
Not understanding heap overflow article

Hi, I'm trying to understand how heap overflows work and I've been reading this article, which seems very foggy to me. Below is the page of the article that I am stuck on.

http://www.h-online.com/security/features/A-Heap-of-Risk-747224.html

My understanding ceases after the second half of page 4 in the link. They implement their own heap manager on page 2, which may also be useful. The figure below represents the heap data structure after the string copy to the image data (hopefully this is right).

  Root = Hdr                        Free Memory
 _________________                 ________________
|*Next = 0xF      |----------->0xF|*Next = "AAAA"  |
-------------------               ------------------
|*Previous = NULL |               |*Previous="AAAA"|
-------------------               ------------------
|Size = 0         |               |Size = "AAAA"   |
-------------------               ------------------
|Used = 0         |               |Used = "AAAA"   |
-------------------               ------------------
                                  |Free Mem Data   |

(Let Root start at 0x0. Also, each field is 32 bits and thus 4 bytes wide. "AAAA" stands for the string "AAAA", where each 'A' is a character and therefore one byte of memory.)

From the tutorial they say that when memory is supposedly freed, the function Free_Heap() will want to read from the address "AAAA" = 0x4141414d. Their explanation is that the "used" field is at an offset of 12 bytes from the beginning of the header section and thus 0x41414141 + 0xc = 0x4141414d. To me that explanation makes no sense for the following reasons.

A) Why would Free_Heap() even try to read from the address in the "used" field when that value only tells Free_Heap() whether or not the data on the heap structure is being used? Unless the "used" field is a pointer to the actual data being written (which is not mentioned in the tutorial), this would not make any sense to me.

B) Assuming that the used field in the heap struct really is a pointer to the data that may be written to, why would the offset have anything to do with where the heap should be read from? Maybe if the data section was located right after the "used" pointer field (like in a stack), then that would mean that data should be placed at an offset of 0xf and not 0xc, so that the data does not overwrite the "used" field.

Thanks for any helpful input to clear this up.

That part of the article seems either wrong or just really badly written. Although it will read hdr->next->used to check whether the follow-on memory object is in use, as you say, its used and size fields will be 0x41414141, so we won't try to merge with it. Still, the setup is fine: you will shortly afterwards dereference one of those pointers. When freeing the 'line' memory object (the one whose header we stomped), it will attempt to check if its next and prev memory blocks are in use. Dereferencing either of those pointer fields will crash or be actively exploited.
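The following is an added example written for this page; it is not the article's page-2 allocator nor code from either poster. It reconstructs a minimal linked-list heap with exactly the header layout drawn in the question's figure (next, prev, size, used; each 4 bytes, so `used` sits at offset 0xc), using simulated 32-bit addresses inside a small arena so the arithmetic matches the figure. The block names (A and B), the arena base 0x1000 and the 32-byte payload are assumptions. It shows three things the thread argues about: `used` is a flag, not a pointer, and it only gets overwritten; the address 0x4141414d that the unchecked free would read is `next + offsetof(hdr, used)` after `next` has been stomped with "AAAA"; and a hardened free that validates the neighbour pointers before reading through them refuses instead of faulting.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Header layout from the question's figure (assumed, not the article's exact code).
 * Addresses are 32-bit values in a simulated memory; 0 means "no neighbour". */
typedef struct {
    uint32_t next;   /* simulated address of the next header */
    uint32_t prev;   /* simulated address of the previous header */
    uint32_t size;   /* bytes of data following this header */
    uint32_t used;   /* 1 = allocated, 0 = free: a flag, NOT a pointer */
} hdr_t;

#define HDR_SIZE ((uint32_t)sizeof(hdr_t))          /* 16 */
#define USED_OFF ((uint32_t)offsetof(hdr_t, used))  /* 12 = 0xc */
#define MEM_BASE 0x1000u                            /* assumed arena base */
#define MEM_SIZE 0x100u

static unsigned char mem[MEM_SIZE];
static uint32_t last_fault;                 /* address an unchecked read touched */
static uint32_t root_addr, a_addr, b_addr;  /* assumed block names */

static int in_arena(uint32_t addr, uint32_t len) {
    return addr >= MEM_BASE && addr + len >= addr && addr + len <= MEM_BASE + MEM_SIZE;
}
static void put_hdr(uint32_t addr, hdr_t h) { memcpy(mem + (addr - MEM_BASE), &h, sizeof h); }
static hdr_t get_hdr(uint32_t addr) { hdr_t h; memcpy(&h, mem + (addr - MEM_BASE), sizeof h); return h; }

/* Read a 32-bit field; an address outside the arena is where a real
 * process would SIGSEGV, so record it and report failure instead. */
static int read32(uint32_t addr, uint32_t *out) {
    if (!in_arena(addr, 4)) { last_fault = addr; return -1; }
    memcpy(out, mem + (addr - MEM_BASE), 4);
    return 0;
}

/* root | A (used, 16 data bytes) | B (used, 32 data bytes) */
static void build_heap(void) {
    memset(mem, 0, sizeof mem);
    last_fault = 0;
    root_addr = MEM_BASE;
    a_addr = root_addr + HDR_SIZE;
    b_addr = a_addr + HDR_SIZE + 16;
    put_hdr(root_addr, (hdr_t){ a_addr, 0, 0, 0 });
    put_hdr(a_addr,    (hdr_t){ b_addr, root_addr, 16, 1 });
    put_hdr(b_addr,    (hdr_t){ 0, a_addr, 32, 1 });
}

/* The bug: an unbounded copy into A's 16-byte data region. 32 'A's (a
 * constructed payload) run straight over all four fields of B's header. */
static void overflow_into_b(void) {
    const char *payload = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    unsigned char *a_data = mem + (a_addr + HDR_SIZE - MEM_BASE);
    memcpy(a_data, payload, strlen(payload) + 1);   /* same effect as strcpy() */
}

/* Free as the article describes it: before coalescing, read the 'used'
 * flag of both neighbours through hdr->next and hdr->prev. With a stomped
 * header this reads 0x41414141 + 0xc. Returns -1 on the simulated crash. */
static int free_unchecked(uint32_t addr) {
    hdr_t h = get_hdr(addr);
    uint32_t nused, pused;
    if (h.next && read32(h.next + USED_OFF, &nused) < 0) return -1;
    if (h.prev && read32(h.prev + USED_OFF, &pused) < 0) return -1;
    h.used = 0;
    put_hdr(addr, h);
    return 0;
}

/* Hardened free: a neighbour pointer must land on a header inside the
 * arena and that header must link back to us before it is dereferenced. */
static int hdr_ptr_ok(uint32_t p) { return in_arena(p, HDR_SIZE) && (p - MEM_BASE) % 4 == 0; }

static int free_checked(uint32_t addr) {
    hdr_t h = get_hdr(addr);
    if (h.next && (!hdr_ptr_ok(h.next) || get_hdr(h.next).prev != addr)) return -1;
    if (h.prev && (!hdr_ptr_ok(h.prev) || get_hdr(h.prev).next != addr)) return -1;
    h.used = 0;
    put_hdr(addr, h);
    return 0;
}

int main(void) {
    build_heap();
    overflow_into_b();
    hdr_t b = get_hdr(b_addr);
    printf("B.next=0x%08x B.used=0x%08x\n", b.next, b.used);
    if (free_unchecked(b_addr) < 0)
        printf("unchecked free would read 0x%08x (next + 0x%x)\n", last_fault, USED_OFF);
    printf("checked free result: %d\n", free_checked(b_addr));
    return 0;
}
```

Running it prints that B's header is all 0x41414141 after the copy, that the unchecked free reads 0x4141414d (the stomped `next` plus the 12-byte offset of `used`, the figure the article quotes), and that the checked free rejects the block without touching that address. The back-link check is the same idea as the "safe unlinking" that production allocators added against exactly this class of header corruption.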
