Published: 2011-06-26 04:07:08  Author: 知识屋
Alexander Sotirov and Mark Dowd's BlackHat paper is, as expected, very rich in content. I won't add a link; a Google search should turn it up.
There is not much that is new in the paper; it is essentially a summary of techniques for bypassing GS, SafeSEH, heap protections, DEP and ASLR. But it is very systematic, and many of the details are explained clearly.
Take GS protection, for example: it turns out to be tied very closely to the compiler, and VS2005 strengthened it to patch some places the compiler had missed:
Since the C language has no native string type, the compiler defines a string buffer as an array
of 1 or 2 byte elements with a total size of at least 5 bytes. The GS protection is applied to all
functions with arrays that match this description.
......
Visual Studio 2005 SP1 introduced a new compiler directive that enables more aggressive GS
heuristics. If #pragma strict_gs_check is turned on, the compiler adds a GS cookie to all
functions that use arrays, dereference data through pointer arithmetic or pass the address of any
local variable to another function. This results in a much more complete protection at the
expense of runtime performance.
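What the cookie actually buys you, as an added example in C (a constructed model of the frame and of the epilogue check the compiler emits, not the paper's or the compiler's own code): a `char buf[8]` is exactly the kind of array the default heuristic protects, and the cookie placed between it and the saved return address turns a contiguous overwrite into a detected failure instead of a hijacked return. The cookie value, the return address and the frame layout are all placeholders.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a /GS-protected stack frame:
 *   [ buf: 8 bytes ][ security cookie: 4 bytes ][ saved return address: 4 bytes ]
 * The real cookie is a per-process random value (XORed with the frame pointer);
 * here it is a fixed placeholder so the simulation is deterministic. */
#define BUF_SIZE   8
#define COOKIE_OFF BUF_SIZE
#define RET_OFF    (BUF_SIZE + 4)
#define FRAME_SIZE (RET_OFF + 4)

static const uint32_t SECURITY_COOKIE = 0xBB40E64Eu; /* placeholder, not a real cookie */
static const uint32_t SAVED_RETURN    = 0x00401000u; /* placeholder return address */

/* Write `len` bytes of 'A' into buf with no bounds check (the pattern /GS exists to
 * contain), then perform the check the compiler emits just before `ret`.
 * Returns 1 if the check fails (process is terminated, the return never executes),
 * 0 if the frame is intact. *ret_after receives the saved return address as it
 * stands at the moment of the check. */
static int run_frame(size_t len, uint32_t *ret_after)
{
    unsigned char frame[FRAME_SIZE];
    uint32_t seen_cookie;

    memset(frame, 0, sizeof frame);
    memcpy(frame + COOKIE_OFF, &SECURITY_COOKIE, sizeof SECURITY_COOKIE);
    memcpy(frame + RET_OFF, &SAVED_RETURN, sizeof SAVED_RETURN);

    if (len > FRAME_SIZE)
        len = FRAME_SIZE;            /* keep the model inside its own array */
    memset(frame, 'A', len);         /* the unchecked write into buf */

    memcpy(&seen_cookie, frame + COOKIE_OFF, sizeof seen_cookie);
    memcpy(ret_after, frame + RET_OFF, sizeof *ret_after);
    return seen_cookie != SECURITY_COOKIE;
}

/* 1 when the epilogue check catches the write, 0 when it passes. */
int overflow_detected(size_t len)
{
    uint32_t unused;
    return run_frame(len, &unused);
}

/* The saved return address after the write (what `ret` would use if the check passed). */
uint32_t return_address_after(size_t len)
{
    uint32_t ret;
    (void)run_frame(len, &ret);
    return ret;
}

int main(void)
{
    size_t lens[] = { 4, 8, 9, 12, 16 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("write %2zu bytes: cookie check %s, saved return = 0x%08x\n",
               lens[i], overflow_detected(lens[i]) ? "FAILS" : "passes",
               return_address_after(lens[i]));
    }
    return 0;
}
```

A write of 8 bytes fills the buffer and passes; 9 bytes already clobbers the first cookie byte and fails; 16 bytes replaces the saved return address with 0x41414141, but the check runs first, so that value is never used. The check only sees what reaches the cookie, which is why the paper treats the heuristic deciding which functions get a cookie as part of the protection's strength.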
And SafeSEH has one detail:
By default, in processes with DEP enabled there are only two types of exception handlers that
are considered valid by the exception dispatcher:
1. handler found in the SafeSEH table of an image without the NO_SEH flag
2. handler on an executable page in an image without the NO_SEH flag, without a SafeSEH
table and without the .NET ILonly flag
In processes with DEP disabled there are three valid cases:
1. handler found in the SafeSEH table of an image without the NO_SEH flag
2. handler in an image without the NO_SEH flag, without a SafeSEH table and without the
.NET ILonly flag
3. handler on a non-image page, but not on the stack of the current thread
These two cases reminded me of the RPWT I ran into a while ago while debugging the dir overflow: on my XP SP2 it refused to jump no matter what. Going by what is said here, it must have been because I had DEP enabled at the time.
So SafeSEH's handler dispatch depends on DEP as well; void's tips analysing SafeSEH did not mention this.
Bypassing DEP still relies on skape's article in Uninformed; I wrote an article earlier to verify it.
[Tips]Bypass Hardware DEP Tips
And for ASLR, it turns out there is a registry key that controls the switch:
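The two rule sets quoted above, written out as one decision function in C (an added example and my own constructed model of the dispatcher's checks, not Windows code): the struct fields are the facts the dispatcher establishes about a candidate handler address, and the function returns whether it is accepted, with DEP state as the only other input. It makes the point the post draws from the rules visible: a handler on a non-image page (the heap, for instance) is accepted only when DEP is disabled.

```c
#include <stdbool.h>
#include <stdio.h>

/* Properties of a candidate SEH handler address, as the exception dispatcher
 * would establish them (constructed model of the quoted rules). */
struct handler_info {
    bool in_image;           /* address lies inside a loaded PE image */
    bool image_no_seh;       /* that image has the NO_SEH flag */
    bool image_has_safeseh;  /* that image ships a SafeSEH handler table */
    bool in_safeseh_table;   /* address is listed in that table */
    bool image_ilonly;       /* image is marked .NET ILonly */
    bool on_exec_page;       /* address is on an executable page */
    bool on_current_stack;   /* address is on the current thread's stack */
};

/* true when the dispatcher accepts the handler under the quoted rules. */
bool handler_is_valid(bool dep_enabled, const struct handler_info *h)
{
    if (h->in_image) {
        /* Both rule sets require the image to lack the NO_SEH flag. */
        if (h->image_no_seh)
            return false;
        /* Case 1: the image has a SafeSEH table, so the handler must be in it. */
        if (h->image_has_safeseh)
            return h->in_safeseh_table;
        /* Case 2: no table and not ILonly; with DEP the page must also be executable. */
        if (h->image_ilonly)
            return false;
        return dep_enabled ? h->on_exec_page : true;
    }
    /* Case 3 exists only with DEP disabled: any non-image page except the
     * current thread's stack. With DEP enabled no non-image handler is accepted. */
    return !dep_enabled && !h->on_current_stack;
}

int main(void)
{
    /* Constructed scenarios, evaluated under both DEP states. */
    const struct { const char *name; struct handler_info h; } cases[] = {
        { "registered in SafeSEH table",
          { .in_image = true, .image_has_safeseh = true, .in_safeseh_table = true } },
        { "in SafeSEH image, not in table",
          { .in_image = true, .image_has_safeseh = true, .in_safeseh_table = false } },
        { "no-table image, non-executable page",
          { .in_image = true, .on_exec_page = false } },
        { "no-table image, executable page",
          { .in_image = true, .on_exec_page = true } },
        { "non-image page (heap)",
          { .in_image = false, .on_current_stack = false } },
        { "current thread's stack",
          { .in_image = false, .on_current_stack = true } },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-40s DEP on: %-7s DEP off: %s\n", cases[i].name,
               handler_is_valid(true, &cases[i].h) ? "valid" : "invalid",
               handler_is_valid(false, &cases[i].h) ? "valid" : "invalid");
    }
    return 0;
}
```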
This behaviour is controlled using the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\MoveImages,
which by default does not exist. The following behaviour is defined
for this key:
1 If the value is set to 0, never randomize image bases in memory, always honour the base
address
2 If set to -1, randomize any image regardless of whether they have elected to take part in
ASLR or not (providing they are relocatable).
3 If set to any other value, randomize only images that have elected to take part in
randomization. This is the default behaviour.
So this switch is roughly the counterpart of the /proc/sys/kernel/randomize_va_space parameter on Red Hat: it controls ASLR.
The second part covers flaws in the protection mechanisms. These are advanced techniques that can all be put to use when writing exploits.
For example, when bypassing GS, choose partial overwrites. I once used this technique when writing an exploit for a mail product, and the resulting exploit was extremely generic, independent of both platform and language.
And infoleak bugs are the most satisfying way to bypass ASLR. When I wrote the IMail exploit earlier, I used this technique: I read out the base of the current stack and then wrote a precisely targeted exploit. Another example is a bug from the Month of PHP Bugs that read the contents of PHP memory; as a result, later
[Paper]Advanced Heap Spray Technique -- Heap Spray in Java