Ii. concrete steps of the experiment
1. Preparatory work
Install a package that can be used to compile a 32-bit C language program in a 64-bit Linux environment in the lab building
2, close the Linux system related address protection system
In Ubuntu and some other Linux systems, using address space randomization to the initial address of random heap (heap) and stack (stack) makes it difficult to guess the address.
sudo sysctl -w kernel.randomize_va_space=0
Many shell programs automatically give up privileges when they are called, so it is difficult to maintain a root privilege. This step does not fully understand the process during the experiment, so let's put it aside for a while.
Then enter the Linux32-bit environment.
3. Compiling the vulnerability program
Enter the/tmp directory to create a new stack file, compile and set Set-uid
Set-uid gives a way for a normal user to temporarily use Superuser privileges.
The GCC compiler has a stack protection mechanism to prevent buffer overflows, so we need to use –fno-stack-protector to close this mechanism when compiling the code. The-Z execstack is used to allow execution of the stack.
4. Compile the attack program
Create a new exploit.c file in the/tmp directory, in order to save time, the experimental building directly gave us a link to a code file.
wget http://labfile.oss.aliyuncs.com/courses/231/exploit.c
5, modify the memory address, to cover
exploit.c file, \x?? \x?? \x?? \x?? Need to add shellcode to the memory of the address, where overflow occurs just to overwrite the return address. strcpy (Buffer+100,shellcode); This sentence again tells us that the shellcode is saved in buffer + 100 position. So we get Shellcode's address through GDB debugging. Modified the exploit.c file to compile.
6. Running the program
After the address protection mechanism has been modified, the run is unsuccessful and the segment error is displayed.