SlideShare a Scribd company logo

Final lfh presentation (3)

_
__x86

The document discusses the low fragmentation heap (LFH) used in Windows to improve memory allocation performance. It provides an overview of how the LFH works, including the different memory managers (front-end, back-end), data structures used, and the processes for allocating and deallocating memory. It then discusses techniques for exploiting the determinism of the LFH, such as heap feng shui to control memory layout, and overwriting fields to trigger memory corruption.

TechnologySpiritual
1 of 90
Download to read offline
RSSIL 2012 Exploiting the Low Fragmentation Heap for fun and profit Jeremy Fetiveau @__x86
Introduction ● Why talking about the LFH? ○ heap exploitation ■ what is interesting to overwrite? ■ what if you deallocate twice a chunk of memory? ○ avoiding pray-after-frees ■ because you want to know where your chunks of memory will be ○ a few references
Introduction ● A few talks about the LFH ○ Chris Valasek, Understanding the Low Fragmentation Heap" (BlackHat USA 2010) ○ Steven Seeley, Ghost in the Seven allocator (HITB 2012) ○ Chris Valasek & Tarjei Mandt, Heaps of Doom (Syscan 2012) ● A few related talks ○ Ben hawkes, Attacking the Vista heap (BlackHat USA 2008) ○ Richard Johnson, Windows Vista Exploitation Countermeasures (ToorCon 2006) ● A few references ○ Dr Valasek 's whitepaper ○ Steven Seeley's blog (net-ninja)
Roadmap ● How does it work? ○ Different managers ○ Choosing a manager ○ Overview of the managers ○ Front-End Allocation ○ Front-End Deallocation ○ Back-End Allocation ○ Back-End Deallocation ● How to exploit? ○ Heap Feng Shui ○ SegmentOffset overwrites ○ FreeEntryOffset overwrites ○ Block Zone and subsegment overwrites ○ Double Frees ○ FTH, mitigation and what changed with Windows 8
Three managers Front-End Alloc/Free Back-End VirtualAlloc/VirtualFree
The managers ● A front-end manager : ○ The LFH ○ High performance, low fragmentation ○ Thread safe ○ Manages blocks less than 16k ○ Interesting when doing a lot of (de)allocations ● A back-end manager ○ Manages blocks up to the decommit threshold (0xFE00) ○ Uses HintLists and a global FreeList ● Greater blocks managed using VirtualAlloc and VirtualFree
Memory Commitment ● Reservation ● Commitment ● Releasing ● Decommitting ● Decommit Threshold ● NtAllocateVirtualMemory/NtFreeVirtualMemory
Choosing the manager ● Done within : ○ RtlAllocateHeap ○ RtlFreeHeap ○ Chooses whether to use back-end functions or front- end functions ● Back-end: ○ RtlpAllocateHeap ○ RtlpFreeHeap ● Front-end: ○ RtlpLowFragHeapAllocFromContext ○ RtlpLowFragHeapFree
Choosing the manager ● Allocation: ○ The "blink" field of a ListHint entry must point to a _HEAP_BUCKET structure + 1 ○ So if blink & 1, we have to use the LFH ● Deallocation: ○ If ChunkHeader.UnusedByte & 0x80: use the LFH ○ Otherwise use the back-end ○ If ChunkHeader.UnusedByte==5, we have to readjust the chunk
A little schema to illustrate that... ListHints _HEAP_BUCKET Flink +0 BlocksUnits Blink +1 BlocksUnits use LFH +2 SizeIndex Flink +3 UseAffinity Blink Flink Blink Flink Blink Flink Blink Counter. Ex: 0x10 use back-end Flink Blink Back-End
Enabling the LFH ● Not enabled at the beginning ● Not enabled for every chunk size ● Heap must support serialization: ○ Adds mutual exclusion ○ Prevents corruption when several threads try to alloc/free from the same heap ● Heap must not be debugged (set _NO_DEBUG_HEAP=1) ● Can be enabled using HeapSetInformation ● HeapEnableTerminationOnCorruption set by default
Enabling the LFH LFH enabled for a chunk size when counter for the corresponding ListHint entry is >0x20 Allocations increment the counter Deallocations decrement the counter ● 0x12 consecutive allocations when LFH has never been enabled ● 0x11 when enabled for another bucket
Enabling the LFH ● When counter > 0x20: ○ RtlpGetLFHContext ○ Returns : ■ NULL if LFH has not yet been activated ■ _LFH_HEAP.bucket[size] ○ If context is null : set heap.CompatibilityFlags ○ If context not null : save _HEAP_BUCKET+1 in blink
Front End structures
Back End structures
Front-End Allocation ● RtlAllocateHeap : 1. Get the heap 2. Get the correct BlocksIndex 3. Get the correct ListHints entry 4. Look at blink 5. If blink & 1, use LFH, otherwise use back- end
Front-End Allocation 1. Get _HEAP_BUCKET.sizeIndex 2. Get _LFH_HEAP 3. Get _HEAP_LOCAL_DATA 4. Get the correct _HEAP_SEGMENT_INFO using sizeIndex 5. Get a _HEAP_SUBSEGMENT
Note: There can be actually several LocalData. To choose it, we'll use LocalDataIndex
_HEAP_BUCKET+1 sizeIndex Flink BLink _HEAP_LOCAL_DATA LowFragHeap SegmentInfo[128]
Heap subsegment ● Look at the Hint first ● If first is empty, look at the active subsegment ● If both subsegment are empty, allocate a segment from the back-end manager _HEAP_SEGMENT_INFO Hint 1 ActiveSubsegment 2
Hint and active subsegments ● Hint: ○ Already freed a chunk of that size ● Otherwise use active subsegment ● Subsegment empty : ○ subsegment.AggregateExchg.depth==0
Allocating from subsegment ● A subsegment gives you : ○ An interlock sequence ○ A user block ● User block : ○ Contains committed memory ● Interlock sequence: ○ The number of free chunks ○ The offset in blocks of the first free chunk ○ 1 block = 8 bytes
Allocating A Subsegment ● RtlpLowFragHeapAllocateFromZone : ○ initializes and creates a new _HEAP_SUBSEGMENT ● RtlpSubSegmentInitlialize: ○ creates a new userblock
16 bytes Allocation Example UserBlock Interlock Sequence header Depth=5 FreeEntryOffset=2 Free next: 0x4 Free Size of the header : 16 bytes next: 0x6 FreeEntryOffset=2 block * 8 bytes = 16 bytes Free next: 0x8 Free next: 0xA Note: under windows 8, the default Free FreeEntryOffset is randomized next: 0xFF
