€ edittext ๋ฅผ stringExtra ๋ณ€์ˆ˜์— ์ €์žฅ obj์— Main2Activity์—์„œ ์ž…๋ ฅํ•˜๋Š” ๊ฐ’์„ ์ €์žฅํ•˜๊ณ  ํ•จ์ˆ˜๋ฅผ stringExtra๋กœ ์‹คํ–‰ํ•œ ๊ฐ’๊ณผ ์ผ์น˜ํ•˜๋Š”์ง€ ๋น„๊ตํ•œ๋‹ค. MainActivty์—์„œ ์ž…๋ ฅํ•œ ๊ฐ’์ด id, Main2Acticity์—์„œ ์ž…๋ ฅํ•œ ๊ฐ’์ด password์ธ ๊ฒƒ์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ๋‹ค. MainActivity2 a ํ•จ์ˆ˜ ๋ถ„์„ ์ž…๋ ฅ ๋ฐ›์€ str(id) ๋ฅผ ๊ฐ–๊ณ  xor ์—ฐ์‚ฐ์„ ํ•˜๋ฉด์„œ ์—ฐ์‚ฐํ•˜๋Š” ํ•จ์ˆ˜ MainActivity3 ๋ถ„์„ ํ•จ์ˆ˜ ๋ฐ˜ํ™˜ ๊ฐ’๊ณผ Main3Activity ์—์„œ ์ž…๋ ฅํ•˜๋Š”โ€ฆ

August 14, 2020
Mobile
CodeGate2018 RedVelvet write-up

๋ฐ”์ด๋„ˆ๋ฆฌ ์ •๋ณด main ํ•จ์ˆ˜ ๋ถ„์„ Undefined (U) โ†’ Create String (a) โ†’ WOW String ์ธ์ฝ”๋”ฉ๋˜์–ด์ง„ ๊ฐ’์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ๋‹ค. ์‚ฌ์šฉ์ž ์ž…๋ ฅ์„ 27๋ฐ”์ดํŠธ๋ฅผ ๋ฐ›์œผ๋ฉฐ ~ ๊นŒ์ง€ ํ•จ์ˆ˜ ํ˜ธ์ถœ ๊ณผ์ •์ด ๋๋‚˜๊ณ  ๋ฅผ ํ˜ธ์ถœํ•˜๋Š” ๊ฒƒ์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ๋‹ค. ptrace Anti-Debugging ํ•จ์ˆ˜๋Š” ์ธ์ž ์„ ๋ฐ›์œผ๋ฉฐ ํ˜ธ์ถœ๋˜๋ฉฐ ๋ฐ˜ํ™˜ ๋˜๋Š” ๊ฐ’์ด ๊ฐ’ ์ฆ‰, ๊ณผ ๋น„๊ต๋˜์–ด 0 ์ด ์•„๋‹ˆ๊ฒŒ ๋˜๋ฉด ์ •์ƒ ๋ฃจํ‹ด์ด ์•„๋‹Œ ๋‹ค๋ฅธ ๋ฃจํ‹ด์œผ๋กœ ๋น ์ง€๋Š” ๊ฒƒ์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ์—ˆ๋‹ค. ์˜ ์˜ต์…˜์€ ์ž๊ธฐ ์ž์‹ ์—๊ฒŒ ๋””๋ฒ„๊ฑฐ๋ฅผ ๋ถ™์ด๋ผ๋Š” ์˜๋ฏธ๋กœ์„œ ํ•ด๋‹น ์ฝ”๋“œ์—์„œ๋Š” ์˜ ๊ฒฐ๊ณผ๊ฐ€ -1์ธ์ง€ ๊ฒ€์‚ฌํ•˜๊ณ  ์ฐธ์ด๋ผ๋ฉด ์œ ํšจํ•˜์ง€ ์•Š์€ ์ฝ”๋“œ ์˜์—ญ์œผ๋กœ ์ ํ”„๋ฅผ ํ•˜๊ฒŒ ๋œ๋‹ค. ์ฆ‰ ์•ˆํ‹ฐ ๋””๋ฒ„๊น…์„ ํ•˜๊ธฐ ์œ„ํ•ด ํ•˜๋Š” ๊ฒƒ์ด๋‹ค. ์•ˆํ‹ฐ ๋””๋ฒ„๊น… ๊ฒ€์‚ฌ๋ฅผ ๋งˆ์นœ ํ›„์— ๋‹ค์‹œ ~ ๊นŒ์ง€ ํ•จ์ˆ˜๋ฅผ ์ด์šฉํ•˜์—ฌ ์ž…๋ ฅ๊ฐ’ ๊ฒ€์ฆ์„ ์‹œ๋„ํ•œ๋‹ค. ํ•จ์ˆ˜์˜ ๋ฐ˜ํ™˜ ๊ฐ’์„ ์ธ์ž๋กœ ์‚ผ์•„ ํ•จ์ˆ˜๊ฐ€ ํ˜ธ์ถœ๋˜๋Š” ๊ฒƒ์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ์œผ๋ฉฐ, ํ•จ์ˆ˜๋ฅผ ๋ฐ”ํƒ•์œผ๋กœ rax๋ ˆ์ง€์Šคํ„ฐ ์ฆ‰, ๊ฒ€์ฆ ํ•จ์ˆ˜โ€ฆ

