Abstract
For many years, buffer overflow vulnerabilities have been among the most important and most damaging means of network attack. Before Microsoft and other vendors adopted buffer overflow protections such as DEP and ASLR, an attacker exploiting a vulnerability only needed to redirect the instruction pointer register (EIP) to the desired location. With DEP and ASLR in use, bypassing ASLR (Address Space Layout Randomization) has become an indispensable step in current buffer overflow exploitation, and almost all vulnerability researchers study ways to bypass DEP and ASLR. Starting from the ASLR protection mechanism of Microsoft Windows, this paper analyzes the ASLR bypass techniques in common use, proposes a method of bypassing ASLR by means of relative offsets, and analyzes in detail the principle and specifics of CVE-2013-2551; by exploiting CVE-2013-2551, it demonstrates that this method successfully bypasses Microsoft's ASLR on Windows 8. The drawback of the method is that its ability to bypass ASLR presupposes that the attacker can read memory; its advantage is that the attacker can obtain the address of any function in the system.
For many years, the buffer overflow vulnerability has been the most important and most harmful means of attack in the field of network attacks. Before Microsoft and other vendors adopted buffer overflow protection technologies such as DEP and ASLR, attackers completed their exploits simply by making EIP jump to the required position. With the application of DEP and ASLR, however, bypassing the ASLR (Address Space Layout Randomization) protection mechanism has become an essential part of current exploitation, and almost all vulnerability researchers and attackers are studying ways to bypass DEP and ASLR. Starting from the ASLR protection mechanism of Microsoft Windows, this paper analyzes the commonly used ASLR bypass techniques, then proposes a method of bypassing the ASLR protection mechanism through relative offsets, focuses on the principles and details of the CVE-2013-2551 vulnerability, and demonstrates, by exploiting CVE-2013-2551 on Microsoft's Windows 8, that this method successfully bypasses Microsoft's ASLR. The shortcoming of the proposed method is that the attacker must be able to read memory in order to bypass ASLR; its advantage is that the attacker can obtain the address of any function in the system.
Source
《信息网络安全》
2016, Issue 7, pp. 47-52 (6 pages)
Netinfo Security
Funding
National Natural Science Foundation of China [61301171]
Keywords
vulnerability exploitation
ASLR protection mechanism
ROP chain
exposed base address