How does a heap-spraying attack work?
I've read two articles about heap-spraying: Wikipedia and this blog post.
I understand how the shellcode is introduced into the program's memory. But how is the program made to jump/call to the memory address located on the heap?
What kind of crash makes a call to the heap?
Does such an attack need to be conducted with a kind of buffer overflow attack?
Is there any golden rule like the one with buffer overflows, i.e. use the n version of functions (strncpy instead of strcpy)?
If I understand correctly, they're talking about a situation like this:
And when you read into buffer there's no overflow protection, and you can write directly into the memory location for p. Later on, when your code tries to call p, it will jump to where the attacker wants it to jump, presumably where they injected executable code into your app.
Simple fix: don't use static buffers (prefer the std:: collection classes) and always check for overflows.
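As an added example (not part of the original question or answer), here is the layout the answer describes: a fixed-size buffer directly followed by a function pointer, overrun by an unchecked copy, alongside the bounded version that refuses oversized input. The struct and function names are assumptions made for this illustration. The payload fills the pointer with 0x0c bytes because 0x0c0c0c0c is the address classically aimed at by browser heap sprays: the spray fills the heap with NOP sled plus shellcode so that a pointer clobbered with those bytes lands inside the sled when it is called. The demo only inspects the overwritten pointer; it never calls it.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BUF_SZ 16

/* The layout the answer alludes to: a fixed-size buffer with a function
 * pointer right behind it. A struct makes the adjacency explicit and
 * portable instead of relying on how the compiler places globals. */
struct frame {
    char   buffer[BUF_SZ];
    void (*p)(void);
};

static void benign(void) { puts("benign target"); }

/* Constructed attacker input: BUF_SZ filler bytes to reach the end of
 * buffer, then pointer-sized 0x0c bytes that land on p, then a NUL.
 * 0x0c contains no NUL, so a string copy carries the whole thing.
 * Returns the pointer value the payload plants (0 if out is too small). */
uintptr_t build_payload(char *out, size_t cap) {
    uintptr_t spray;
    memset(&spray, 0x0c, sizeof spray);        /* 0x0c0c...0c: classic spray address */
    size_t need = BUF_SZ + sizeof spray + 1;
    if (cap < need) return 0;
    memset(out, 'A', BUF_SZ);
    memcpy(out + BUF_SZ, &spray, sizeof spray);
    out[need - 1] = '\0';
    return spray;
}

/* Vulnerable: copies up to and including the NUL, which is exactly what
 * strcpy(f->buffer, input) does, with no regard for where buffer ends.
 * The copy goes through a byte pointer to the whole struct and is capped
 * at the struct's size so this demo stays inside the object; a real
 * strcpy has no such cap and keeps writing past p. */
void read_unchecked(struct frame *f, const char *input) {
    unsigned char *dst = (unsigned char *)f + offsetof(struct frame, buffer);
    size_t room = sizeof *f - offsetof(struct frame, buffer);
    size_t n = strlen(input) + 1;
    memcpy(dst, input, n < room ? n : room);   /* overruns buffer into p */
}

/* Hardened: the length is checked against the destination before any
 * byte moves, so p is unreachable. Refusing oversized input is preferable
 * to silent truncation (strncpy), which can also leave buffer unterminated. */
int read_checked(struct frame *f, const char *input) {
    size_t len = strlen(input);
    if (len >= sizeof f->buffer) return -1;    /* would not fit with NUL: refuse */
    memcpy(f->buffer, input, len + 1);
    return 0;
}

/* Does p now hold the planted value? Compared as bytes, which is
 * well-defined whatever the pointer width. */
int pointer_clobbered(const struct frame *f, uintptr_t planted) {
    return memcmp(&f->p, &planted, sizeof f->p) == 0;
}

int main(void) {
    char payload[64];
    uintptr_t planted = build_payload(payload, sizeof payload);

    struct frame victim = { "", benign };
    read_unchecked(&victim, payload);
    printf("unchecked copy: p %s\n",
           pointer_clobbered(&victim, planted) ? "now holds 0x0c0c... (attacker controlled)"
                                               : "unchanged");
    /* victim.p() here would jump to 0x0c0c0c0c..., i.e. into the sprayed heap. */

    struct frame safe = { "", benign };
    printf("checked copy: input %s, p %s\n",
           read_checked(&safe, payload) == 0 ? "accepted" : "rejected",
           safe.p == benign ? "unchanged" : "changed");
    return 0;
}
```

The overflow itself is what redirects control; the spray only makes the guessed address reliable. That is also the answer to the golden-rule question: bounding the copy (or rejecting the input, as read_checked does) means p is never written, and the shellcode sitting on the heap is never reached.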