August 14, 2020
CTF
angr ๋ฐ”์ด๋„ˆ๋ฆฌ ๋ถ„์„ ํ™œ์šฉ ๋ฐฉ์•ˆ 2

The Loader ๋ฅผ ๋กœ๋“œํ•˜๊ณ  ๋กœ๋”์™€ ์ƒํ˜ธ ์ž‘์šฉ ํ•˜๋Š” ๋ฐฉ๋ฒ•์— ๋Œ€ํ•ด ์•Œ์•„๋ณด์ž ์˜ˆ์ œ๋กœ ์‚ฌ์šฉํ•  ๋ฐ”์ด๋„ˆ๋ฆฌ๋Š” ๋‹ค์Œ ๋งํฌ์—์„œ ๋‹ค์šด๋กœ๋“œ: dnsdudrla97/angr-doc Loaded Objects CLE ๋กœ๋” (cle.Loader)๋Š” ๋กœ๋“œ๋œ ๋ฐ”์ด๋„ˆ๋ฆฌ ๊ฐ์ฒด์˜ ์ „์ฒด ๊ทธ๋ฃน์„ ๋‚˜ํƒ€๋‚ด๋ฉฐ ๋‹จ์ผ ๋ฉ”๋ชจ๋ฆฌ ๊ณต๊ฐ„์— ๋กœ๋“œ๋˜๊ณ  ๋งคํ•‘๋œ๋‹ค. ๊ฐ ๋ฐ”์ด๋„ˆ๋ฆฌ ๊ฐ์ฒด๋Š” ํŒŒ์ผ ํ˜•์‹(cle.Backend์˜ subclass)์„ ์ฒ˜๋ฆฌํ•  ์ˆ˜ ์žˆ๋Š” loader backend์— ์˜ํ•ด ๋กœ๋“œ๋œ๋‹ค. ์˜ˆ๋ฅผ ๋“ค์–ด, cle.ELF ๋Š” ELF ๋ฐ”์ด๋„ˆ๋ฆฌ ํŒŒ์ผ์„ ๋กœ๋“œ ํ•˜๋Š” ๋ฐ ์‚ฌ์šฉ๋œ๋‹ค. ๋ฉ”๋ชจ๋ฆฌ์— ๋กœ๋“œ๋œ ๋ฐ”์ด๋„ˆ๋ฆฌ ์ˆ˜ ์™€ ์ผ์น˜ํ•˜์ง€ ์•Š๋Š” ๊ฐ์ฒด๋„ ์žˆ์„ ๊ฒƒ์ด๋ฉฐ ์˜ˆ๋ฅผ ๋“ค์–ด, ์ง€์›์„ ์ œ๊ณตํ•˜๋Š” ๋ฐ ์‚ฌ์šฉ๋˜๋Š” ๊ฐ์ฒด์™€ ํ™•์ธ๋˜์ง€ ์•Š์€ Symbols์„ ์ œ๊ณตํ•˜๋Š”๋ฐ ์‚ฌ์šฉ๋˜๋Š” ์™ธ๋ถ€ ๊ฐ์ฒด CLE๊ฐ€ ์™€ ํ•จ๊ป˜ ๋กœ๋“œํ•œ ์ „์ฒด ๋ชฉ๋ก๋ฟ๋งŒ ์•„๋‹ˆ๋ผ ๋‹ค์Œ๊ณผ ๊ฐ™์ด ๋ช‡ ๊ฐ€์ง€ ์ถ”๊ฐ€ ํ‘œ์  ๋ถ„๋ฅ˜๋„ ์–ป์„ ์ˆ˜์žˆ๋‹ค. ํ•ด๋‹น ๊ฐ์ฒด๋“ค๊ณผ ์ง์ ‘ ์ƒํ˜ธ ์ž‘์šฉํ•˜์—ฌ ๋ฉ”ํƒ€ ๋ฐ์ดํ„ฐ๋ฅผ ์ถ”์ถœ ํ•  ์ˆ˜ ์žˆ๋‹ค. Symbols anโ€ฆ

August 14, 2020
AnalyzingBinaries
angr ๋ฐ”์ด๋„ˆ๋ฆฌ ๋ถ„์„ ํ™œ์šฉ ๋ฐฉ์•ˆ 3

angr fauxware ๋ฌธ์ œ ํ’€์ด ๋ฌธ์ œ ๋ฐ”์ด๋„ˆ๋ฆฌ dnsdudrla97/angr-doc data ์„น์…˜ authenticate ํ•จ์ˆ˜ ์ „์—ญ ๋ณ€์ˆ˜๊ฐ€ ๊ฐ€๋ฆฌํ‚ค๊ณ  ์žˆ๋Š” ๋ฌธ์ž์—ด ๊ณผ ์œ ์ € ์ด๋ฆ„์„ ํ•จ์ˆ˜๋ฅผ ๋ฐ”ํƒ•์œผ๋กœ ๋น„๊ต๋ฅผ ํ†ตํ•ด ๊ฐ™์œผ๋ฉด 1์„ ๋ฐ˜ํ™˜ํ•˜๊ณ  ์•„๋‹์‹œ ์œ ์ € ์ด๋ฆ„์— ํ•ด๋‹น ํ•˜๋Š” ํŒŒ์ผ ์ด๋ฆ„์„ ํ•จ์ˆ˜๋ฅผ ๋ฐ”ํƒ•์œผ๋กœ ์ฝ๊ณ  ํ•ด๋‹น ๊ฐ’๊ณผ ์œ ์ € ํŒจ์Šค์›Œ๋“œ์™€ ๋น„๊ตํ•˜์—ฌ ๊ฐ™์œผ๋ฉด 1์„ ๋ฐ˜ํ™˜ ์•„๋‹ˆ๋ฉด 0์„ ๋ฐ˜ํ™˜ํ•œ๋‹ค. ์šฐ๋ฆฌ๊ฐ€ ํ”ผํ•ด์•ผํ•  ์ฃผ์†Œ ๊ฐ’์€ ์ž„์„ ์•Œ ์ˆ˜์žˆ๋‹ค. ์ ‘๊ทผํ•ด์•ผ ํ•˜๋Š” ์œ„์น˜ ๊ธฐ๋ณธ์ ์œผ๋กœ ์•ž์—์„œ ํ•จ์ˆ˜์—์„œ ๋ฐ˜ํ™˜๋œ ๊ฐ’์ด 1 ์ผ ๊ฒฝ์šฐ ํ•จ์ˆ˜๋ฅผ ํ˜ธ์ถœํ•˜๊ฒŒ ๋œ๋‹ค. angr solve 1 angr sovle 2 data ์„น์…˜ authenticate ํ•จ์ˆ˜ ์ ‘๊ทผํ•ด์•ผ ํ•˜๋Š” ์œ„์น˜ angr solve 1 angr sovle 2

