Saturday, March 14, 2009
Heap spraying (from Wikipedia)
In computer security, heap spraying is a technique used in exploits to facilitate arbitrary code execution. The term is also used to describe the part of the source code of an exploit that implements this technique. In general, code that sprays the heap attempts to put a certain sequence of bytes at a predetermined location in the memory of a target process by having it allocate (large) blocks on the process's heap and fill the bytes in these blocks with the right values. Such sprays commonly take advantage of the fact that these heap blocks will end up in roughly the same location every time the heap spray is run.
In the field of computer security, heap spraying is used in exploits to achieve arbitrary code execution. The term is also used to refer to the part of an exploit's code that implements this technique. In general, code that sprays the heap tries to place a specific sequence of bytes at a predetermined location in the target process by allocating a large number of blocks on the target process's heap and filling those blocks with the right values. The theoretical basis for this is that each time the heap spray runs, these heap blocks land in the same location.
Heap sprays have been used occasionally in exploits since at least 2001[1], but the technique started to see widespread use in exploits for web browsers soon after the release of a series of exploits that used it to exploit a wide range of bugs in Internet Explorer[2][3][4][5][6]. The heap sprays used in all these exploits were very similar, which showed the technique's versatility and ease of use without the need for major modifications between exploits. It proved simple enough to understand and use that novice hackers could quickly write reliable exploits for many types of vulnerabilities in web browsers and web browser plug-ins. Many web browser exploits that use heap spraying consist only of a heap spray that is copy-pasted from a previous exploit combined with a small piece of script or HTML that triggers the vulnerability.
Even though the technique was proven to work on other web browsers[7][8], it has not seen the same widespread use as seen for Internet Explorer.
Heap sprays have only been in use since 2001, but the technique's large-scale use in exploits came after the release of a series of exploits for IE vulnerabilities. The heap sprays used in these exploits were all very similar, which demonstrated the technique's versatility and simplicity: an exploit could be reused without major modification. Using heap spraying, novice hackers can quickly write reliable exploits for vulnerabilities in browsers and browser plug-ins. Many browser exploits that use heap spraying need only a heap spray copied from an earlier exploit, plus a short piece of script or HTML to trigger the vulnerability.
It has been shown that this technique also works in other browsers, but large-scale use there has not been observed.
JavaScript
Heap sprays for web browsers are commonly implemented in JavaScript and spray the heap by creating large Unicode strings with the same character repeated many times, starting with a string of one character and concatenating it with itself over and over. This way, the length of the string grows exponentially up to the maximum length allowed by the scripting engine. When the desired string length is reached, shellcode is put at the end of the string. The heap spraying code makes copies of the long string with shellcode and stores these in an array, up to the point where enough memory has been sprayed to cover the area that the exploit targets. VBScript is sometimes (though very rarely) used to create strings as well, because its String function makes this easy.
Browser heap spraying is mainly implemented in JavaScript, spraying the heap with a Unicode string in which the same character is repeated many times. The string's length then grows exponentially, up to the maximum length the scripting engine allows. Once the desired length is reached, the shellcode is placed at the end of the string. The heap spraying code generates long strings containing the shellcode and stores them in an array, until enough memory for the exploit has been sprayed over.
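The description above lists the features that give browser heap sprays their recognisable shape: a string doubled against itself until it reaches a large length, a block of raw bytes appended to it, and many copies of the result parked in an array. As an added, defender-side example (not part of the original post or of the Wikipedia text), the following Node.js script turns those features into static heuristics and scores a script body with them. The indicator names, regular expressions, weights and the threshold are this example's own assumptions, and both sample scripts are constructed; the `%u` escape blob in the second sample is an inert run of zeros standing in for the appended bytes.

```javascript
// Added example (not from the original post or from Wikipedia): a static
// heuristic scanner that flags script text with the heap-spray shape the
// article describes. Indicator names, regexes, weights and the threshold are
// this example's own assumptions; both samples below are constructed.

const SUSPICIOUS_THRESHOLD = 5;

// Each indicator maps one feature from the description to a regular expression.
const INDICATORS = [
  // A long run of %uXXXX escapes inside unescape(): raw bytes built as a Unicode string.
  { name: 'unescape-unicode-blob', weight: 3,
    re: /unescape\s*\(\s*["'](?:%u[0-9a-fA-F]{4}){8,}/g },
  // A string concatenated with itself (s += s or s = s + s): exponential growth.
  { name: 'self-concat-doubling', weight: 3,
    re: /\b([A-Za-z_$][\w$]*)\s*(?:\+=\s*\1\b|=\s*\1\s*\+\s*\1\b)/g },
  // A doubling loop bounded by a large length threshold.
  { name: 'length-threshold-loop', weight: 2,
    re: /while\s*\(\s*[A-Za-z_$][\w$]*\.length\s*<\s*(?:0x[0-9a-fA-F]+|\d{5,})\s*\)/g },
  // Array slots filled with "filler + payload" copies of the long string.
  { name: 'array-fill-concat', weight: 2,
    re: /\b[A-Za-z_$][\w$]*\s*\[\s*[A-Za-z_$][\w$]*\s*\]\s*=\s*[A-Za-z_$][\w$]*\s*\+\s*[A-Za-z_$][\w$]*/g },
  // VBScript's String(count, char) producing a very long repeated string.
  { name: 'vbscript-string-repeat', weight: 2,
    re: /\bString\s*\(\s*(?:&H[0-9a-fA-F]+|\d{5,})\s*,/g },
];

// Scores a script body: each distinct indicator that fires adds its weight once,
// and the number of matches is kept so an analyst can see how strongly it fired.
function scanScript(source) {
  const hits = [];
  let score = 0;
  for (const ind of INDICATORS) {
    const matches = source.match(ind.re); // global regex: array of all matches, or null
    if (matches) {
      hits.push({ indicator: ind.name, count: matches.length });
      score += ind.weight;
    }
  }
  return { score, hits, suspicious: score >= SUSPICIOUS_THRESHOLD };
}

// Constructed benign sample: ordinary DOM code with a single concatenation.
const BENIGN_SAMPLE = [
  "var items = document.getElementsByTagName('li');",
  'var labels = [];',
  'for (var i = 0; i < items.length; i++) {',
  "  labels[i] = items[i].innerText + ' ';",
  '}',
  "var summary = 'Count: ' + labels.length;",
].join('\n');

// Constructed sample with the shape the article describes. The %u blob is an
// inert all-zero placeholder standing in for the appended bytes, not shellcode.
const SPRAY_SHAPED_SAMPLE = [
  'var code = unescape("%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000");',
  'var filler = unescape("%u0000");',
  'while (filler.length < 0x100000) filler += filler;',
  'var blocks = new Array();',
  'for (var i = 0; i < 200; i++) blocks[i] = filler + code;',
].join('\n');

console.log('benign:      ', JSON.stringify(scanScript(BENIGN_SAMPLE)));
console.log('spray-shaped:', JSON.stringify(scanScript(SPRAY_SHAPED_SAMPLE)));
```

The benign sample scores 0 and the spray-shaped sample scores 10 (four of the five indicators fire once each). Weighting distinct indicators rather than raw match counts keeps a single stray `s += s` in legitimate code below the threshold, while the combination of doubling, a length-bounded loop and array filling is what the article singles out as the reusable spray skeleton; a scanner like this is a triage aid for script captured from web traffic or sandboxed pages, not a verdict.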
Though it has been proven that heap-spraying can be done through other means, for instance by loading image files into the process[9], this has not seen widespread use (as of August 2008).
Heap spraying can also be implemented by other means, such as loading images into the process, but this approach is not in general use.