16 bytes Allocation Example UserBlock Interlock Sequence header Depth=4 FreeEntryOffset=4 Busy Free Size of the header : 16 bytes next: 0x6 FreeEntryOffset=4 block * 8 bytes = 32 bytes Free next: 0x8 Free next: 0xA Free next: 0xFF
16 bytes Allocation Example UserBlock Interlock Sequence header Depth=3 FreeEntryOffset=6 Busy Busy Size of the header : 16 bytes FreeEntryOffset=6 block * 8 bytes = 48 bytes Free next: 0x8 Free next: 0xA Free next: 0xFF
16 bytes Allocation Example UserBlock Interlock Sequence header Depth=2 FreeEntryOffset=8 Busy Busy Size of the header : 16 bytes FreeEntryOffset=8 block * 8 bytes = 64 bytes Busy Free next: 0xA Free next: 0xFF
Front-End Deallocation ● If chunkHeader.UnusedBytes == 0x5 : ○ header must be readjusted ○ SegmentOffset used for readjusting ● If chunkHeader.UnusedBytes & 0x80 ○ RtlpLowFragHeapFree ○ Don't forget the chunk may have been readjusted! ● Otherwise, use RtlpFreeHeap
Front-End Deallocation ● RtlpLowFragHeapFree: ○ Readjustment : ■ ChunkHeader - 8 * SegmentOffset ■ What if you overwrote SegmentOffset? ○ Set UnusedBytes to 0x80 ○ Set SegmentOffset to 0 ○ If interlock.depth==subsegment.blockCount : ■ Userblock is full, you have to use another subsegment or allocate a user block
Front-End Deallocation ● Depth incremented ● FreeEntryOffset updated ● Sequence is updated ● If user block is full : ○ Sequence set to 3 ○ User block will be freed by the back-end ○ PerformSubgSegmentMaintenance() ○ RtlpFreeUserBlock
16 bytes Deallocation Example UserBlock Interlock Sequence header Depth=2 FreeEntryOffset=8 Busy Busy Chunk we want to free Busy Free next: 0xA Free next: 0xFF
16 bytes Deallocation Example UserBlock Interlock Sequence header Depth=3 FreeEntryOffset=2 Free next: 0x8 Busy Size of the header : 16 bytes FreeEntryOffset=2 block * 8 bytes = 16 bytes Busy Free next: 0xA Free next: 0xFF
16 bytes Deallocation Example UserBlock Interlock Sequence header Depth=3 FreeEntryOffset=2 Free next: 0x8 Busy Chunk we want to free Busy Free next: 0xA Free next: 0xFF
16 bytes Deallocation Example UserBlock Interlock Sequence header Depth=4 FreeEntryOffset=6 Free next: 0x8 Busy Size of the header : 16 bytes FreeEntryOffset=6 block * 8 bytes = 48 bytes Free next: 0x2 Free next: 0xA Free next: 0xFF
16 bytes Deallocation Example UserBlock Interlock Sequence header Depth=4 FreeEntryOffset=6 Free next: 0x8 Busy Chunk we want to free Free next: 0x2 Free next: 0xA Free next: 0xFF
16 bytes Deallocation Example UserBlock Interlock Sequence header Depth=5 FreeEntryOffset=4 Free next: 0x8 Free Size of the header : 16 bytes next: 0x6 FreeEntryOffset=6 block * 8 bytes = 48 bytes Free next: 0x2 Free next: 0xA Free next: 0xFF
Now the Back-End! Everything's okay? Any questions before continuing?
Back-End Allocation : do you recall?
Back-End Allocation ● Get the _HEAP ● Get the BlocksIndex ● It's a _HEAP_LIST_LOOKUP ● Contains an extended lookup ● Contains a ListHints
Back-End Allocation ● Is chunkSize < ArraySize? ● If so, use this ListHints ● Otherwise if no extendedLookup: ○ use ListHints[ArraySize-1] ● If there is an extendedLookup ○ is chunkSize < extended.ArraySize? ● If so, use this ListHints ● Otherwise, use extended.ListHints[ArraySize- 1]
ListsInUseUlong : The Bitmap ● Now that we have the ListHints : ○ Find the correct sized entry ○ Check whether this entry is populated or not ○ ListsInUseUlong allows that ● ListsInUseUlong: ○ 4 byte integer ○ Each bit corresponds to an entry ○ 1 = some free chunk available ○ 0 = no free chunk available
Back-End Allocation ● If the entry corresponding to the requested size is populated ○ Safe unlink the first free chunk pointed to by flink ● Otherwise navigate through FreeList ○ Safe unlink the first chunk that is large enough to fit the request ● If no chunk can fit the request : ○ RtlpExtendHeap ● Then the bitmap is updated
24 bytes Allocation Example The user requested 16 bytes. 16 bytes + 8 bytes of header = 24 bytes 3*8=24 bytes. +0x00 Bitmap indicates that ListHints[3] contains free chunks +0x03 ... ListsInUseUlong : +0x7F 0 0 0 1 ... 0 0
24 bytes Allocation Example +0x00 +0x03 ... ListsInUseUlong : +0x7F 0 0 0 1 ... 0 0
24 bytes Allocation Example +0x00 +0x03 ... ListsInUseUlong : +0x7F 0 0 0 0 ... 0 0
Another 24 bytes Allocation Example Problem : No chunk available at ListHints[3] +0x00 +0x03 ... +0x7F
Another 24 bytes Allocation Example _HEAP FreeList +0x00 +0x03 ... +0x7F
Another 24 bytes Allocation Example _HEAP FreeList +0x00 +0x03 ... +0x7F
Another 24 bytes Allocation Example _HEAP FreeList +0x00 +0x03 ... +0x7F
Another 24 bytes Allocation Example _HEAP FreeList +0x00 +0x03 ... +0x7F
Another 24 bytes Allocation Example _HEAP FreeList +0x00 +0x03 ... +0x7F
Another 24 bytes Allocation Example _HEAP FreeList +0x00 +0x03 ... +0x7F
Another 24 bytes Allocation Example _HEAP FreeList +0x00 +0x03 ... Large enough! +0x7F
Another 24 bytes Allocation Example _HEAP FreeList +0x00 +0x03 ... +0x7F
It's time for exploitation! Everything's okay? Any questions before continuing?
Exploiting heap determinism ● Now that you understand the LFH, you can predict what is going to happen ● Heap Feng Shui : making alloc/dealloc to reorganize the heap layout in the desired way ● Useful if you want to overflow into a particular heap chunk
Fragmentation problems Depth: 5 Busy Busy Free Busy FreeEntryOffset: 6 next=12 Busy Free Busy Free ● 2 consecutive allocations won't give adjacent next=16 next=18 blocks! ● We need to defragment memory: ○ fill the holes Free Busy Busy Busy ○ fill the subsegment so that a new one is next=30 created ○ now consecutive allocations will give adjacent blocks Busy Busy Free Busy next=0xFF
Fragmentation problems Enable the LFH The next alloc will return the address of array2[0], the second one will return the address of array2[4]. (LFH is kind of LIFO) Defragment and allocate a new subsegment Now, the object is after our "user controlled" buffer