August 14, 2020
AnalyzingBinaries
angr ๋ฐ”์ด๋„ˆ๋ฆฌ ๋ถ„์„ ํ™œ์šฉ ๋ฐฉ์•ˆ 1

ํ”„๋กœ์ ํŠธ ์„ ํƒ loader ์ด์ง„ ํŒŒ์ผ์—์„œ ๊ฐ€์ƒ ์ฃผ์†Œ ๊ณต๊ฐ„์—์„œ ํ‘œํ˜„ํ•˜๋Š” ๊ฒƒ์€ ๋งค์šฐ ๋ณต์žกํ•˜๋‹ค. ์ด๋ฅผ ์ฒ˜๋ฆฌํ•˜๊ธฐ ์œ„ํ•˜์—ฌ CLE ๋ชจ๋“ˆ์ด ์žˆ๋‹ค. ๋กœ๋”๋ผ๊ณ  ํ•˜๋Š” CLE์˜ ๊ฒฐ๊ณผ๋Š” ์†์„ฑ์—์„œ ์‚ฌ์šฉํ•  ์ˆ˜ ์žˆ์œผ๋ฉฐ ํ”„๋กœ๊ทธ๋žจ๊ณผ ํ•จ๊ป˜ ๋กœ๋“œ๋œ ๊ณต์œ  ๋ผ์ด๋ฒ„๋ฆฌ๋ฅผ ๋ณด๊ณ  ๋กœ๋“œ๋œ ์ฃผ์†Œ ๊ณต๊ฐ„์— ๋Œ€ํ•œ ๊ธฐ๋ณธ ์ฟผ๋ฆฌ๋ฅผ ์ˆญํ–‰ํ•˜๋Š”๋ฐ ์‚ฌ์šฉํ•  ์ˆ˜ ์žˆ๋‹ค. p.factory (์ƒ์„ฑ์ž๋“ค) ์—๋Š” ๋งŽ์€ ํด๋ž˜์Šค๊ฐ€ ์žˆ์œผ๋ฉฐ ๋Œ€๋ถ€๋ถ„ ํ”„๋กœ์ ํŠธ๋ฅผ ์ธ์Šคํ„ด์Šคํ™”ํ•ด์•ผ ํ•œ๋‹ค. ๋ชจ๋“  ๊ณณ์—์„œ ํ”„๋กœ์ ํŠธ๋ฅผ ์‚ฌ์šฉํ•  ์‹œ ์ž์ฃผ ์‚ฌ์šฉํ•˜๊ณ  ์‹ถ์€ ๊ณตํ†ต ๊ฐ์ฒด์— ๋Œ€ํ•œ ๋ช‡ ๊ฐ€์ง€ ํŽธ๋ฆฌํ•œ ์ƒ์„ฑ์ž๋ฅผ ์ œ๊ณตํ•œ๋‹ค. block ์ฃผ์–ด์ง„ ์ฃผ์†Œ์—์„œ ๊ธฐ๋ณธ ์ฝ”๋“œ ๋ธ”๋ก์„ ์ถ”์ถœํ•˜๋Š”๋ฐ ์‚ฌ์šฉ๋œ๋‹ค. state ๊ฐ์ฒด๋Š” ํ”„๋กœ๊ทธ๋žจ์˜ โ€œ์ดˆ๊ธฐํ™” ์ด๋ฏธ์ง€โ€ ๋งŒ์„ ๋‚˜ํƒ€๋‚ธ๋‹ค. ๋กœ ์‹คํ–‰์„ ์ˆ˜ํ–‰ํ•  ๋•Œ ์‹œ๋ฎฌ๋ ˆ์ด์…˜ ๋œ ํ”„๋กœ๊ทธ๋žจ ์ƒํƒœ๋ฅผ ๋‚˜ํƒ€๋‚ด๋Š” ํŠน์ • ๊ฐœ์ฒด์ธ ๋กœ ์ž‘์—…ํ•œ๋‹ค. ๋Š” ํ”„๋กœ๊ทธ๋žจ์˜ ๋ฉ”๋ชจ๋ฆฌ, ๋ ˆ์ง€์Šคํ„ฐ, ํŒŒ์ผ ์‹œ์Šคํ…œ ๋ฐ์ดํ„ฐ๋ฅผ ํฌํ•จํ•˜๊ณ  ์žˆ๋‹ค. ํ•ด๋‹น ๊ฐ’๋“ค์€ ํŒŒ์ด์ฌ์˜ ์ •์ˆ˜๊ฐ€ ์•„๋‹ˆ๋‹ค. ์ด๋‹ค. ํŒŒ์ด์ฌ ์ •์ˆ˜๋Š” CPU์˜ ๋‹จ์–ด์™€ ๋™์ผํ•œ ์˜๋ฏธโ€ฆ

