Linux and Security experiment One: Buffer Overflow vulnerability experiment

Linux and Security experiment One: Buffer overflow vulnerability Experiment 20125113 Zhaoqiao, experimental description

A buffer overflow is a scenario in which a program attempts to write to a buffer beyond the pre-allocated fixed-length data. This can have some serious consequences. Buffer overflow attack: by writing to the program's buffer beyond its length content, causing buffer overflow, thereby destroying the program's stack, causing the program to crash or to make the program to execute other instructions to achieve the purpose of the attack. This vulnerability could be exploited by malicious users to alter the flow control of a program, or even execute arbitrary fragments of code. This vulnerability occurs because of a temporary shutdown of the data buffer and the return address, which causes the return address to be rewritten.

II. Preparation of the experiment

System User name Shiyanlou, password Shiyanlou

The lab building provides 64-bit Ubuntu Linux, and in this experiment we need to operate in 32-bit environments to facilitate the observation of assembly statements, so we need to do some preparation before the experiment.

Practice One:

1. Enter a command to install something for compiling a 32-bit C program. 2. Enter the command "linux32" into the 32-bit Linux environment. At this point you will find that the command line is not as good as the tab completion, so enter "/bin/bash" to use bash.

Iii. Experimental Step 3.1 initial Setup

In Ubuntu and some other Linux systems, the initial address of random heap (heap) and stack (stack) is randomized using address space, which makes it difficult to guess the exact memory address, and guessing the memory address is the key to the buffer overflow attack. So in this experiment, we use the following command to turn off this feature:

In addition, in order to further protect against buffer overflow attacks and other attacks using shell programs, many shell programs automatically abandon their privileges when called. Therefore, even if you can trick a set-uid program into invoking a shell, you cannot maintain root privileges in the shell, which is implemented in/bin/bash.

In a Linux system,/bin/sh is actually a symbolic link to/bin/bash or/bin/dash. To reproduce the situation before this protective measure was implemented, we used another shell program (zsh) instead of/bin/bash. The following instructions describe how to set up the ZSH program:

3.2 Shellcode

In general, a buffer overflow can cause a program to crash, and in the program, the overflow data overwrites the return address. And if the data that overwrites the return address is another address, then the program jumps to that address, and if the address is a piece of well-designed code to implement other functions, this code is shellcode.

Observe the following code:

#include <stdio.h>

{

Char  *name[ 2];

name[0] = ‘‘/bin/sh’’;

name[1] = NULL;

execve(name[0], name, NULL);

}

The shellcode of this experiment is the compiled version of the code just now:

\x31\xc0\x50\x68"//sh" " \x68 /bin"\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80

3.3 Vulnerability Procedures

Save the following code as a "stack.c" file and save it to the/tmp directory. The code is as follows:

The code lets you know that the program reads a file named "Badfile" and loads the contents of the file into "buffer".

Compile the program, and set the Set-uid. The command is as follows:

sudo su

gcc -m32 -g -z execstack -fno-Stack stack stack  .c

Stack

Exit

The GCC compiler has a stack protection mechanism to prevent buffer overflows, so we need to use –fno-stack-protector to close this mechanism when compiling the code.

The-Z execstack is used to allow execution of the stack.

3.4 Attack Program

Our goal is to attack the vulnerability program just now and gain root access through the attack.

Save the following code as a "exploit.c" file and save it to the/tmp directory. The code is as follows:

Notice the above code, "\x??" \x?? \x?? \x?? " Need to add shellcode to the address stored in memory because the location can overwrite the return address just after an overflow occurs.

and strcpy (Buffer+100,shellcode); This sentence tells us again that Shellcode is stored in the buffer+100 position.

Now we're going to get shellcode in-memory address, enter the command:

Stack

disass main

Results

According to the statement strcpy (Buffer+100,shellcode); We calculate the address of Shellcode as 0xffffd1b0 (hex) +100 (decimal) =0xffffd214 (hexadecimal)

Modify EXPLOIT.C file Now! Will \x?? \x?? \x?? \x?? Modify to \x14\xd2\xff\xff

Then, compile the EXPLOIT.C program:

Gcc -m32 -o exploit exploit.c

3.5 Attack Results

Run the attack program exploit before running the vulnerability stack and observe the results:

Visible, through the attack, get the root permission!

If the attack succeeds and the "segment error" is indicated, re-use GDB disassembly to compute the memory address.

Exercise two:

2, through the command "sudo sysctl-w kernel.randomize_va_space=2" to open the system's address space randomization mechanism, repeated use of exploit program to attack the stack program, to see if the attack succeeds, can gain root authority.

Exercise Three:

3, the/bin/sh to/bin/bash (or/bin/dash), to observe whether the attack succeeds, can gain root privileges.

Summarize:

This is the first experiment of our Linux kernel analysis, the three exercises in this experiment let me learn more about the Linux buffer Overflow vulnerability and attack method, in which the stack is an important process, from this experiment, the Linux for the protection of the stack there are two measures for sudo sysctl-w Kernel.randomize_va_space=2 and/bin/bash. During the experiment I also encountered a lot of problems, such as in the preparation stage, the use of the sudo command, you need to enter the password, the input is not displayed on the screen, but the actual input, to prevent attacks. And through this experiment more familiar with the operation of the laboratory building, but also through the virtual machine more familiar with the Linux system environment, to our future Linux learning has a great help, let me benefit a lot.

Linux and Security experiment One: Buffer Overflow vulnerability experiment