More details next: 16 Objective: ● 2 adjacent chunks ● first block user controlled A Steps: next: 30 ● alloc B ● alloc next: 0x22 next=16 next: 2 ● alloc ● alloc toOverflow ● free B ● alloc toBeOverflowed next=30 next: 0xFF Result: C Busy The green frame will contain the next: 10 next=0xFF chunk we chose it the correct order.
More details next: 2 Objective: ● 2 adjacent chunks ● first block user controlled A Steps: next: 30 ● alloc B ● alloc next: 0x22 next=16 ● alloc ● alloc toOverflow ● free B ● alloc toBeOverflowed next=30 next: 0xFF Result: C Busy The green frame will contain the next: 10 next=0xFF chunk we chose it the correct order.
More details next: 30 Objective: ● 2 adjacent chunks ● first block user controlled A Steps: ● alloc B ● alloc next: 0x22 next=16 ● alloc ● alloc toOverflow ● free B ● alloc toBeOverflowed next=30 next: 0xFF Result: C Busy The green frame will contain the next: 10 next=0xFF chunk we chose it the correct order.
More details next: 10 Objective: ● 2 adjacent chunks ● first block user controlled A Steps: ● alloc B ● alloc next: 0x22 next=16 ● alloc ● alloc toOverflow ● free B ● alloc toBeOverflowed next=30 next: 0xFF Result: C Busy The green frame will contain the next=0xFF chunk we chose it the correct order.
More details next: 22 Objective: ● 2 adjacent chunks ● first block user controlled A Steps: ● alloc B ● alloc next=16 ● alloc ● alloc toOverflow ● free B ● alloc toBeOverflowed next=30 next: 0xFF Result: C Busy The green frame will contain the next=0xFF chunk we chose it the correct order.
More details next: 12 Objective: ● 2 adjacent chunks ● first block user controlled A Steps: ● alloc B ● alloc next: 22 next=16 ● alloc ● alloc toOverflow ● free B ● alloc toBeOverflowed next=30 next: 0xFF Result: C Busy The green frame will contain the next=0xFF chunk we chose it the correct order.
More details next: 22 Objective: ● 2 adjacent chunks ● first block user controlled A Steps: ● alloc B ● alloc next=16 ● alloc ● alloc toOverflow ● free B ● alloc toBeOverflowed next=30 next: 0xFF Result: C Busy The green frame will contain the next=0xFF chunk we chose it the correct order.
Remarks ● Be aware that new/delete and HeapAlloc/HeapFree don't use the same heap ● Of course this example is very simple, but its purpose is only to show that you can manipulate the heap layout
SegmentOffset overwrites ● Introduces user-after-frees or double-frees ○ You can overflow a chunk so as to put its UnusedBytes to 5 and set SegmentOffset so as to point to an interesting chunk ○ Thus we could free a C++ object for exemple ○ Then we allocate a chunk and get ... the C++ object ○ We can overwrite what we want: VPTR, variables etc.
SegmentOffset overwrites
FreeEntryOffset overwrites ● During front-end allocation, FreeEntryOffset is updated : ○ Each chunk managed by a user block contains an offset stored within its first 2 bytes (part of the data) ○ If you overflow this so as to point to your desired object, you'll end-up by modifying aggregateExchg. freeEntryOffset so as to points to it ○ The next allocated block will be at the desired address ● Introduces use-after-frees or double-frees
FreeEntryOffset overwrites You may have to reorganize the heap layout. Who tells you that the overflowed free chunk is the next chunk to be allocated?
FreeEntryOffset overwrites We modified the FreeEntryOffset so that bazinga is the same as bla
Double Free 1.free(foo) 2.alloc(bar) // bar==foo 3.free(foo) // == free(bar) 4.alloc(dawg) // dawg==foo ● Thus dawg=>foo and bar=>foo ● ex: dawg is a c++ object and bar user controlled ● using bar, we could change bar's VPTR
Example
Calls virtual function VPTR
Subsegment overwrite ● If you overwrite Userblocks pointer of a _HEAP_SUBSEGMENT you've got a "write- what-where"
Block zones _LFH_BLOCK_ZONE _LFH_BLOCK_ZONE _LFH_BLOCK_ZONE ListEntry ListEntry ListEntry Limit Limit Limit FreePointer FreePointer FreePointer _HEAP_SUBSEGMENT _HEAP_SUBSEGMENT _HEAP_SUBSEGMENT
Block zones overwrites What happened ? ● We filled the userblock ● We overwrote the block zone ● The next allocation can't be done using the userblock previously used ● So another one is allocated... ● ...from our overwritten block zone
_HEAP_UCR_DESCRIPTOR ● UCR = "UnCommitted Range" ● Static offset from the first allocation in a segment ● Points to the next reserved region
_HEAP_UCR_DESCRIPTOR _HEAP_UCR_DESCRIPTOR ListEntry SegmentEntry Address Size _HEAP_UCR_DESCRIPTOR Overflowed buffer
Overwriting heap base ● If you can control the heap base, you've won ○ functions pointers ○ pointers to LFH/back-end structures ○ canaries ○ etc
Fault Tolerant Heap ● Monitors crashes ● Part of the "Diagnostic Policy Service" ● Enabled after a certain heuristic has occured ● Prevents corruptions like double frees or heap overruns ● HKLMSoftwareMicrosoftFTH : ○ CrashVelocity is the number of crashes that has to occur within CrashWindowInMinutes to enable the FT ○ Enabled ○ ExclusionList ○ MaximumTrackedApplications (128) ○ MaximumTrackedProcesses (4) ○ CheckPointPeriod ( 7 days)
Mitigations ● Heap base randomization ● Part of the chunk headers are encoded (size, flags and smallTagIndex) ● Safe (un)link ● Heap cookies ● Encoding of function pointers present in the heap base ● Termination on heap corruption ● Algorithm variation
What's new with Windows 8? ● Blinks are no longer used to point to a _HEAP_BUCKET +1 ● Allocations from the LFH are now made in a random order ● FreeEntryOffset is no longer used ● BlockZones integrity is now checked ● Guard pages between userblocks ● Segment Offset protection ● Fast failing with NtStopProfile
Greetings Special thanks to Ivanlefou for helping me and reviewing my presentation. And thanks a lot to Chris Valasek and Steven Seeley for their work. Thanks to 0verclok for his review. Thanks to Tetrane for his sponsor
Questions? Thank you for your attention!