August 14, 2020
AnalyzingBinaries
TWCTF2016 ReverseBox ๋ถ„์„

์ทจ์•ฝ์  ๋ถ„์„ ๋ฐ”์ด๋„ˆ๋ฆฌ ์ •๋ณด ํ•ด๋‹น ๋ฐ”์ด๋„ˆ๋ฆฌ๋ฅผ ์˜ฌ๋ฐ”๋ฅธ ํ”Œ๋ž˜๊ทธ์™€ ํ•จ๊ป˜ ์‹คํ–‰ํ–ˆ์„ ๋•Œ์˜ ์•„์›ƒํ’€ ์ •๋ณด๋ฅผ ๋ณด์—ฌ์ค€๋‹ค. main ํ•จ์ˆ˜ ๋ถ„์„ ํ˜•์˜ ๋ฐฐ์—ด์€ ํ•จ์ˆ˜๋กœ ์ดˆ๊ธฐํ™”๊ฐ€ ๋˜์–ด์ง€๋ฉฐ argv์˜ค ์ž…๋ ฅํ•œ ๊ธธ์ด ๋งŒํผ ๋ฃจํ‹ด์„ ๋Œ๋ฉด์„œ ์˜ ์ธ๋ฑ์Šค ๋กœ ์‚ฌ์šฉ๋˜์–ด ํ•ด๋‹น ๊ฐ’์„ ์ถœ๋ ฅํ•œ๋‹ค. ์ธ์ˆ˜๋ฅผ ์‚ฌ์šฉํ•˜์—ฌ ๋ฐ”์ด๋„ˆ๋ฆฌ๋ฅผ ์‹คํ–‰ํ•˜๋Š”์ง€ ํ™•์ธํ•˜๊ณ , ๊ณ„์‚ฐ ํ•จ์ˆ˜๋ฅผ ํ˜ธ์ถœํ•˜๊ณ  ๋งˆ์ง€๋ง‰์œผ๋กœ ๊ฒฐ๊ณผ๋ฅผ ์ถœ๋ ฅํ•œ๋‹ค. ์ถœ๋ ฅ ํ˜•์‹์„ ๋ณด๋ฉด 16์ง„์ˆ˜ ํ˜•์‹์˜ ๊ฒฐ๊ณผ๋ฅผ ์•Œ ์ˆ˜ ์žˆ๋‹ค. init_table ํ•จ์ˆ˜ ๋ถ„์„ do~while ๋ฌธ์„ ๋ฐ”ํƒ•์œผ๋กœ ์„ ์ดˆ๊ธฐํ™”ํ•œ ํ›„ ๋‚˜๋จธ์ง€ ์˜ ๊ฐ’์€ 0๋ฒˆ์งธ ๊ฐ’์„ ์ด์šฉํ•ด ์ƒ์„ฑํ•˜๋Š” ๊ฒƒ์„ ํ™•์ธํ•  ์ˆ˜์žˆ๋‹ค. ์— ์˜ฌ ์ˆ˜ ์žˆ๋Š” ๊ฒฝ์šฐ์˜ ์ˆ˜๋Š” 256์ด๊ธฐ ๋•Œ๋ฌธ์— ์ƒ์„ฑ๋  ์ˆ˜์žˆ๋Š” ์˜ ์ˆ˜๋„ 256๊ฐ€์ง€ ์ด๋‹ค. ์‹œ๊ฐ„์„ ๋‚œ์ˆ˜ ์‹œ๋“œ๋กœ ์‚ฌ์šฉํ•˜๋ฉฐ ๊ฒฝ์šฐ์˜ ์ˆ˜๊ฐ€ ๋‹ค์ˆ˜์ด๋‹ค. ํ•ด๋‹น ์–ด์…ˆ๋ธ”๋ฆฌ์–ด๋ฅผ ์‚ดํŽด๋ณด๋„๋ก ํ•œ๋‹ค. ํ•˜์œ„ 2 ๋น„ํŠธ, ์ฆ‰ 0-ff์˜ ๊ฒฝ์šฐ ๋‹ค์Œ ROR1 ๊ณ„์‚ฐ ๋งŒ ์ทจํ•ด ๋ณด๊ฒ ๋‹ค. ์ด๊ฒƒ์€ ์•Œ๊ณ ๋ฆฌ์ฆ˜์ด๋ฉฐ ๋‹ค์‹œ ๋˜๋Œ๋ฆฌ์ˆ˜ ์—†๋‹ค. ๊ทธ๋ ‡๊ธฐ ๋•Œ๋ฌธ์— ๋ธ”๋ผ์ŠคํŒ…์˜ ์‚ฌ์šฉ์€ ์ œํ•œ๋œ๋‹ค. โ€ฆ

August 14, 2020
CTF
GDB cheat sheet

GDB ๋ช…๋ น์–ด ๋ฐ ํ•จ์ˆ˜ ์ •๋ฆฌ ์‹œ์ž‘ ๋„์›€๋ง Breakpoints Stack Backtrace ์†Œ์Šค๋‚ด๋ถ€ Data GDB ๋ช…๋ น์–ด ๋ฐ ํ•จ์ˆ˜ ์ •๋ฆฌ ์‹œ์ž‘ ๋„์›€๋ง Breakpoints Stack Backtrace ์†Œ์Šค๋‚ด๋ถ€ Data

