20145202 《网络对抗技术》 PC Platform Reverse Engineering
2017-03-07 18:27
Preparation
![](https://oscdn.geek-share.com/Uploads/Images/Content/201703/07/9b66851fc807edb4cc1b24e4bd23ba32.jpg)
First configure the environment: executable stack, address randomization (ASLR) disabled.
Reference: http://git.oschina.net/wildlinux/NetSec/blob/master/ExpGuides/Bof_从缓冲区溢出说起.md?dir=0&filepath=ExpGuides%2FBof_从缓冲区溢出说起.md&oid=72b34d542ae4c73c64c2796d28dbc2d9289c0e2b&sha=4f3790a4c0593c3183871a5e65e20bebd6fbda1e
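The experiment only works because two mitigations are switched off beforehand: the non-executable stack and ASLR. The following script is an added example, not code from the original post or from the referenced guide; it audits those two settings from the defender's side by parsing an ELF's program headers for the PT_GNU_STACK flags and interpreting /proc/sys/kernel/randomize_va_space. The build_test_elf32 helper constructs a minimal ELF purely as self-test input.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551  # program header type that records the requested stack permissions
PF_X = 0x1                 # execute bit in p_flags

def stack_executable(elf: bytes):
    """True if PT_GNU_STACK requests an executable stack, False if it is marked
    non-executable, None if the header is absent (on i386/x86-64 the kernel then
    falls back to an executable stack, so None should also count as a finding)."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = elf[4] == 2
    end = "<" if elf[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", elf, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x36)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", elf, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x2A)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(end + "I", elf, off)
        if p_type == PT_GNU_STACK:
            # p_flags follows p_type in Elf64_Phdr but sits at offset 24 in Elf32_Phdr
            (p_flags,) = struct.unpack_from(end + "I", elf, off + (4 if is64 else 24))
            return bool(p_flags & PF_X)
    return None

def aslr_state(value: str) -> str:
    """Map the contents of /proc/sys/kernel/randomize_va_space to a description."""
    return {"0": "disabled", "1": "stack/mmap/vdso randomized",
            "2": "full (also brk)"}.get(value.strip(), "unknown")

def build_test_elf32(exec_stack: bool) -> bytes:
    """Constructed minimal ELF32: header plus one PT_GNU_STACK entry (test input only)."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)           # 32-bit, little-endian, v1
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    flags = 0x6 | (PF_X if exec_stack else 0)                   # RW, optionally +E
    return ehdr + struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, flags, 16)

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        print("executable stack:", stack_executable(f.read()))
    with open("/proc/sys/kernel/randomize_va_space") as f:
        print("ASLR:", aslr_state(f.read()))
```

Running it against the compiled lab binary on the lab VM should report an executable stack and ASLR disabled; a production build should report False and full.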
![](https://oscdn.geek-share.com/Uploads/Images/Content/201703/07/22e8a072602c6895c294e8afe208d24f.jpg)
The input is built with the layout anything+retaddr+nops+shellcode: first estimate where the return address sits, then find the address of the shellcode.
![](https://oscdn.geek-share.com/Uploads/Images/Content/201703/07/822b89c23b760fa63d8f2b745f94c289.jpg)
To verify the position of the return address and find the shellcode address, GDB is used for debugging.
![](https://oscdn.geek-share.com/Uploads/Images/Content/201703/07/695571a3e50cedf6646b949ced9475a4.jpg)
Next, find the PID of the running process.
![](https://oscdn.geek-share.com/Uploads/Images/Content/201703/07/adca1d2cad54697ba5eaabb2849e3cb5.jpg)
Start GDB and attach it to that process.
![](https://oscdn.geek-share.com/Uploads/Images/Content/201703/07/c683e0bacdcb18d4512f503cb854101a.jpg)
Set a breakpoint at ret, run to it, display the current value of esp, and dump the memory from that position onward; from this, confirm that the return address position is correct and obtain the shellcode address.
![](https://oscdn.geek-share.com/Uploads/Images/Content/201703/07/bb963b4ccfccdaddc6408b07d87eccd8.jpg)
From the screenshot above, the shellcode address is 0xffffd334.
Continuing execution confirms that the return address was overwritten by the \x01\x02\x03\x04 we entered earlier:
![](https://oscdn.geek-share.com/Uploads/Images/Content/201703/07/ebcd8b10feb0bee03855b2e1157e9829.jpg)
Change the return address to 0xffffd334 and inject again.
Return-to-libc attack
I first added another user:
![](https://oscdn.geek-share.com/Uploads/Images/Content/201703/07/976d7e0d209d6e4ec431936964f8c2f1.png)
Enter the 32-bit Linux environment, disable address randomization, and point /bin/sh to zsh.
![](https://oscdn.geek-share.com/Uploads/Images/Content/201703/07/65391c8b6f7fa0ae5982609281505734.png)
Save the vulnerable program in the /tmp directory:
![](https://oscdn.geek-share.com/Uploads/Images/Content/201703/07/6d05206daff045efe7350371b42766d3.jpg)
Compile the code with -fno-stack-protector to turn off the stack protection that would block the buffer overflow, and set the SUID bit on the program so that it runs with its owner's privileges, i.e. as root:
![](https://oscdn.geek-share.com/Uploads/Images/Content/201703/07/14bc33559b285a2cd1d4f1c0a0854790.png)
The program that reads environment variables:
![](https://oscdn.geek-share.com/Uploads/Images/Content/201703/07/bedbd94714b1b1cd753c8fe25d293b68.jpg)
Save the attack program in the /tmp directory:
![](https://oscdn.geek-share.com/Uploads/Images/Content/201703/07/032c4b2581db1409e8f2873ece4c8126.jpg)
Use the getenvaddr program from above to get the address of BIN_SH:
![](https://oscdn.geek-share.com/Uploads/Images/Content/201703/07/b8e2a743b40a0b9163690d0a90bb60c3.jpg)
Use gdb to get the addresses of system and exit:
![](https://oscdn.geek-share.com/Uploads/Images/Content/201703/07/5e2e3ebe2a8c9e486bbbaccc4cb1912d.jpg)
Fill the three memory addresses found above into 20145215exploit.c:
![](https://oscdn.geek-share.com/Uploads/Images/Content/201703/07/e5077018b1f63f445c481d7e2e0839a0.jpg)
Only at this point did I realise I had forgotten to switch users earlier, so I had to do it all over again; since the steps are the same I won't write them out again. The result was a success.
![](https://oscdn.geek-share.com/Uploads/Images/Content/201703/07/ade667a8123cc4cfcdc5e3a8df4fc364.jpg)
Reference: https://git.oschina.net/wildlinux/NetSec/blob/master/ExpGuides/MAL_逆向与Bof基础.md?dir=0&filepath=ExpGuides%2FMAL_逆向与Bof基础.md&oid=bf7c0c8fd8e306ddb9f728b4db42b5efbb00af80&sha=f4a0f4414045ff786a72020586fcf7663dd56f8b