ÃÂ¡ÃÂºÃÂ°Ã‘Â‡ÃÂ°Ã‘Â‚Ã‘ÂŒ - Xakep Online

More documents

Recommendations

Info

ÞÍÈÒÛ ÊÐÅÀÒÈÔÔ ÊÎÄÈÍÃ UNIXOID ÑÖÅÍÀ [ÂÇËÎÌ] ÈÌÏËÀÍÒ PC_ZONE FERRUM ÍÜÞÑÛ Êó÷à ñ ãîðêîé Îñíîâû heap-ïåðåïîëíåíèé ïîä Windows Heap ÅÑËÈ ÏÎÐÛÒÜÑß Â ÑÅÒÈ, ÌÎÆÍÎ ÍÀÉÒÈ ÎÃÐÎÌÍÎÅ ÊÎËÈ×ÅÑÒÂÎ ÌÀÒÅÐÈÀËÎÂ, ÎÏÈÑÛÂÀÞÙÈÕ ÐÀÇ- ËÈ×ÍÛÅ ÌÅÒÎÄÛ ÂÑÅÂÎÇÌÎÆÍÛÕ ÏÅÐÅÏÎËÍÅÍÈÉ. ÏÅÐÅÏÎËÍÅÍÈß Â ÑÒÅÊÅ, BUFFER OVERFLOW, FOR- MAT STRING — ÂÑÅ ÝÒÎ Â ÄÅÒÀËßÕ ÎÏÈÑÀÍÎ ÍÀ ÌÍÎÃÈÕ ÑÀÉÒÀÕ. ÎÄÍÀÊÎ, ÅÑËÈ ÏÐÈÑÌÎÒÐÅÒÜÑß, ÏÎ×- ÒÈ ÂÑÅ ÏÐÈÌÅÐÛ È ÎÏÈÑÀÍÈß ÏÎÏÓËßÐÍÛÕ ÌÅÒÎÄÈÊ ÏÐÈÂÅÄÅÍÛ ÈÌÅÍÍÎ ÄËß UNIX-ÑÈÑÒÅÌ. ËÅÇÒÜ Â ÊÓ×Ó ÑÏÅÖÈÔÈ×ÅÑÊÈÕ ÄËß WINDOWS ÌÎÌÅÍÒÎÂ ÍÈÊÒÎ ÍÅ ÆÅËÀÅÒ. ÏÎ ÝÒÎÉ ÏÐÈ×ÈÍÅ ÌÛ ÐÅØÈËÈ ÏÐÈÃÎÒÎÂÈÒÜ ÄËß ÒÅÁß ÈÍÒÅÐÅÑÍÛÉ ÌÀÒÅÐÈÀË Î ÏÎÏÓËßÐÍÎÌ ÑÐÅÄÈ ÕÀÊÅÐÎÂ È ÂÈÐÌÅÉÊÅÐÎÂ ÏÐÈÅÌÅ, Ñ ÏÎÌÎÙÜÞ ÊÎÒÎÐÎÃÎ ÐÀÑÏÐÎÑÒÐÀÍßÅÒÑß ÄÎÁÐÀß ÏÎËÎÂÈÍÀ ÑÅÒÅÂÛÕ ×ÅÐÂÅÉ, — Î HEAP OVERFLOW | Õàøòàìîâ Àäèëü (adi1@ok.kz) ðèñóíîê 2: çàãîëîâîê ñâîáîäíîãî áëîêà ðèñóíîê 1: çàãîëîâîê áëîêà [÷òî òàêîå heap] Ïðåæäå âñåãî äàâàé ðàçáåðåìñÿ, ÷òî òàêîå heap. Ëþáîé øêîëüíèê òåáå ñêàæåò, ÷òî ñ àíãëèéñêîãî ýòî ñëîâî ïåðåâîäèòñÿ êàê «êó÷à». Â íàøåì æå êîìïüþòåðíîì êîíòåêñòå ñëîâî «heap» îáîçíà÷àåò ñïåöèàëüíóþ îáëàñòü çàðåçåðâèðîâàííîãî àäðåñíîãî ïðîñòðàíñòâà, âûäåëåíèå è îñâîáîæäåíèå ïàìÿòè â êîòîðîì ðåàëèçóåòñÿ ïðè ïîìîùè ñïåöèàëüíûõ ñèñòåìíûõ ôóíêöèé. Ïðè ðàáîòå ñ êó÷åé ïðîãðàììèñòàì äîñòóïíî ñîáñòâåííîå îãðîìíîå âèðòóàëüíîå àäðåñíîå ïðîñòðàíñòâî, ïî åìêîñòè çíà÷èòåëüíî ïðåâîñõîäÿùåå îáúåì ðåàëüíîé ôèçè÷åñêîé ïàìÿòè, óñòàíîâëåííîé â êîìïüþòåðå. Âñå îñíîâíûå ôóíêöèè ïî ðàáîòå ñ êó÷åé (âûäåëåíèå, îñâîáîæäåíèå è ñîçäàíèå áëîêîâ ïàìÿòè) ðàñïîëîæåíû â ñèñòåìíîé áèáëèîòåêå ntdll.dll. Èçíà÷àëüíî êàæäîìó ïðèëîæåíèþ â Windows âûäåëÿåòñÿ îäíà ìåãàáàéòíàÿ êó- ÷à, à äàëåå óæå, ïî ìåðå