{"id":477439,"date":"2023-08-09T09:14:50","date_gmt":"2023-08-09T09:14:50","guid":{"rendered":""},"modified":"2023-09-05T11:14:42","modified_gmt":"2023-09-05T11:14:42","slug":"heap-spraying","status":"publish","type":"wiki","link":"https:\/\/oneproxy.pro\/vn\/wiki\/heap-spraying\/","title":{"rendered":"phun \u0111\u1ed1ng"},"content":{"rendered":"

Heap Spraying l\u00e0 m\u1ed9t k\u1ef9 thu\u1eadt \u0111\u01b0\u1ee3c c\u00f4ng nh\u1eadn r\u1ed9ng r\u00e3i v\u00e0 \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng trong th\u1ebf gi\u1edbi khai th\u00e1c m\u00e1y t\u00ednh. N\u00f3 ch\u1ee7 y\u1ebfu li\u00ean quan \u0111\u1ebfn vi\u1ec7c l\u00e0m ng\u1eadp m\u1ed9t v\u00f9ng b\u1ed9 nh\u1edb heap c\u1ee7a ti\u1ebfn tr\u00ecnh b\u1eb1ng shellcode \u0111\u1ec3 t\u0103ng kh\u1ea3 n\u0103ng th\u1ef1c thi m\u00e3 t\u00f9y \u00fd khi c\u00e1c l\u1ed7 h\u1ed5ng, nh\u01b0 l\u1ed7i tr\u00e0n b\u1ed9 \u0111\u1ec7m, b\u1ecb khai th\u00e1c.<\/p>\n

L\u1ecbch s\u1eed phun \u0111\u1ed1ng v\u00e0 s\u1ef1 \u0111\u1ec1 c\u1eadp \u0111\u1ea7u ti\u00ean c\u1ee7a n\u00f3<\/h2>\n

Phun \u0111\u1ed1ng l\u1ea7n \u0111\u1ea7u ti\u00ean \u0111\u01b0\u1ee3c c\u00f4ng ch\u00fang ch\u00fa \u00fd trong m\u1ed9t b\u00e0i b\u00e1o v\u1ec1 an ninh do Matt Conover v\u00e0 Oded Horovitz vi\u1ebft, c\u00f3 t\u1ef1a \u0111\u1ec1 \u201cPhun \u0111\u1ed1ng: K\u1ef9 thu\u1eadt ch\u1ed1ng l\u1ea1i c\u00e1c bi\u1ec7n ph\u00e1p an ninh chung\u201d \u0111\u01b0\u1ee3c xu\u1ea5t b\u1ea3n v\u00e0o \u0111\u1ea7u nh\u1eefng n\u0103m 2000. S\u1ef1 ra \u0111\u1eddi c\u1ee7a n\u00f3 \u0111\u01b0\u1ee3c th\u00fac \u0111\u1ea9y b\u1edfi vi\u1ec7c tri\u1ec3n khai ng\u00e0y c\u00e0ng nhi\u1ec1u c\u00e1c c\u01a1 ch\u1ebf b\u1ea3o m\u1eadt \u0111\u01b0\u1ee3c thi\u1ebft k\u1ebf \u0111\u1ec3 ng\u1eabu nhi\u00ean h\u00f3a kh\u00f4ng gian \u0111\u1ecba ch\u1ec9 c\u1ee7a m\u1ed9t quy tr\u00ecnh \u0111ang ch\u1ea1y, do \u0111\u00f3 khi\u1ebfn k\u1ebb t\u1ea5n c\u00f4ng kh\u00f3 d\u1ef1 \u0111o\u00e1n v\u1ecb tr\u00ed shellcode c\u1ee7a ch\u00fang s\u1ebd n\u1eb1m trong b\u1ed9 nh\u1edb.<\/p>\n

M\u1edf r\u1ed9ng ch\u1ee7 \u0111\u1ec1: Phun \u0111\u1ed1ng<\/h2>\n

Phun \u0111\u1ed1ng ch\u1ee7 y\u1ebfu \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng \u0111\u1ec3 khai th\u00e1c c\u00e1c l\u1ed7 h\u1ed5ng h\u1ecfng b\u1ed9 nh\u1edb. M\u1ee5c \u0111\u00edch c\u1ee7a n\u00f3 l\u00e0 thao t\u00fang \u0111\u1ed1ng quy tr\u00ecnh theo c\u00e1ch sao cho shellcode c\u1ee7a k\u1ebb t\u1ea5n c\u00f4ng \u0111\u01b0\u1ee3c tr\u1ea3i r\u1ed9ng tr\u00ean m\u1ed9t ph\u00e2n \u0111o\u1ea1n l\u1edbn c\u1ee7a quy tr\u00ecnh. \u0110i\u1ec1u n\u00e0y \u0111\u01b0\u1ee3c th\u1ef1c hi\u1ec7n b\u1eb1ng c\u00e1ch t\u1ea1o ra nhi\u1ec1u \u0111\u1ed1i t\u01b0\u1ee3ng ho\u1eb7c th\u1ec3 hi\u1ec7n trong v\u00f9ng heap, m\u1ed7i \u0111\u1ed1i t\u01b0\u1ee3ng mang m\u1ed9t b\u1ea3n sao c\u1ee7a shellcode mong mu\u1ed1n.<\/p>\n