Recommended

When AES(☢) = ☠ - Episode V
When AES(☢) = ☠ - Episode VWhen AES(☢) = ☠ - Episode V
When AES(☢) = ☠ - Episode VAnge Albertini
 
Unpack mechanism of the msgpack-c
Unpack mechanism of the msgpack-cUnpack mechanism of the msgpack-c
Unpack mechanism of the msgpack-cTakatoshi Kondo
 
Performance
PerformancePerformance
PerformanceYonatan Levin
 
Python programming language
Python programming languagePython programming language
Python programming languageEbrahim Shakhatreh
 
Programming in Python
Programming in Python Programming in Python
Programming in Python Tiji Thomas
 
Porting to Python 3
Porting to Python 3Porting to Python 3
Porting to Python 3Lennart Regebro
 
Jurczyk windows kernel reference count vulnerabilities. case study
Jurczyk windows kernel reference count vulnerabilities. case studyJurczyk windows kernel reference count vulnerabilities. case study
Jurczyk windows kernel reference count vulnerabilities. case studyDefconRussia
 
PYTHON -Chapter 2 - Functions, Exception, Modules and Files -MAULIK BOR...
PYTHON -Chapter 2 - Functions, Exception, Modules and Files -MAULIK BOR...PYTHON -Chapter 2 - Functions, Exception, Modules and Files -MAULIK BOR...
PYTHON -Chapter 2 - Functions, Exception, Modules and Files -MAULIK BOR...Maulik Borsaniya
 

Recommended

When AES(☢) = ☠ - Episode V
When AES(☢) = ☠ - Episode VWhen AES(☢) = ☠ - Episode V
When AES(☢) = ☠ - Episode VAnge Albertini
 
Unpack mechanism of the msgpack-c
Unpack mechanism of the msgpack-cUnpack mechanism of the msgpack-c
Unpack mechanism of the msgpack-cTakatoshi Kondo
 
Performance
PerformancePerformance
PerformanceYonatan Levin
 
Python programming language
Python programming languagePython programming language
Python programming languageEbrahim Shakhatreh
 
Programming in Python
Programming in Python Programming in Python
Programming in Python Tiji Thomas
 
Porting to Python 3
Porting to Python 3Porting to Python 3
Porting to Python 3Lennart Regebro
 
Jurczyk windows kernel reference count vulnerabilities. case study
Jurczyk windows kernel reference count vulnerabilities. case studyJurczyk windows kernel reference count vulnerabilities. case study
Jurczyk windows kernel reference count vulnerabilities. case studyDefconRussia
 
PYTHON -Chapter 2 - Functions, Exception, Modules and Files -MAULIK BOR...
PYTHON -Chapter 2 - Functions, Exception, Modules and Files -MAULIK BOR...PYTHON -Chapter 2 - Functions, Exception, Modules and Files -MAULIK BOR...
PYTHON -Chapter 2 - Functions, Exception, Modules and Files -MAULIK BOR...Maulik Borsaniya
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMMikhail Egorov
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
 
Expanding the control over the operating system from the database
Expanding the control over the operating system from the databaseExpanding the control over the operating system from the database
Expanding the control over the operating system from the databaseBernardo Damele A. G.
 
