{"id":403,"date":"2010-03-10T20:46:00","date_gmt":"2010-03-10T12:46:00","guid":{"rendered":"http:\/\/note.systw.net\/note\/?p=403"},"modified":"2024-02-17T20:33:04","modified_gmt":"2024-02-17T12:33:04","slug":"buffer-overflow","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/403","title":{"rendered":"buffer overflow"},"content":{"rendered":"\n<p><strong>buffer overflow concepts<\/strong><br>The goal of causing a buffer overflow is to change the program&#8217;s control flow so that, once the buffer has overflowed, the attacker&#8217;s code is executed; the core technique is locating the overflow point.<br>A successful attack gives control of the EIP register.<br>ps: this is an old security problem that exploits the weakness of raw pointers in the C family of languages; newer languages have gradually designed it out.<\/p>\n\n\n\n
<p><strong>causes of buffer overflows<\/strong><br>bad quality assurance on the software produced<br>including declaring a variable with too small a range, not checking user input, &#8230; etc.<\/p>\n\n\n\n
<p><strong>functions that are easily problematic<\/strong><br>strcpy(), strcat(), streadd(), sprintf(), vsprintf(), bcopy(), gets(), scanf()<\/p>\n\n\n\n
<p><strong>reasons for buffer overflow attacks; buffer overflow attacks depend on two things:<\/strong><br>the lack of boundary testing<br>a machine that can execute code that resides in the data\/stack segment<\/p>\n\n\n\n
<p><strong>knowledge required to program buffer overflow exploits:<\/strong><br>C functions and the stack<br>a little knowledge of assembly\/machine language<br>how system calls are made (at the machine code level)<br>exec() system calls<br>how to guess some key parameters<\/p>\n\n\n\n
<p><strong>key points of assembly language to understand:<\/strong><br>push: put one item on the top of the stack<br>pop: remove one item from the top of the stack<br>eip (extended instruction pointer): holds the memory address of the next CPU instruction; when the CPU finishes the current instruction it reads the address of the next one from the eip register and continues executing there<br>esp (extended stack pointer): holds the stack pointer of the current thread, i.e. the current top of the stack<br>ebp (extended base pointer): holds the base pointer of the current stack frame, used to address local variables and arguments<\/p>\n\n\n\n
<p>types of buffer overflows:<br><strong>stack based buffer overflow<\/strong><br>Over-long data overflows a buffer on the stack. The main problem is that if the return address is modified, the attacker can point the return address at injected code, and when the current function finishes it executes the injected code.<br><strong>heap based buffer overflow<\/strong><br>Usually combined with a stack overflow: the intruder places code in the heap, then uses a stack overflow to rewrite the return address and point it into the heap.<\/p>\n\n\n\n
<p>ps:<br>stack<br>a contiguous block of memory containing data<br>the memory area used to hold function return addresses, function local variables (including arguments) and saved register values.<br>It is where automatically allocated variables and the space used by function calls live. Addresses grow from high to low.<br>It is what we usually call local variables.<br>heap<br>an area of memory utilized by an application and allocated dynamically at runtime<br>the memory area used for dynamic allocation in a program<br>It is where space allocated by functions such as malloc lives. Addresses grow from low to high.<br>For example, whatever malloc and new return is referenced through a pointer, and the place it points to is the heap.<\/p>\n\n\n\n
<p><strong>shellcode<\/strong><br>the machine-code payload that runs once a stack-based overflow has hijacked control; it usually spawns a shell<\/p>\n\n\n\n
<p><strong>shellcode looks roughly like this<\/strong><br>char shellcode[]=&#8220;\\x31\\xc0\\x31\\xdb\\xb0\\x17\\xcd\\x80&#8221;<br>&#8220;\\x31\\xdb\\x89\\xd8\\xb0\\x2e\\xcd\\x80\\xd8\\xb0\\x2e\\xcd\\x80&#8221;<br>the content can be instructions or system calls, &#8230; etc.; usually it executes system calls (the first line above is setuid(0) on Linux\/x86: xor eax,eax; xor ebx,ebx; mov al,0x17; int 0x80)<br>ps: \\x denotes one byte written in hexadecimal<\/p>\n\n\n\n
<p>shellcode creation tool:<br>hellkit<\/p>\n\n\n\n
<p><strong>null byte:<\/strong><br>when writing shellcode you must avoid null bytes, because string functions such as strcpy() treat 0x00 as the end of the string and stop copying there; the same restriction applies to any address you overwrite the return address with<\/p>\n\n\n\n
<p><strong>NOP (no operation)<\/strong><br>tells the CPU to do nothing<br>placing a run of NOPs (a NOP sled) in front of the shellcode relaxes how precisely the return address must be guessed: landing anywhere in the sled slides execution into the shellcode<br>NOP machine code is 0x90, size is 1 byte<br>ps:<br>a buffer overflow may show up in an IDS log like this (the run of NOPs is the signature):<br>ids181\/nops-x86: 64.225.80.12:1351 -&gt; 173.17.2.105:53<\/p>\n\n\n\n
<p><strong>polymorphic shellcode<\/strong><br>transforms the shellcode to deceive the IDS<br>the usual approach is: 1. XOR-encode the shellcode, 2. prepend a loader that decodes it at run time and then executes it, so the NOP sled and shellcode bytes the IDS signatures look for are not present on the wire<br>a tool for this is ADMutate<\/p>\n\n\n\n
<p>categories of buffer overflow attack methods<br><strong>stack smashing<\/strong><br>The length of the input buffer is not checked, so the array goes out of bounds and overwrites the saved frame pointer %ebp and the function return address retaddr that sit above the local variables on the stack. When the function returns and executes the ret instruction, retaddr is popped from the stack and loaded into the %eip register as the address of the next instruction, which changes the program&#8217;s execution flow to point at our shellcode.<br><strong>heap overflow (malloc\/free heap corruption)<\/strong><br>One kind is like a traditional stack overflow: when the input exceeds the size of the space malloc() allocated, it overwrites the storage region that follows; if that region holds an important variable such as euid, it can be used for an attack. The other kind is the classic double-free heap corruption: when memory is freed, merging adjacent free chunks and re-linking them into the doubly linked list involves a 4-byte memory write (the unlink operation); if the vulnerable program free()s a chunk that no longer exists because of a programming error, we can carefully forge that chunk and thereby overwrite any value we want: a function return address, the .plt entry of a library function, etc.<br><strong>format string vulnerability<\/strong><br>If the format string is supplied by the user, the attacker can forge an arbitrary format string and use the features of the *printf() family to read the contents of the stack; over-long input can trigger a traditional buffer overflow, or &#8220;%n&#8221; can be used to overwrite pointers, return addresses and so on.<br><strong>integer variable overflow<\/strong><br>Exploits range and signedness problems of integers to trigger a vulnerability. Most integer overflows cannot be exploited directly, but if the integer decides a memory allocation size or a similar operation, the flaw can be exploited indirectly.<br><strong>other attack techniques (others)<\/strong><br>These are only techniques, not a separate category. They exploit features of the ELF file format, such as overwriting .plt (procedure linkage table), .dtors (destructor function pointers) or .got (global offset table), or return-to-libc (returning into a library function).<\/p>\n\n\n\n
<p>tools to defend against buffer overflows<br>RAD (return address defender): protects the return address from being overwritten<br>StackGuard: protects the stack from being tampered with; this is done at compile time, because the compiler analyses the program and inserts some protective code<br>Insure++<br>Comodo Memory Firewall: protects memory<br>DefencePlus: protects memory regions from being overwritten<br>BufferShield: protects memory locations, supports ASLR (address space layout randomization)<\/p>\n\n\n\n
<p>compiler protection techniques<br><strong>StackGuard<\/strong><br>Because buffer overflows usually overwrite the function return address, StackGuard, a compiler patch, generates a &#8220;canary&#8221; value (a single word) and places it in front of the return address. If the canary is found to have changed when the function returns, someone is probably attempting a buffer overflow attack; the program responds immediately by sending an intrusion warning message to syslogd and then terminating the process.<br>The terminator canary contains the four characters NULL (0x00), CR (0x0d), LF (0x0a) and EOF (0xff), which should stop most string operations and render the overflow attack ineffective.<br>A random canary is generated when the program starts, so the attacker cannot obtain the canary value by searching the program&#8217;s binary.<br>If \/dev\/urandom exists, the random number is taken from there; otherwise it is derived by encoding the current time. Its randomness is enough to stop the vast majority of guessing attacks.<br>Immunix is a Red Hat Linux compiled with StackGuard, but the protection StackGuard provides is not absolute; under some conditions it can be bypassed, for example by overwriting a function pointer, the address of a possibly present exit() or _exit() call, the GOT, etc.<br><strong>StackShield<\/strong><br>uses a different technique. It creates a separate stack to store a copy of the function return address. It adds a piece of code at the start and at the end of each protected function: the code at the start copies the return address into a special table, and the code at the end copies the return address from the table back onto the stack. The function&#8217;s execution flow therefore does not change and it always returns correctly to its caller.<br>Newer versions add another protection: when a function pointer whose address lies outside the text segment is called, execution is terminated.<br>StackShield cannot defend against a single-byte overflow that only overwrites %ebp, and likewise the restriction can be bypassed by overwriting other ELF structures.<\/p>\n\n\n\n
<p>library function link protection<br><strong>FormatGuard<\/strong><br>is a patch to glibc, under the GPL. It uses special CPP (gcc preprocessor) macros to replace the original argument counting of *printf(): it compares the number of arguments passed to *printf with the number of format directives, and if the number of directives is greater than the number of actual arguments it treats this as an attack, sends a message to syslogd and terminates the process.<br>If the vulnerable program calls a library other than glibc, FormatGuard cannot protect it.<br><strong>Libsafe<\/strong><br>is a dynamically linked library loaded before the standard C library that mainly hardens the C functions prone to security problems, such as gets(), strcpy(), strcat(), sprintf() &#8230; etc.<br>It is designed only against stack smashing &amp;&amp; format string attacks.<\/p>\n\n\n\n
<p>non-executable stack<br><strong>Solar Designer&#8217;s nonexec kernel patch<\/strong><br>As the name shows, this is a kernel patch for Linux. Its main feature is a non-executable user stack [Non-executable User Stack]. Because x86 CPUs (before NX) provide no per-page execute bit, the patch distinguishes the data segment from the code segment by shrinking the virtual address range of the code segment; any transfer of control into the user stack area below 0xC0000000 is treated as a buffer overflow attack and immediately raises a general protection exception that terminates the process.<br>This defeats exploits that place the shellcode in a buffer or in an environment variable (both of which live in the stack segment).<br>Of course its security is not absolute either; the article on returning into library functions via the PLT describes in detail how to bypass this patch.<br>The patch also has some other features: dynamically linked libraries are mapped at the low end of the address space (addresses beginning with 0x00, so that every address into them contains a null byte), restrictions on symlink attacks, \/tmp directory restrictions, \/proc directory restrictions, execve system call hardening, etc.<br><strong>Solaris\/SPARC nonexec-stack protection<\/strong><br>On Solaris\/SPARC, execution of the stack segment can be forbidden by removing the stack&#8217;s execute permission. The method is as follows: add two statements to \/etc\/system:<br>set noexec_user_stack = 1<br>set noexec_user_stack_log = 1<br>The first forbids stack execution; the second logs every attempt to run code in the stack segment.<br>It takes effect only after a reboot. All protection that merely makes the stack non-executable is limited:<br>techniques such as return-to-libc and fake frames can bypass the restriction, but a non-executable stack is still a big improvement.<\/p>\n\n\n\n
<p>non-executable data segment<br><strong>kNoX<\/strong><br>A Linux kernel patch. Features: pages of the data segment are non-executable, shared memory is disabled, restrictions on the execve system call are strengthened, special handling of file descriptors 0, 1 and 2, \/proc directory restrictions, FIFO restrictions, symlink restrictions. The patch only supports 2.2 kernels.<br><strong>RSX<\/strong><br>A Linux kernel module that makes the data segments (stack, heap) non-executable.<br><strong>Exec Shield<\/strong><br>From kernel mode it explicitly tracks the highest virtual address of the executable mappings an application contains and dynamically maintains this &#8220;maximum executable virtual address&#8221;, called the &#8220;exec limit&#8221;. On every context switch the scheduler uses this value to update the code segment descriptor written into the GDT. Exec Shield tracks every application dynamically, so each program has a different &#8220;exec limit&#8221; at run time. Because the exec limit is normally a very low virtual address, besides the stack, the regions mapped by mmap() and the space allocated by malloc() all lie above the exec limit and are therefore non-executable.<br>Of course Exec Shield cannot prevent jumps into the low 16 MB of the address space or return-to-libc attacks, but it still stops the vast majority of attacks that place shellcode in the data segment.<\/p>\n\n\n\n
<p><strong>hardware level prevention of buffer overflow<\/strong><br>intel q965 express chipset<br>amd athlon 64 processors<\/p>\n\n\n\n
<p>x86 CPUs use a 4 GB flat model in which the linear addresses of the data segment and the code segment overlap, and a page can be executed as long as it is readable, which is why the many kernel patches mentioned above had to devise all sorts of methods to make the data segment non-executable.<br>Alpha, PPC, PA-RISC, SPARC, SPARC64, AMD64 and IA64 all now provide a page execute bit.<br>The page execute bit newly added by Intel and AMD is called the NX security technology; Windows XP SP2 and Linux kernel 2.6 both support NX. Although this hardware-level page protection is not as strong as PaX, hardware support undoubtedly greatly increases compatibility with software and operating systems and allows buffer overflow protection to become widespread.<\/p>\n\n\n\n
<p><strong>how to detect buffer overflows in a program<\/strong><br>look at the source code: use safe C functions, check that every boundary is handled, and avoid the problematic functions<br>feed the application with huge amounts of data and check for abnormal behavior<\/p>\n\n\n\n
<p><strong>defense against buffer overflows<\/strong><br>manual auditing of code: check whether unsafe functions are used<br>disabling stack execution: use the operating system&#8217;s support for a non-executable stack<br>safer C library support<br>compiler techniques: canaries and bounds checks inserted by the compiler<\/p>\n\n\n\n
<p><strong>use canary defense against buffer overflow attacks<\/strong><br>StackGuard: Immunix<br>SSP\/ProPolice: FreeBSD<br>\/GS: Microsoft<\/p>\n","protected":false},"excerpt":{"rendered":"<p>buffer overflow concepts: the goal of causing a buffer overflow is to change the program&#8217;s control flow 
&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[39],"tags":[],"class_list":["post-403","post","type-post","status-publish","format-standard","hentry","category-concept"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/403","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=403"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/403\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=403"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=403"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=403"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
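The stack-smashing and StackGuard sections above describe what an over-long strcpy() does to the saved frame pointer and return address, why a terminator canary stops it, and why a null byte in the payload matters. The following added example (not code from the original post) models that 32-bit frame as a flat byte array, so the overwrite can be observed deterministically without corrupting the real stack or fighting the compiler's own stack protector. The buffer size, the canary value, the saved EBP and the return address are made-up constants chosen for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame layout, low to high addresses, as a 32-bit compiler lays it out:
 * local buffer, StackGuard-style canary word, saved EBP, return address. */
#define BUF_SIZE   16
#define OFF_CANARY (BUF_SIZE)
#define OFF_EBP    (BUF_SIZE + 4)
#define OFF_RET    (BUF_SIZE + 8)
#define FRAME_SIZE (BUF_SIZE + 12)

/* Made-up values standing in for what the prologue leaves in the frame.
 * The canary is the terminator canary from the text, stored in memory as
 * the bytes 00 0d 0a ff (NUL, CR, LF, EOF). */
#define CANARY_VALUE 0xff0a0d00u
#define LEGIT_EBP    0xbffff7d8u
#define LEGIT_RETURN 0x0804851cu

typedef struct { uint8_t b[FRAME_SIZE]; } frame_t;

static uint32_t load_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void store_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* A frame as the function prologue would leave it. */
frame_t frame_init(void) {
    frame_t f;
    memset(f.b, 0, sizeof f.b);
    store_le32(f.b + OFF_CANARY, CANARY_VALUE);
    store_le32(f.b + OFF_EBP, LEGIT_EBP);
    store_le32(f.b + OFF_RET, LEGIT_RETURN);
    return f;
}

/* The bug: strcpy() semantics. No bound; it stops only at the NUL, which it
 * also copies. The model clips at the end of the frame so the demo stays
 * memory-safe; a real strcpy() would keep writing into the caller's frame. */
void unsafe_copy(frame_t *f, const char *src) {
    for (size_t i = 0; i < FRAME_SIZE; i++) {
        f->b[i] = (uint8_t)src[i];
        if (src[i] == '\0') break;
    }
}

/* The fix: check the length against the buffer, reject instead of
 * truncating silently, and always leave room for the terminator. */
bool safe_copy(frame_t *f, const char *src, size_t src_len) {
    if (src_len >= BUF_SIZE) return false;
    memcpy(f->b, src, src_len);
    f->b[src_len] = '\0';
    return true;
}

/* What the ret instruction would pop after the unsafe copy. */
uint32_t ret_after_unsafe_copy(const char *payload) {
    frame_t f = frame_init();
    unsafe_copy(&f, payload);
    return load_le32(f.b + OFF_RET);
}

/* StackGuard's epilogue check: is the canary still what the prologue wrote? */
bool canary_intact_after_unsafe_copy(const char *payload) {
    frame_t f = frame_init();
    unsafe_copy(&f, payload);
    return load_le32(f.b + OFF_CANARY) == CANARY_VALUE;
}

bool safe_copy_accepts(const char *payload, size_t len) {
    frame_t f = frame_init();
    return safe_copy(&f, payload, len);
}

uint32_t ret_after_safe_copy(const char *payload, size_t len) {
    frame_t f = frame_init();
    (void)safe_copy(&f, payload, len);   /* rejected input leaves the frame alone */
    return load_le32(f.b + OFF_RET);
}

int main(void) {
    /* 16 buffer + 4 canary + 4 saved-EBP bytes of filler, then the new
     * return address 0xdeadbeef in little-endian byte order. */
    const char attack[] = "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "\xef\xbe\xad\xde";
    printf("unsafe copy: ret=0x%08x canary intact=%d\n",
           ret_after_unsafe_copy(attack), (int)canary_intact_after_unsafe_copy(attack));
    printf("safe copy accepts attack=%d ret=0x%08x\n",
           (int)safe_copy_accepts(attack, sizeof attack - 1),
           ret_after_safe_copy(attack, sizeof attack - 1));
    return 0;
}
```

Two things the model makes visible: a payload that tries to pass over the terminator canary has to write 0x00 into it, which ends the strcpy() before it reaches the return address; and a target address whose low byte is 0x00 (such as 0x08048400) cannot be delivered intact either, because the copy stops on that byte and leaves the rest of the old return address in place.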
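The NOP and polymorphic shellcode sections above say that an IDS flags a run of 0x90 bytes (the nops-x86 log line) and that XOR-encoding the payload behind a small loader hides that signature. This added example (not from the original post) puts both halves side by side: a longest-run-of-NOPs check of the kind such a signature implements, and a single-byte XOR encoder that also picks a key leaving no null byte in the encoded payload. The sled length, the alert threshold and the 256-byte capacity are assumptions; the eight shellcode bytes are the page's own first line (setuid(0)) and are never executed, only treated as data. The decoder stub that would precede the payload in a real exploit is not modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NOP_BYTE       0x90
#define SLED_THRESHOLD 16    /* assumed alert threshold, not the page's IDS setting */
#define MAX_PAYLOAD    256

/* The page's first shellcode line: setuid(0) on Linux/x86. Data only here. */
static const uint8_t SETUID0[] = {0x31, 0xc0, 0x31, 0xdb, 0xb0, 0x17, 0xcd, 0x80};

/* Longest run of consecutive 0x90 bytes: the nops-x86 style signature. */
size_t longest_nop_run(const uint8_t *buf, size_t len) {
    size_t best = 0, run = 0;
    for (size_t i = 0; i < len; i++) {
        run = (buf[i] == NOP_BYTE) ? run + 1 : 0;
        if (run > best) best = run;
    }
    return best;
}

bool nop_sled_alert(const uint8_t *buf, size_t len) {
    return longest_nop_run(buf, len) >= SLED_THRESHOLD;
}

/* sled_len NOPs followed by the shellcode; returns bytes written, 0 if it does not fit. */
size_t build_payload(uint8_t *out, size_t cap, size_t sled_len) {
    if (sled_len + sizeof SETUID0 > cap) return 0;
    memset(out, NOP_BYTE, sled_len);
    memcpy(out + sled_len, SETUID0, sizeof SETUID0);
    return sled_len + sizeof SETUID0;
}

/* Single-byte XOR: the encoder and the loader's decoder are the same operation. */
void xor_crypt(uint8_t *buf, size_t len, uint8_t key) {
    for (size_t i = 0; i < len; i++) buf[i] ^= key;
}

/* Pick a key that leaves no NUL byte in the encoded payload (a NUL would end a
 * strcpy()-delivered string) and no 0x90 byte either, so the sled signature
 * is gone from the wire. Returns 0 if no such key exists. */
uint8_t pick_xor_key(const uint8_t *buf, size_t len) {
    for (unsigned k = 1; k < 256; k++) {
        bool ok = true;
        for (size_t i = 0; i < len && ok; i++) {
            uint8_t e = buf[i] ^ (uint8_t)k;
            ok = (e != 0x00) && (e != NOP_BYTE);
        }
        if (ok) return (uint8_t)k;
    }
    return 0;
}

/* Would the plain sled + shellcode trip the check? */
bool raw_payload_alerts(size_t sled_len) {
    uint8_t buf[MAX_PAYLOAD];
    size_t n = build_payload(buf, sizeof buf, sled_len);
    return n != 0 && nop_sled_alert(buf, n);
}

/* Encode with a chosen key, run the check on what the IDS would see, then
 * decode the way the loader would at run time. True only if the encoded
 * form evades the sled check, carries no NUL, and decodes back exactly. */
bool encoded_payload_evades_and_decodes(size_t sled_len) {
    uint8_t raw[MAX_PAYLOAD], wire[MAX_PAYLOAD];
    size_t n = build_payload(raw, sizeof raw, sled_len);
    if (n == 0) return false;
    uint8_t key = pick_xor_key(raw, n);
    if (key == 0) return false;
    memcpy(wire, raw, n);
    xor_crypt(wire, n, key);                       /* what crosses the network */
    bool evades = !nop_sled_alert(wire, n) && memchr(wire, 0, n) == NULL;
    xor_crypt(wire, n, key);                       /* what the loader does */
    return evades && memcmp(wire, raw, n) == 0;
}

int main(void) {
    printf("raw 32-byte sled alerts: %d\n", (int)raw_payload_alerts(32));
    printf("xor-encoded sled evades and decodes: %d\n",
           (int)encoded_payload_evades_and_decodes(32));
    return 0;
}
```

The same signature is why the ADMutate approach also varies the sled itself with other one-byte instructions; a detector that only counts 0x90 runs is a floor, not a ceiling, for what an IDS should look for.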