íåîáõîäèìîñòè, îáúåì âûäåëÿåìîé ïàìÿòè àâòîìàòè÷åñêè óâåëè÷èâàåòñÿ. Â ñâîþ î÷åðåäü, ïðèëîæåíèå ìîæåò ñîçäàâàòü ñîáñòâåííîå àäðåñíîå ïðîñòðàíñòâî ñ ïîìîùüþ ñïåöèàëüíûõ ôóíêöèé. Ïàìÿòü â êó÷å âûäåëÿåòñÿ îáëàñòÿìè, ïðè÷åì â êàæäîé îáëàñòè ìîæíî ñîçäàòü áëîêè ïàìÿòè, êîòîðûå áóäóò ðàñïîëîæåíû â ñåãìåíòàõ. Äëÿ óïðàâëåíèÿ êàæäûì òàêèì áëîêîì ñîçäàåòñÿ ñâîé ñïåöèàëüíûé çàãîëîâîê, êîòîðûé èçîáðàæåí íà ðèñóíêå 1. Çäåñü Size îáîçíà÷àåò ðàçìåð áëîêà, Previous Size — ðàçìåð ïðåäûäóùåãî áëîêà, Segment Index — èíäåêñ ñåãìåíòà, â êîòîðîì ðàñïîëîæåí áëîê, Unused — êîëè÷åñòâî íåèñïîëüçóåìûõ áàéò â áëîêå, Tag Index — èíäåêñ ìåòêè, à Flags — ôëàã áëîêà. Ôëàãè ìîãóò áûòü ñëåäóþùèìè: 0x01 — HEAP_ENTRY_BUSY 0x02 — HEAP_ENTRY_EXTRA_PRESENT 0x04 — HEAP_ENTRY_FILL_PATTERN 0x08 — HEAP_ENTRY_VIRTUAL_ALLOC 0x10 — HEAP_ENTRY_LAST_ENTRY 0x20 — HEAP_ENTRY_SETTABLE_FLAG1 0x40 — HEAP_ENTRY_SETTABLE_FLAG2 0x80 — HEAP_ENTRY_SETTABLE_FLAG3 Íà íàøåì äèñêå òû íàéäåøü ïîëíûå âåðñèè ïðîãðàìì, îïèñàííûõ â ýòîé ñòàòüå, ïîäîïûòíîå ïðèëîæåíèå Server.exe äëÿ ýêñïåðèìåíòîâ è ñïëîèò äëÿ ïðîãðàììû — â îçíàêîìèòåëüíûõ öåëÿõ. Ïðè îñâîáîæäåíèè áëîêà ïàìÿòè îí ïðèíèìàåò âèä, èçîáðàæåííûé íà ðèñóíêå 2. Çäåñü Flink — óêàçàòåëü íà ñëåäóþùèé îñâîáîæäåííûé áëîê, à Blink — óêàçàòåëü íà ïðåäûäóùèé îñâîáîæäåííûé áëîê. [äðóãàÿ ðàçìåòêà] Äëÿ óïðîùåíèÿ óïðàâëåíèÿ ñâîáîäíûìè áëîêàìè èñïîëüçóåòñÿ òàêæå ðàçìåòêà ïî êîëè÷åñòâó åäèíèö âûäåëåíèÿ. Åäèíèöû ìîæíî âûñ÷èòàòü òàêèì îáðàçîì. Îáúåì êàæäîãî âûäåëÿåìîãî áëîêà ïàìÿòè ðàâåí 8. Ê ïðèìåðó, åñëè ïðèëîæåíèå âûäåëÿåò áëîê ðàçìåðîì â 64 áàéòà, òîãäà åäèíèö àäðåñàöèè ïîëó÷èòñÿ 64/8 = 8. Êàæäàÿ êó÷à ñòàðòóåò ñî ñòðóêòóðû èç 128 ìàññèâîâ LIST_ENTRY, êîòîðóþ ìîæíî ïîñìîòðåòü â