K\u1ef9 thu\u1eadt n\u00e0y th\u01b0\u1eddng \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng k\u1ebft h\u1ee3p v\u1edbi c\u00e1c c\u00e1ch khai th\u00e1c kh\u00e1c cho ph\u00e9p th\u1ef1c thi m\u00e3 t\u00f9y \u00fd. Tuy nhi\u00ean, v\u1ea5n \u0111\u1ec1 v\u1edbi nh\u1eefng c\u00e1ch khai th\u00e1c n\u00e0y l\u00e0 ch\u00fang th\u01b0\u1eddng y\u00eau c\u1ea7u ki\u1ebfn th\u1ee9c v\u1ec1 v\u1ecb tr\u00ed b\u1ed9 nh\u1edb ch\u00ednh x\u00e1c c\u1ee7a m\u00e3 s\u1ebd \u0111\u01b0\u1ee3c th\u1ef1c thi, \u0111i\u1ec1u n\u00e0y c\u00f3 th\u1ec3 kh\u00f3 x\u00e1c \u0111\u1ecbnh do c\u00e1c bi\u1ec7n ph\u00e1p b\u1ea3o m\u1eadt kh\u00e1c nhau. Vi\u1ec7c phun heap gi\u1ea3i quy\u1ebft v\u1ea5n \u0111\u1ec1 n\u00e0y b\u1eb1ng c\u00e1ch l\u1ea5p \u0111\u1ea7y m\u1ed9t ph\u1ea7n \u0111\u00e1ng k\u1ec3 c\u1ee7a heap b\u1eb1ng shellcode \u0111\u01b0\u1ee3c y\u00eau c\u1ea7u, do \u0111\u00f3 l\u00e0m t\u0103ng v\u1ec1 m\u1eb7t th\u1ed1ng k\u00ea c\u01a1 h\u1ed9i khai th\u00e1c k\u00edch ho\u1ea1t vi\u1ec7c th\u1ef1c thi m\u00e3.<\/p>\n

C\u1ea5u tr\u00fac b\u00ean trong c\u1ee7a phun \u0111\u1ed1ng<\/h2>\n

Ch\u1ee9c n\u0103ng phun \u0111\u1ed1ng th\u00f4ng qua quy tr\u00ecnh hai b\u01b0\u1edbc:<\/p>\n

    \n
  1. \n

    X\u1ecbt n\u01b0\u1edbc<\/strong>: B\u1ed9 nh\u1edb heap ch\u1ee9a nhi\u1ec1u phi\u00ean b\u1ea3n c\u1ee7a shellcode mong mu\u1ed1n. \u0110i\u1ec1u n\u00e0y \u0111\u01b0\u1ee3c th\u1ef1c hi\u1ec7n b\u1eb1ng c\u00e1ch t\u1ea1o c\u00e1c \u0111\u1ed1i t\u01b0\u1ee3ng ho\u1eb7c th\u1ec3 hi\u1ec7n mang shellcode, sau \u0111\u00f3 \u0111\u01b0\u1ee3c ph\u00e2n b\u1ed5 v\u00e0o c\u00e1c \u0111\u1ecba ch\u1ec9 b\u1ed9 nh\u1edb kh\u00e1c nhau c\u1ee7a v\u00f9ng heap.<\/p>\n<\/li>\n

  2. \n

    C\u00f2 s\u00fang<\/strong>: M\u1ed9t l\u1ed7 h\u1ed5ng b\u1ecb khai th\u00e1c \u0111\u1ec3 th\u1ef1c thi m\u00e3 t\u00f9y \u00fd. V\u00ec b\u1ed9 nh\u1edb \u0111\u00e3 ch\u1ee9a \u0111\u1ea7y c\u00e1c phi\u00ean b\u1ea3n c\u1ee7a shellcode n\u00ean kh\u1ea3 n\u0103ng m\u00e3 \u0111\u01b0\u1ee3c th\u1ef1c thi s\u1ebd l\u00e0 shellcode c\u1ee7a k\u1ebb t\u1ea5n c\u00f4ng t\u0103ng l\u00ean \u0111\u00e1ng k\u1ec3.<\/p>\n<\/li>\n<\/ol>\n

    C\u00e1c t\u00ednh n\u0103ng ch\u00ednh c\u1ee7a phun \u0111\u1ed1ng<\/h2>\n

    C\u00e1c t\u00ednh n\u0103ng ch\u00ednh c\u1ee7a phun \u0111\u1ed1ng bao g\u1ed3m:<\/p>\n