Browser Penetration Attack - Penetration Test Simulation Environment (9)

This installment introduces the browser attack surface and the heap spraying technique.

"What is the most popular application software on the client side, do you know?" This is a simple question, and of course you will not let it pass: "Of course it is the browser. The IE browser is probably the most used in China. In fact, the 360 security browser and Aoyou are also based on the IE kernel."
"OK, the browser is the primary target of client-side penetration attacks. Currently, the ASLR mechanism is enabled in IE browsers and other runtimes, so exploits against them often use the heap spraying technique. Let's first look at the penetration attack techniques and examples against browsers."

Browser Penetration Attack Surface

Penetration attacks against browsers mainly fall into two categories:

Penetration attacks on the browser program itself;

Penetration attacks on third-party plug-ins embedded in browsers.

The former mainly exploits security vulnerabilities in the browser program itself. A common browser such as IE often has vulnerabilities of its own, and attackers can construct malicious web pages to carry out penetration attacks against them.

The latter mainly targets security vulnerabilities in third-party browser plug-ins. For example, common ActiveX controls are developed and maintained by different third-party companies, and the code quality of these programs cannot be guaranteed, which results in frequent security vulnerabilities. As long as the browser allows these plug-ins to run, attackers can use them to attack users even when the users are running the latest browser version. The Metasploit platform currently contains 145 browser penetration attack modules against Windows systems. The path is [Metasploit installation path]/modules/exploits/windows/browser/.

Heap Spray Exploitation

Heap spraying is an exploitation technique often used in client-side penetration attacks, especially when the target is a client program that supports script execution, such as a browser.
Most penetration attacks against browsers involve heap spraying, mainly because after overflowing the client program the attacker needs to execute shellcode placed in a buffer, and the address of that shellcode must be known to the attacker in advance.


Origin blog.csdn.net/luozhonghua2014/article/details/130983904