Buffer Overflow Attack Experiment (3)

Buffer Overflow Attack Experiment (3)

This experiment is expected to be divided into 3 small experiments to do, this is the third experiment.

• Buffer Overflow Attack Experiment (1)
• Buffer Overflow Attack Experiment (2)
• Buffer Overflow Attack Experiment (3)

This experiment kneeling Xie great god ysunlin of help and guidance ~

No guarantee of success, everything is possible ~

Background introduction

Please refer to experiment (1) (2).

Experimental purpose

The ultimate goal: to give only one need to enter the correct serial number to verify the passed EXE executable file, requiring the use of buffer overflow attacks without knowing the source code to crack the exe file .

Attention!!!

Without knowing the source code in case

Without knowing the source code in case

Without knowing the source code in case

In reality, in the actual attack we can not directly get the source code of the program, so the most likely case is to provide only executable files to crack, open when (if EXE does not prevent disassembly) using disassembly can see assembly language, that's all. What we want to do is to crack this exe, the success of the measurement standard is through the serial number verification .

Of course, because we are just a simple introductory experiment, so in the specific experiment, this EXE file source code is provided, just to remind us exactly what method to use in order to crack success. But the ultimate goal is the above,

Experimental environment

• System

  Windows 10 Home Chinese version (+ bit)

• Ide

  Visual Studio Community 2015

Source

As we said before, in the attack we do not know the source code, but in this experiment we provide the source code only to indicate what might be the attack of the idea.

#define _crt_secure_no_warnings#include <iostream>#include <stdio.h>#include <string.h>intMain () {Charin[ -];printf("Enter Serial number\n");scanf('%s ', in);if(!strncmp(In,"s123n456",8)) {printf("Serial number is correct\n");//The measure of success is the execution of the statement} System ("Pause");return 0;}

Program

• Normal Open

• The successful flag is the output of the line

Crack

Here's how to start thinking about how to hack. Although the purpose of this experiment is to exploit, the 缓存区溢出攻击 main consideration here is how to crack, not necessarily the use of buffer overflow attacks.

Most of the following cracking ideas are attributed to Ysunlin ~

A guess of the way to crack

Maybe the matching string is placed in the global buffer ?

Cracking process

1. Executing the program, (using VS) disassembly to get assembly language code
2. Find the jne command, which is usually used to jump, guess this is the jump statement after the judgment

3. Find the previous jne similar push 352134h statement, remembering this address, which is generally the address of the global buffer.

4. Search the address in memory to 0x352134 get a matching string S123N456 ,

Conclusion

This method is only relatively trickery, but now the password is basically not stored in clear text. The input string will also undergo some processing to match the password, so: (

Two ways to solve the method

Debugging in the assembly language at the time of adding breakpoints, directly modify the register.

This is not achieved, in fact, after attempting to decompile with Visual Studio, add a breakpoint in the jump place, look at the register, can not be modified, so no further attempts.

This approach may work if you can find tools that can decompile the program and modify the registers during execution.

Three ways to crack

This method needs to know the source code, so it cannot achieve our ultimate goal. It's written here just to keep track of the way it is.

using the method of Experiment (1) (2) , it is necessary to return the main function after execution, there must be a jump of return address, we can know the address of the statement at the if point of break. print return After the completion of the function of the return address, search memory can know the data we entered and the main function return address of the difference between the number of bytes, so that when the input data overflow, so that the print statement's execution address overrides the return address of the main function.

The actual measurement is feasible (in the case of the source code), because it is similar to the experimental (1) (2) method, there is no too much elaboration.

Four ways to solve the method

This idea should be the idea that this experiment wants us to realize, use buffer overflow attack to crack.

Similar to the previous experiment (1) and (2), we want to use the reading data this process, the input value can be stretched to cover the stack of some of the jump address, to achieve the purpose of the jump.

Here are two questions we need to solve, that is

1. Where do I change the jump address?

   If you do not see the source code, we do not know what functions inside, do not know what jumps inside, so here consider using the main function of RET to jump .

2. Jump to where?

   Since it is the input of a value if it is correct to pass the verification, here must be judged after the process of jumping. We consider jumping to another branch of judgment .

OK, the idea has, we carry on the experiment.

Process

1. Executing the program, (using VS) disassembly to get assembly language code
2. Find the j beginning of the assembly instructions, the directive is generally used to jump, guess here is the jump statement after the judgment, get the address of the jump after the judgment
3. In the assembly language code to find ret instructions, put a breakpoint, the program before the end of the run we can rob the main function return address (this may be in memory search esp )

Why is there no picture here?

Because there is a problem in the actual operation, is to find the address that needs to jump to, we want to enter data, let buffer overflow to the main function of the return address to overwrite, but here are a few points:

1. The assembly instruction address is
2. Each character in the input string is 1 byte, or 8 bit
3. Which means we're going to use 4 characters to represent this address.
4. The input string is read in ASCII mode.
5. The ASCII code can represent only 128 characters

There's a place to hang daddy!

If the address 7F after the occurrence (decimal 127) After the address, we can not be expressed in ASCII mode ...

Po Main stroke. (┬_┬)

The last few words

1. Attacks do not necessarily succeed
2. Trying to attack while guessing.
3. Luck is definitely needed.
4. Good tools can save a lot of effort.
5. Information safe water is very deep:-P

Buffer Overflow Attack Experiment (3)