Memory Corruption Penetration Testing Patterns
Load this Skill when performing memory-safety penetration testing on native applications (C/C++/Rust unsafe). It covers stack overflows, heap overflows, UAF, integer overflows, and related bug classes.
Attack Surface Discovery
High-risk targets:
- Network protocol parsers: HTTP/2, DNS, TLS, custom binary protocols
- File format parsers: images (PNG/JPEG), documents (PDF/Office), multimedia (MP4/FLV)
- Game clients: custom packet parsing, ranking/replay file handling, RPC messages
- IoT/embedded devices: web servers and protocol implementations inside firmware
- Browser extensions: JS bridges that interact with native code
- String handling functions: escape/unescape, encoding conversion
Identifying signals:
- The application is written in C/C++
- It processes untrusted binary input
- It parses a custom protocol or file format
- The component has a history of memory-safety vulnerabilities
Exploitation Techniques
Stack buffer overflow:
- Locate the overflow point: send overlong input to the input buffer
- Determine the offset: use pattern_create / pattern_offset (Metasploit)
- Overwrite the return address: jump to shellcode or a ROP gadget
- Bypass mitigations: ASLR (information leak), DEP/NX (ROP chain), stack canary (information leak / fork brute force)
Heap overflow / Use-After-Free:
- Heap spray: fill heap space to control the memory layout
- UAF trigger: after the object is freed, reallocate a chunk of the same size to control the vtable pointer
- Type confusion: exploit an incorrect type cast to access out-of-bounds memory
Integer overflow:
// Typical pattern: the size computation overflows, so a too-small buffer is allocated
size_t total = count * sizeof(element); // wraps around to a small value
buffer = malloc(total); // allocates a small buffer
memcpy(buffer, input, count * sizeof(element)); // writes far more data than was allocated
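The defensive counterpart to the integer-overflow pattern above, added here as an example (it is not code from the original skill): a checked multiply that rejects a count which would wrap, beside a hardened allocate-then-copy routine that also checks the claimed count against the bytes actually available. The names element_t, checked_mul_size and safe_alloc_elements are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct { uint32_t id; uint32_t value; } element_t; /* hypothetical 8-byte element */

/* Checked multiply: returns 1 and stores count*elem_size in *out when the
 * product fits in size_t, otherwise returns 0. This is exactly the check the
 * vulnerable snippet omits, so a count that would wrap is rejected up front. */
int checked_mul_size(size_t count, size_t elem_size, size_t *out)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return 0;                      /* product would wrap around */
    *out = count * elem_size;
    return 1;
}

/* Hardened version of the allocate-then-copy pattern: fails closed on overflow,
 * refuses a count that claims more elements than the input holds, and copies
 * exactly the number of bytes it allocated. */
element_t *safe_alloc_elements(const uint8_t *input, size_t input_len,
                               size_t count)
{
    size_t total;
    if (!checked_mul_size(count, sizeof(element_t), &total))
        return NULL;                   /* overflow: refuse the request */
    if (total > input_len)
        return NULL;                   /* count is inconsistent with the payload */
    element_t *buf = malloc(total);
    if (buf == NULL)
        return NULL;
    memcpy(buf, input, total);         /* copy length equals allocation length */
    return buf;
}

/* Demonstration on constructed input: a wrapping count and an oversized count
 * are both rejected, a consistent count succeeds. Returns 1 if all three hold. */
int demo(void)
{
    const uint8_t payload[16] = {0};   /* constructed: holds exactly 2 elements */
    size_t wrapping = SIZE_MAX / sizeof(element_t) + 1; /* count*8 wraps to 0 */
    int rejected_wrap = (safe_alloc_elements(payload, sizeof payload, wrapping) == NULL);
    int rejected_big  = (safe_alloc_elements(payload, sizeof payload, 3) == NULL);
    element_t *ok = safe_alloc_elements(payload, sizeof payload, 2);
    int accepted = (ok != NULL);
    free(ok);
    return rejected_wrap && rejected_big && accepted;
}
```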
Format string vulnerabilities:
# Information leak
%x.%x.%x.%x
%p.%p.%p.%p
# Arbitrary write
%n (writes the number of bytes output so far)
Fuzzing approaches:
- AFL/AFL++: coverage-guided fuzzing
- libFuzzer: in-process fuzzing integrated with LLVM
- Custom harness: written for a specific parsing function
- ASAN/MSAN/TSAN: compile-time instrumentation that detects memory errors
Detection Checklist
Impact Assessment
Effects an exploit can achieve:
- Remote code execution: stack/heap overflow + ROP chain → full control of the target system
- Denial of service: NULL pointer dereference, assert failure → application crash
- Information leak: out-of-bounds read → exposure of sensitive data in memory (keys, sessions)
- Sandbox escape: UAF in a browser/game client → escape from the renderer process sandbox
Severity assessment:
- Critical: remotely triggerable RCE (e.g., an overflow in a network protocol parser)
- High: RCE requiring user interaction (opening a malicious file), reliable information leak
- Medium: DoS only (crash), hard-to-meet exploitation conditions, local access required
Real-World Cases
The following cases come from publicly disclosed HackerOne vulnerability reports and show how this class of vulnerability appears in real targets.
Case 1: Brave Software — UAF on JSEthereumProvider
- Severity: Critical | CWE: Use After Free
- Summary: A UAF (Use After Free) vulnerability was discovered in the renderer implementation of the Ethereum wallet. This vulnerability allowed an attacker to trigger a crash in the renderer process and potenti...
- Report: https://hackerone.com/reports/1977252
Case 2: Internet Bug Bounty — CVE-2022-40604: Apache Airflow: Format String Vulnerability
- Severity: Critical | CWE: Use of Externally-Controlled Format String
- Summary: There is a format string vulnerability in Apache Airflow versions 2.3.0 through 2.3.4 in the src/airflow/utils/log/file_task_handler.py file. The vulnerability was caused by unnecessary formatting of ...
- Report: https://hackerone.com/reports/1707287
Case 3: Nintendo — [MK8DX] Improper ranking/replay file parsing
- Severity: Critical | CWE: Memory Corruption - Generic
- Summary: The vulnerability in the Mario Kart 8 Deluxe game involved improper ranking and replay file parsing. This allowed for potential exploitation, leading to potentially unintended consequences.
- Report: https://hackerone.com/reports/1813453
Case 4: HackerOne — HackerOne SAML signup domain enforcement bypass results in unauthorized access to HackerOne PullRequest organization
- Severity: High | CWE: Improper Null Termination
- Summary: A vulnerability was discovered where SAML signup domain enforcement for new signups belonging to SAML-enabled organizations could be bypassed by appending control characters, allowing unauthorized acc...
- Report: https://hackerone.com/reports/2101076
Case 5: Internet Bug Bounty — important: Apache HTTP Server: Crash resulting in Denial of Service in mod_proxy via a malicious request (CVE-2024-38477)
- Severity: High | CWE: NULL Pointer Dereference
- Summary: important: Apache HTTP Server: Crash resulting in Denial of Service in mod_proxy via a malicious request (CVE-2024-38477). A null pointer dereference vulnerability was discovered in mod_proxy in Apach...
Case 6: Nintendo — [Xenoblade Chronicles X: Definitive Edition] Buffer overflow in string escape function, multiplayer DoS
- Severity: High | CWE: Classic Buffer Overflow
- Summary: A buffer overflow vulnerability was discovered in the string escape function of Xenoblade Chronicles X: Definitive Edition, which could have led to a denial-of-service (DoS) issue in the game's multip...
- Report: https://hackerone.com/reports/3048061
Case 7: Node.js — Timeout-based race conditions make Uint8Array/Buffer.alloc non-zerofilled
- Severity: High | CWE: Improper Initialization
- Summary: A flaw in Node.js's buffer allocation logic was discovered, where buffers allocated with Buffer.alloc and other TypedArray instances like Uint8Array may contain leftover data from previous opera...
- Report: https://hackerone.com/reports/3405778
Case 8: PlayStation — sys_fsc2h_ctrl kernel stack free
- Severity: High | CWE: Use After Free
- Summary: The sys_fsc2h_ctrl kernel function can lead to a kernel stack free vulnerability. The vulnerability is caused by a race condition involving multiple threads accessing a local stack buffer. This could ...
- Report: https://hackerone.com/reports/2900606
Case 9: PlayStation — Remote vulnerabilities in spp
- Severity: High | CWE: Classic Buffer Overflow
- Summary: A vulnerability was discovered in the spp (PPPoE) implementation on the PS4/PS5. The vulnerability could allow a malicious PPPoE server to cause a heap buffer overwrite and overread, potentially leadi...
- Report: https://hackerone.com/reports/2177925