Overview
Course homepage:
http://staff.ustc.edu.cn/~bjhua/courses/security/2014/labs/lab1/index.html
Lab Overview
This section introduces the goal the course labs are meant to reach, and the lab environment used. Compared with the labs of previous years, there is one more component: a web server named Touchstone. "Touchstone" means a test stone, implying that it is the key yardstick for judging how well students have learned. The whole lab sequence is centred on the evolution of touchstone; the idea is this: how can a pure C code base be made, step by step, to satisfy the design principles of modern servers and avoid a number of security design flaws.
Part A: Buffer Overflow Principle
$ gcc -g stack1.c -o stack1
$ ./stack1
Compile with gcc and run the executable stack1.
gcc is a very popular compiler on Linux systems; unlike VC 6.0 or Visual Studio, it has no graphical interface.
-g is a compile option that makes gdb show more auxiliary debugging information when debugging the executable.
stack1.c is the input file of the compilation.
-o stack1 sets the name of the compiled target program to stack1; it can be omitted, in which case the default output is the executable a.out. For more information, see the gcc compile options.
Exercise 1. Now you can write some code. Your job is to print the address of the
variable buffer in the C program stack1.c, and compile the C program as above. Run
it three times, observe and write down the output addresses in address.txt. Are
these 3 addresses the same or not?
Download the code needed for the lab and print the address of buffer as the exercise requires. Run it several times and look at the printed buffer address: it will certainly differ each time because of randomization, but for now it is enough to know that the addresses differ.
Challenge! Read the file /proc/pid/maps on your machine (pid is the process id),
observe the value of [stack]. You can read this article to learn how effective
the ASLR on Linux systems is.
The maps output lists some control information about the process: where the code segment is, the location of the heap, the locations of the loaded library files, the location of the stack, and so on.
Use gdb to debug the program, as the following. You may find the online gdb manual
useful.
Follow the debugging steps to get familiar with the workflow. Pay attention to the debugging and printing tricks; they will be used heavily in later labs.
Address Space Layout Randomization
$ su root
Password : (enter root password)
# sysctl -w kernel.randomize_va_space=0
su root switches the current user to root; by default root is the user with the highest privileges on Linux. This step is required if you need to operate the system as root.
Exercise 3. Turn off the address space layout randomization, and then do exercise 1
again; write down the three addresses in args.txt. Are those three addresses the same or not?
With randomization turned off, the output should now be the same each time.
Buffer Overflow and Shellcode
$ ./stack1 aaaaaaaaaa
Returned Properly
$ ./stack1 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Segmentation fault
The reason for the segmentation fault: each function's stack frame has limited space by default, and if the input is too long it corrupts the stack structure, so when the function returns it jumps to a random location. The vast majority of segmentation faults are caused by memory access permission problems.
Exercise 4. Use gdb, to print the value of the register %eip when the program crashes. How
does the program run to this address?
Same explanation as above.
Challenge! Try to write a C program which prints every return address in the call stack
until the invocation of the current function. This is often called a backtrace. This behaves
like the bt command in the gdb. Hint: just as the following picture shows, the stack is
simply a list with %ebp as the next pointer.
See the post titled <<读取ebp值的两种方式>> (Two ways to read the ebp value) on this blog.
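One way to do this challenge, as an added example that is not part of the original lab or blog post: the program below walks the saved-frame-pointer chain the hint describes and prints each return address, much like gdb's bt. It assumes every function keeps a frame pointer (build with gcc -O0 or -fno-omit-frame-pointer); the function and variable names are my own.

```c
#include <stdio.h>
#include <stdint.h>

#define MAX_FRAMES 32
/* Walk the chain of saved frame pointers. On x86/x86-64 (and AArch64) each
   frame record is { saved caller fp, return address }: fp[1] is the return
   address and fp[0] links to the caller's record. 'bound' is the address of
   a local in the outermost frame of interest; a link that does not point
   upward into (fp, bound) ends the walk, so a caller compiled without a
   frame pointer cannot make us read garbage. Returns the frame count. */
__attribute__((noinline))
int collect_return_addresses(void **out, int max, const void *bound)
{
    void **fp = __builtin_frame_address(0);   /* this function's own record */
    int n = 0;

    while (n < max) {
        void **next = (void **)fp[0];
        out[n++] = fp[1];                      /* return address of this frame */
        if ((uintptr_t)next <= (uintptr_t)fp || (uintptr_t)next >= (uintptr_t)bound)
            break;                             /* chain broken or bound reached */
        fp = next;
    }
    return n;
}
/* Two nested calls so the walk has something to show. */
__attribute__((noinline)) static int inner(const void *bound)
{
    void *addrs[MAX_FRAMES];
    int n = collect_return_addresses(addrs, MAX_FRAMES, bound);
    for (int i = 0; i < n; i++)
        printf("#%d  return address %p\n", i, addrs[i]);
    return n;
}
__attribute__((noinline)) static int middle(const void *bound)
{
    return inner(bound);
}
/* 'marker' lives in this frame and serves as the upper bound of the walk. */
int demo_backtrace(void)
{
    volatile int marker = 0;
    return middle((const void *)&marker);      /* 3 frames with -O0 */
}
int main(void)
{
    printf("frames: %d\n", demo_backtrace());
    return 0;
}
```

With frame pointers omitted in the callers the walk still terminates, but it may stop after the first frame because the chain is not intact.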
$ gcc -z execstack test-shell.c -o test-shell
$ ./test-shell
sh-3.2$ id
uid=1000(seed) gid=1000(seed) groups=4(adm),20(dialout),24(cdrom),
46(plugdev),106(lpadmin),121(admin),122(sambashare),1000(seed)
sh-3.2$ exit
$
-z execstack is a compile option that marks the stack segment executable. Otherwise, even if the buffer overflows and the return address jumps to the start of the buffer, the shellcode cannot execute.
Exercise 5. The shellcode we offered can pop up a shell. Now it's your turn to attack the
C program named stack.c using shellcode; you will get a shell if you succeed. You should
compile and run your program as follows:
$ gcc -g -z execstack -fno-stack-protector stack2.c -o stack2
$ ./stack2
sh-3.2$ id
uid=1000(seed) gid=1000(seed) groups=4(adm),20(dialout),24(cdrom),
46(plugdev),106(lpadmin),121(admin),122(sambashare),1000(seed)
sh-3.2$ exit
$
Here, the -fno-stack-protector option will disable gcc's stack canary. Hint: you can use
the gdb when necessary, but keep in mind that there are some minor differences between the
result from gdb and that from the stand-alone executable.
-fno-stack-protector
Yet another gcc compile option; it disables the canary policy that gcc applies by default when compiling. With it, the program will not crash when a buffer overflow occurs. You can remove this option and compare the behaviour before and after to deepen your understanding.
Challenge! Write other kind of (more interesting) shellcode, do whatever you want to do.
Make appropriate modifications, using the shellcode provided to you as a reference.
Part B: Buffer Overflows in the Touchstone Web Server
The Touchstone Web Server
$ cd web-server
$ make
$ ./touchstone
The make command runs the compilation commands in the Makefile of the current directory; if you are interested, you can study the Makefile tutorial series.
Exercise 6. Study the web server's code, and look for code vulnerabilities which can be
exploited to crash the server by buffer overflows; pay special attention to the file
parse.c. Write down a description of each vulnerability in the file named bugs.txt.
For each vulnerability, describe how you would construct the input (i.e., the HTTP request) to
overflow the buffer. Locate at least one vulnerability. Here is a tutorial of the
HTTP protocol; you can focus on the GET request.
Look carefully at the parse.c file; you will notice that arrays are present. Make good use of the buffer overflow vulnerability.
The standard format of a GET request:
GET / HTTP/1.1\r\n\r\n
The attacking GET request can be constructed freely:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...AA
Attack the Web Server
Exercise 7. For the buffer overflow vulnerability you've found, construct an input to
send to the touchstone web server; your goal is to crash the web server (the http server
daemon). Note: if you succeed in crashing the web server, your browser will remain
dead-waiting to receive data from the server. Don't forget that any valid request must
end with \r\n\r\n.
Exercise 8. Perform your attack by constructing an exploit that hijacks control flow of
the web server and unlink (delete) grades.txt. Remember that the web server is on your
computer, so you should create a file named grades.txt first.
E7 and E8 are two similar processes: E7 is about finding out the format of the "valid input" the server side accepts, and E8 constructs the invalid input following a certain format.
Construct the input string following the shellcode writing format to carry out the attack.
Challenge! Write a remote shellcode, so that you can gain control of a remote machine.
Remote shellcode is used when an attacker wants to target a vulnerable process running
on another machine on a local network or intranet. If successfully executed, the
shellcode can provide the attacker access to the target machine across the network.
Remote shellcodes normally use standard TCP/IP socket connections to allow the attacker
access to the shell on the target machine. Such shellcode can be categorised based on
how this connection is set up: if the shellcode can establish this connection, it is
called a "reverse shell" or a connect-back shellcode because the shellcode connects
back to the attacker's machine. To bypass the firewalls, you can use the port reuse
techniques.
Did you notice where the shell popped up by the normal shellcode appears?! On the server side!! That is obviously not the effect an attacker wants. So what does an attacker need? The attacker needs to obtain the server side's terminal on the client that submitted the input. It is a bit convoluted; hopefully that is clear. So something more advanced is needed to achieve this effect: reverse shellcode.
Part C: Fixing buffer overflow
Exercise 9. Try to fix the buffer overflow vulnerabilities of the touchstone web server.
You can use whatever techniques to achieve this, say use safe string copying function
strncpy or to allocate the buffer in the heap but not on the stack. And re-do the attack,
observe whether or not your attack will succeed.
Use some strategies to avoid buffer overflows, such as using safe copy functions.
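As an added example (not the lab's parse.c, whose code is not shown on this page), a bounded request-line parser of the kind Exercise 9 asks for: the path is copied into a fixed buffer only after its length has been checked against the buffer, and a request that lacks \r\n\r\n or carries an overlong path is rejected instead of overflowing. PATH_CAP, the result codes and the helper names are assumptions; the sample request in main is constructed.

```c
#include <stdio.h>
#include <string.h>

#define PATH_CAP 64   /* constructed size of the fixed path buffer */
enum { REQ_OK = 0, REQ_INCOMPLETE = 1, REQ_BAD = 2, REQ_TOO_LONG = 3 };

/* Copy the path of a GET request line into a fixed-size buffer without
   trusting the input length: the copy is bounded by the destination, so an
   overlong path is rejected instead of overflowing the buffer. Note the
   strncpy trap: it does not NUL-terminate when the source fills the buffer,
   so the length is checked first and the terminator written explicitly. */
int parse_get_request(const char *req, size_t req_len, char *path, size_t path_cap)
{
    /* A complete request ends with the empty line \r\n\r\n. */
    const char *end = NULL;
    for (size_t i = 0; i + 4 <= req_len; i++)
        if (memcmp(req + i, "\r\n\r\n", 4) == 0) { end = req + i; break; }
    if (end == NULL) return REQ_INCOMPLETE;
    if (memcmp(req, "GET ", 4) != 0) return REQ_BAD;   /* req_len >= 4 here */
    const char *p = req + 4;
    /* The path runs up to the next space, which must come before 'end'. */
    const char *sp = memchr(p, ' ', (size_t)(end - p));
    if (sp == NULL) return REQ_BAD;
    size_t plen = (size_t)(sp - p);
    if (plen == 0) return REQ_BAD;
    if (plen >= path_cap) return REQ_TOO_LONG;        /* no room for the NUL */
    memcpy(path, p, plen);
    path[plen] = '\0';
    return REQ_OK;
}

/* Helpers that parse into a PATH_CAP-byte stack buffer, as parse.c might. */
int classify_request(const char *req)
{
    char path[PATH_CAP];
    return parse_get_request(req, strlen(req), path, sizeof path);
}

int request_path_is(const char *req, const char *expected)
{
    char path[PATH_CAP];
    if (parse_get_request(req, strlen(req), path, sizeof path) != REQ_OK) return 0;
    return strcmp(path, expected) == 0;
}

int main(void)
{
    const char *good = "GET /index.html HTTP/1.1\r\n\r\n";   /* constructed */
    printf("good request -> %d (REQ_OK is 0)\n", classify_request(good));
    return 0;
}
```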