基于任意函数地址的ASLR绕过技术研究

doi:10.3969/j.issn.1671-1122.2016.07.008

信息网络安全 ›› 2016, Vol. 16 ›› Issue (7): 47-52.doi: 10.3969/j.issn.1671-1122.2016.07.008

基于任意函数地址的ASLR绕过技术研究

徐鑫¹, 张松年², 胡建伟²

1.中国人民解放军95865部队,北京100000
2.西安电子科技大学,陕西西安710126

收稿日期:2016-05-26 出版日期:2016-07-20 发布日期:2020-05-13
作者简介:
作者简介：徐鑫（1987—）,男,山东,助理工程师,硕士,主要研究方向为信息安全;张松年（1993—）,男,河北,硕士,主要研究方向为Windows系统的漏洞挖掘和漏洞利用;胡建伟（1973—）,男,陕西,副教授,博士,主要研究方向为计算机网络、工业控制系统、网络软硬件设备的安全与攻防对抗。
基金资助:
国家自然科学基金[61301171]

Research on ASLR Bypass Technology Based on Arbitrary Function Address

Xin XU¹, Songnian ZHANG², Jianwei HU²

1.PLA 95865, Beijing 100000, China
2. XIDIAN University, Xi’an Shaanxi 710126, China

Received:2016-05-26 Online:2016-07-20 Published:2020-05-13

摘要/Abstract

摘要：

多年来缓冲区溢出漏洞一直都是网络攻击领域最为重要、危害性最大的一种网络攻击手段。在微软等厂商采用以DEP和ASLR为代表的缓冲区溢出防护技术以前,攻击者在漏洞利用过程中只需要将系统指令寄存器（EIP）跳转到所需要的位置即可。随着DEP和ASLR技术的应用,在当前的缓冲区溢出漏洞利用过程中,绕过ASLR（内存地址空间布局随机化）保护机制是必不可少的环节。几乎所有的漏洞挖掘从业者,都在研究通过何种方式绕过DEP和ASLR。文章从微软Windows操作系统的ASLR保护机制内容入手,分析了当前常用的ASLR绕过技术,提出了一种通过相对偏移绕过ASLR保护机制的方法,并着重分析了CVE-2013-2551的漏洞原理和细节,通过利用CVE-2013-2551漏洞,演示在微软的Windows 8上应用此方法成功绕过微软ASLR保护机制。本方法的缺点在于其能够绕过ASLR的前提是攻击者必须能够读取内存,优点在于攻击者可以获取系统内任意函数的地址。

关键词: 漏洞利用, ASLR保护机制, ROP链, 暴漏基址

Abstract:

For many years buffer overflow vulnerability has been the most important and harmful mean of the field of network attacks. In Microsoft and other vendors did not use the DEP and ASLR on buffer overflow protection technology, the attackers use EIP to jump to the required position to complete the exploits. However, with the application of DEP and ASLR technology, during the current exploit, bypass the ASLR, Address Space Layout Randomization, protection mechanism is an essential part . Almost all of the vulnerabilities mining practitioners and attackers, both in the study through the way to bypass DEP and ASLR. From the content of ASLR protection mechanism, this paper mainly analyzes the current commonly used ASLR bypass technology of the Microsoft’s Windows system. Then, this paper puts forward a through relative offset bypass ASLR protection mechanism, and focuses on the analysis of the cve-2013-2551 vulnerabilities principles and details, and through the use of loopholes in the cve-2013-2551 demonstration in Microsoft's Windows 8 application this method successfully bypass ASLR protection mechanism of the Microsoft. The shortcoming of the method that proposed in this paper is that the attacker must be able to bypass the ASLR to read the memory, and its advantage is that the attacker can obtain the address of any function in the system.

Key words: vulnerability exploiting, ASLR protection mechanism, ROP chain, exposed base address

中图分类号:

TP309

徐鑫, 张松年, 胡建伟. 基于任意函数地址的ASLR绕过技术研究[J]. 信息网络安全, 2016, 16(7): 47-52.

Xin XU, Songnian ZHANG, Jianwei HU. Research on ASLR Bypass Technology Based on Arbitrary Function Address[J]. Netinfo Security, 2016, 16(7): 47-52.

图/表 11

图1

图2

图3

图4

图5

图6

图7

图8

图9

图10

图11

参考文献 8

[1]	Wikipedia. Address space layout randomization[EB/OL]..
[2]	YU Yang.DEP ASLR Bypass without ROP JIT[R]. CanSecWest, 2013.
[3]	CHEN Xiaobo. ASLR Bypass Apocalypse in Recent Zero-Day Exploits[EB/OL]. .
[4]	Ollie Whitehouse. An Analysis of Address space Layout Randomization on Windows Vistas [EB/OL]. .
[5]	CVE-2013-3893. Microsoft Internet Explorer 远程代码执行漏洞[EB/OL]..
[6]	CVE-2013-2551. Microsoft Internet Explorer 10 任意代码执行漏洞[EB/OL]..
[7]	Allen Harper,Shon Harris著.灰帽黑客[M].杨明军译. 北京:清华大学出版社,2012.
[8]	CVE-2013-2551漏洞成因与利用分析[EB/OL]..

基于任意函数地址的ASLR绕过技术研究

Research on ASLR Bypass Technology Based on Arbitrary Function Address

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

图/表 11

参考文献 8

相关文章 6

编辑推荐

Metrics

本文评价

[1]	朱帅, 罗森林, 柯懂湘. Windows Shellcode自动构建方法研究[J]. 信息网络安全, 2017, 17(4): 15-25.
[2]	毛焱颖, 罗森林. 融合多种技术的堆喷射方法研究[J]. 信息网络安全, 2016, 16(6): 48-55.
[3]	. 一种非堆喷射的IE浏览器漏洞利用技术研究[J]. , 2014, 14(6): 39-.
[4]	. 基于端口和编号的漏洞代码匹配方法研究[J]. , 2014, 14(4): 20-.
[5]	. 基于 Windows 的软件安全典型漏洞利用策略探索与实践[J]. , 2014, 14(11): 59-.
[6]	王宜阳;宋苑. 浅谈渗透测试在Web系统防护中的应用[J]. , 2010, (9): 0-0.