ORM Injection
ORM InjectionORM Injection
ORM InjectionSimone Onofri
 
Object Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypassObject Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypassSam Thomas
 
Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Daniel Bohannon
 
How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012_mr_me
 
D2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocatorD2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocator_mr_me
 
How Safe is your Link ?
How Safe is your Link ?How Safe is your Link ?
How Safe is your Link ?Peter Hlavaty
 
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_markCSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_markCanSecWest
 
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...CanSecWest
 
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_executionCSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_executionCanSecWest
 
Owasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionOwasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionBart Leppens
 
Heaps
HeapsHeaps
HeapsHoang Nguyen
 
[Blackhat2015] FileCry attack against Java
[Blackhat2015] FileCry attack against Java[Blackhat2015] FileCry attack against Java
[Blackhat2015] FileCry attack against JavaMoabi.com
 
The Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile PlatformsThe Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile Platformskosborn
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법guestad13b55
 
New Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationNew Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationKen Belva
 
Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Angel Boy
 
Kernel Pool
Kernel PoolKernel Pool
Kernel Poolguest215c4e
 

More Related Content

Viewers also liked

ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMMikhail Egorov
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
 
Expanding the control over the operating system from the database
Expanding the control over the operating system from the databaseExpanding the control over the operating system from the database
Expanding the control over the operating system from the databaseBernardo Damele A. G.
 
Object Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypassObject Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypassSam Thomas
 
Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Daniel Bohannon
 
How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012_mr_me
 
D2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocatorD2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocator_mr_me
 
How Safe is your Link ?
How Safe is your Link ?How Safe is your Link ?
How Safe is your Link ?Peter Hlavaty
 
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_markCSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_markCanSecWest
 
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...CanSecWest
 
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_executionCSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_executionCanSecWest
 
Owasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionOwasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionBart Leppens
 
[Blackhat2015] FileCry attack against Java
[Blackhat2015] FileCry attack against Java[Blackhat2015] FileCry attack against Java
[Blackhat2015] FileCry attack against JavaMoabi.com
 
The Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile PlatformsThe Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile Platformskosborn
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법guestad13b55
 
New Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationNew Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationKen Belva
 

Viewers also liked (20)

ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORM
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
 
Expanding the control over the operating system from the database
Expanding the control over the operating system from the databaseExpanding the control over the operating system from the database
Expanding the control over the operating system from the database
 
ORM Injection
ORM InjectionORM Injection
ORM Injection
 
Object Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypassObject Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypass
 
Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017
 
How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012
 
D2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocatorD2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocator
 
How Safe is your Link ?
How Safe is your Link ?How Safe is your Link ?
How Safe is your Link ?
 
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_markCSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
 
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
 
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_executionCSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
 
Owasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionOwasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF Session
 
Heaps
HeapsHeaps
Heaps
 
[Blackhat2015] FileCry attack against Java
[Blackhat2015] FileCry attack against Java[Blackhat2015] FileCry attack against Java
[Blackhat2015] FileCry attack against Java
 
The Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile PlatformsThe Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile Platforms
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법
 
New Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationNew Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit Creation
 

Similar to Final lfh presentation (3)

Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Angel Boy
 
[DSC] Introduction to Binary Exploitation
[DSC] Introduction to Binary Exploitation[DSC] Introduction to Binary Exploitation
[DSC] Introduction to Binary ExploitationFlorian Müller
 
Exploiting Cryptographic Misuse - An Example
Exploiting Cryptographic Misuse - An ExampleExploiting Cryptographic Misuse - An Example
Exploiting Cryptographic Misuse - An ExampleDharmalingam Ganesan
 
Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)Angel Boy
 
Practical Code & Data Design
Practical Code & Data DesignPractical Code & Data Design
Practical Code & Data DesignHenryRose9
 
Data efficiency on BEAM - Choose the right data representation by Dmytro Lyto...
Data efficiency on BEAM - Choose the right data representation by Dmytro Lyto...Data efficiency on BEAM - Choose the right data representation by Dmytro Lyto...
Data efficiency on BEAM - Choose the right data representation by Dmytro Lyto...Magnus Sedlacek
 
Caching in (DevoxxUK 2013)
Caching in (DevoxxUK 2013)Caching in (DevoxxUK 2013)
Caching in (DevoxxUK 2013)RichardWarburton
 

Similar to Final lfh presentation (3) (10)

Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)
 
Kernel Pool
Kernel PoolKernel Pool
Kernel Pool
 
[DSC] Introduction to Binary Exploitation
[DSC] Introduction to Binary Exploitation[DSC] Introduction to Binary Exploitation
[DSC] Introduction to Binary Exploitation
 
Exploiting Cryptographic Misuse - An Example
Exploiting Cryptographic Misuse - An ExampleExploiting Cryptographic Misuse - An Example
Exploiting Cryptographic Misuse - An Example
 
Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)
 
Practical Code & Data Design
Practical Code & Data DesignPractical Code & Data Design
Practical Code & Data Design
 
Why learn Internals?
Why learn Internals?Why learn Internals?
Why learn Internals?
 
Data efficiency on BEAM - Choose the right data representation by Dmytro Lyto...
Data efficiency on BEAM - Choose the right data representation by Dmytro Lyto...Data efficiency on BEAM - Choose the right data representation by Dmytro Lyto...
Data efficiency on BEAM - Choose the right data representation by Dmytro Lyto...
 