winnt.h/win.h. Â êàæäûé èíäåêñ ìàññèâà çàïèñûâàåòñÿ ñâîáîäíûé áëîê, íóìåðîâàííûé ïî åäèíèöàì âûäåëåíèÿ. Â íàøåì ïðèìåðå ìû âûäåëèëè áëîê, ðàâíûé 64 áàéòàì, åäèíèö âûäåëåíèÿ ïîëó÷èëîñü 8. Âûõîäèò, ÷òî ïðè îñâîáîæäåíèè áëîêà ïàìÿòè â ìàññèâ FreeList (ìàññèâ ñâîáîäíûõ áëîêîâ) ïîä èíäåêñîì 8 çàïèøåòñÿ íàø îñâîáîæäåííûé áëîê. Ó÷òè, ÷òî ïåðâûé èíäåêñ FreeList íå èñïîëüçóåòñÿ èç-çà òîãî, ÷òî áëîê ðàçìåðîì â 8 áàéò íå ìîæåò ñóùåñòâîâàòü. Íóìåðàöèÿ èíäåêñîâ íà÷èíàåòñÿ ñ 2-õ, íóëåâîé èíäåêñ èñïîëüçóåòñÿ äëÿ õðàíåíèÿ îñâîáîæäåííûõ áëîêîâ ïàìÿòè áîëåå 1016 áàéò. [ôóíêöèè äëÿ ðàáîòû ñ heap] Òåïåðü äàâàé ïîãîâîðèì î ôóíêöèÿõ äëÿ ðàáîòû ñ êó÷åé. ß îïèøó ñàìûå ãëàâíûå ñèñòåìíûå âûçîâû: 1 Ïåðâàÿ ôóíêöèÿ íàçûâàåòñÿ HeapCreate(). Îíà ñëóæèò äëÿ ñîçäàíèÿ ÷àñòíîé îáëàñòè ïàìÿòè. Ó íåå 3 ïàðàìåòðà. Ðàññìîòðèì èõ: – Ôëàã êó÷è, âñåãî èõ äâà. Ïåðâûé ôëàã — HEAP_GENER- ATE_EXCEPTIONS — óêàçûâàåò íà òî, ÷òî â ñëó÷àå îøèáêè áóäåò ñãåíåðèðîâàíà ñòðóêòóðà èñêëþ÷èòåëüíûõ ñèòóàöèé (SEH). Âòîðîé ôëàã — HEAP_NO_SERIALIZE — óêàçûâàåò íà òî, ÷òî áóäåò îòìåíåí ñèíõðîíèçèðîâàííûé äîñòóï ê ïàìÿòè. Äàííóþ îïöèþ ñòîèò ïðèìåíÿòü â òîì ñëó÷àå, åñëè òû óâåðåí, ÷òî äîñòóï ê êó÷å íå èìåþò îäíîâðåìåííî äâà ïîòîêà. – Ðàçìåð êó÷è. – Ðàçìåð ìàêñèìàëüíîãî çíà÷åíèÿ êó÷è. Åñëè ïîñòàâèòü 0, òî áóäåò ñòîÿòü îãðàíè÷åíèå ðàâíîå ìàêñèìàëüíîìó çíà÷åíèþ âñåé âèðòóàëüíîé ïàìÿòè ñèñòåìû (4Ãá). Ôóíêöèÿ â êà÷åñòâå ðåçóëüòàòà ðàáîòû âîçâðàùàåò äåñêðèïòîð, ÷åðåç êîòîðûé â äàëüíåéøåì áóäåò âûäåëÿòüñÿ ïàìÿòü. ×òîáû òåáå áûëî ïðîùå, ïîêàæó íà ïðèìåðå, êàê âûãëÿäèò âûçîâ ýòîé ôóíêöèè: HANDLE Heap1 = HeapCreate(HEAP_GENERATE_EXCEP- TIONS, 700, 0); 2 Âòîðàÿ ôóíêöèÿ èñïîëüçóåòñÿ äëÿ âûäåëåíèÿ áëîêîâ è íàçûâàåòñÿ HeapAlloc(). Îíà èìååò 3 ïàðàìåòðà: – Äåñêðèïòîð îáëàñòè êó÷è (â íàøåì ñëó÷àå ýòî Heap1). – Íåîáÿçàòåëüíûå ôëàãè, äâà èç êîòîðûõ àíàëîãè÷íû ôóíêöèè HeapCreate(), à òðåòèé ôëàã — HEAP_ZERO_MEMORY — óêàçûâàåò íà òî, ÷òî âûäåëåííûé áëîê çàïîëíÿåòñÿ íóëÿìè. – Îáúåì çàïðàøèâàåìîé ïàìÿòè. Ïðèìåð âûçîâà: char *HeapBlock1 = HeapAlloc(Heap1, HEAP_ZERO_MEMORY, 555); 3 Òðåòüÿ ôóíêöèÿ — îñâîáîæäåíèå áëîêà HeapFree(). Îíà èìååò òîæå 3 ïàðàìåòðà. – Äåñêðèïòîð îáëàñòè. – Ôëàã. Ìîæåò áûòü 0 èëè HEAP_NO_SERIALIZE. – Áëîê, êîòîðûé íóæíî îñâîáîäèòü. ß ðàññêàçàë òåáå îá îñíîâíûõ ôóíêöèÿõ äëÿ ðàáîòû ñ êó÷åé â Windows. Ïîíèìàíèå èõ ðàáîòû óæå î÷åíü ñêîðî íàì ïðèãîäèòñÿ, ïîòîìó ÷òî ïåðåõîäèì ê ñàìîìó èíòåðåñíîìó — íåïîñðåäñòâåííî ê Heap Overflow. [ïåðåïîëíåíèå êó÷è] Ïåðåïîëíåíèå êó÷è ñõîæå ñ ïåðåïîëíåíèåì ñòåêà. Îòëè÷èòåëüíàÿ îñîáåííîñòü, êàê è ñëåäîâàëî áû îæèäàòü, çàêëþ÷àåòñÿ â òîì, ÷òî â äàííîì ñëó÷àå ðèñóíîê 4: ñåðâåð â êîìàòîçå Îïèñàííàÿ ìåòîäèêà ÿâëÿåòñÿ ïëàòôîðìîçàâèñèìîé è äëÿ êàæäîé âåðñèè ñèñòåìû íóæíî ñîáèðàòü ñâîé ñïëîèò, óêàçûâàÿ ðàçëè÷íûå àäðåñà ôèëüòðîâ. Êîëè÷åñòâî âûäåëÿåìîé ïàìÿòè â êó÷å óêàçûâàåòñÿ â PE-çàãîëîâêå ýêçåøíèêà è ìîæåò áûòü èçìåíåíî. Ýòà ñòàòüñÿ íàïèñàíà â èññëåäîâàòåëüñêèõ öåëÿõ äëÿ îçíàêîìëåíèÿ ñ ðàñòóùåé óãðîçîé ñî ñòîðîíû ñåòåâûõ ÷åðâåé: âåäü îñòàíîâèòü ïðîäâèæåíèå çàðàçû ìîæíî ëèøü, êàê ñëåäóåò ðàçîáðàâøèñü ñ òåì, êàê îíà ðàñïðîñòðàíÿåòñÿ. Çà íåçàêîííîå ïðèìåíåíèå ïîëó÷åííûõ ñâåäåíèé íåñåøü îòâåòñòâåííîñòü òîëüêî òû ñàì. ìû èìååì äåëî ñ êó÷åé, à íå ñî ñòåêîì :). ×òîáû íå âåñòè àáñòðàêòíûõ ðàçãîâîðîâ, ïðèâåäó ðàñïðîñòðàíåííûé ïðèìåð óÿçâèìîé ïðîãðàììû. Âñìîòðèñü-êà â ýòîò êîä: [óÿçâèìûé êîä ïðîãðàììû] #include #include int main ( int argc, char *argv[] ) { HANDLE Heap1 = HeapCreate(0, 700, 