"Metasploit Penetration Testing Devil Training Camp" Study Notes Chapter 5 - Network Service Penetration Attack

3. Network service penetration attack

3.1 Memory attack and defense technology

     3.1.1 Buffer Overflow Vulnerability Mechanism

             A buffer overflow is abnormal program behaviour that results from writing to a buffer without checking its boundaries.

             Buffer overflows are generally divided into stack overflows and heap overflows, according to where the overflowed buffer is located in memory.

     3.1.2 Principle of Stack Overflow Exploitation

            A stack overflow occurs when data written to a buffer on the stack is longer than the space allocated for it.

            ① Exploitation by overwriting the function return address

               When a program calls a function, it saves the function's return address, its call arguments and its local variables together on the stack. This gives an attacker who overflows a stack buffer the opportunity to modify the function's return address.

               Because the address of a variable on the stack changes each time the program runs, jump-register instructions are used as a springboard to make the program execute the shellcode on the stack. The most common approach is to overwrite the return address with the address of a JMP ESP instruction, so that when the function returns the program jumps back into the stack and executes the data that follows the overflowed buffer.
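               The defect that these notes describe, shown as an added example that is not from the book or the original notes: a fixed-size stack buffer filled with strcpy(), which consults only the source length, beside the same copy with the boundary check that removes the overflow. Function names (copy_name_unchecked, copy_name_checked) and the inputs are this example's own.

```c
/* Added example: a stack buffer overflow defect and its bounds-checked fix.
 * Names and inputs are constructed for illustration. */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Vulnerable pattern: strcpy() copies until it meets the NUL of the source
 * and never looks at the destination size.  A source of NAME_LEN bytes or
 * more runs past 'name'; since locals sit just below the saved frame pointer
 * and return address, the excess bytes land on those control fields. */
int copy_name_unchecked(const char *src)
{
    char name[NAME_LEN];
    strcpy(name, src);                 /* no boundary check */
    return (int)strlen(name);
}

/* Hardened pattern: measure first, refuse input that does not fit (leaving
 * room for the terminating NUL), then copy a bounded number of bytes. */
int copy_name_checked(const char *src)
{
    char name[NAME_LEN];
    size_t n = strlen(src);
    if (n >= sizeof name)              /* boundary check */
        return -1;
    memcpy(name, src, n);
    name[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* Constructed inputs: one that fits, one of 32 bytes that does not. */
    const char *short_input = "alice";
    const char *long_input  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    printf("checked(short) = %d\n", copy_name_checked(short_input));   /* 5  */
    printf("checked(long)  = %d\n", copy_name_checked(long_input));    /* -1 */
    /* copy_name_unchecked(long_input) is the situation the notes describe:
     * the write continues past the end of 'name' and corrupts the saved
     * return address; a build with stack protection aborts instead with
     * "stack smashing detected".  It is deliberately not called here. */
    return 0;
}
```

The point of the hardened version is that the decision to copy is made from the destination's size, not the source's; any copy routine whose length comes only from the input (strcpy, sprintf, gets) is the pattern to look for when auditing.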

            ② Exploitation by overwriting the exception handling structure

               When an exception occurs while a program is running, an exception handling mechanism is needed; Windows provides SEH (Structured Exception Handling) for this purpose.

               The exception handling structures are stored on the stack as a linked list. The operating system walks the list from beginning to end looking for a function that handles the exception; if none is found, the last entry, the system's default exception handler, takes responsibility.

               Overwriting the exception handling structure means replacing the handler function pointer inside an SEH record on the stack with a chosen address and then triggering an exception, so that the tampered pointer is loaded and called.

      3.1.3 Heap overflow utilization principle

           The heap is memory allocated dynamically while the program runs. Its location is not fixed and the implementation is fairly complex, so only the most common case is introduced here: a heap buffer overflow that corrupts the management of free heap blocks.

          A free heap block contains two pointers, pointing to the previous and the next free block.

          Heap blocks in the same heap are usually contiguous, so data that exceeds the size of a block spills into the adjacent free block behind it and overwrites the two pointers it contains.

          Once those two pointers are under the attacker's control, a heap overflow attack can be carried out.
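          An added example, not from the book or the notes, that models the free-block pointers described above: two chunks laid out back to back, a copy into the first one with no bounds check that spills into the free chunk behind it, and the "safe unlinking" consistency check with which modern allocators refuse to act on a free chunk whose two pointers no longer agree with their neighbours. The struct chunk layout, heap_unlink, simulate_overflow and the decoy record are this example's own toy model, not a real allocator's code.

```c
/* Added example: overflow into a free chunk's fd/bk pointers, and the
 * safe-unlink check that detects it.  Toy model, names are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct chunk {
    char          data[16];   /* user area of an in-use chunk */
    struct chunk *fd;         /* next free chunk (meaningful when free) */
    struct chunk *bk;         /* previous free chunk */
};

/* Two chunks back to back, as adjacent blocks of one heap are.  The union
 * lets the overflowing copy be written as raw bytes across both of them. */
static union {
    unsigned char bytes[2 * sizeof(struct chunk)];
    struct chunk  chunks[2];
} arena;

/* Safe unlink: before taking 'p' out of the doubly-linked free list, check
 * that both neighbours still point back at it.  Returns 0 on success, -1
 * if the pointers have been tampered with (the "corrupted double-linked
 * list" condition that allocators abort on). */
int heap_unlink(struct chunk *p)
{
    if (p->fd->bk != p || p->bk->fd != p)
        return -1;            /* refuse to use overwritten pointers */
    p->fd->bk = p->bk;
    p->bk->fd = p->fd;
    return 0;
}

/* Runs one scenario.  With corrupt == 0 the constructed input fits the
 * in-use chunk; with corrupt != 0 it is long enough to spill into the free
 * chunk behind it and replace that chunk's fd/bk with pointers to a decoy
 * record.  Returns 0 when the unlink proceeds on an intact list, 1 when the
 * safe-unlink check refuses a corrupted one, 2 if the list ends up wrong. */
int simulate_overflow(int corrupt)
{
    struct chunk head, decoy;
    struct chunk *in_use = &arena.chunks[0];
    struct chunk *victim = &arena.chunks[1];   /* free block behind in_use */

    memset(&arena, 0, sizeof arena);
    head.fd = head.bk = victim;                /* circular list: head <-> victim */
    victim->fd = victim->bk = &head;
    decoy.fd = decoy.bk = &decoy;              /* stands in for attacker-chosen pointers */

    /* Constructed input: the first 16 bytes belong in in_use->data; the
     * rest is overflow, carrying pointer values at the offsets where the
     * free chunk's fd and bk live. */
    unsigned char input[sizeof arena];
    memset(input, 'A', sizeof input);
    size_t fd_off = sizeof(struct chunk) + offsetof(struct chunk, fd);
    size_t bk_off = sizeof(struct chunk) + offsetof(struct chunk, bk);
    struct chunk *ptr = &decoy;
    memcpy(input + fd_off, &ptr, sizeof ptr);
    memcpy(input + bk_off, &ptr, sizeof ptr);

    /* The write with the missing bounds check; arena.bytes starts at
     * in_use->data, so anything past 16 bytes overruns into victim. */
    size_t len = corrupt ? sizeof input : sizeof in_use->data;
    memcpy(arena.bytes, input, len);

    if (heap_unlink(victim) == -1)
        return 1;
    /* Intact list: head must now point at itself in both directions. */
    return (head.fd == &head && head.bk == &head) ? 0 : 2;
}

int main(void)
{
    printf("intact list: %s\n",
           simulate_overflow(0) == 0 ? "unlink ok" : "unexpected");
    printf("overflowed : %s\n",
           simulate_overflow(1) == 1 ? "corruption detected, unlink refused" : "missed");
    return 0;
}
```

Without the two comparisons in heap_unlink, the two assignments would write the attacker's bk value to wherever fd points and vice versa, which is the mechanism behind the notes' "heap overflow attack"; the check turns that into an abort at the allocator, which is also why a crash with a "corrupted double-linked list" message in a service log deserves the same triage as a stack-smashing abort.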

      3.1.4 Restrictions on Buffer Overflow Exploitation

            One must consider the size of the buffer space, the format the data must take, and the bad characters that have to be filtered out.

3.2 Network service penetration attack surface

      3.2.1 Penetration attacks against the network services that come with the Windows system

             1. NetBIOS network service

                Implemented by the NBT (NetBIOS over TCP/IP) protocol, which includes the NetBIOS name service on UDP port 137, the NetBIOS datagram service on UDP port 138 and the session service on UDP port 139. Penetration attacks using NetBIOS are rare, and Metasploit has no modules for it.

             2. SMB service

                Metasploit's penetration attack modules for SMB are under exploit/windows/smb; only a few of them target SMB itself, and most target MSRPC over SMB channels.

             3. MSRPC network service

               MSRPC is the largest attack surface among Windows' built-in network services. The corresponding modules in the Metasploit framework are located under exploit/windows/smb and exploit/windows/dcerpc.

             4. RDP remote desktop service

               By default it runs on port 3389.

      3.2.2 Penetration attacks against Windows operating system Microsoft network services

             Common examples are the IIS web service, the MSSQL database service, the Exchange mail service, the MSDTC service, the DNS domain name service and the WINS service, which may contain serious security holes and become targets for attackers.

      3.2.3 Penetration attacks against third-party network services on the Windows operating system

             Common examples are Apache, IBM WebSphere, Tomcat, Oracle, MySQL, Serv-U, FileZilla, etc. An attacker finds out whether such third-party services are in use by scanning their default ports.

       3.2.4 Penetration attacks against industrial control system service software

              Industrial control systems are systems used to control production equipment in industrial settings, including SCADA systems, DCS and other equipment controllers. Metasploit has many penetration modules for such software under the exploit/windows/scada directory.

       3.2.5 Differences between Linux and Windows

              ① Differences in the layout of the process memory space

                  On Windows, the first byte of a stack address is 0x00 (NULL), which is usually a bad character that has to be taken into account. Stack addresses on Linux contain no null byte, so the input truncation that such a bad character causes does not have to be considered.

              ②Differences in the handling of discarded stacks during program running

                 Windows writes random data over a discarded stack region, while Linux leaves it untouched.

              ③Differences in the implementation of system function calls

                 Windows performs system calls through an API and kernel handler call chain, while Linux invokes system functions through the "int 0x80" interrupt, so shellcode is implemented quite differently on the two platforms.

              ④ Different dynamic link library implementation mechanisms

                  Linux introduces the GOT (global offset table) and PLT (procedure linkage table) and uses relocation entries to implement "position independent code", which achieves better sharing of libraries.

       3.2.6 Linux system service penetration attack principle

              The principle is basically the same as for Windows, but attacks against Linux have some characteristics of their own.

              Because the source code is open, white-box testing is possible.

              Because there are many distributions, an exploit for the same vulnerability has to be adjusted for each system environment.

              The security of a Linux system depends more heavily on the user.

Origin blog.csdn.net/2301_77162959/article/details/130900595