A buffer overflow attack on Windows results in access violation


Question

I just started looking into how buffer overflow attacks work, and tried simulating an attack on Windows 7 using Visual C 2010. The buffer overflow attack is very contrived: it just overwrites the return address with the address of the "buffer" local variable. The buffer holds the string of shellcode.

Whether I run the program in Visual Studio 2010 Debug or not, the program jumps to the shellcode and almost begins executing it, but I get an Access Violation error, and the program will not continue executing the shellcode.

Why am I getting this error? Is this some sort of protection against buffer overflows in Windows?

How would you get the program to execute the shellcode in the buffer?

Edit:

Hans (answer) is correct. This is discussed within the Security chapter of Windows Internals, 5th edition, and the cause of the error is Microsoft's implementation of Executable Space Protection.

If this question helped anyone, any up-votes would be appreciated.

#include <stdio.h>
#include <string.h>

/* Contrived overflow from the question: assumes a 32-bit MSVC build in which
   the saved return address lies 24 (buffer) + 4 (saved EBP) bytes past buffer. */
void execute_my_shellcode()
{
    char buffer[24];
    /* push 0x21; call [0x00406240]; add esp,4; push 0x0A; call [0x00406240]; add esp,4; ret
       (the indirect calls go through a pointer at a fixed address in the poster's build) */
    memcpy(buffer, "\x6A\x21\xFF\x15\x40\x62\x40\x00\x83\xC4\x04\x6A\x0A\xFF\x15\x40\x62\x40\x00\x83\xC4\x04\xC3", 24);
    printf("current return address: %p\n", *(int*)((char*)&buffer + 24 + 4));
    *(int*)((char*)&buffer + 24 + 4) = (int)&buffer;   /* redirect the return into the stack buffer */
    printf("return address is now : %p\n\n", (int*)*(int*)((char*)&buffer + 24 + 4) );
}

Answer

This might have worked 10 years ago. These obvious security holes have been patched; the no-execute bit that processors support nowadays is one of the counter-measures.
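As an added example (not part of the question or of Hans's answer), the program below reports whether the page that holds a stack-local buffer carries execute permission. That permission is exactly what the no-execute bit and Windows DEP withhold from stack and heap pages, and its absence is why the return into `buffer` above raises an access violation instead of running. On Windows the check uses VirtualQuery and the PAGE_EXECUTE* protection constants; on Linux it parses /proc/self/maps. The function names and the sample maps lines are constructed for this example.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Parse one /proc/self/maps line such as
 *   "7ffd3c8b2000-7ffd3c8d3000 rw-p 00000000 00:00 0 [stack]"
 * Returns 1 if the permission field has the execute bit, 0 if not,
 * -1 if the line does not look like a maps entry. Range is written to lo/hi. */
int maps_line_exec_bit(const char *line, unsigned long long *lo, unsigned long long *hi)
{
    unsigned long long start, end;
    char perms[5];
    if (sscanf(line, "%llx-%llx %4s", &start, &end, perms) != 3 || strlen(perms) < 3)
        return -1;
    if (lo) *lo = start;
    if (hi) *hi = end;
    return perms[2] == 'x' ? 1 : 0;   /* field layout is r w x p/s */
}

/* 1 = the page containing addr is executable, 0 = it is not,
 * -1 = could not determine (query failed or /proc not available). */
int page_is_executable(const void *addr)
{
#ifdef _WIN32
    MEMORY_BASIC_INFORMATION mbi;
    DWORD p;
    if (VirtualQuery(addr, &mbi, sizeof mbi) == 0)
        return -1;
    p = mbi.Protect & 0xFF;   /* strip PAGE_GUARD / PAGE_NOCACHE modifier bits */
    return (p == PAGE_EXECUTE || p == PAGE_EXECUTE_READ ||
            p == PAGE_EXECUTE_READWRITE || p == PAGE_EXECUTE_WRITECOPY) ? 1 : 0;
#else
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    unsigned long long lo, hi, a = (unsigned long long)(uintptr_t)addr;
    int result = -1;
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        int x = maps_line_exec_bit(line, &lo, &hi);
        if (x >= 0 && a >= lo && a < hi) {
            result = x;
            break;
        }
    }
    fclose(f);
    return result;
#endif
}

/* Check the page holding a stack buffer of the same size as the one in the question. */
int stack_is_executable(void)
{
    char buffer[24];
    buffer[0] = 0;
    return page_is_executable(buffer);
}

int main(void)
{
    printf("stack buffer page executable: %d\n", stack_is_executable());
    printf("code page (main) executable : %d\n",
           page_is_executable((const void *)(uintptr_t)&main));
    return 0;
}
```

With DEP in force (a binary linked with /NXCOMPAT on a Windows 7 machine whose DEP policy applies it, or any modern Linux toolchain with its default non-executable stack) the stack buffer reports 0 and the page containing main reports 1. A 1 for the stack buffer is the configuration the question was unknowingly hoping for, and in production it is a finding: the image or the system policy has opted out of executable-space protection.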