0); char* hblock1 = HeapAlloc(Heap1, HEAP_ZERO_MEMORY, 10); strcpy(hblock1, argv[1]); char* hblock2 = HeapAlloc(Heap1, HEAP_ZERO_MEMORY, 20); HeapFree(Heap1, 0, hblock1); HeapFree(Heap1, 0, hblock2); return 0; } Åñëè òû âíèìàòåëüíûé ÷åëîâåê è íåìíîãî ñìûñëèøü â ïðîãðàììèðîâàíèè, òî ìèãîì çàìåòèøü, ÷òî â ýòîé ïðîãðàììå ïðèñóòñòâóåò áàã — ïåðåïîëíåíèå ïðè èñïîëüçîâàíèè ôóíêöèè strcpy(). Ïðè êîïèðîâàíèè ìû íå ó÷èòûâàåì äëèíó âõîäíîãî ïàðàìåòðà, êîòîðûé êîïèðóåòñÿ â ïåðâûé áëîê. Åñëè ââåñòè äîñòàòî÷íî äëèííóþ ñòðîêó, òî êîãäà äàííûå ïåðåïîëíÿò ïåðâûé áëîê, ìû óæå ïîïàäåì âî âëàäåíèÿ âòîðîãî áëîêà è áóäåì èìåòü âîçìîæíîñòü óïðàâëÿòü èì. Ýòî ìîæíî íàãëÿäíî óâèäåòü â ëþáîì îòëàä÷èêå, ÿ áóäó èñïîëüçîâàòü èçâåñòíûé äåáàããåð OllyDbg. Ïîñìîòðè íà ñêðèíøîò ïîä íîìåðîì òðè. Òàì îò÷åòëèâî âèäíî, ÷òî ïðîèñõîäèò ïðè ïåðåïîëíåíèè êó- ÷è. Heap Overflow ïðîèçîøåë ïðè îñâîáîæäåíèè áëîêîâ ïàìÿòè, è òåïåðü óïðàâëÿåì äâóìÿ ðåãèñòðàìè — EAX è ECX. Îáðàòè âíèìàíèå íà ýòîò ó÷àñòîê êîäà â îòëàä÷èêå: MOV DWORD PTR DS:[ECX],EAX MOV DWORD PTR DS:[EAX+4],ECX
Page 4 and 5:
News ÌÅÃÀ-ÍÜÞÑ 4 Ferrum Ý
Page 6 and 7:
[XÀÊÅÐ 09 [81] 05 > ÍÜÞÑÛ
Page 8:
HITECHNEWS HARDNEWS [XÀÊÅÐ 09 [
Page 11 and 12:
HITECHNEWS ÀÂÒÎÏÈËÎÒÈÐÓ
Page 14:
HARDNEWS HITECHNEWS [XÀÊÅÐ 09 [
Page 18 and 19:
ÞÍÈÒÛ ÊÐÅÀÒÈÔÔ ÊÎÄ
Page 20 and 21:
MICROLAB UPS-650D | LIGHTHOUSE BASE
Page 22 and 23:
[XÀÊÅÐ 09 [81] 05 > FERRUM 020]
Page 24 and 25: ÞÍÈÒÛ ÊÐÅÀÒÈÔÔ ÊÎÄ
Page 26 and 27: [XÀÊÅÐ 09 [81] 05 > PC_ZONE 024
Page 28: [XÀÊÅÐ 09 [81] 05 > PC_ZONE 026
Page 31 and 32: ñòàðîì êîìïüþòåðå,
Page 33 and 34: áîòàë, íåîáõîäèìû ä
Page 35 and 36: âûïîëíÿåì êîìàíäó d
Page 38: [XÀÊÅÐ 09 [81] 05 > PC_ZONE 036
Page 41 and 42: PC_ZONE 039] òî÷íûé ïîèñ
