下面的关于计算机内存组织形式的解释,可以很好的解释exploit的原理。
2.1 Memory organization
The basic exploitation techniques can be methodically categorized, like any other technical issue. Before going further, however, the reader must be aware of the basic process of memory organization [ref 2]. A process running in memory has the following sub-structures:
Data and BSS are writable segments containing the static, global, initialized and un-initialized data segments and variables.
Stack is a data structure based on Last-In-First-Out ordering. Items are pushed and popped from the top of the stack. A Stack Pointer (SP) is a register which points to the top of the stack (in most cases). When data is pushed on the stack, SP points to (the top of the stack). Stack grows towards negative memory addresses. It is used for storing the context of a process. A process pushes all its local and dynamic data on to the stack. Instruction Pointer (IP) is a register used to point to the address of the next instruction to be executed. The processor looks at IP each time to find the next instruction to be executed. When an abrupt program redirection takes place (generally due to jmp or call) the address of the next instruction, after returning back from redirection, can be lost. In order to overcome this problem the program stores the address of the next instruction to be executed (after returning from jmp or call) on the stack, and it is called the return address (implemented through assembly instruction RET). This is how a normal program containing many function calls and goto instructions keeps track of right path of execution.
Heap is basically the rest of the memory space assigned to the process. It stores data which have a lifetime in between the global variables and local variables. The allocator and deallocator work to assign space to dynamic data and free heap memory respectively [ref 3].
Code is the read-only segment that contains the compiled executable code of the program.
This was a brief fly-over on the basics of process organization. Now I describe some techniques recurrently used to abuse the harmony of process organization.
2.2 Buffer overflows
The word gives goose bumps to any person who has dealt with them, be it a coder, an application tester or the security administrator. Some say it's the biggest security risk of the decade [ref 4]. The technique of exploitation is straightforward and lethal. The stack of the program stores the data in order whereby the parameters passed to the function are stored first, then the return address, then the previous stack pointer and subsequently the local variables. If variables (like arrays) are passed without boundary checks, they can be overflowed by shoving in large amounts of data, which corrupts the stack, leading to the overwrite of the return address and consequently a segmentation fault. If the trick is craftily done we can modify the buffers to point to any location, leading to capricious code execution [ref 5].
2.3 Heap overflows
The allocated memory in a heap is organized as a doubly linked list. By performing an overflow we can modify the pointers of the linked list to point into memory. Heap overflows are hard to exploit and are more common in Windows as they contain more prominent data which can be exploited. In the case of a malloc memory allocation system, the information regarding the free and allocated memory is stored within the heap. An overflow can be triggered by exploiting this management information such that we can write to random memory areas afterwards, which can lead to code execution [ref 6].
So how is the overflow triggered? There are many weapons in the stockpile like strings and string functions, format strings, null pointers, integer overflows, signed issues and race conditions which can be a help to generate exceptional conditions in a process [ref 7].
I stress the fact that this article was not meant to be a definitive guide to various exploitation techniques. We only provide a quick overview of what is important, in order to get a solid understanding of the things to come in subsequent parts of this article. They just act as pointers for further reference.
5. Here It Comes!
Enter the Metasploit Framework (MSF)! According to the MSF User Crash Course [ref 10] guide,:
-
"The Metasploit Framework is a complete environment for writing,
testing, and using exploit code. This environment provides a solid
platform for penetration testing, shellcode development, and
vulnerability research."
In my words, the Metasploit Framework is a singular solution to all the above discussed problems. The framework has matured itself to quite an extent in the 2.0 release version. It's more stable, has very attractive features and a very instinctive user interface for exploit development.
The major features which give an edge to MSF over other options are:
- It is primarily written in Perl (with some parts in assembly, Python and C), which means clean efficient code and rapid plug-in development.
- Pre-packaged support for extensible tools, libraries and features like debugging, encoding, logging, timeouts and random nops and SSL.
- An intelligible, intuitive, modular and extensible exploit API and environment.
- Highly optimized muti-platform, mutli-featured payloads which are dynamically loadable.
- Enhanced handler and callback support, which really shortens the exploit code.
- Support for various networking options and protocols which can be used to develop protocol dependent code.
- Supplementary exploits are included, which help us to test out exploitation techniques and sample exploits developed.
- It is Open Source Software and has a dedicated developer community for support.
- Support for advanced features and third party tools like InlineEgg, Impurity, UploadExec and chainable proxies.
It's clear that MSF is definitely a tool the penetration-tester must get acquaintained with. It gives the art of exploitation a whole new paradigm.
http://www.symantec.com/connect/articles/metasploit-framework-part-1