Experimental procedure
- First, set up the experiment environment by configuring the 32-bit system.
We disable address space layout randomization, the feature that randomizes the initial addresses of the heap and stack, so that the memory address can be guessed and the buffer overflow attack carried out.
To further protect against buffer overflow and other attacks that spawn a shell, many shell programs drop their privileges when invoked and cannot keep root privileges in the shell; /bin/bash implements this. Set up the zsh program:
Enter the command "linux32" to enter the 32-bit Linux environment, then enter "/bin/bash" to use bash:
Create a new stack.c file in the /tmp directory and enter the following code; the program reads a file named "badfile" and loads the contents of the file into "buffer":
- Compile stack.c and set the Set-UID bit. The compiler options used are:
-fno-stack-protector: turns off the stack protection mechanism that blocks buffer overflows;
-z execstack: allows code on the stack to be executed;
-g: allows the compiled executable to be debugged with GDB.
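As an added educational example (not the lab's stack.c or exploit.c), the unchecked copy pattern such a vulnerable program is built around is shown beside a bounds-checked replacement that refuses input larger than the buffer; the buffer size of 24 and the 200-byte oversized input are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added educational example, not the lab's stack.c. Sizes are assumptions. */
#define BUF_SIZE 24        /* small fixed-size stack buffer (assumed size) */
#define OVERSIZED_LEN 200  /* constructed oversized input, larger than BUF_SIZE */

/* Vulnerable pattern: strcpy stops only at the NUL terminator, so an input
 * longer than BUF_SIZE overruns the stack frame and can overwrite the saved
 * return address. This is the kind of defect a stack-smashing lab program
 * is built around; never call it with untrusted data. */
int bof_unchecked(const char *str) {
    char buffer[BUF_SIZE];
    strcpy(buffer, str);
    return (int)strlen(buffer);
}

/* Hardened replacement: the caller supplies the input length and the copy is
 * refused when it would not fit together with its terminator. Returns -1 on
 * rejection, otherwise the length of the copied string. */
int bof_checked(const char *str, size_t len) {
    char buffer[BUF_SIZE];
    if (str == NULL || len >= BUF_SIZE)
        return -1;
    memcpy(buffer, str, len);
    buffer[len] = '\0';
    return (int)strlen(buffer);
}

/* Builds a constructed oversized input (all 'A') and feeds it to bof_checked,
 * standing in for the contents of a badfile longer than the buffer. */
int checked_rejects_oversized(void) {
    char input[OVERSIZED_LEN + 1];
    memset(input, 'A', OVERSIZED_LEN);
    input[OVERSIZED_LEN] = '\0';
    return bof_checked(input, OVERSIZED_LEN);
}

int main(void) {
    printf("short input, checked copy: %d\n", bof_checked("hello", 5));
    printf("oversized input, checked copy: %d\n", checked_rejects_oversized());
    return 0;
}
```

The checked version keeps the same buffer size but turns an overflow into a rejected call, which is the fix the -fno-stack-protector flag above removes the last line of defence against.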
- Create a new exploit.c with the code below. The \x?? \x?? \x?? \x?? bytes must be replaced with the in-memory address of the shellcode, because that location overwrites the return address once the overflow occurs.
To find the shellcode's in-memory address, run gdb stack and then disass main.
- From the statement strcpy(buffer + 100, shellcode), we calculate the shellcode address as 0xffffd350 (hexadecimal) + 0x64 (100 in hexadecimal) = 0xffffd3b4 (hexadecimal).
- Now modify the exploit.c file: change \x??\x??\x??\x?? to \xb4\xd3\xff\xff (the address written in little-endian byte order).
- Compile the exploit.c program. The first attempt gave an error because "badfile" had been mistyped as "hadfile":
- Run the attack program and then the vulnerable program in turn; entering whoami shows root privileges, so the attack succeeds.
Thoughts and summary
- To carry out the attack, address space randomization must be turned off; obtaining the memory address is the key to a successful attack.
- A different shell program is used instead of /bin/bash, so the system's privilege-dropping safeguard is cancelled.
- The GCC compiler has a stack protection mechanism that prevents buffer overflows, and it must be turned off.
- Calculate the starting address of the shellcode.
- Run the vulnerable program and the attack program to obtain privileges.
- The key to the attack is weakening the system's protections, finding vulnerabilities in the code, and from them working out the memory address in order to attack the system and gain privileges.
2018-2019-1 20165322 "The foundation of Information security system Design" buffer Overflow vulnerability experiment