Caching in (DevoxxUK 2013)
Caching in (DevoxxUK 2013)Caching in (DevoxxUK 2013)
Caching in (DevoxxUK 2013)
 
Cryptography 202
Cryptography 202Cryptography 202
Cryptography 202
 

Recently uploaded

Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 

Recently uploaded (20)

Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 

Final lfh presentation (3)

  • 1. RSSIL 2012 Exploiting the Low Fragmentation Heap for fun and profit Jeremy Fetiveau @__x86
  • 2. Introduction ● Why talking about the LFH? ○ heap exploitation ■ what is interesting to overwrite? ■ what if you deallocate twice a chunk of memory? ○ avoiding pray-after-frees ■ because you want to know where your chunks of memory will be ○ a few references
  • 3. Introduction ● A few talks about the LFH ○ Chris Valasek, Understanding the Low Fragmentation Heap" (BlackHat USA 2010) ○ Steven Seeley, Ghost in the Seven allocator (HITB 2012) ○ Chris Valasek & Tarjei Mandt, Heaps of Doom (Syscan 2012) ● A few related talks ○ Ben hawkes, Attacking the Vista heap (BlackHat USA 2008) ○ Richard Johnson, Windows Vista Exploitation Countermeasures (ToorCon 2006) ● A few references ○ Dr Valasek 's whitepaper ○ Steven Seeley's blog (net-ninja)
  • 4. Roadmap ● How does it work? ○ Different managers ○ Choosing a manager ○ Overview of the managers ○ Front-End Allocation ○ Front-End Deallocation ○ Back-End Allocation ○ Back-End Deallocation ● How to exploit? ○ Heap Feng Shui ○ SegmentOffset overwrites ○ FreeEntryOffset overwrites ○ Block Zone and subsegment overwrites ○ Double Frees ○ FTH, mitigation and what changed with Windows 8
  • 5. Three managers Front-End Alloc/Free Back-End VirtualAlloc/VirtualFree
  • 6. The managers ● A front-end manager : ○ The LFH ○ High performance, low fragmentation ○ Thread safe ○ Manages blocks less than 16k ○ Interesting when doing a lot of (de)allocations ● A back-end manager ○ Manages blocks up to the decommit threshold (0xFE00) ○ Uses HintLists and a global FreeList ● Greater blocks managed using VirtualAlloc and VirtualFree
  • 7. Memory Commitment ● Reservation ● Commitment ● Releasing ● Decommitting ● Decommit Threshold ● NtAllocateVirtualMemory/NtFreeVirtualMemory
  • 8. Choosing the manager ● Done within : ○ RtlAllocateHeap ○ RtlFreeHeap ○ Chooses whether to use back-end functions or front- end functions ● Back-end: ○ RtlpAllocateHeap ○ RtlpFreeHeap ● Front-end: ○ RtlpLowFragHeapAllocFromContext ○ RtlpLowFragHeapFree
  • 9. Choosing the manager ● Allocation: ○ The "blink" field of a ListHint entry must point to a _HEAP_BUCKET structure + 1 ○ So if blink & 1, we have to use the LFH ● Deallocation: ○ If ChunkHeader.UnusedByte & 0x80: use the LFH ○ Otherwise use the back-end ○ If ChunkHeader.UnusedByte==5, we have to readjust the chunk
  • 10. A little schema to illustrate that... ListHints _HEAP_BUCKET Flink +0 BlocksUnits Blink +1 BlocksUnits use LFH +2 SizeIndex Flink +3 UseAffinity Blink Flink Blink Flink Blink Flink Blink Counter. Ex: 0x10 use back-end Flink Blink Back-End
  • 11. Enabling the LFH ● Not enabled at the beginning ● Not enabled for every chunk size ● Heap must support serialization: ○ Adds mutual exclusion ○ Prevents corruption when several threads try to alloc/free from the same heap ● Heap must not be debugged (set _NO_DEBUG_HEAP=1) ● Can be enabled using HeapSetInformation ● HeapEnableTerminationOnCorruption set by default
  • 12. Enabling the LFH LFH enabled for a chunk size when counter for the corresponding ListHint entry is >0x20 Allocations increment the counter Deallocations decrement the counter ● 0x12 consecutive allocations when LFH has never been enabled ● 0x11 when enabled for another bucket
  • 13. Enabling the LFH ● When counter > 0x20: ○ RtlpGetLFHContext ○ Returns : ■ NULL if LFH has not yet been activated ■ _LFH_HEAP.bucket[size] ○ If context is null : set heap.CompatibilityFlags ○ If context not null : save _HEAP_BUCKET+1 in blink
  • 16. Front-End Allocation ● RtlAllocateHeap : 1. Get the heap 2. Get the correct BlocksIndex 3. Get the correct ListHints entry 4. Look at blink 5. If blink & 1, use LFH, otherwise use back- end
  • 17.
  • 18.
  • 19.
  • 20. Front-End Allocation 1. Get _HEAP_BUCKET.sizeIndex 2. Get _LFH_HEAP 3. Get _HEAP_LOCAL_DATA 4. Get the correct _HEAP_SEGMENT_INFO using sizeIndex 5. Get a _HEAP_SUBSEGMENT
  • 21.
  • 22.
  • 23. Note: There can be actually several LocalData. To choose it, we'll use LocalDataIndex
  • 24. _HEAP_BUCKET+1 sizeIndex Flink BLink _HEAP_LOCAL_DATA LowFragHeap SegmentInfo[128]
  • 25. Heap subsegment ● Look at the Hint first ● If first is empty, look at the active subsegment ● If both subsegment are empty, allocate a segment from the back-end manager _HEAP_SEGMENT_INFO Hint 1 ActiveSubsegment 2
  • 26. Hint and active subsegments ● Hint: ○ Already freed a chunk of that size ● Otherwise use active subsegment ● Subsegment empty : ○ subsegment.AggregateExchg.depth==0
  • 27. Allocating from subsegment ● A subsegment gives you : ○ An interlock sequence ○ A user block ● User block : ○ Contains committed memory ● Interlock sequence: ○ The number of free chunks ○ The offset in blocks of the first free chunk ○ 1 block = 8 bytes
