如何利用缓冲区溢出来攻击计算机?

发布于 2024-07-12 07:29:21 字数 370 浏览 14 评论 0原文

如何利用缓冲区溢出来利用计算机?

如何仅通过导致 堆栈溢出?

我知道程序内存的一部分被覆盖了不应该的,但我不明白这如何导致人们执行自己的代码。 另外,第 3 方的恶意代码是否必须用目标处理器的汇编语言编写?

How are buffer overflows used to exploit computers?

How is one able to execute arbitrary code simply by causing stack or heap overflows?

I understand that portions of the programs memory are overwritten that aren't supposed to be, but I don't see how this leads to one executing their own code. Also, must the 3rd party's malicious code be written in the target processors assembly language?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(5

迷途知返 2024-07-19 07:29:21

这是关于该主题最广为人知的文档:Smashing the Stack for Fun and Profit

但是,'堆栈溢出与缓冲区溢出无关。 堆栈溢出通常只是错误代码中的一种错误情况,不能被用于崩溃 (DoS) 之外的任何情况。

编辑:您还询问了堆溢出问题。 这是关于该主题的一个很好的文档:http://www.w00w00.org/files/文章/heaptut.txt

This is the most widely known document on the subject: Smashing the Stack for Fun and Profit

However, 'stack overflows' have nothing to do with buffer overflows. Stack overflows are generally just an error case in bad code that can't be exploited for anything outside of a crash (DoS).

Edit: You also asked about heap overflows. This is a good document on the subject: http://www.w00w00.org/files/articles/heaptut.txt

是伱的 2024-07-19 07:29:21

当您跳转到子程序时,堆栈包含数据和返回地址。 如果您设法在返回地址所在的堆栈上放置一个特定地址,则可以强制 CPU 跳转到特定的内存位置,即您放置自己的代码的位置。 那是为了缓冲区溢出。 堆溢出有点不同,而且更难利用。

堆栈溢出只是表明您已经用完了堆栈空间(通常更有限,尤其是在内核中)。

The stack contains both data and return address when you jump into a subroutine. If you manage to put a specific address on the stack where the return address is, you can force the CPU to jump to a particular memory location, the one where y ou put your own code. That's for buffer overflows. Heap overflows is a bit different and more difficult to exploit.

Stack overflows are just indication that you've run out of stack space (which is generally more limited, especially in the kernel).

黄昏下泛黄的笔记 2024-07-19 07:29:21

想象一下街上有两栋房子。 一栋是你朋友的房子,一栋是他的邪恶偏执邻居的房子,隔三扇门。 邪恶的偏执邻居从未进出,他的住所也被锁得很紧。

现在,你的朋友是一个非常值得信任的好朋友,他会让你把任何东西存放在他的地方,从一堵墙开始,一个接一个地放下盒子。 事实上,他是一个很好的朋友,他会一个接一个地放下盒子,不检查是否撞到墙上,直到它们继续在半空中飞行,最后穿过街上的另外两栋房子,进入邪恶的偏执邻居的房子。 但你的朋友相信你不会这样做,因为他喜欢你(而且他有点天真)。

所以你有机会利用你值得信赖的好朋友,把一些东西放进邪恶的偏执邻居的房子里。


替换以下术语,您将看到与缓冲区溢出攻击的类比:

  • “您朋友的房子” --> “程序的一部分不检查缓冲区溢出”
  • “他邪恶的偏执邻居的房子”--> “程序的另一部分应该是安全的”
  • “盒子”--> “不检查缓冲区溢出的程序的参数/参数”

只有当有人弄清楚内存的安全区域在哪里以及必须将什么作为参数传递给相关程序时,这才是成功的,这将是最终到达安全区域,以达到预期的效果。 (无论是数据,还是导致漏洞利用者的代码被执行的代码)

Imagine two houses on the street. One is your friend's house and one is his evil paranoid neighbor's house three doors down. The evil paranoid neighbor never enters or leaves, and his place is locked up tight.

Now, your friend is such a good trusting friend, he'll let you store anything in his place, putting down boxes one after the other, starting at one wall. In fact, he's such a good friend that he'll keep putting down boxes one after the other, without checking to see if he's hit the wall, until they keep going in midair and finally pass right through two other houses on the street and into the evil paranoid neighbor's house. But your friend trusts you won't do that because he likes you (and he's a little naive).