Page 44: [XÀÊÅÐ 08 [80] 05 > PC_ZONE 42]
Page 47 and 48: DVD ñ èíòåðàêòèâíûìè
Page 54 and 55: ×ÒÎ ÏÎÌÎÃËÎ ÌÍÅ ÏÐÈ
Page 58: [XÀÊÅÐ 09 [81] 05 > ÂÇËÎÌ
Page 62 and 63: ÊÐÅÀÒÈÔÔ ÊÎÄÈÍÃ UNIXO
Page 64: êàê ìíîãî þçåðîâ õî
Page 70: [XÀÊÅÐ 09 [81] 05 > ÂÇËÎÌ
Page 73 and 74: [ñîáèðàåì ïàó÷êà] Ä
Page 78: Ýòè ñòðîêè è îçíà÷à
Page 81 and 82: â ãóãëå ïîëíî èíôîð
Page 83 and 84: X-Contest Èãíàòîâ Îëåã a
Page 85 and 86: ñâèñòóëüêà èç êîðî
Page 87 and 88: Ðîáåðò Ìîððèñ Áðàó
Page 89 and 90: Slashdot.com ðîâ ñòàë ïåð
Page 91 and 92: ßí Ãîëäáåðã, îäèí è
Page 93 and 94: www.streetracingmag.ru
Page 98 and 99: [XÀÊÅÐ 09 [81] 05 > ÑÖÅÍÀ
Page 102: êîíêóðñ íà ñêîðîñò
Page 105 and 106: ñòàíäàðòíîå ëîãî â
Page 107 and 108: Core-ôàéë — ýòî ôàéë,
Page 112 and 113: # cd / # chflags noschg kernel # cp
Page 116 and 117: [XÀÊÅÐ 09 [81] 05 > ÊÎÄÈÍ
Page 122: Ýòîò ìåòîä àâòîçàã
Page 126 and 127:
ÞÍÈÒÛ ÊÐÅÀÒÈÔÔ ÊÎÄ
Page 128:
i,dwPointerRva,dwPointsToRva,dwKiSe
Page 131 and 132:
Ñïåöèàëèñòû WebMoney ï
Page 133:
ïðîìåæóòêà ñîçäàíè
Page 137 and 138:
Çàãàäêè Íîñòðàäàìó
Page 139 and 140:
ÒÎÂÀÐÛ * Â ÑÒÈËÅ X * Ý
Page 141 and 142:
ëåé è, ðàñêðûâ ôîðò
Page 143 and 144:
Âèðòóàëüíàÿ Ìîñêâà
Page 145 and 146:
ÏÎÄÏÈÑÍÎÉ ÊÓÏÎÍ Ïð
Page 147 and 148:
-FaQ - unit íî ïîìîãëà á
Page 150 and 151:
-unit Disco [XÀÊÅÐ 09 [81] 05 >
Page 152 and 153:
WINDOWS MULTIMEDIA 1st DVD Ripper 5
Page 154 and 155:
[XÀÊÅÐ 09 [81] 05 > ÞÍÈÒÛ
Page 156 and 157:
UnixwareZ [XÀÊÅÐ 09 [81] 05 >
Page 158 and 159:
X-toolS STCLite Stego 3.1 Win 98/ME
Page 160 and 161:
E- Ïðèåì è îáðàáîòêó
Page 162:
X-Crew ÂÎÒ È ÍÀÑÒÓÏÈËÀ
show all

ÃÂ¡ÃÂºÃÂ°Ã‘Â‡ÃÂ°Ã‘Â‚Ã‘ÂŒ - Xakep Online

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?

ÃÂ¡ÃÂºÃÂ°Ã‘Â‡ÃÂ°Ã‘Â‚Ã‘ÂŒ - Xakep Online