  • 28. Allocating A Subsegment ● RtlpLowFragHeapAllocateFromZone : ○ initializes and creates a new _HEAP_SUBSEGMENT ● RtlpSubSegmentInitlialize: ○ creates a new userblock
  • 29. 16 bytes Allocation Example UserBlock Interlock Sequence header Depth=5 FreeEntryOffset=2 Free next: 0x4 Free Size of the header : 16 bytes next: 0x6 FreeEntryOffset=2 block * 8 bytes = 16 bytes Free next: 0x8 Free next: 0xA Note: under windows 8, the default Free FreeEntryOffset is randomized next: 0xFF
  • 30. 16 bytes Allocation Example UserBlock Interlock Sequence header Depth=4 FreeEntryOffset=4 Busy Free Size of the header : 16 bytes next: 0x6 FreeEntryOffset=4 block * 8 bytes = 32 bytes Free next: 0x8 Free next: 0xA Free next: 0xFF
  • 31. 16 bytes Allocation Example UserBlock Interlock Sequence header Depth=3 FreeEntryOffset=6 Busy Busy Size of the header : 16 bytes FreeEntryOffset=6 block * 8 bytes = 48 bytes Free next: 0x8 Free next: 0xA Free next: 0xFF
  • 32. 16 bytes Allocation Example UserBlock Interlock Sequence header Depth=2 FreeEntryOffset=8 Busy Busy Size of the header : 16 bytes FreeEntryOffset=8 block * 8 bytes = 64 bytes Busy Free next: 0xA Free next: 0xFF
  • 33. Front-End Deallocation ● If chunkHeader.UnusedBytes == 0x5 : ○ header must be readjusted ○ SegmentOffset used for readjusting ● If chunkHeader.UnusedBytes & 0x80 ○ RtlpLowFragHeapFree ○ Don't forget the chunk may have been readjusted! ● Otherwise, use RtlpFreeHeap
  • 34. Front-End Deallocation ● RtlpLowFragHeapFree: ○ Readjustment : ■ ChunkHeader - 8 * SegmentOffset ■ What if you overwrote SegmentOffset? ○ Set UnusedBytes to 0x80 ○ Set SegmentOffset to 0 ○ If interlock.depth==subsegment.blockCount : ■ Userblock is full, you have to use another subsegment or allocate a user block
  • 35. Front-End Deallocation ● Depth incremented ● FreeEntryOffset updated ● Sequence is updated ● If user block is full : ○ Sequence set to 3 ○ User block will be freed by the back-end ○ PerformSubgSegmentMaintenance() ○ RtlpFreeUserBlock
  • 36. 16 bytes Deallocation Example UserBlock Interlock Sequence header Depth=2 FreeEntryOffset=8 Busy Busy Chunk we want to free Busy Free next: 0xA Free next: 0xFF
  • 37. 16 bytes Deallocation Example UserBlock Interlock Sequence header Depth=3 FreeEntryOffset=2 Free next: 0x8 Busy Size of the header : 16 bytes FreeEntryOffset=2 block * 8 bytes = 16 bytes Busy Free next: 0xA Free next: 0xFF
  • 38. 16 bytes Deallocation Example UserBlock Interlock Sequence header Depth=3 FreeEntryOffset=2 Free next: 0x8 Busy Chunk we want to free Busy Free next: 0xA Free next: 0xFF
  • 39. 16 bytes Deallocation Example UserBlock Interlock Sequence header Depth=4 FreeEntryOffset=6 Free next: 0x8 Busy Size of the header : 16 bytes FreeEntryOffset=6 block * 8 bytes = 48 bytes Free next: 0x2 Free next: 0xA Free next: 0xFF
  • 40. 16 bytes Deallocation Example UserBlock Interlock Sequence header Depth=4 FreeEntryOffset=6 Free next: 0x8 Busy Chunk we want to free Free next: 0x2 Free next: 0xA Free next: 0xFF
  • 41. 16 bytes Deallocation Example UserBlock Interlock Sequence header Depth=5 FreeEntryOffset=4 Free next: 0x8 Free Size of the header : 16 bytes next: 0x6 FreeEntryOffset=6 block * 8 bytes = 48 bytes Free next: 0x2 Free next: 0xA Free next: 0xFF
  • 42. Now the Back-End! Everything's okay? Any questions before continuing?
  • 43. Back-End Allocation : do you recall?
  • 44. Back-End Allocation ● Get the _HEAP ● Get the BlocksIndex ● It's a _HEAP_LIST_LOOKUP ● Contains an extended lookup ● Contains a ListHints
  • 45. Back-End Allocation ● Is chunkSize < ArraySize? ● If so, use this ListHints ● Otherwise if no extendedLookup: ○ use ListHints[ArraySize-1] ● If there is an extendedLookup ○ is chunkSize < extended.ArraySize? ● If so, use this ListHints ● Otherwise, use extended.ListHints[ArraySize- 1]
  • 46. ListsInUseUlong : The Bitmap ● Now that we have the ListHints : ○ Find the correct sized entry ○ Check whether this entry is populated or not ○ ListsInUseUlong allows that ● ListsInUseUlong: ○ 4 byte integer ○ Each bit corresponds to an entry ○ 1 = some free chunk available ○ 0 = no free chunk available
  • 47. Back-End Allocation ● If the entry corresponding to the requested size is populated ○ Safe unlink the first free chunk pointed to by flink ● Otherwise navigate through FreeList ○ Safe unlink the first chunk that is large enough to fit the request ● If no chunk can fit the request : ○ RtlpExtendHeap ● Then the bitmap is updated
  • 48. 24 bytes Allocation Example The user requested 16 bytes. 16 bytes + 8 bytes of header = 24 bytes 3*8=24 bytes. +0x00 Bitmap indicates that ListHints[3] contains free chunks +0x03 ... ListsInUseUlong : +0x7F 0 0 0 1 ... 0 0
  • 49. 24 bytes Allocation Example +0x00 +0x03 ... ListsInUseUlong : +0x7F 0 0 0 1 ... 0 0
  • 50. 24 bytes Allocation Example +0x00 +0x03 ... ListsInUseUlong : +0x7F 0 0 0 0 ... 0 0
  • 51. Another 24 bytes Allocation Example Problem : No chunk available at ListHints[3] +0x00 +0x03 ... +0x7F
