protostar_stack 总结
protostar 是 http://exploit-exercises.com 网站上关于Network,Stack overflows,Format strings,Heap overflows的练习。stack部分,有8个level
stack overflows部分,最核心的,就是通过缓冲区的溢出,覆盖函数的 返回地址
返回地址 可以被重定位到很多地方:缓冲区中,缓冲区溢出的地方,通过libc函数进行重地位,通过代码段的冲定位等等。
栈溢出攻击的防护措施有很多:
stack canaries
canary的意思是金丝雀,在煤矿中,人们用金丝雀来判断是否有有害的气体。在处理栈溢出的问题上,在程序起始的时候,根据某些规则生成一个数(也可以是随机),把这个数放到函数返回地址之前,如果有溢出攻击,那么这个数也会被覆盖,发生错误。
这是GCC在Canary方面的保护的介绍,https://www.ibm.com/developerworks/cn/linux/l-cn-gccstack/
Canary word ,有多种选择:
Terminator canaries,利用特定的终极字符
Random canaries,随机数
Random XOR canaries,由随机数,栈控制信息,返回地址异或而成
GCC有关栈保护的选项:
-fstack-protector:
启用堆栈保护,不过只为局部变量中含有 char 数组的函数插入保护代码。
-fstack-protector-all:
启用堆栈保护,为所有函数插入保护代码。
-fno-stack-protector:
禁用堆栈保护。
如果想跳过canary的保护,需要通过对系统的处理异常的部分(SEH)进行溢出
NX
NX,指的是对一些危险的内存(比如说栈)设置不可以执行的权限。
通过ROP(Return-oriented Programming)来跳过这个保护,http://en.wikipedia.org/wiki/Return-oriented_programming
我们在level 6 和 level 7中 ,完成的就是这个工作。
ASLR
ASLR, Address Space Layout Randomisation.
Address space layout randomization (ASLR) is a computer security method which involves randomly arranging the positions of key data areas, usually including the base of the executable and position of libraries, heap, and stack, in a process's address space.
Address space randomization hinders some types of security attacks by making it more difficult for an attacker to predict target addresses. For example, attackers trying to execute return-to-libc attacks must locate the code to be executed, while other attackers trying to execute shellcode injected on the stack have to find the stack first. In both cases, the system obscures related memory-addresses from the attackers. These values have to be guessed, and a mistaken guess is not usually recoverable due to the application crashing.
