
Automated Generation of Penetration Testing Scripts for the Windows SEH Mechanism

Zhong-Ze Huang, Chih-Hung Wang

Abstract


Buffer overflow vulnerabilities are a serious threat to computer security. During penetration testing, the tester must first determine whether the target program contains this kind of vulnerability, then find an entry point by making use of characteristics of the operating system or of the program itself, and finally test whether the attack can achieve its effect. If a program can automatically generate penetration testing scripts that make use of such a characteristic, the cost of security testing can be reduced. This article introduces a system we implemented that, once a tester has found a buffer overflow vulnerability, automatically generates a penetration testing script that uses the Windows SEH (Structured Exception Handling) mechanism. The system is operated through a graphical interface, and the tester does not need to investigate the details of the attack technique. The system thus reduces the time testers spend writing penetration testing scripts and lets them quickly test whether the generated script achieves its goal.

Keywords


Penetration Test; Automatic Script Generation; Buffer Overflow; Vulnerability; Structured Exception Handling

Citation Format:
Zhong-Ze Huang, Chih-Hung Wang, "自動化生成Windows SEH機制之滲透測試腳本," Communications of the CCISA, vol. 24, no. 2, pp. 18-27, Apr. 2018.


Published by Chinese Cryptology and Information Security Association (CCISA), Taiwan, R.O.C
CCCISA Editorial Office, No.1, Sec. 1, Shennong Rd., Yilan City, Yilan County 260, Taiwan (R.O.C.)
E-mail: ccisa.editor@gmail.com