ED 201: Linux Buffer Overflow: Command Injection (15 pts)

What You Need

A 32-bit x86 Kali 2 Linux machine, real or virtual.

Purpose

To develop a very simple buffer overflow exploit in Linux, using injected shell commands.

Task 1: Exploiting a Local Service

Creating a Vulnerable Program

This program inputs a name from the user and prints out a "Goodbye" message. It then calls system() to print out the Linux version. It uses two 40-byte buffers in a subroutine to do that in an unsafe manner, allowing the name buffer to overflow into the command buffer.

In a Terminal window, execute this command:

 nano buf.c 

Copy and paste in this code:

 #include <stdio.h>
 #include <stdlib.h>   /* system() */
 #include <string.h>   /* strcpy() */

 int bo(char *name, char *cmd);

 int main(){
     char name[200];
     printf("What is your name?\n");
     scanf("%s", name);
     bo(name, "uname -a");
     return 0;
 }

 /* Deliberately unsafe: both strcpy() calls are unbounded, so a name
    longer than 39 characters can run past the end of buffer[] into c[]
    and replace the command that system() runs. */
 int bo(char *name, char *cmd){
     char c[40];
     char buffer[40];
     printf("Name buffer address: %x\n", buffer);
     printf("Command buffer address: %x\n", c);
     strcpy(c, cmd);
     strcpy(buffer, name);
     printf("Goodbye, %s!\n", buffer);
     printf("Executing command: %s\n", c);
     fflush(stdout);
     system(c);
     return 0;
 }

Save the file with Ctrl+X, Y, Enter.

Execute this command to compile the code without modern protections against stack overflows, and with debugging symbols:

 gcc -g -fno-stack-protector -z execstack -o buf buf.c 

You should see compiler warnings, but no errors.

Troubleshooting

If you see this error:

 fatal error: string.h: No such file or directory 

That means gcc is not properly installed, which was the case on my Kali 2017.3 machine.

Execute this command to fix gcc:

 apt install build-essential -y 

Running the Program Normally

Execute this command:

 ./buf 

Enter your first name when prompted to.

The program prints out the location of the Name buffer and the command buffer, says "Goodbye", and executes the command "uname -a", as shown below.

Observing a Crash

Execute this command:

 ./buf 

Enter fifty 'A' characters instead of your name.

The program attempts to execute the command AAAAAAA, as shown below.

Finding the Code Injection Point

Execute this command:

 ./buf 

Enter:

The program attempts to execute the command EEEEEEEEEE, as shown below. So any text we put in place of EEEEEEEEEE will execute.

Executing the "ls" command

Execute this command:

 ./buf 

Enter ten 'A' characters, then ten 'B' characters, then ten 'C' characters, then ten 'D' characters, then ls.

The program executes the "ls" command, showing the files in your working directory, as shown below.

Escaping Spaces

To execute a command containing a space, insert a backslash before the space. Try to execute the "ls -l" command, as shown below.

Hint

If spaces are annoying you, try using backslash to escape them.
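The root cause in Task 1 is that bo() copies user input into a fixed-size stack buffer with no length check, so the name runs into the neighbouring command buffer. The program below is an added example, not part of the original lab: it rewrites bo() with the same two 40-byte buffers but bounded copies, reads the name with a bounded fgets() instead of scanf("%s"), and replays the lab's fifty-'A' input to confirm the command buffer is no longer reachable. The names bo_safe, read_name and command_survives_overflow are my own; the 40-byte size and the "uname -a" command come from the lab's code.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 40   /* same buffer size as the lab's bo() */

/* Both buffers live in one struct so their adjacency is explicit and
   every write is checked against the destination's own size. */
struct greeting {
    char cmd[BUF_SIZE];    /* command that would be handed to system() */
    char name[BUF_SIZE];   /* user-controlled name */
};

/* Hardened counterpart of bo(). Returns 0 on success, -1 if either
   string (plus its terminating NUL) would not fit. On failure the
   struct is left untouched, so a stored command cannot be clobbered. */
int bo_safe(struct greeting *g, const char *name, const char *cmd) {
    size_t nlen = strlen(name);
    size_t clen = strlen(cmd);
    if (nlen >= sizeof g->name || clen >= sizeof g->cmd)
        return -1;
    memcpy(g->cmd, cmd, clen + 1);
    memcpy(g->name, name, nlen + 1);
    return 0;
}

/* Bounded replacement for scanf("%s", name). Returns 0 on success,
   -1 if the line exceeded size-1 characters; the excess is drained so
   it cannot leak into the next read. */
int read_name(FILE *in, char *name, size_t size) {
    if (fgets(name, (int)size, in) == NULL)
        return -1;
    size_t len = strlen(name);
    if (len > 0 && name[len - 1] == '\n') {
        name[len - 1] = '\0';
        return 0;
    }
    int ch;   /* no newline seen: line was too long */
    while ((ch = fgetc(in)) != EOF && ch != '\n') {}
    return -1;
}

/* Replay the lab's "Observing a Crash" input (fifty 'A's, constructed
   here) against the hardened version. Returns 1 if the oversized name
   is rejected and the previously stored command is unchanged. */
int command_survives_overflow(void) {
    struct greeting g;
    char fifty_a[51];
    memset(fifty_a, 'A', 50);
    fifty_a[50] = '\0';

    if (bo_safe(&g, "Bob", "uname -a") != 0)   /* normal run */
        return 0;
    int rc = bo_safe(&g, fifty_a, "uname -a"); /* overflow attempt */
    return rc == -1 && strcmp(g.cmd, "uname -a") == 0;
}

int main(void) {
    char name[BUF_SIZE];
    struct greeting g;
    printf("What is your name?\n");
    if (read_name(stdin, name, sizeof name) != 0 ||
        bo_safe(&g, name, "uname -a") != 0) {
        fprintf(stderr, "Name too long (max %d characters)\n", BUF_SIZE - 1);
        return 1;
    }
    printf("Goodbye, %s!\n", g.name);
    /* The lab calls system(g.cmd) here; this example only shows it. */
    printf("Would execute: %s\n", g.cmd);
    return 0;
}
```

Compile it the same way as buf.c and feed it the fifty-'A' input: the program now reports the name as too long and exits instead of running attacker-supplied text. Note that -fno-stack-protector and -z execstack make no difference to this version, because the copies are bounded by the destination size rather than relying on the compiler to catch the overwrite after the fact.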

Task 2: Exploiting a Remote Server

Vulnerable Form

Try putting in a short name, and then make the name longer until you get unexpected results.

For a good time, try this string:

 0123456789012345678901234567890123456789ls 

Your name:

ED 201.1: Flag 1 (5 pts)

There's a file on the server named "flag1". Find the flag inside it.

ED 201.2: Flag 2 (10 pts)

There's a file on the server named "flag2". Find the flag inside it.

Sources

I based this on the "pwn1" and "pwn2" challenges in the 2015 SCTF competition.

Posted: 1-6-16 by Sam Bowne
Last revised 2-28-16
ASLR disabling removed 3-31-16
URL changed to "direct" 1-19-17
gcc fix added 1-25-18
Minor language fixes 8-25-18
Updated for WCIL 5-22-19