Cryptography and Network Security, ch18: Intrusion, Vulnerabilities and Prevention

Chapter 18  Intrusion, Vulnerabilities and Prevention

Outline:
  18.1 Intrusion
  18.2 Intrusion detection
  18.3 Password management
  18.a Code security (buffer overflow)
  18.b Cracking examples

Intrusion and flaws

An intrusion is possible because a security flaw exists: a vulnerability in the operating system or in application software is exploited. Improper configuration or use by users also creates vulnerabilities, for example weak passwords.

Excerpt from the Criminal Law (PRC)

Article 285: Whoever, in violation of state regulations, intrudes into a computer information system in the fields of state affairs, national defense construction or advanced science and technology shall be sentenced to fixed-term imprisonment of not more than three years or criminal detention.

Article 286: Whoever, in violation of state regulations, deletes, modifies, adds to or interferes with the functions of a computer information system so that the system cannot operate normally shall, where the consequences are serious, be sentenced to fixed-term imprisonment of not more than five years or criminal detention; where the consequences are especially serious, to fixed-term imprisonment of not less than five years. Whoever, in violation of state regulations, deletes, modifies or adds to the data or application programs stored, processed or transmitted in a computer information system shall, where the consequences are serious, be punished under the preceding paragraph. Whoever deliberately creates or spreads computer viruses or other destructive programs that affect the normal operation of a computer system shall, where the consequences are serious, be punished under the first paragraph.

Article 287: Whoever uses a computer to commit financial fraud, theft, embezzlement, misappropriation of public funds, theft of state secrets or other crimes shall be convicted and punished under the relevant provisions of this Law.

18.1 Intrusion

Intruder: An entity that gains or attempts to gain access to a system or system resource without having authorization to do so.
  - Access to and use of resources without permission.
  - Harmful intent, and the fact of the act.
  - A well-intentioned intrusion is still an intrusion.
  - A successful intrusion shows up as access to and use of unauthorized resources.
  - Resources: hardware, software, systems, files, bandwidth, and so on.
  - Obtaining a password is the most concentrated form of it.

Security incident statistics
  - Taken from CERT: /stats/cert_stats.html
  - Google the various "hacker alliances".
  - Security incident reporting sites: Microsoft Security Bulletins (/technet/security/); WooYun, a free, equal and open vulnerability reporting platform; the 看雪 (Pediy) security forum; WebSploit; OWASP.

Intruders
  - Distinguish hacker, cracker and intruder.
  - External intruders vs. internal attackers.
  - Malicious, benign, and well-meaning (but counterproductive) ones.
  - Masqueraders, misfeasors, clandestine users.
  - Hacker groups.
  - Security response organizations, such as CERT.

Prelude to an intrusion: scanning
  - Is a host (IP) present / powered on?
  - OS, ports, services, vulnerabilities.
  - Scanning tools: by hand, ping, Netcraft, nmap (/tools/1.html).

Netcraft, "What's that site running?" (two sample answers; the site names were not preserved):
  was running Microsoft-IIS on Windows Server 2003.
  was running Microsoft-IIS on Windows Server 2003.

Exercise: discover a network's topology (trace route).

server> nmap            (see /nmap/index.html)

    Nmap V. 3.00 Usage: nmap [Scan Type(s)] [Options] <host or net list>
    Some Common Scan Types ("*" options require root privileges)
    * -sS TCP SYN stealth port scan (default if privileged (root))
      -sT TCP connect() port scan (default for unprivileged users)
    * -sU UDP port scan
      -sP ping scan (Find any reachable machines)
    * -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
      -sR/-I RPC/Identd scan (use with other scan types)
    Some Common Options (none are required, most can be combined):
    * -O Use TCP/IP fingerprinting to guess remote operating system
      -p <range> ports to scan.  Example range: "1-1024,1080,6666,31337"
      -F Only scans ports listed in nmap-services
      -v Verbose. Its use is recommended.  Use twice for greater effect.
      -P0 Don't ping hosts (needed to scan  and others)
    * -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
      -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> General timing policy
      -n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]
      -oN/-oX/-oG <logfile> Output normal/XML/grepable scan logs to <logfile>
      -iL <inputfile> Get targets from file; Use "-" for stdin
    * -S <your_IP>/-e <devicename> Specify source address or network interface
      --interactive Go into interactive mode (then press h for help)
      --win_help Windows-specific features
    Example:  nmap -v -sS -O /16 "192.88-90.*.*"
    SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES

    C:\Programs\nmap-4.20>nmap.exe

    Starting Nmap 4.20 ( ) at 2007-10-06 10:04 中国标准时间
    Interesting ports on 50:
    Not shown: 1678 closed ports
    PORT     STATE    SERVICE
    80/tcp   open     http
    135/tcp  filtered msrpc
    136/tcp  filtered profile

Nmap: "Free Stealth Port Scanner For Network Exploration & Security Audits" (/nmap/). Command lines: see the slide notes. NMapWin: /projects/nmapwin

* Exercise with care: scanning is against the law.

D.o.S is an effective attack that is hard to prevent, but it is not like an intrusion.

Intrusion techniques
  - Obtaining passwords: dictionary attack plus exhaustive trial.
  - Exploiting vulnerabilities: using a vulnerability to obtain a password or to bypass the password protection; technical vulnerabilities and administrative ones.
  - Trojans and viruses (malicious code): remotely controllable; automatically carry out destructive actions.
  - Deception and social engineering.

Vulnerabilities (holes)
  - Operating systems: Windows, Linux/Unix.
  - Common software: server software such as sendmail and Apache; client software such as IE and Outlook; suites such as Office.
  - Sources: design and implementation; configuration and management; user factors.
  - Apply updates and patches promptly.

Example: the input-method (IME) hole on an unpatched Win2k, where you know none of its passwords
  - At the logon window press Ctrl+Space or Ctrl+Shift to activate an input method, for example Quanpin.
  - Open the input method's help window.
  - Right-click the button bar, choose "Jump to URL", enter e.g. "C:\", and the file and directory listing appears. Some operations are unavailable.
  - * Patch / update: partial; the logon window is now hidden behind it. Screenshot of the IME hole?

Example: the Unicode hole, Win2k IIS5 (unpatched). Patch.

Example: ipc$ intrusion
  - the vredir.vxd vulnerability of Win9x
  - the c$/d$/admin$ shares of Win2k
  - ports 138, 139, 445; 137, 138
  - C:\WINNT\system32\drivers\etc\services

Protocol-vulnerability attacks
  - FTP bounce (redirection) attack, on certain FTP servers:
        open ftpserver
        user ftp
        pass xxx
        port xxx,xxx,xxx,xxx,xx,xx
        retr doc
  - TCP/IP vulnerability attacks: Teardrop, Land. These exploited defects in particular implementations, not flaws in the design of the TCP/IP protocols.

18.2 Intrusion Detection

Technical means

  - Collect information: gateway, sniffer, OS logs / auditing.
  - Analyse and discover: anomalous phenomena and behaviour.
  - Respond and intervene: stop it in time / passively patch.
  - Rule definition and behaviour description: AAA; anomaly detection.
  - Host-based vs. network-based; firewall, IDS.
  - Intruder compared with an authorized user?

Collecting information: audit logs
  Windows: Event Viewer; IIS log; Local Security Policy -> Local Policies -> Audit Policy, etc.
  Linux:
    access-log     records HTTP/web transfers
    acct/pacct     records user commands
    aculog         records modem activity
    btmp           records failed login attempts
    lastlog        records the last few successful logins and the last failed login
    messages       information recorded from syslog (sometimes a link to the syslog file)
    sudolog        records commands issued through sudo
    sulog          records uses of the su command
    syslog         information recorded from syslog (usually a link to the messages file)
    utmp           records each user currently logged in
    wtmp           permanent record of every user's login and logout times
    xferlog        records FTP sessions
  Dedicated detection logs.

General content and format of an audit record
  Subject:          the actor: session, process, user, etc.
  Category/action:  read/write/execute, login/logout, I/O, network, etc.
  Object:           data files, system files, programs, databases, etc.
  Result:           the return value, especially failures or exceptions
  Resource use:     bytes read/written, bytes of network activity, etc.
  Time:             when it occurred and how long it lasted

AAA: Authentication, Authorization and Accounting
  /html.charters/aaa-charter.html, /html.charters/OLD/aaa-charter.html
  Requests for Comments:
    Accounting Attributes and Record Formats (RFC 2924)
    Introduction to Accounting Management (RFC 2975)
    Criteria for Evaluating AAA Protocols for Network Access (RFC 2989)
    Authentication, Authorization, and Accounting: Protocol Evaluation (RFC 3127)

Statistical anomaly detection (methods for analysing audit records)
  - Threshold detection: count the occurrences of particular events over a period of time.
  - Profile detection: detect significant deviations of a user's behaviour from the past.
  - Statistics: mean, standard deviation, variance; Markov process models, time-series models, operational models.
  - Requires no prior knowledge of security vulnerabilities.
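As an added illustration of threshold detection (this code is not from the lecture), the following C program counts failed logins per user inside a fixed time window and flags any user who exceeds a threshold. The record layout "<seconds> <user> <result>", the window length, the threshold and the sample records are all constructed for this example; a real source would be btmp or an auth log.

```c
/* Added example: threshold detection over audit records (not lecture code).
 * Record layout "<seconds> <user> <result>", WINDOW_SEC and THRESHOLD are assumptions. */
#include <stdio.h>
#include <string.h>

#define MAX_USERS  16
#define WINDOW_SEC 60   /* observation window, in seconds (assumed) */
#define THRESHOLD  3    /* more than this many failures in one window is anomalous */

/* Constructed sample records. */
static const char *const sample_log[] = {
    "0 alice FAIL",
    "10 alice OK",
    "15 bob FAIL",
    "20 bob FAIL",
    "25 bob FAIL",
    "30 bob FAIL",     /* 4th failure within 60 s: over the threshold */
    "100 carol FAIL",
    "170 carol FAIL",  /* carol's failures are 70 s apart: never more than 1 per window */
    "240 carol FAIL",
    "310 carol FAIL",
    NULL
};

struct user_state {
    char name[32];
    long window_start;  /* when the current window for this user began */
    int  failures;      /* failures seen in the current window */
    int  flagged;       /* already reported, so report only once */
};

/* Feed one record; returns 1 if it pushes the user over the threshold. */
static int observe(struct user_state *users, int *nusers,
                   long t, const char *name, const char *result)
{
    struct user_state *u = NULL;
    for (int i = 0; i < *nusers; i++)
        if (strcmp(users[i].name, name) == 0) { u = &users[i]; break; }
    if (u == NULL) {
        if (*nusers >= MAX_USERS) return 0;   /* table full: drop, never overflow it */
        u = &users[(*nusers)++];
        memset(u, 0, sizeof *u);
        strncpy(u->name, name, sizeof u->name - 1);
        u->window_start = t;
    }
    if (t - u->window_start >= WINDOW_SEC) {  /* window elapsed: start a fresh one */
        u->window_start = t;
        u->failures = 0;
    }
    if (strcmp(result, "FAIL") == 0 && ++u->failures > THRESHOLD && !u->flagged) {
        u->flagged = 1;
        return 1;
    }
    return 0;
}

/* Runs the detector over log; returns how many users were flagged and writes
 * their names, comma separated, into out (always NUL-terminated). */
int detect_failed_logins(const char *const *log, char *out, size_t outsz)
{
    struct user_state users[MAX_USERS];
    int nusers = 0, flagged = 0;
    if (outsz == 0) return 0;
    out[0] = '\0';
    for (int i = 0; log[i] != NULL; i++) {
        long t;
        char name[32], result[8];
        if (sscanf(log[i], "%ld %31s %7s", &t, name, result) != 3)
            continue;   /* malformed record: skip it rather than misparse it */
        if (observe(users, &nusers, t, name, result)) {
            if (flagged > 0) strncat(out, ",", outsz - strlen(out) - 1);
            strncat(out, name, outsz - strlen(out) - 1);
            flagged++;
        }
    }
    return flagged;
}

/* Wrappers over the constructed sample, used by main (and by a test). */
static char report[256];
int sample_flagged_count(void) { return detect_failed_logins(sample_log, report, sizeof report); }
const char *sample_flagged_names(void) { sample_flagged_count(); return report; }

int main(void)
{
    printf("%d user(s) over threshold: %s\n", sample_flagged_count(), sample_flagged_names());
    return 0;   /* prints: 1 user(s) over threshold: bob */
}
```

The window is restarted whenever WINDOW_SEC has elapsed since it began, so a user who fails once every 70 seconds is never flagged while four failures in 15 seconds are; a sliding window would be stricter, and the choice is a tuning decision of the threshold detector, not of the log format.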

Rule-based detection
  - Observe users' historical behaviour patterns, build a rule base, and characterize normal/abnormal behaviour.
  - Experts (or defected hackers) set up the rules, build an expert system, and perform penetration identification (masquerade detection).

Detecting via system calls
  - Events: system calls: Unix/Linux; DOS/Win32: int 21h / system DLLs.
  - Define and learn system call sequences, normal and abnormal.
  - Define rules / abstract into rules; pattern recognition and judgement; fuzzy matching.

    +-----------+-----------+-----+
    | Process 1 | Process 2 | ... |
    +-----------+-----------+-----+
    |        syscall table        |
    +-----------------------------+
    |        Linux Kernel         |
    +-----------------------------+
    |          Hardware           |
    +-----------------------------+

D.o.S: reading material, ddos.zip.

Distributed detection
  - Detection of large-scale phenomena: WAN, backbone operators and monitoring departments.
  - * Worm-outbreak early warning: the SQL worm; password worms.

Honeypot: lures intruders in and gathers information about the attacker.

Protecting system files from tampering and deletion
  - Win2k/XP: C:\WINNT\system32\dllcache
  - Linux: permissions and change records of the important system configuration files.

* Real-time alarms in a secure operating system (Liu Haifeng, Qing Sihan et al., Chinese Journal of Computers, 2003(03)). SecLinux is a secure OS produced by Beijing Zhongke Ansheng Information Technology Co., Ltd.

Optional reading 1: "Real-time alarms in a secure operating system"
  - * Using SecLinux.
  - Define audit events (audit points), mainly system calls, system commands and privileged commands, and the parameters of the audit events.
  - Define "normal" and "abnormal" sequences: sequences similar to the everyday ones are treated as normal, the rest as abnormal.
  - Build the normal database: collect and analyse normal event sequences; this is a learning process.
  - Real-time monitoring, analysis and alarms: K-step window matching.

Optional reading 2: "A new intrusion detection method based on rough set theory"
  - * Monitor abnormal behaviour of processes.
  - Matching method: rough set theory, a method for extracting regularities and rules from a sample space of data; data mining. http://www2.cs.uregina.ca/~roughset/ Google, Bingle.

Intrusion detection tool: Snort

An Open Source Network Intrusion Detection System. Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.

Using Snort
  - Download and install: source code, or binary executables (for Win32/Linux); WinPcap (a libpcap work-alike): http://winpcap.polito.it/
  - Documentation: command-line help (see the slide notes); the manual "SnortUsersManual.pdf".

Snort run modes
  Sniffer mode:                      snort -vde
  Packet logger mode:                snort -vde -l ./log
  Network intrusion detection mode:  snort -dev -l ./log -h /16 -c snort.conf

  (default configuration file: /etc/snort.conf)

Nimda
====
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .eml"; content:"|00|.|00|E|00|M|00|L"; flow:to_server,established; classtype:bad-unknown; reference:url,/v-descs/nimda.shtml; sid:1293; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .nws"; content:"|00|.|00|N|00|W|00|S"; flow:to_server,established; classtype:bad-unknown; reference:url,/v-descs/nimda.shtml; sid:1294; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda RICHED20.DLL"; content:"R|00|I|00|C|00|H|00|E|00|D|00|2|00|0"; flow:to_server,established; classtype:bad-unknown; reference:url,/v-descs/nimda.shtml; sid:1295; rev:6;)

NULL Session
====
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS NT NULL session"; flow:to_server,established; content:"|00 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 4E 00 54 00 20 00 31 00 33 00 38 00 31|"; reference:bugtraq,1163; reference:cve,CVE-2000-0347; reference:arachnids,204; classtype:attempted-recon; sid:530; rev:7;)

Snort rules: a rule consists of Action,

Protocol, IP, Port, Direction, Options (plus var and include directives).

    alert icmp any any -> 51 any
    alert udp any any -> 51 any
    alert tcp any any -> 51 any (flags:S;)
    ...

Rules directory: signatures of known attacks (see the slide notes): /rules/

Snort exercise
  - Install, configure and try it out; explain the main steps.
  - Exercise: set suitable rules:
    - log (alert on) the UDP packets entering and leaving this host, except DNS;
    - log (alert on, block) TCP connection sessions from outside to this host, i.e. connections initiated from outside to this host: not just the connection request, the whole session is to be logged (is this feasible? give your answer);
    - enable flexresp (flexible response);
    - pick a rule from the Rules directory that fits your situation and test it.
  - Reference: SnortUsersManual.pdf
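As an added example (neither Snort's code nor the lecture's), here is a small parser for the content: notation used in the rules above, where plain text is literal and |..| encloses hex bytes, together with a search for the resulting byte pattern in a constructed payload. The payload and the function names are assumptions of this example; it shows why the Nimda ".eml" rule is written with interleaved |00| bytes: the file name travels as UTF-16LE.

```c
/* Added example (not Snort's code): parse Snort content: notation and search a payload. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Turn a content string such as "|00|.|00|E|00|M|00|L" into bytes: text outside
 * |..| is literal, inside it is hex (spaces allowed). Returns the pattern length,
 * or -1 if the spec is malformed (odd hex digit, unterminated |) or too long. */
int parse_content(const char *spec, unsigned char *out, size_t outsz)
{
    size_t n = 0;
    int in_hex = 0;
    for (const char *p = spec; *p != '\0'; p++) {
        if (*p == '|') { in_hex = !in_hex; continue; }
        if (in_hex && isspace((unsigned char)*p)) continue;
        if (n >= outsz) return -1;
        if (!in_hex) { out[n++] = (unsigned char)*p; continue; }
        if (!isxdigit((unsigned char)p[0]) || !isxdigit((unsigned char)p[1])) return -1;
        char hex[3] = { p[0], p[1], '\0' };
        out[n++] = (unsigned char)strtoul(hex, NULL, 16);
        p++;                       /* two digits consumed */
    }
    return in_hex ? -1 : (int)n;
}

/* Offset of the first occurrence of pat in buf, or -1 when absent. */
int find_pattern(const unsigned char *buf, size_t buflen,
                 const unsigned char *pat, size_t patlen)
{
    if (patlen == 0 || patlen > buflen) return -1;
    for (size_t i = 0; i + patlen <= buflen; i++)
        if (memcmp(buf + i, pat, patlen) == 0) return (int)i;
    return -1;
}

/* Constructed payload: the file name "readme.EML" as SMB carries it, UTF-16LE,
 * i.e. every ASCII byte followed by 00. That is why the rule spells .EML with |00|. */
static const unsigned char sample_payload[] = {
    'r',0,'e',0,'a',0,'d',0,'m',0,'e',0,'.',0,'E',0,'M',0,'L',0
};

/* Match one rule's content option against the sample payload: offset or -1. */
int match_rule_content(const char *content)
{
    unsigned char pat[64];
    int len = parse_content(content, pat, sizeof pat);
    if (len < 0) return -1;
    return find_pattern(sample_payload, sizeof sample_payload, pat, (size_t)len);
}

/* Pattern length only, for callers that just want to validate a spec. */
int parse_len(const char *spec)
{
    unsigned char tmp[64];
    return parse_content(spec, tmp, sizeof tmp);
}

int main(void)
{
    printf("nimda .eml at %d\n", match_rule_content("|00|.|00|E|00|M|00|L"));  /* 11 */
    printf("nimda .nws at %d\n", match_rule_content("|00|.|00|N|00|W|00|S"));  /* -1 */
    printf("NULL session pattern: %d bytes\n",
           parse_len("|00 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 4E 00 54 00 20 00 31 00 33 00 38 00 31|"));  /* 33 */
    return 0;
}
```

A malformed content string is rejected rather than matched on a best-effort prefix, which is the behaviour you want in a detector: a rule that silently matches less than it claims is a rule that silently misses traffic.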

Commercial IDS
  CyberCop Monitor, NAI
  Dragon Sensor, Enterasys
  eTrust ID, CA
  NetProwler, Symantec
  NetRanger, Cisco
  NID-100/200, NFR Security
  RealSecure, ISS
  SecureNet Pro, I

Research
  - Retaliation; neural networks; data mining.
  - Products; detection algorithms; correlation; gigabit-network IDS.
  - IDS FAQ: /pubs/; Focus-IDS mailing list: /archive/96
  - Yawl, OldHand, Sinbad: /doc.html?board=IDS
  - Other IDS, commercial IDS, research materials: in the slide notes.

Linux security modules
  - Format; compile, install, unload:
        gcc -c hello.c
        insmod hello.o
        rmmod hello
  - Vulnerabilities exhibited by modules, and their use for administration.
  - Secure operating systems: Linux; the Linux kernel; Linux Loadable Kernel Modules.
  - Compile and install this module, observe its behaviour and results, and analyse the uses of this mechanism for security and for intrusion.
  - Linux sites; the Free Software Movement; Google!

18.3 Password Management

Passwords are the focus of security and the main target of network attack and defence. The password is the first link in the security chain, and its strength depends far too much on the user's competence and diligence, so it is often the weakest link. For password security the best approach seems to be to avoid passwords altogether and replace them with physical or biometric devices.

Account and password mechanisms
  - Account ID (username/account + password); groups; root/administrator, guest; other default accounts and default passwords.
  - ACL (Access Control List): a table of (user, operation) with read, write, exec.
  - Authentication: challenge-response mechanisms; biometric identification.

    // gcc a.c -lcrypt
    #define _XOPEN_SOURCE
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <crypt.h>     /* crypt() prototype on current glibc/libxcrypt */

    int main(int argc, char **argv)
    {
        if (argc != 3)                 /* usage: a.out <password> <salt> */
            exit(0);
        printf("%s\n", crypt(argv[1], argv[2]));
        return 0;
    }

Password protection
  - /etc/passwd; encryption with the crypt() function:
        #define _XOPEN_SOURCE
        #include <unistd.h>
        char *crypt(const char *key, const char *salt);
  - Password space: 128 - 32 - '7f' = 95 usable characters, so 95^n for length n.
  - Salt: two characters, each from [a-zA-Z0-9./], i.e. 4096 different values; defeats precomputed values in dictionary attacks.

UNIX password scheme: encrypt; verify (figure).

Password crackers: attacking passwords
  - Dictionary-based attacks: build a dictionary and combinations of it.
  - Brute force.
  - Sniffer.
  - John the Ripper password cracker: "Its primary purpose is to detect weak Unix passwords."
  - L0phtCrack: a Windows password-auditing tool.
  - zip, pdf and MS Office document password crackers (Advanced ZIP Password Recovery on a PIII 933): a 6-character password over a-z,0-9 takes only a few (6) minutes to exhaust; 8 characters take a few (5) days; 10 characters over a year.
  - Special-purpose acceleration hardware designs.

Zip cracker sample? Advanced ZIP Password Recovery statistics:
    Encrypted ZIP-file: sdjfks.zip
    Total passwords: 2,091,362,752
    Total time: 6m 58s 725ms
    Average speed (passwords/s): 4,994,597
    Password for this file: 7uee23
    Password in HEX: 37 75 65 65 32 33

Passwords Cracked (25% of 13797): .au/security/, .au/security/passwd.htm

Choosing good passwords
  - Long enough, i.e. the password space is large enough: 128 - 32 - '7f' = 95 usable characters (at most).
  - Chosen at random from that space: do not choose easy-to-remember passwords.
  - Memorized: not written on paper and stuck to the side of the monitor.
  - Changed frequently.
  - Not the same password for several accounts.
  - Use small tools for password generation and checking.

IC tokens
  - Contact / contactless IC cards; smart cards: 85.60 mm x 53.98 mm x 0.80 mm; the printed circuit conforms to ISO standard 7816/3; circuit chip, five point, ROM, RAM, EEPROM. "The printed circuit protects the circuit chip from mechanical stress and static electricity."
  - Java Card.
  - iKey USB token, Authentication Key: "The USB Smart key, also known as a key-shaped Token, contains a cryptographic chip for securely storing a user's personal ID." /ikey/

URLs
  - HOWTO: Choose a good password: http://www.head-start.lane.or.us/administration/technology/HOWTO/
  - Linux Security Documentation: /docs/
  - Unix System Administration, Chapter 28 System Security: http://wks.uts.ohio-/sysadm_course/
  - Unix Security Page: /unix/
  - /morris79password.html

Firewalls
  - Location: the network's entry/exit point.
  - What is examined: packets / connections / sessions.
  - Purpose: filtering, proxying.
  - Mechanism: inspect packet contents (control/data) and session semantics.
  - Products: hardware and software; commercial and personal; paid and free.
  - Development techniques: router, capture, NDIS.
  - * "Virus firewalls".

Evaluation of computer security systems: Security Evaluation Criteria

  - NSA/NCSC: TCSEC (the "rainbow" series): /tpep/
  - ITSEC, Information Technology Security Evaluation Criteria: .uk/
  - CC, Common Criteria: JTC1/SC27/WG3/
  - "Classified Criteria for Security Protection of Computer Information Systems" (China)
  - Dictionary: //dictionary/dictionary.htm
  - /orange/: the US Trusted Computer System Evaluation Criteria (TCSEC; commonly called the "Orange Book")

NCSC/TCSEC: NATIONAL COMPUTER SECURITY CENTER, Trusted Computer System Evaluation Criteria
  Classes: D, C1, C2 (NT, Linux), B1, B2, B3, A1

18.a Code security

Secure program: capable of performing its task withstanding any attempts to subvert it.
  - No vulnerabilities.
  - Not harmed by viruses.
  - Copes with rough handling by users.
  - Copes with unexpected input.

Specific problems: secure code; copyright and cracking analysis; binary code analysis.

Example: buffer overflow errors
  -> Memo: install a decent source file viewer, such as EditPlus. Assembly in VC.

Basic sample: buffer overflow

    #include <stdio.h>

    int myf(int a, int b)
    {
        char buf[8];
        puts("any str?");
        gets(buf);          /* unbounded read into an 8-byte buffer: the flaw under study */
        …
        return 0;
    }

    int main(void)
    {
        myf(0x11223344, 0xaabbccdd);
        return 0;
    }

Demo (in the VC environment, VS.NET): C / ASM / code bytes.
  - Basics: parameters and the stack; how a function call happens and returns.
  - A careless gets() corrupts the data on the stack.
  - The corresponding assembly code?

    myf(0x11223344, 0xaabbccdd);
    00411EDE  push  0AABBCCDDh
    00411EE3  push  11223344h
    00411EE8  call  @ILT+1305(_myf) (41151Eh)
    00411EED  add   esp,8          ; after the call, execution returns to this address

0xaabbccdd);00411EDE00411EE300411EE8pushpushcall0AABBCCDDh11223344h@ILT+1305(_myf)(41151Eh)esp,800411EED

add調(diào)用函數(shù)后將返回此地址執(zhí)行到puts()時(shí)的堆棧狀況cc

cc

cc

cc

ìììcc

cc

cc

cc

ìììcc

cc

cc

cc

ìììcc

cc

cc

cc

ììì0x0012FDEC0x0012FDF0ì0x0012FDF4ì0x0012FDF8ì0x0012FDFCì0x0012FE000x0012FE040x0012FE08dc

fe

12

00ed

1e

41

0044

33

22

11üt..í.A.D3".m?yf(0x11223344,

0xaabbccdd);char

buf[8];Debug隔離帶ebpreturn

address參數(shù)1參數(shù)2輸入16個(gè)字符,導(dǎo)致堆棧錯(cuò)誤0x0012FDF0ccccccccìììì0x0012FDF4

61

61

61

6161

61

61

61aaaa0x0012FDF8aaaa0x0012FDFC

61616161aaaa0x0012FE0061616161aaaa0x0012FE0461616161aaaa0x0012FE0800332211.3".0x0012FE0CddccbbaaYì?abuf本來(lái)8個(gè)字節(jié),給予20(+1)各字

符導(dǎo)致其覆蓋了其后的13個(gè)字節(jié),因此返回地址被竄改返回地址

(尾0)參數(shù)1參數(shù)2溢出會(huì)導(dǎo)致:變量/數(shù)據(jù)被竄改(非期望的)影響原來(lái)的設(shè)計(jì)功能函數(shù)返回地址被竄改返回另外一個(gè)地址而那個(gè)地址已經(jīng)被事先放好了準(zhǔn)備好的代碼*閱讀材料利用BoF?main(){char

    /* Intended behaviour: do some work after the correct password is entered
       (otherwise keep asking). gets() is the flaw being demonstrated. */
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int main(void)
    {
        char passwd[8] = {"2e4rfe"};
        char yourpasswd[8] = {""};
    again:
        puts("please input passwd?");
        gets(yourpasswd);                    /* unbounded read into an 8-byte buffer */
        if (strcmp(yourpasswd, passwd) == 0)
            goto ok;
        puts("passwd error");
        goto again;
        exit(-2);                            /* never reached */
    ok:
        puts("correct!");
        // do work you want
        return 0;
    }

The program's designed function: after the correct password is entered, do some piece of work (otherwise keep asking for the password).

Demo: entering a carefully planned string disrupts the intended execution logic and thereby bypasses the password. (Slide captions: Ready? ! Try: Ha ha! Pass!)

Unsafe functions: gets(),

scanf(), memcpy(), strcpy(), etc.

Compiler warning:
    sc_passwd\source1.cpp(12): warning C4996: 'gets': This function or variable may be unsafe. Consider using gets_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details.
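The bounded replacement the compiler warning is asking for, as an added example rather than the lecture's code: read_line_cb() stores at most dstsz-1 characters, drains the rest of an over-long line instead of leaving it for the next read, and reports that the input was cut; check_password() then refuses a truncated line instead of comparing a prefix. The getc-style callback (so that both a FILE* and an in-memory string can feed it), the canary field placed after the buffer, and the helper names are assumptions of this example.

```c
/* Added example (not lecture code): a bounded replacement for gets() and a
 * hardened version of the lecture's password check built on it. The callback
 * design, the canary field and the helper names are assumptions. */
#include <stdio.h>
#include <string.h>

enum { LINE_OK = 0, LINE_TRUNCATED = 1, LINE_EOF = 2 };

typedef int (*getc_fn)(void *ctx);   /* returns the next byte, or EOF */

/* Read one line into dst (at most dstsz-1 characters plus NUL). Characters that
 * do not fit are consumed and dropped, and the caller is told the line was cut
 * instead of silently receiving a prefix. */
int read_line_cb(getc_fn next, void *ctx, char *dst, size_t dstsz)
{
    size_t n = 0;
    int c, truncated = 0;
    if (dstsz == 0) return LINE_EOF;
    while ((c = next(ctx)) != EOF && c != '\n') {
        if (n + 1 < dstsz) dst[n++] = (char)c;
        else truncated = 1;              /* keep draining, never store past the bound */
    }
    dst[n] = '\0';
    if (c == EOF && n == 0 && !truncated) return LINE_EOF;
    return truncated ? LINE_TRUNCATED : LINE_OK;
}

/* Byte sources: a FILE* (for real use) and an in-memory string (for the demo). */
static int file_getc(void *ctx) { return fgetc((FILE *)ctx); }
struct strsrc { const char *s; size_t pos; };
static int str_getc(void *ctx)
{
    struct strsrc *ss = (struct strsrc *)ctx;
    return ss->s[ss->pos] ? (unsigned char)ss->s[ss->pos++] : EOF;
}

/* Same layout idea as the vulnerable program: an 8-byte input buffer with
 * something important right after it. The canary stands in for the saved ebp
 * and return address of the stack dump above. */
struct login_frame {
    char yourpasswd[8];
    char canary[8];
};

/* Returns 1 for the right password, 0 for a wrong one, -1 when the line was too
 * long (rejected without comparing). *canary_intact reports whether the bytes
 * after the buffer survived; with the bounded read they always do. */
int check_password(getc_fn next, void *ctx, int *canary_intact)
{
    struct login_frame f;
    const char passwd[8] = "2e4rfe";
    memcpy(f.canary, "CANARY!", sizeof f.canary);
    int st = read_line_cb(next, ctx, f.yourpasswd, sizeof f.yourpasswd);
    *canary_intact = (memcmp(f.canary, "CANARY!", sizeof f.canary) == 0);
    if (st == LINE_TRUNCATED) return -1;
    return strcmp(f.yourpasswd, passwd) == 0 ? 1 : 0;
}

/* Convenience wrappers that feed a string as the input (used by main and a test). */
int check_password_str(const char *input)
{
    struct strsrc src = { input, 0 };
    int canary;
    return check_password(str_getc, &src, &canary);
}
int canary_survived(const char *input)
{
    struct strsrc src = { input, 0 };
    int canary = 0;
    check_password(str_getc, &src, &canary);
    return canary;
}
int check_password_stdin(int *canary_intact)   /* the interactive form */
{
    return check_password(file_getc, stdin, canary_intact);
}

int main(void)
{
    const char *inputs[] = { "2e4rfe\n", "wrong\n", "aaaaaaaaaaaaaaaaaaaa\n" };
    for (int i = 0; i < 3; i++)
        printf("%-24s -> result %2d, canary intact %d\n",
               inputs[i], check_password_str(inputs[i]), canary_survived(inputs[i]));
    return 0;   /* results 1, 0, -1; canary intact 1 in every case */
}
```

The 20-character line that rewrote the return address in the dump above now yields -1 with the canary untouched, and the over-long remainder is consumed so that it cannot be replayed as the "next" password attempt.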

Buffer overflows in the heap: todo.

    >openssl md5 sc_6th.exe
    MD5(sc_6th.exe)= 42468b940f715b4adc22647f4c6c49f5

Exercise: analyse sc_6th.exe and bypass its password protection.
  - sc_6th.exe needs the VC7 runtime library.
  - The program is very small, because apart from asking for a password it does nothing; it performs no harmful operations.
  - Sc_6th.zip contains the corresponding source; the protecting password can be obtained by analysing sc_6th.exe.

Using the stack to execute code
  - The SQL worm: 376 (?) bytes, a complete UDP packet? How it overflows; how it executes code; partial analysis: /cgi-bin/bbs/bbs0an?path=%2Fgroups%2Fcomp%2Efaq%2FVirus
  - Exploit example: a buffer overflow that leads to stack data being executed; MS08-067 demo.

NX (/wiki/NX%E4%BD%8D%E5%85%83)

NX, in full "No eXecute", is a CPU technology used to separate memory regions into those that hold only processor instructions and those that hold only data. Memory marked with NX is for data only, so processor instructions cannot be placed in those regions. This technique prevents most buffer overflow attacks (where a malicious program puts its own malicious instructions into another program's data area and runs them, thereby taking control of the whole computer).

Background: similar technology had already been used on SPARC, DEC Alpha, IBM's PowerPC and even Intel's IA-64 Itanium, but the name "NX" was first used on AMD's Athlon 64, Opteron and other AMD64 processors and became the generic term for these techniques. In x86 page table entries the NX bit is at position 63 (counting from 0), i.e. the last of the 64 bits; if the NX bit is 0 (off), instructions in the page can run normally, but if it is 1 (on) the instructions in the page cannot be run and everything in it is treated as data. The page tables must be in PAE format rather than the traditional x86 format. In 2001 Intel added this technique to its own Itanium processor but not to the Pentium, Celeron, Xeon and other x86 processors. After AMD applied NX to AMD64, Intel added a similar technique to the Prescott version of the Pentium 4 and brought it to market under the name "XD" (eXecute Disable). Functionally AMD's "NX" and Intel's "XD" are identical; only the names differ.

DEP: NX

"No eXecute", the protection mechanism on Windows. Linux?

ASLR (/wiki/Address_space_layout_randomization): Address space layout randomization (ASLR) is a computer security technique which involves randomly arranging the positions of key data areas, usually including the base of the executable and position of libraries, heap, and stack, in a process's address space.

Code security: do not assume
  - Do not trust user input: gets, scanf; the IIS request /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
  - Do not assume users operate in the correct order you imagine: the input-method hole.
  - Do not assume your binary code will not be analysed: vredir.vxd, RC4 code analysis; cracking of serial numbers and activation keys.

Links
  - How to Write Secure Code
  - The Shmoo Group, How to Write Secure Code: /securecode/
  - Secure UNIX Programming FAQ: /sup/
  - Secure Programming for Linux and Unix HOWTO: /secure-programs/
  - "Writing Secure Code": /mspress/books/5612.asp, /china/msdn/catalog/securit
  - How To Write Unmaintainable Code: /unmain.html

18.b

關(guān)于反盜版、反破解、反跟蹤安裝序列號(hào)用戶(hù)、授權(quán)運(yùn)行口令仿exe壓縮工具upxKey軟盤(pán)或需光盤(pán)專(zhuān)門(mén)的硬件卡watchdog//本程序目的:演示了一個(gè)必須輸入一個(gè)有效的key//

才能繼續(xù)執(zhí)行的簡(jiǎn)單例子。////本程序功能:如果你輸入一個(gè)有效的key,//

它就告訴你一個(gè)下次彩票開(kāi)獎(jiǎng)號(hào)碼。////

by

Linden

13:50

2003-4-26//int

do_you_have_key(){int

k;puts("input

key

number:");

//

82954,100371,...scanf("%d",

&k);if

((k>65537)

&&

(k%65537==17417))

//

prime[2003]return

1;elsereturn

0;}main(){if

(!do_you_have_key()){puts("invalid

key");exit(-2);}//do

calc

workputs("下次彩票號(hào)碼是:3,7,11,12,13,19,28");return

0;}破解舉例int

    #include <stdlib.h>

    int do_you_have_key(void)
    {
        // input key or serial number
        return 0;
    }

    int main(void)
    {
        if (!do_you_have_key())
            exit(-2);
        // do my work
        return 0;
    }

asm and code bytes (1)

    11:   int do_you_have_key()
    12:   {
    00401000  51                 push  ecx
    13:       int k;
    14:       puts("input key number:");   // 82954,100371,...
    00401001  68 00 71 40 00     push  offset string "input key number:" (407100h)
    00401006  E8 8C 00 00 00     call  puts (401097h)
    15:       scanf("%d", &k);
    0040100B  8D 44 24 04        lea   eax,[esp+4]
    0040100F  50                 push  eax
    00401010  68 FC 70 40 00     push  offset string "%d" (4070FCh)
    00401015  E8 66 00 00 00     call  scanf (401080h)
    16:       if ((k>65537) && (k%65537==17417))   // prime[2003]
    0040101A  8B 44 24 0C        mov   eax,dword ptr [esp+0Ch]
    0040101E  83 C4 0C           add   esp,0Ch
    00401021  3D 01 00 01 00     cmp   eax,10001h
    00401026  7E 17              jle   do_you_have_key+3Fh (40103Fh)
    00401028  99                 cdq
    00401029  B9 01 00 01 00     mov   ecx,10001h
    0040102E  F7 F9              idiv  eax,ecx
    00401030  81 FA 09 44 00 00  cmp   edx,4409h
    00401036  75 07              jne   do_you_have_key+3Fh (40103Fh)
    17:           return 1;
    00401038  B8 01 00 00 00     mov   eax,1
    20:   }
    0040103D  59                 pop   ecx
    0040103E  C3                 ret
    18:       else
    19:           return 0;
    0040103F  33 C0              xor   eax,eax
    20:   }
    00401041  59                 pop   ecx
    00401042  C3                 ret

asm and code bytes (2)

    22:   main()
    23:   {
    24:       if (!do_you_have_key())
    00401050  E8 AB FF FF FF     call  do_you_have_key (401000h)
    00401055  85 C0              test  eax,eax
    00401057  75 14              jne   main+1Dh (40106Dh)
    25:       {
    26:           puts("invalid key");
    00401059  68 38 71 40 00     push  offset string "invalid key" (407138h)
    0040105E  E8 34 00 00 00     call  puts (401097h)
    27:           exit(-2);
    00401063  6A FE              push  0FFFFFFFEh
    00401065  E8 EB 01 00 00     call  exit (401255h)
    0040106A  83 C4 08           add   esp,8
    28:       }
    29:       // do calc work
    30:       puts("下次彩票号码是:3,7,11,12,13,19,28");
    0040106D  68 14 71 40 00     push  offset string "…" (407114h)
    00401072  E8 20 00 00 00     call  puts (401097h)
    00401077  83 C4 04           add   esp,4
    31:       return 0;
    0040107A  33 C0              xor   eax,eax
    32:   }
    0040107C  C3                 ret

Cracker's approaches
  - Change the conditional jump: jne

    -> je: the bytes 75 14 68 38 become 74 14 68 38.
  - Replace the call with mov eax, 0x???????? / mov eax, 1: the bytes E8 AB FF FF FF 85 C0 become B8 01 00 00 00 ...
  - asm { mov eax, 0x??  nop  int 0x21  … … }
  - 74/75 example: NetSuper

    21>fc /b NetSuper.exe NetSuper破解版.exe
    正在比较文件 NetSuper.exe 和 NETSUPER破解版.EXE
    00003503: 74 75
    000038E8: 74 75
    00007C12: 75