June 09, 2020
Tools
BurpSuite ์ธ์ฆ์„œ ์„ค์น˜ ๋ฐฉ๋ฒ•

ํ”„๋ก์‹œ ์„ค์ • ๋ฐฉ๋ฒ• ํฌ๋กฌ ๋ธŒ๋ผ์šฐ์ € ์œ„์ฃผ ์„ค์ • (ํฌ๋กฌ ์„ค์ • โ†’ ์‹œ์Šคํ…œ) ์ˆ˜๋™ ํ”„๋ก์‹œ ์„ค์ • ๊ธฐ๋ณธ์ ์œผ๋กœ 127.0.0.1:8080์„ ์‚ฌ์šฉํ•œ๋‹ค. Burp Suite CA ์ธ์ฆ์„œ ์„ค์น˜ ๊ณผ์ • (Chrome ์ธ์ฆ ๊ณผ์ •) Burp Suite๋ฅผ ๋ฐ”ํƒ•์œผ๋กœ SSL/TLS ์•”ํ˜ธํ™” ๊ธฐ๋ฐ˜์˜ HTTPS ์›น ์‚ฌ์ดํŠธ๋ฅผ ํƒ์ƒ‰ ํ•  ๊ฒฝ์šฐ ํ”„๋ก์‹œ๋Š” ์ธ์ฆ ๊ธฐ๊ด€ (CA)์œผ๋กœ ๊ณต์œ ํ‚ค ์ธ์ฆ์„œ๋กœ ์„œ๋ช…๋œ ๊ฐ ํ˜ธ์ŠคํŠธ์— ๋Œ€ํ•ด SSL ์ธ์ฆ์„œ๋ฅผ ์ƒ์„ฑํ•˜๊ฒŒ ๋œ๋‹ค. CA ์œผ๋กœ ๋ฐœ๊ธ‰๋œ ์ธ์ฆ์„œ๋Š” Burp Suite๋ฅผ ์ฒ˜์Œ ๊ตฌ๋™ํ•˜์˜€์„ ๋•Œ ๋กœ์ปฌ ํ™˜๊ฒฝ์— ์ €์žฅ์ด ๋œ๋‹ค. HTTPS ์›น ์‚ฌ์ดํŠธ์—์„œ Burp Suite Proxy๋ฅผ ์‚ฌ์šฉํ•˜๋ ค๋ฉด ๋ธŒ๋ผ์šฐ์ €์—์„œ Burp Suite CA ์ธ์ฆ์„œ๋ฅผ ์— ์„ค์น˜๋ฅผ ํ•ด์•ผ ๋œ๋‹ค. Burp Suite CA ์ธ์ฆ์„œ ๋ฐœ๊ธ‰ ๊ณผ์ • Burp Suite ํ”„๋ก์‹œ ์„œ๋ฒ„๋ฅผ ๊ธฐ์ ์œผ๋กœ ๋กœ์ปฌ ํ™˜๊ฒฝ ํ”„๋ก์‹œ๊ฐ€ ์„ธํŒ…๋˜์–ด ์žˆ๋Š” ์ƒํƒœ Burp Suite CA ๋‹ค์šด๋กœ๋“œ ํฌ๋กฌ ์›น ๋ธŒ๋ผ์šฐ์ €๋ฅผ ์‹คํ–‰ ์‹œํ‚จ ํ›„ ์ฃผ์†Œ์ฐฝ์— ๋ฅผ ์ž…๋ ฅํ•œ๋‹ค. Burp Suite ์›น ์‚ฌ์ดโ€ฆ

June 06, 2020
troubleshooting
Metasploit ํ™˜๊ฒฝ ๊ตฌ์„ฑ

ํ•˜๋“œ ๋“œ๋ผ์ด๋ธŒ ๊ณต๊ฐ„ 10 GB ์ด์ƒ์˜ ์‚ฌ์šฉ ๊ฐ€๋Šฅํ•œ ์ €์žฅ ๊ณต๊ฐ„ ๋Œ€์šฉ๋Ÿ‰ ํŒŒ์ผ ์‹œ์Šคํ…œ์„ ์ง€์›ํ•˜๋Š” NTFS, EXT3 ๋˜๋Š” ๊ธฐํƒ€ ํŒŒ์ผ ์‹œ์Šคํ…œ ํ˜•์‹์„ ์„ ํƒ ํ•ด์•ผ ํ•œ๋‹ค. ํ•„์š”ํ•œ ๊ถŒ์žฅ ๊ณต๊ฐ„ 30 GB ์ •๋„ ์‚ฌ์šฉ ๊ฐ€๋Šฅํ•œ ๋ฉ”๋ชจ๋ฆฌ ํ˜ธ์ŠคํŠธ OS์— RAM๊ณผ ๊ฐ ๊ฐ€์ƒ ๋จธ์‹ ์— ํ• ๋‹นํ•˜๋Š” RAM์˜ ์ถฉ๋ถ„ํ•œ ์–‘์ด ํ•„์š”ํ•œ๋‹ค. Linux ํ˜ธ์ŠคํŠธ ์ตœ์†Œ ๋ฉ”๋ชจ๋ฆฌ ์š”๊ตฌ ์‚ฌํ•ญ 1GB์˜ ์‹œ์Šคํ…œ ๋ฉ”๋ชจ๋ฆฌ (2GB ์ •๋„๋ฉด ์ ๋‹น) Kali Linux Guest ์ตœ์†Œ ๋ฉ”๋ชจ๋ฆฌ ์š”๊ตฌ ์‚ฌํ•ญ ์ตœ์†Œ 1GB์˜ RAM (2GB ๊ถŒ์žฅ) ํ”„๋กœ์„ธ์„œ 64 bit ์ฟ ๋“œ ์ฝ”์–ด CPU ์ด์ƒ์„ ๊ถŒ์žฅํ•œ๋‹ค. AWS (Amazon Web Server) ์ƒ์—์„œ ์นผ๋ฆฌ ๋ฆฌ๋ˆ…์Šค, ๋ฉ”ํƒ€์Šคํด๋กœ์ž‡์„ ๊ตฌ๋™์„ ํ•˜์—ฌ ์™ธ๋ถ€ ์„œ๋น„์Šค๋ฅผ ์ ๊ฒ€์„ ํ•˜๊ฒŒ ๋œ๋‹ค. ๋Œ€์™ธ์ ์œผ๋กœ ํด๋ผ์šฐ๋“œ ์„œ๋น„์Šค ํ™˜๊ฒฝ์—์„œ๋„ ์˜ฌ๋ ค ์‚ฌ์šฉํ•˜๊ณ  ์žˆ๋‹ค. METASPLOITABLE (ํ”ผํ•ด์ž ํ™˜๊ฒฝ) ์•…์šฉ ํ”„๋ ˆ์ž„ ์œ„ํฌ๋ฅผ ์‚ฌ์šฉํ•˜๋Š” ๋ฐฉ๋ฒ•์„ ๋ฐฐ์šธ ๋•Œ ๋ฐœ์ƒํ•˜๋Š” ๋ฌธ์ œ ์ค‘ ํ•˜๋‚˜๋Š” ๊ฒ€์ƒ‰ํ•˜๊ณ  ๊ณต๊ฒฉ ํ•  ๋Œ€์ƒ์„ ์ฐพ๊ณ  ๊ตฌ์„ฑํ•˜๋Š” ๊ฒƒ ํ•ด๋‹น ์ด๋ฏธ์ง€๋Š” ์˜๋„์ ์œผ๋กœโ€ฆ

