缓冲区溢出攻击的格式 [英] Buffer overflow attack format
问题描述
通常我们都看到里面有基本的缓冲区溢出格式: - NOP指令壳+ code + return_address
Usually we all see the basic buffer overflow format which has :-
NOPs + shellcode + return_address
为什么不我们使用, NOP指令+ return_address +外壳code?,我们做的返回地址指向外壳code的开始?
Why dont we use,
NOPs + return_address + shellcode? where we make the return address point to the start of the shellcode?
即时猜测,这是因为我们可能会想,如果该漏洞是在主写的堆栈段以外的数据()。我对吗?如果我是唯一的原因?
Im guessing that this is because we might be trying to write data outside the stack segment if the vulnerability is in the main(). Am I right? If I am, is that the only reason?
哦,是的,我不是指其他类型的攻击,它们使用的返程libc的,ptrace的等;我只是想知道为什么最基本的缓冲区溢出攻击演示了第一种方式,而不是第二个无处不在。
Oh, and yes I am not referring to other kinds of attacks which use return-to-libc, ptrace etc. ; I just wish to know why the most basic buffer overflow attack is demonstrated in the first way and not the second everywhere.
推荐答案
返回地址可以在壳code + NOP雪橇之前或之后到来。例如,如果你正在写一个变量关闭,你可能需要写堆栈顶部的 NOP橇+外壳code 过去的返回地址(EIP),因为可能没有足够的空间。
The return address can come before the shellcode+nop sled or after. For instance if you are writing to a variable close the top of the stack you might have to write your nop sled+shell code past the Return address (EIP) because there might not be enough room.
不过,NOP雪橇将永远是旁边的壳code。究其原因,就是因为你用NOP雪橇让你的shell code的目标尽可能大。如果您的EIP指向从shell code + = 100字节,那么你需要使用超过100个字节的NOP雪橇保证你会打你的目标。因此, NOP指令+ return_address +外壳code 是无效的。一个常见的攻击字符串将是这样的:
However, the NOP sled will always be next to the shell code. The reason why is because you use a nop sled to make the target of your shell code as much large as possible. If your EIP is pointing +=100 bytes from your shell code then you need to use a nop sled of more than 100 bytes to guarantee you'll hit your target. Thus NOPs + return_address + shellcode is invalid. A common exploit string will look like this:
JUNK + return_address + NOP指令壳+ code
当然还有返回到libc的式的进攻不需要壳code或NOP雪橇。
And of course a "return-to-libc" style attack doesn't require shellcode or a nop sled.
这个简单的基于堆栈的缓冲区溢出攻击将不是一个现代的系统上运行。 Alpeh-One的砸堆栈的乐趣和利润不再起作用,因为NX区,栈金丝雀,和ASLR,所有这一切都是在默认情况下Windows和Linux的。
This simplistic stack-based buffer overflow exploit will not work on a modern system. Alpeh-One's Smashing The Stack For Fun and Profit no longer works because of NX zones, stack canaries, and ASLR, all of which are default on Windows and Linux.
您应该拿起的副本:
这篇关于缓冲区溢出攻击的格式的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
