Heap overflow exploit


Question

I understand that overflow exploitation requires three steps:

1. Injecting arbitrary code (shellcode) into the target process's memory space.

2. Controlling eip.

3. Setting eip to execute the arbitrary code.

I read Ben Hawkes's articles about heap exploitation and understood a few tactics about how to ultimately override a function pointer to point to my code.

In other words, I understand step 2.

I do not understand steps 1 and 3.

  1. How do I inject my code into the process memory space?

  2. During step 3 I override a function pointer with a pointer to my shellcode. How can I calculate/know what address my injected code was injected into? (This problem is solved on Stack Overflow by using "jmp esp".)

Answer

In a heap overflow, supposing that the system does not have ASLR activated, you will know the address of the memory chunks (a.k.a. the buffers) you use in the overflow.

One option is to place the shellcode where the buffer is, given that you can control the contents of the buffer (as the application user). Once you have placed the shellcode bytes in the buffer, you only have to jump to that buffer address.

One way to perform that jump is, for example, by overwriting a .dtors entry. Once the vulnerable program finishes, the shellcode - placed in the buffer - will be executed. The complicated part is the .dtors overwriting. For that you will have to use the published heap exploitation techniques.

The prerequisites are that ASLR is deactivated (to know the address of the buffer before executing the vulnerable program) and that the memory region where the buffer is placed must be executable.

One more thing: steps 2 and 3 are the same. If you control eip, it's logical that you will point it to the shellcode (the arbitrary code).

P.S.: Bypassing ASLR is more complex.
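As an added illustration that is not part of the answer above, here is a small Linux program that checks, on the host it runs on, the two prerequisites the answer names: whether ASLR is disabled (read from /proc/sys/kernel/randomize_va_space) and whether the process's [heap] mapping is executable (read from /proc/self/maps). It is a defensive configuration check in the spirit of checksec; the maps-line parser `maps_line_is_exec` and the other function names are written here for this example.

```c
/* Added example (not the answer's code): check, on a Linux host, the ASLR state
 * and heap executability the answer names as prerequisites. Defensive check only. */
#include <stdio.h>
#include <string.h>

/* Parse one /proc/<pid>/maps line "start-end perms offset dev inode path";
 * return 1 if the pathname equals `name` and the mapping is executable. */
int maps_line_is_exec(const char *line, const char *name)
{
    unsigned long lo, hi;
    char perms[8] = "", path[256] = "";
    int n = sscanf(line, "%lx-%lx %7s %*s %*s %*s %255s", &lo, &hi, perms, path);
    if (n < 3 || strlen(perms) < 4 || strcmp(path, name) != 0)
        return 0;                  /* malformed line or a different mapping */
    return perms[2] == 'x';        /* perms looks like "rw-p" or "rwxp" */
}

/* 1 if this process's [heap] mapping is executable, 0 if not,
 * -1 if /proc/self/maps is unavailable (non-Linux host). */
int heap_is_executable(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512]; int exec = 0;
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f))
        if (maps_line_is_exec(line, "[heap]"))
            exec = 1;
    fclose(f);
    return exec;
}

/* Kernel randomize_va_space level: 0 = ASLR off, 1 or 2 = on; -1 if unknown. */
int aslr_level(void)
{
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    int level = -1;
    if (f) {
        if (fscanf(f, "%d", &level) != 1)
            level = -1;
        fclose(f);
    }
    return level;
}

int main(void)
{
    printf("ASLR level: %d\nheap executable: %d\n", aslr_level(), heap_is_executable());
    return 0;
}
```

On a normally hardened Linux host the program reports ASLR level 2 and heap executable 0, i.e. neither prerequisite from the answer holds.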