June 05, 2020
Tools
Metasploit ์•„ํ‚คํ…์ฒ˜ ๋ฐ ํŒŒ์ผ ์‹œ์Šคํ…œ ๊ตฌ์กฐ ์ดํ•ด

Metasploit ์•„ํ‚คํ…์ฒ˜ Metasploit์€ Ruby๋กœ ์ž‘์„ฑ๋˜์—ˆ์œผ๋ฉฐ ์ˆ˜๋…„ ๋™์•ˆ ๊ฐœ๋ฐœ๋˜์—ˆ๋‹ค. ์–ธ๋œป๋ณด๊ธฐ์— ํ”„๋กœ์ ํŠธ์˜ ๊ทœ๋ชจ๋Š” ์–ด๋ ค์šธ ์ˆ˜ ์žˆ์ง€๋งŒ ์•„ํ‚คํ…์ฒ˜๋ฅผ ๊นŠ๊ฒŒ๋Š” ํŒŒ๊ณ ๋“ค ํ•„์š”๊ฐ€ ์—†๋‹ค. Metasploit ํŒŒ์ผ ์‹œ์Šคํ…œ ๋ฐ ๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌ์— ์ต์ˆ™ํ•ด์ง€๋ฉด ์ข€๋” ๋Šฅ์ˆ™ํ•˜๊ฒŒ ์ž‘์„ฑํ•  ์ˆ˜ ์žˆ๊ฒ ๋‹ค. Kali Linux์—์„œ Metasploit์€ metasploit-framework ํŒจํ‚ค์ง€๋กœ ์ œ๊ณต๋˜๋ฉฐ ๋””๋ ‰ํ† ๋ฆฌ์— ์„ค์น˜๋œ๋‹ค. Metasploit FileSystem MSF ํŒŒ์ผ ์‹œ์Šคํ…œ์€ ์ง๊ด€์  ์ธ ๋ฐฉ์‹์œผ๋กœ ๋ฐฐ์น˜๋œ๋‹ค. Data Data ๋””๋ ‰ํ„ฐ๋ฆฌ๋Š” ํŠน์ • ๊ณต๊ฒฉ, ๋‹จ์–ด ๋ชฉ๋ก, ์ด๋ฏธ์ง€ ๋ฐ ๋” ํ•„์š”ํ•œ ๋ฐ”์ด๋„ˆ๋ฆฌ์— MSF์—์„œ ์‚ฌ์šฉํ•˜๋Š” ํŽธ์ง‘ ๊ฐ€๋Šฅํ•œ ํŒŒ์ผ์ด ํฌํ•จ๋˜์–ด ์žˆ๋‹ค. Documentation Documentation ๋””๋ ‰ํ„ฐ๋ฆฌ์—๋Š” ํ”„๋ ˆ์ž„ ์›Œํฌ์— ์‚ฌ์šฉ ๊ฐ€๋Šฅํ•œ ๋ฌธ์„œ๊ฐ€ ํฌํ•จ๋œ๋‹ค. LIB LIB ๋””๋ ‰ํ„ฐ๋ฆฌ๋Š” ํ”„๋ ˆ์ž„ ์›Œํฌ ์ฝ”๋“œ ๊ธฐ๋ฐ˜์˜ ๋ผ์ด๋ธŒ๋ฆฌ๋“ค์ด ํฌํ•จ ๋œ๋‹ค. Module Module ์€ ๊ณต๊ฒฉ, ๋ณด์กฐ ๋ฐ ์‚ฌํ›„ ๋ชจ๋“ˆ, ํŽ˜์ด๋กœ๋“œ, ์ธ์ฝ”๋”, โ€ฆ