So you have the opportunity to put something into the evil paranoid neighbor's house by exploiting your good trusting friend.


Replace the following terms and you'll see the analogy to a buffer overflow attack:

  • "your friend's house" --> "a portion of a program that doesn't check for buffer overflow"
  • "his evil paranoid neighbor's house" --> "another portion of a program that is supposed to be secure"
  • "boxes" --> "arguments/parameters to the program that doesn't check for buffer overflow"

This is successful only if someone figures out where the secure area of memory is, and what would have to be passed as an argument to the program in question, that would end up in the secure area, to have the desired effect. (whether it's data, or code that causes the exploiter's code to be executed)

柳若烟 2024-07-19 07:29:21

实际上,所有现代处理器在调用子例程时,都会将返回地址推送到与本地数据(堆栈)相同的区域。 对于不检查变量上限的例程(特别是 strcpy 函数),可能会发生指令地址重定向(缓冲区溢出)。

void make(char *me)
{
    char sandwich[4]; // local data, this is in stack.  the buffer for data is too small
    strcpy(sandwich, me);
    puts(sandwich);

    // implicit "return;" the return instruction(RET on Intel) instructs the processor to implicitly pop an address from stack then resume execution on that address
}

void main()
{
    // calling a subroutine (CALL on Intel) implicitly instructs the processor to push the next instruction's address(getchar line) on stack before jumping to make.
    make("Love Not War"); 
    getchar();

    puts("This will not execute.  The address to next instruction(getchar) gets overwritten with Not War");

}

“另外,第3方的恶意代码必须用目标处理器的汇编语言编写吗?”

正常运行的程序可能会发生堆栈溢出,例如具有被忽略的终止条件的递归例程(调用自身的函数)。 堆栈区域将填充堆栈上的许多局部变量以及返回地址。

Virtually all modern processors when calling a subroutine, pushes the return address on the same area as the local data(stack). For routines that doesn't check the upper limit of a variable(on particular the strcpy function), instruction address redirection(buffer overflow) can occur.

void make(char *me)
{
    char sandwich[4]; // local data, this is in stack.  the buffer for data is too small
    strcpy(sandwich, me);
    puts(sandwich);

    // implicit "return;" the return instruction(RET on Intel) instructs the processor to implicitly pop an address from stack then resume execution on that address
}

void main()
{
    // calling a subroutine (CALL on Intel) implicitly instructs the processor to push the next instruction's address(getchar line) on stack before jumping to make.
    make("Love Not War"); 
    getchar();

    puts("This will not execute.  The address to next instruction(getchar) gets overwritten with Not War");

}

"Also, must the 3rd party's malicious code be written in the target processors assembly language?" Yes

Stack overflow can occur from normally running program, example is recursive routines(function that calls itself) with overlooked terminating condition. The stack area will get filled with numerous local variables on stack plus the returning addresses.

℉服软 2024-07-19 07:29:21

正常的方法是,您的内存中存在恶意代码。 然后创建缓冲区溢出:这里的神奇之处不是让它只是溢出,而是正如您已经提到的,程序内存的某些部分被覆盖。 由于堆栈不仅包含变量,还包含调用函数时的返回地址,因此有人会尝试用恶意代码的地址覆盖该地址。 当缓冲区溢出的函数返回到其调用者时,该函数不会返回到其原始调用者,而是返回到恶意子例程。 由于现在执行的代码通常具有调用代码的特权,因此尝试在比邪恶代码具有更高权限的代码中查找/创建此溢出(否则您可以通过直接调用邪恶例程来做到这一点)。

The normal approach is that you have somewhere in memory the malicious code. Then you create a buffer overflow: the magic here is not to make it just overflow, but as you already mentioned, that certain parts of the program memory get overwritten. As the the stack contains not only the variables, but also when a function is called the return address, one tries to overwrite this one with the address of you malicious code. When the function with the buffer overflow returns to its caller, the function does not return to its original caller but instead to the malicious subroutine. As the now executed code has usally the privileges of the calling code, one tries to find/create this overflows in code which has higher permission than the evil code (else you could do it by directly calling the evil routine).

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文