且构网


Heap overflow vulnerability

Updated: 2023-09-11 21:35:52

In a heap overflow, supposing that the system does not have ASLR activated, you will know the address of the memory chunks (aka, the buffers) you use in the overflow.

One option is to place the shellcode where the buffer is, given that you can control the contents of the buffer (as the application user). Once you have placed the shellcode bytes in the buffer, you only have to jump to that buffer address.

One way to perform that jump is by, for example, overwriting a .dtors entry. Once the vulnerable program finishes, the shellcode - placed in the buffer - will be executed. The complicated part is the .dtors overwriting. For that you will have to use the published heap exploitation techniques.

The prerequisites are that ASLR is deactivated (to know the address of the buffer before executing the vulnerable program) and that the memory region where the buffer is placed is executable.

One more thing: steps 2 and 3 are the same. If you control eip, it is logical that you will point it to the shellcode (the arbitrary code).

P.S.: Bypassing ASLR is more complex.
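The answer above rests on two prerequisites: the heap address must be predictable (ASLR off) and the heap must be executable. As an added example, not part of the original answer, here is a small Linux C program that checks both before you invest time in the .dtors route: it interprets the value of /proc/sys/kernel/randomize_va_space (0 = randomization off, 1 = mmap base, stack and VDSO randomized but not the brk heap, 2 = heap randomized as well, per the kernel sysctl documentation) and parses the permission field of the `[heap]` line in /proc/self/maps. The two maps texts embedded in the program are constructed samples, not captured from a real system, and the function names are my own.

```c
// Preflight checks for the heap-shellcode prerequisites named in the answer.
// Added example; Linux-specific (reads /proc). Sample maps texts are constructed.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed /proc/self/maps excerpts: one with an NX heap (the modern
 * default), one with an executable heap. Not captured from a live system. */
const char SAMPLE_MAPS_NX[] =
    "555555554000-555555556000 r--p 00000000 08:01 1234    /tmp/vuln\n"
    "555555556000-555555558000 r-xp 00002000 08:01 1234    /tmp/vuln\n"
    "5555555a0000-5555555c1000 rw-p 00000000 00:00 0       [heap]\n"
    "7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0       [stack]\n";

const char SAMPLE_MAPS_X[] =
    "08048000-08049000 r-xp 00000000 08:01 1234    /tmp/vuln\n"
    "0804a000-0806b000 rwxp 00000000 00:00 0       [heap]\n"
    "bffdf000-c0000000 rw-p 00000000 00:00 0       [stack]\n";

/* Interpret the text of /proc/sys/kernel/randomize_va_space.
 * Returns the level 0, 1 or 2, or -1 if the text is not a valid level. */
int aslr_level(const char *text)
{
    char *end;
    long v = strtol(text, &end, 10);
    if (end == text || v < 0 || v > 2)
        return -1;
    return (int)v;
}

/* Parse the permission field ("rwxp") of one maps line.
 * Returns 1 if the mapping is executable, 0 if not, -1 if the line is malformed. */
int maps_line_executable(const char *line)
{
    unsigned long start, end;
    char perms[5];
    if (sscanf(line, "%lx-%lx %4s", &start, &end, perms) != 3)
        return -1;
    return perms[2] == 'x';
}

/* Search a whole maps text for the mapping whose pathname field (the last
 * space-separated field) equals `name`, e.g. "[heap]".
 * Returns 1/0 as above, or -1 if no such mapping is present. */
int named_mapping_executable(const char *maps_text, const char *name)
{
    const char *p = maps_text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        const char *last = strrchr(line, ' ');
        if (last && strcmp(last + 1, name) == 0)
            return maps_line_executable(line);
        if (!nl)
            break;
        p = nl + 1;
    }
    return -1;
}

/* Read a small /proc file into buf; returns 0 on success, -1 on failure. */
static int read_small_file(const char *path, char *buf, size_t size)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, size - 1, f);
    fclose(f);
    buf[n] = '\0';
    return 0;
}

int main(void)
{
    char buf[8192];
    if (read_small_file("/proc/sys/kernel/randomize_va_space", buf, sizeof buf) == 0)
        printf("randomize_va_space = %d (answer assumes 0)\n", aslr_level(buf));
    else
        printf("randomize_va_space: unreadable (not Linux?)\n");
    if (read_small_file("/proc/self/maps", buf, sizeof buf) == 0)
        printf("[heap] executable = %d (answer assumes 1)\n",
               named_mapping_executable(buf, "[heap]"));
    else
        printf("/proc/self/maps: unreadable (not Linux?)\n");
    return 0;
}
```

On a current distribution both checks normally come back the wrong way for this technique (level 2 and a non-executable heap), which is exactly why the answer lists them as prerequisites and calls ASLR bypass the harder problem. Note also that modern toolchains no longer emit a .dtors section; its role is taken by .fini_array, so the overwrite target differs even when the rest of the plan holds.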