June 05, 2020
Tools
Windows PE

์œˆ๋„์šฐ ์‹คํ–‰ ํŒŒ์ผ ๊ตฌ์กฐ PE ํŒŒ์ผ (Portable Excutable) ๋‹ค์–‘ํ•œ ์ •๋ณด๋ฅผ ํฌํ•จํ•œ ์ปค๋‹ค๋ž€ ๊ตฌ์กฐ์ฒด๋“ค๋กœ ์ด๋ฃจ์–ด์ ธ ์žˆ๋‹ค. ์ˆ˜๋งŒ์€ ํ…Œ์ด๋ธ”๊ณผ ๋ฉค๋ฒ„๋“ค์„ ํฌํ•จํ•˜๊ณ  ์žˆ๋‹ค. PE ํŒŒ์ผ์˜ ์ข…๋ฅ˜ ์ข…๋ฅ˜ ์„ค๋ช… EXE ์‹คํ–‰ํŒŒ์ผ SCR ์‹คํ–‰ํŒŒ์ผ (ํ™”๋ฉด ๋ณดํ˜ธ๊ธฐ) DLL ๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌ OCX ๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌ (ActivieX) SYS ์‹œ์Šคํ…œ ๋“œ๋ผ์ด๋ฒ„ OBJ ์˜ค๋ธŒ์ ํŠธ ํŒŒ์ผ SCR ํŒŒ์ผ์ด ์‹คํ–‰ ํŒŒ์ผ์ž„์„ ์ธ์ง€ ํ•˜์ง€ ๋ชปํ•œ์ฑ„ ์•…์„ฑ ์ฝ”๋“œ๋กœ ๋™์ž‘ํ•˜๊ฒŒ ๋˜์–ด ํ”ผํ•ด๊ฐ€ ๋ฐœ์ƒํ•œ ๊ฒฝ์šฐ๊ฐ€ ๋‹ค์ˆ˜ ์ฒซ ๋ฐ”์ดํŠธ ๋ถ€ํ„ฐ ์‹œ์ž‘๋œ๋‹ค. PE ํŒŒ์ผ์€ ํŒŒ์ผ์— ์กด์žฌํ•  ๋•Œ์˜ ๊ตฌ์กฐ์™€ ๋ฉ”๋ชจ๋ฆฌ์— ๋กœ๋“œ๋œ ํ›„์˜ ๋ชจ์Šต์ด ๋‹ฌ๋ผ์ง„๋‹ค. ํŒŒ์ผ์—์„œ๋Š” ์ฒซ ๋ฐ”์ดํŠธ๋ถ€ํ„ฐ์˜ ๊ฑฐ๋ฆฌ๋ฅผ offset์„ ์‚ฌ์šฉํ•œ๋‹ค. ๋ฉ”๋ชจ๋ฆฌ์—์„œ๋Š” VA(Virtual Address), RVA(Relative Virtual Address, ์ƒ๋Œ€์  ๊ฐ€์ƒ ์ฃผ์†Œ) ๊ณ ์ • ์ฃผ์†Œ ๋Œ€์‹  ์ƒ๋Œ€ ์ฃผ์†Œ๋ฅผ ์‚ฌ์šฉํ•˜๋Š” ์ด์œ ๋Š” ํ•ด๋‹น PE ํŒŒ์ผ์ด ๋ฉ”๋ชจ๋ฆฌ์— ๋กœ๋“œ ๋  ๋•Œ ํ•œ ์ฃผ์†Œ์— ๊ณ ์ •์ ์œผ๋กœ ๋กœ๋”ฉ๋˜๋Š” ๊ฒƒ์ด ์•„๋‹ˆ๊ธฐ ๋–„๋ฌธ์ด๋‹ค. ๋ฉ”๋ชจ๋ฆฌ์— ๋กœ๋“œ๋œ ํ›„์— โ€ฆ

June 02, 2020
Windows
Theory
Exploit, ์ทจ์•ฝ์  ?

์ทจ์•ฝ์  ์‚ฌ์šฉ์ž์—๊ฒŒ ํ—ˆ์šฉ๋œ ๊ถŒํ•œ ์ด์ƒ์˜ ๋™์ž‘์ด๋‚˜ ์ •๋ณด ์—ด๋žŒ์„ ๊ฐ€๋Šฅํ•˜๊ฒŒ ํ•˜๋Š” ์†Œํ”„ํŠธ์›จ์–ด์˜ ์„ค๊ณ„์ƒ์˜ ํ—ˆ์ ์ด๋‚˜ ๊ฒฐํ•จ ์†Œํ”„ํŠธ์›จ์–ด, ํ•˜๋“œ์›จ์–ด, ์ ˆ์ฐจ ๋ฐ ๊ด€๋ฆฌ ๋“ฑ ๋„“์€ ์˜๋ฏธ๋ฅผ ์˜ˆ๊ธฐํ•˜์ง€๋งŒ ์ค‘์ ์€ ๊ธฐ์ˆ ์  ์†Œํ”„ํŠธ์›จ์–ด ๊ฒฐํ•จ ์„ ํ†ตํ•œ ์ทจ์•ฝ์  ๋ฐœ์ƒ ์—ฌ๋ถ€์ด๋‹ค. Exploit ์ทจ์•ฝ์ ์ด ๋ฐœ๊ฒฌ๋˜๋ฉด ํ•ด๋‹น ์ทจ์•ฝ์ ์„ ๊ณต๊ฒฉํ•˜์—ฌ ์›ํ•˜๋Š” ์ฝ”๋“œ๋ฅผ ์‹คํ–‰ํ•˜๊ฑฐ๋‚˜ ํˆญ์ • ๋ชฉ์ ์„ ๋‹ฌ์„ฑํ•˜๋Š” ๊ณต๊ฒฉ ์ฝ”๋“œ ๋˜ํ•œ ๊ณต๊ฐœ ๋œ๋‹ค. ์ด๋Ÿฐ ์ทจ์•ฝ์  ๊ณต๊ฒฉ ์ฝ”๋“œ๋ฅผ Exploit์ด๋ผ ๋ถ€๋ฅด๋ฉฐ ์ด๋Ÿฌํ•œ ๊ณต๊ฒฉ ์ฝ”๋“œ๋ฅผ ์ด์šฉํ•œ ๊ณต๊ฒฉ ํ–‰์œ„ ์ผ์ฒด๋ฅผ ํฌํ•จํ•˜๊ธฐ๋„ ํ•œ๋‹ค. Exploit ๊ณต๊ฐœ ๋ฒ”์œ„ ์œ ๋กœ Exploit ๋ฌด๋ฃŒ Exploit ์•…์˜์ ์ธ Exploit (๊ณต๊ฐœ X) Offensive Securityโ€™s Exploit Database Archive ์ทจ์•ฝ์  ๋ฐœ๊ฒฌ ๋ฐ ํŒจ์น˜ ๋ฐœ๊ฒฌ๋˜๋Š” ์ทจ์•ฝ์ ์ธ ๊ฒฝ์šฐ ๋Œ€๋ถ€๋ถ„์ด ์—ฐ๊ตฌ ๋ชฉ์ ์œผ๋กœ ๊ณต๊ฐœ๊ฐ€ ๋˜์–ด ์ง€๋ฉด์„œ ๋™์‹œ์— ํ•ด๋‹น ์ทจ์•ฝํ•œ ์ œํ’ˆ์„ ๋‹ค๋ฃจ๋Š” ๊ธฐ์—…๋“ค์€ ๊ทธ์— ๋งž์ถฐ ํŒจ์น˜๊ฐ€ ์ด๋ค„์ง„๋‹ค. ํ•˜์ง€๋งŒ ์ทจ์•ฝ์ ์„ ์•…์˜์ ์œผ๋กœ ์‚ฌ์šฉํ•  ๊ฒฝ์šฐ ๊ณต๊ฐœ๋ฅผ ํ•˜์ง€ ์•Š๊ณ  ์„œ ๊ตฐ์‚ฌ์  ์ผ๋ถ€โ€ฆ

