Region 1 on the heap

Source: Internet
Author: User

Overflow is a very interesting topic, and overflow is the most common situation. If the zookeeper area is placed on the heap region, causing overflow, it may be a wonderful situation. For example, the program will crash your shellcode and Gogo!

First, let's look at the basic principles.

Everyone is familiar with the heap, so I won't talk about it here. Let's take a look at the program's function/process usage. The function/process is completed through the heap operation. The reason is that the program sends a response to the function used by the operation, when there are no hosts, they cannot be stored. At the same time, they can be stored using heap hosts, this expert should be familiar with the function data to be used or resume from the middle heap after the process is completed, the computer architecture, the micro-computer technology, and the operating system programming plane have all passed.

Let's take a look at this process.

First look at the following generation:

void func_1(void){    int i = func_2(50);       printf("Done!\n");       return;}


Function func_1 uses function func_2, returns 50 to it, and stores the result in variable I.

Here, I is the local variation, and the local variation is placed in the heap replica set. When func_1 uses func_2, perform the following operations in sequence:

1. Adjust the number of input records, usually from the right to the left, that is, if the number of input records is multiple, such as func (var1, var2, var3 ), that is, var3 first enters the primary, then var2, and then var1;

2. Save the return address (PC register value ). That is to say, after reading the complete function, we need to continue with the preparation. In this case, it is printf ("done/N"); the instruction address of this sentence;

3. Save the base address of the parent stack (value of the EBP register ). After the slave database is used, it will be used to restore the heap of the slave database. The method for saving the EBP register value is register;

4. Jump to the address of the sent data to upload the row. In this case, the function func_2 contains two rows.

When the function is returned, the opposite process of the rows is returned:

1. Put the returned value in eax. If not, place the address;

2. Restore the current site. Zookeeper;

3. Jump to the "next command to begin a line before" to begin a line. It can also be implemented through dynamic regression.

Check the token.

Example 1: a heap of data manipulation


Now let's take a look at the problem of overflow. The overflow refers to cross-border overwriting. This is a very serious event, not because your local things have been destroyed by you. This will cause two problems:

1. Break down others' things;

2. You may not be able to find your own things.

Here, I think the first question is important. Let's take a look at the problem just now. If something with local variation 1 changes the local variation 2, but the program does not know, so it takes the partial Variation 2 to use the result so that it will cause unavailability.

Let's take a look at the next generation. Is there a problem?

# Include <stdio. h>
# Include <stdlib. h>
# Include <windows. h>

Int main (void)
// The message that is printed upon exit
Char info [] = "exiting ...";

// Operate the region
Char buffer [8] =... {0 };

// Printf ("login_passwd = 0x % P info = 0x % P insert = 0x % P", login_passwd, info, insert );

Printf ("processing ...");
Strcpy (buffer, "Administrator: 123456 ");

Printf ("% s", Info );

Return true;


The intention of this generation is to use the primary name and password of the Administrator in the buffer of the primary region, and then exit. Unfortunately, the heap overflow occurs. The problem is very clear. strcpy refers to a large region to a small region, as a result, the memory in the "back" section of this small memory area is overwritten. This memory is exactly the data group info, therefore, the Administrator's password is printed out.

Let's look at Example 2. This is the case for heap attacks.

Heap failover

A heap sequence is first allocated to the things that are first identified, so that info is above the buffer (x86 sequence is backward growth ). However, you may be surprised that strcpy should overwrite the memory behind the buffer, which means that the memory is behind the buffer, in fact, the changes in front of it are suffering, because the heap growth is long.

Okay. After reading this example, let's go back and check the example 1. You may wonder: what is the purpose of regional overflow? I think that unless you do not care about it, it is actually something else. However, I don't think it's anything else, for example, just a story... if the returned address is changed, the system will not wait... hey hey: when sending a response using another function, the response line jumps "accidentally" to another location, for example, what is the shutdown function. Think about it, this is indeed not impossible, for example, let the "local variation 1" of beiyi overflow and pass the "saved EBP" to the "return address" of the function, after this function is used up, the content in the "return address" will be written into the EIP register. In order to demonstrate this possibility, we have come to the next generation. However, in the code generation, I do not intend to let the local variation overflow from and break through and return the address-because in this way, the old EBP is also broken. Here, I directly go through the computation of the specified parameter, and "website" is directed to the return address, and then override it.

# Include <stdio. h>
# Include <stdlib. h>
# Include <windows. h>

Void bad (void)
Printf ("Haha ");

Int prblm (INT input)
Printf ("input = % d", input );

Int * P = & input;
Printf ("P = % P", P );

// Redirect the entire pointer to the return address of the function.
P + = 7;

// Override
* P = (INT) bad;

Printf ("exiting func ...");
Return true;

Int main (void)
Printf ("start ...");
Prblm (0x100 );

Printf ("end! ");
Return true;


Let's look at example 3. We must look at example 3.

When 3, the heap is covered with a notice

In this example, the input data is input, and P is used to point to it in the substitution class. Then, a single bit (4 characters) is moved downward ), in this case, P uses an integer to avoid subsequent attempts. The moved P points to the address returned by the saved function and changes it! Replace the content with the bad address. This is, of course, our deliberate act of substitution. We recommend that you operate it to see what will happen...

The bad letter number was accidentally written! In the program, there is no replacement for the number of bad letters, but the number of bad letters does, this is because the address returned by the function prblm (the address of the next generation after the function prblm is used in the main function) is overwritten into the address of the bad function, so the program will jump to the bad function after the sending function prblm completes.

This is the most common heap overflow. The principle of heap overflow is very simple, but it is not easy to implement it effectively. For example, if you want to implement a heap overflow line for a program, you want to perform the following:

First, this program should have overflow points, that is, the places where the program design defects exist. For example, the number of incoming data records does not have the maximum length of query, this may allow you to generate an overlong number of data records;

2. The primary region is the number of partial auto changes. only partial auto changes are in the heap region;

Third, there is a token in the program that you want to upload rows. If the program has a token that you want to upload rows that overflows with the intent, no, it's just a program for others, for example, if the peer program has a function such as adduser (username, password), you can directly skip to this field. If the peer program does not have the generation you want to perform, the problem becomes more complex: you have to create a generation, then I want to implant the program into the memory. In this way, the program must first have a machine that receives the stored records, so that you can put the token on it. For example, it provides you with an input box, the content in the input box will be placed in memory (variable) of a certain region, and this place should be merged: whether your substitution includes 0, it will be considered as the end of the string. Is the accept box large? Your generation has 200 characters, and it only allows you to write 100 words?

Fourth, you can locate your desired line of code, whether it's the built-in line of code or the embedded line of code, if you want to keep them online, you must obtain their addresses. Can you do this?

In this case, it seems that "do some articles" on heap overflow can be harsh, however, we are still able to win the prize because some comrades did not pay attention to it and left us a chance. In the next article, we would like to see how "Opportunities" are produced and how "opportunities are grasped ".

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.