Heap overflow attacks


Question

How are heap overflow attacks done?

In the case of stack overflow attacks, the attacker replaces the function return address with his own address.

How is this done in heap overflow attacks? Also, is it possible to run code from the heap?

Answer

Note that this varies by platform, and my example is overly simplified. It basically comes down to heap managers having linked lists that can be overrun, and you can use the linked list pointers to overwrite arbitrary parts of the process's memory.

Imagine I have a naive heap implementation whose control blocks look like this:

struct HeapBlockHeader
{
    HeapBlockHeader* next;
    HeapBlockHeader* prev;
    int size;

    // Actual heap buffer follows this structure.
};

When a heap block gets freed, this control block goes back into a list of freed blocks by modifying the next/prev pointers. If I overrun a heap buffer, I can overwrite the pointers in the next control block with data I control. Suppose I override these links to point to a pointer to code (probably just in the buffer I overran) and to the return address of the function on the stack. When the heap manager tries to link the block back into the freed list, it will actually overwrite the return address on the stack with a pointer to code I control.

This article has a nice overview of heap overflow attacks: http://www.h-online.com/security/features/A-Heap-of-Risk-747161.html

This article describes some of the hardening that went into Vista's heap manager to prevent this sort of attack: http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Marinescu.pdf

Edit: On the possibility of running code from the heap, yes, it's possible. Many platforms now make heap memory non-executable by default, which raises the barrier to getting arbitrary code to run. However, you can still do a "jump to libc" style attack - overwrite the return address with that of a known function which will be executable.
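As an added illustration of the defensive side of what the answer describes (this is example code written for this page, not code from the original answer): a toy free list using the same HeapBlockHeader layout, where unlink verifies that a block's neighbours still point back at it before following its links, so an overwritten header fails closed instead of producing the two pointer writes the answer relies on. The list, the decoy block and the two scenario functions are constructed for this example and assumed, not part of any real allocator.

```c
#include <stdbool.h>
#include <stddef.h>

/* Free-list header in the shape of the answer's HeapBlockHeader. */
typedef struct HeapBlockHeader {
    struct HeapBlockHeader *next;
    struct HeapBlockHeader *prev;
    int size;   /* the heap buffer would follow this header */
} HeapBlockHeader;

/* Circular doubly-linked free list with a sentinel head (constructed). */
static void freelist_init(HeapBlockHeader *h) { h->next = h->prev = h; }

static void freelist_push(HeapBlockHeader *head, HeapBlockHeader *b) {
    b->next = head->next;
    b->prev = head;
    head->next->prev = b;
    head->next = b;
}

/* Safe unlink: a naive unlink does b->prev->next = b->next and
 * b->next->prev = b->prev unconditionally, which is the pair of
 * attacker-influenced writes the answer describes. Checking that both
 * neighbours still point back at b rejects a corrupted header first. */
static bool freelist_unlink_checked(HeapBlockHeader *b) {
    if (b->next == NULL || b->prev == NULL ||
        b->next->prev != b || b->prev->next != b)
        return false;               /* corrupted double-linked list: refuse */
    b->prev->next = b->next;
    b->next->prev = b->prev;
    b->next = b->prev = NULL;
    return true;
}

/* Constructed scenario 1: intact list; unlinking b leaves only a. */
static bool scenario_intact(void) {
    HeapBlockHeader head, a, b;
    freelist_init(&head);
    freelist_push(&head, &a);
    freelist_push(&head, &b);
    return freelist_unlink_checked(&b) && head.next == &a && a.prev == &head;
}

/* Constructed scenario 2: an overrun replaced b's next link with a decoy. */
static bool scenario_corrupted(void) {
    HeapBlockHeader head, a, b, decoy = { NULL, NULL, 0 };
    freelist_init(&head);
    freelist_push(&head, &a);
    freelist_push(&head, &b);
    b.next = &decoy;                      /* simulated header corruption */
    return freelist_unlink_checked(&b);   /* false: rejected, nothing written */
}
```

glibc's "corrupted double-linked list" abort and the safe-unlinking checks in the Vista heap paper linked above are production versions of the same idea.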