June 01, 2020
Talk
Lua ์–ธ์–ด ์ •๋ฆฌ

Lua ์–ธ์–ด ์ •๋ฆฌ ์ฃผ์„ ์ฒ˜๋ฆฌ ๋ณ€์ˆ˜ ์ฒ˜๋ฆฌ ๋ชจ๋“  ์ˆ˜๋Š” double ํ˜•์œผ๋กœ ๋ฐ›๋Š”๋‹ค. 64bit double ํ˜•์—๋Š” ์ด 52bit์˜ ์ •์ˆ˜๊ฐ’์„ ์ €์žฅํ•  ์ˆ˜ ์žˆ๋‹ค. ์ฝ”๋“œ ๋ธ”๋ก ํ‘œ๊ธฐ๋ฒ• ๋ธ”๋ก์€ do, end๋กœ ํ‘œ๊ธฐ๋œ๋‹ค. ๋ณ€์ˆ˜ ๋ฐ ํ๋ฆ„์ œ์–ด ํ•จ์ˆ˜ ํ…Œ์ด๋ธ” ํ…Œ์ด๋ธ”์€ ๋ฃจ์•„์˜ ์œ ์ผํ•œ ํ•ฉ์„ฑ ์ž๋ฃŒ ๊ตฌ์กฐ์ด๋‹ค. ํ…Œ์ด๋ธ”์€ ์—ฐ๊ด€ ๋ฐฐ์—ด์ด๋‹ค. php ๋ฐฐ์—ด, ์ž๋ฐ”์Šคํฌ๋ฆฝํŠธ ๊ฐ์ฒด์™€ ๋น„์Šทํ•˜๋‹ค. ํ…Œ์ด๋ธ”์€ ๋ฆฌ์ŠคํŠธ๋กœ๋„ ์‚ฌ์šฉ๋  ์ˆ˜ ์žˆ๋Š” ํ•ด์‹œ ์ฐธ์กฐ ์‚ฌ์ „์ด๋‹ค. ๋ฉ”ํƒ€๋ฐ์ด๋ธ”๊ณผ ๋ฉ”ํƒ€๋ฉ”์†Œ๋“œ ํ…Œ์ด๋ธ” ํ•˜๋‚˜๋Š” ๋ฉ”ํƒ€ํ…Œ์ด๋ธ” ํ•˜๋‚˜๋ฅผ ๊ฐ€์งˆ ์ˆ˜ ์žˆ๋‹ค. ๊ทธ ๋ฉ”ํƒ€ํ…Œ์ด๋ธ”์€ โ€˜์—ฐ์‚ฐ์ž ์˜ค๋ฒ„๋กœ๋”ฉโ€™์„ ์ œ๊ณตํ•œ๋‹ค. ํด๋ž˜์Šค ์™€ ์œ ์‚ฌํ•œ ํ…Œ์ด๋ธ”๊ณผ ์ƒ์† ํด๋ž˜์Šค๋Š” (๋ฃจ์•„)์— ๋‚ด์žฅ๋˜์–ด ์žˆ์ง€ ์•Š๋‹ค. ํด๋ž˜์Šค๋Š” ํ…Œ์ด๋ธ”๊ณผ ๋ฉ”ํƒ€ํ…Œ์ด๋ธ”์„ ์‚ฌ์šฉํ•˜์—ฌ ๋งŒ๋“ค์–ด์ง„๋‹ค. Dog๋Š” ํด๋ž˜์Šค์ฒ˜๋Ÿผ ๋™์ž‘ํ•œ๋‹ค. (Dog๋Š” ํ…Œ์ด๋ธ” ํ˜•์‹์ด๋‹ค.) function ํ…Œ์ด๋ธ”์ด๋ฆ„:ํ•จ์ˆ˜(โ€ฆ)๋Š” function ํ…Œ์ด๋ธ”์ด๋ฆ„.ํ•จ์ˆ˜(self,โ€ฆ) ๋™์ผํ•˜๋‹ค. โ€˜:โ€™์€ ๋‹จ์ง€ ํ•จ์ˆ˜์˜ ์ฒซ ์ธ์ž์— self๋ฅผ ์ถ”๊ฐ€ํ•œ๋‹ค. newObj(์ƒˆ ๊ฐ์ฒด)๋Š” ํด๋ž˜โ€ฆ

May 29, 2020
Language