2017-2018-2 20179204 "Network Attack and Defense Practice" Buffer Overflow Vulnerability Experiment

Others 2022-04-28 14:15:59 views: 0

Section 1 Experiment Introduction

A buffer overflow is when a program attempts to write more data to the buffer than the pre-allocated fixed length. This vulnerability can be exploited by malicious users to change the flow control of a program or even execute arbitrary pieces of code. The vulnerability arises due to the temporary closure of the data buffer and return address, and overflow causes the return address to be rewritten.

Section 2 Experimental Preparation

The system user name is shiyanlou, and the laboratory building provides 64-bit Ubuntu linux. In order to facilitate the observation of assembly statements in this experiment, we need to operate in a 32-bit environment, so some preparations need to be done before the experiment.

2.1 Enter the command to install something for compiling 32-bit C programs:



2.2 Enter the command "linux32" to enter the 32-bit linux environment. At this point, you will find that the command line is not so fun to use, for example, you cannot complete tab completion, so enter "/bin/bash" to use bash:

Section 3 Exercise 1 Lab Steps

3.1 Initial Setup

In Ubuntu and some other Linux systems, address space randomization is used to randomize the initial address of the heap and stack, which makes guessing the exact memory address very difficult, and guessing the memory address is a buffer overflow attack The essential. Therefore, in this experiment, we use the following command to turn off this function:sudo sysctl -w kernel.randomize_va_space=0

Additionally, to further protect against buffer overflow attacks and other attacks that exploit shell programs, many shell programs automatically relinquish their privileges when invoked. So even if you can trick a Set-UID program into calling a shell, you can't maintain root privileges in that shell. This safeguard is implemented in /bin/bash.

In Linux systems, /bin/sh is actually a symbolic link to /bin/bash or /bin/dash. To reproduce the situation before this protection was implemented, we replaced /bin/bash with another shell program (zsh). The following instructions describe how to set up the zsh program:

  sudo su
  cd /bin
  rm sh
  ln -s zsh sh
  exit

3.2 Vulnerable program

The code is saved as "stack.c" file and saved to /tmp directory.

Compile the program, and set SET-UID. The command is as follows:

  sudo su
  gcc -m32 -g -z execstack -fno-stack-protector -o stack stack.c
  chmod u+s stack
  exit

The GCC compiler has a stack protection mechanism to prevent buffer overflows, so we need to disable this mechanism with --fno-stack-protector when compiling the code.

And -z execstack is used to allow the execution stack.

3.3 Attack program

Our purpose is to attack the vulnerable program just now and gain root privileges through the attack.

Save the code as an "exploit.c" file and save it to the /tmp directory.

"\x??\x??\x??\x??" needs to add the address of the shellcode stored in memory, because this position can just overwrite the return address after the overflow occurs.

And strcpy(buffer+100, shellcode); This sentence tells us that the shellcode is stored in the buffer+100 position.

Now we want to get the address of the shellcode in memory, enter the command:

  gdb stack
  disass main

The result is as follows:

According to the statement strcpy(buffer+100, shellcode); we calculate the address of the shellcode as 0xffffd1b0(hexadecimal)+100(decimal)=0xffffd214(hexadecimal)

Now modify the exploit.c file! Change \x??\x??\x??\x?? to \xb4\xd3\xff\xff

Then, compile the exploit.c program:

3.4 Attack Results

First run the attack program exploit, then run the vulnerability program stack, and observe the results:

Section 4 Exercise 1

Run the command "sudo sysctl -w kernel.randomize_va_space=2" to turn on the system's address space randomization mechanism, repeatedly use the exploit program to attack the stack program, and observe whether the attack is successful and whether root privileges can be obtained.

Unable to gain root privileges.

Section 5 Exercise 2

Repoint /bin/sh to /bin/bash (or /bin/dash), and observe whether the attack is successful and whether root privileges can be obtained.

Unable to gain root privileges.

Section 6 Summary

In exercise 2, since address space randomization is turned on, the previously calculated address is different from the actual address, so the attack cannot be completed.

In Exercise 3, the bash program used does not have root privileges when the shell is running. At this time, even if the attack program attacks the vulnerable program, the attack cannot be completed.

Guess you like

Origin http://43.154.161.224:23101/article/api/json?id=326371579&siteId=291194637
Recommended
Ranking
error: (-215:Assertion failed) !_img.empty() in function ‘cv::imwrite‘
Database migration between Navicat servers
Minimum number of rotation of the array: Array
balenaEtcher for mac (make a boot disk software) v1.5.67
Custom processing serialization and deserialization in jackson
Mu-en-mask system development software
Mastering Regular Expressions
Find mileage Java--
Web pages can not directly concern the public micro-channel number how to do? A key to arouse public concern number of micro-channel solutions
[CodeForces - 739B] Alyona and a tree Tree + [difference] + bipartite
Daily
More
2024-05-12(28)
2024-05-11(32)
2024-05-10(34)
2024-05-09(32)
2024-05-08(18)
2024-05-07(34)
2024-05-06(6)
2024-05-05(0)
2024-05-04(18)
2024-05-03(8)

Code World

© 2018 codetd.com