
且行且记录

Record a little at a time, and go further!

[Collected] The Art of Leaks - read version - Yoyo.pdf

2014-10-31 13:03:33 | Category: Collection


A happy accident: today on Weibo I came across a good paper, "The Art of Leaks", which answers a question I had been thinking about: how does a UAF get turned into an arbitrary address write (AAW)?

The deck covers it.

http://t.cn/8sUBqJd

From: @ga1ois

 

UAF -> Arbitrary Address Write
- UAF -> arbitrary address write is important.
  - If we can transfer a UAF to an arbitrary address write, we can read/write the whole process memory.
- How can we transfer a UAF to an arbitrary address write?
  - Type confusion.
- Control the argument of the Use function (in the UAF) by taking the room of the freed object with user-controlled data, and change the execution route to the write opcode:
  - inc [address] OR mov/add/or [address], reg/constant
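To make the slide's mechanism concrete, here is an added example (a toy model of my own, not code from the slides): the Use function performs the slide's "inc [address]" through a pointer field of the object, a same-sized allocation of user-controlled bytes reoccupies the freed chunk, and the increment is redirected; the second flow shows why keeping objects and raw data in separate heap partitions (isolated heaps) breaks exactly that step. The single-chunk allocator, `counter_obj` and `run_uaf` are assumptions of the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model, not code from the slides. `obj_slot` stands for one heap
 * chunk of a size class; an allocator hands a freed chunk to the next request of
 * that size, which is what lets user data "take the room" of the freed object. */
struct counter_obj { uint32_t *target; uint32_t reserved[3]; };
static struct counter_obj obj_slot;              /* chunk used by counter_obj   */
static unsigned char data_slot[sizeof obj_slot]; /* separate partition (hardened) */

static struct counter_obj *counter_obj_new(uint32_t *target) {
    obj_slot.target = target;                    /* allocator returns the chunk */
    return &obj_slot;
}
/* Free returns the chunk but, like most allocators, leaves its contents intact. */
static void counter_obj_free(struct counter_obj *o) { (void)o; }
/* The Use function: the slide's "inc [address]" through the object's field. */
static void counter_obj_use(struct counter_obj *o) { (*o->target)++; }

/* A same-sized allocation of user-controlled bytes; `chunk` is the memory the
 * allocator chooses for it. */
static void user_data_new(void *chunk, const void *bytes, size_t n) {
    memcpy(chunk, bytes, n < sizeof obj_slot ? n : sizeof obj_slot);
}

/* The UAF sequence from the slide. Returns 1 if the dangling Use incremented
 * `victim`, i.e. the write went to a user-chosen address. */
static int run_uaf(void *reuse_chunk) {
    uint32_t stat = 0, victim = 0;
    struct counter_obj *o = counter_obj_new(&stat);
    counter_obj_use(o);                          /* legitimate use: stat == 1   */
    counter_obj_free(o);                         /* bug: `o` is kept and reused */
    uint32_t *chosen = &victim;                  /* stands in for a leaked address */
    user_data_new(reuse_chunk, &chosen, sizeof chosen);
    counter_obj_use(o);                          /* dangling Use: inc [o->target] */
    return victim == 1;
}

/* Shared heap: the user data lands in the freed object's chunk, its `target`
 * field becomes user-chosen and the increment hits `victim`. */
int uaf_shared_heap(void) { return run_uaf(&obj_slot); }

/* Isolated heap (objects and raw data in separate partitions): the stale object
 * is still used, but its field cannot be overwritten, so no arbitrary write. */
int uaf_isolated_heap(void) { return run_uaf(data_slot); }
```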

 

UAF -> Arbitrary Address Write
- Some related work on UAF -> arbitrary address write:
  - A browser is only as strong as its weakest byte – Part 1 - Peter Vreugdenhil / @WTFuzz
  - The info leak era on software exploitation - Fermin J. Serna / @Google
- Difficulties in UAF -> arbitrary address write:
  - Virtual calls lead to crashes in the transfer process
  - JavaScript control after the arbitrary address write

 

UAF -> Arbitrary Address Write
- Crash after the arbitrary address write, sometimes:
  - Access exception caused by the tainting of user-controlled data in the freed object
- JavaScript control after the arbitrary address write:
  - Create a dead loop so the Use function never returns --- no crash.
  - Use JavaScript multi-threading.
 

UAF -> Arbitrary Address Write
- JavaScript multi-threading
  - Parent html:
    window.open('child.html','t2','height=400,width=400,top=10,left=10');
  - Child html:
    setTimeout('window.opener.LeakAndControlEip();', 5000);

 

Summary
- Good news?
  - Works on most UAFs
  - One bypass for all, general and stable
- Bad news?
  - Does not work in jscript (<=IE8)