  • 52. Another 24 bytes Allocation Example _HEAP FreeList +0x00 +0x03 ... +0x7F
  • 53. Another 24 bytes Allocation Example _HEAP FreeList +0x00 +0x03 ... +0x7F
  • 54. Another 24 bytes Allocation Example _HEAP FreeList +0x00 +0x03 ... +0x7F
  • 55. Another 24 bytes Allocation Example _HEAP FreeList +0x00 +0x03 ... +0x7F
  • 56. Another 24 bytes Allocation Example _HEAP FreeList +0x00 +0x03 ... +0x7F
  • 57. Another 24 bytes Allocation Example _HEAP FreeList +0x00 +0x03 ... +0x7F
  • 58. Another 24 bytes Allocation Example _HEAP FreeList +0x00 +0x03 ... Large enough! +0x7F
  • 59. Another 24 bytes Allocation Example _HEAP FreeList +0x00 +0x03 ... +0x7F
  • 60. It's time for exploitation! Everything's okay? Any questions before continuing?
  • 61. Exploiting heap determinism ● Now that you understand the LFH, you can predict what is going to happen ● Heap Feng Shui : making alloc/dealloc to reorganize the heap layout in the desired way ● Useful if you want to overflow into a particular heap chunk
  • 62. Fragmentation problems Depth: 5 Busy Busy Free Busy FreeEntryOffset: 6 next=12 Busy Free Busy Free ● 2 consecutive allocations won't give adjacent next=16 next=18 blocks! ● We need to defragment memory: ○ fill the holes Free Busy Busy Busy ○ fill the subsegment so that a new one is next=30 created ○ now consecutive allocations will give adjacent blocks Busy Busy Free Busy next=0xFF
  • 63. Fragmentation problems Enable the LFH The next alloc will return the address of array2[0], the second one will return the address of array2[4]. (LFH is kind of LIFO) Defragment and allocate a new subsegment Now, the object is after our "user controlled" buffer
  • 64. More details next: 16 Objective: ● 2 adjacent chunks ● first block user controlled A Steps: next: 30 ● alloc B ● alloc next: 0x22 next=16 next: 2 ● alloc ● alloc toOverflow ● free B ● alloc toBeOverflowed next=30 next: 0xFF Result: C Busy The green frame will contain the next: 10 next=0xFF chunk we chose it the correct order.
  • 65. More details next: 2 Objective: ● 2 adjacent chunks ● first block user controlled A Steps: next: 30 ● alloc B ● alloc next: 0x22 next=16 ● alloc ● alloc toOverflow ● free B ● alloc toBeOverflowed next=30 next: 0xFF Result: C Busy The green frame will contain the next: 10 next=0xFF chunk we chose it the correct order.
  • 66. More details next: 30 Objective: ● 2 adjacent chunks ● first block user controlled A Steps: ● alloc B ● alloc next: 0x22 next=16 ● alloc ● alloc toOverflow ● free B ● alloc toBeOverflowed next=30 next: 0xFF Result: C Busy The green frame will contain the next: 10 next=0xFF chunk we chose it the correct order.
  • 67. More details next: 10 Objective: ● 2 adjacent chunks ● first block user controlled A Steps: ● alloc B ● alloc next: 0x22 next=16 ● alloc ● alloc toOverflow ● free B ● alloc toBeOverflowed next=30 next: 0xFF Result: C Busy The green frame will contain the next=0xFF chunk we chose it the correct order.
  • 68. More details next: 22 Objective: ● 2 adjacent chunks ● first block user controlled A Steps: ● alloc B ● alloc next=16 ● alloc ● alloc toOverflow ● free B ● alloc toBeOverflowed next=30 next: 0xFF Result: C Busy The green frame will contain the next=0xFF chunk we chose it the correct order.
  • 69. More details next: 12 Objective: ● 2 adjacent chunks ● first block user controlled A Steps: ● alloc B ● alloc next: 22 next=16 ● alloc ● alloc toOverflow ● free B ● alloc toBeOverflowed next=30 next: 0xFF Result: C Busy The green frame will contain the next=0xFF chunk we chose it the correct order.
  • 70. More details next: 22 Objective: ● 2 adjacent chunks ● first block user controlled A Steps: ● alloc B ● alloc next=16 ● alloc ● alloc toOverflow ● free B ● alloc toBeOverflowed next=30 next: 0xFF Result: C Busy The green frame will contain the next=0xFF chunk we chose it the correct order.
  • 71. Remarks ● Be aware that new/delete and HeapAlloc/HeapFree don't use the same heap ● Of course this example is very simple, but its purpose is only to show that you can manipulate the heap layout
  • 72. SegmentOffset overwrites ● Introduces user-after-frees or double-frees ○ You can overflow a chunk so as to put its UnusedBytes to 5 and set SegmentOffset so as to point to an interesting chunk ○ Thus we could free a C++ object for exemple ○ Then we allocate a chunk and get ... the C++ object ○ We can overwrite what we want: VPTR, variables etc.
  • 74. FreeEntryOffset overwrites ● During front-end allocation, FreeEntryOffset is updated : ○ Each chunk managed by a user block contains an offset stored within its first 2 bytes (part of the data) ○ If you overflow this so as to point to your desired object, you'll end-up by modifying aggregateExchg. freeEntryOffset so as to points to it ○ The next allocated block will be at the desired address ● Introduces use-after-frees or double-frees
  • 75. FreeEntryOffset overwrites You may have to reorganize the heap layout. Who tells you that the overflowed free chunk is the next chunk to be allocated?
  • 76. FreeEntryOffset overwrites We modified the FreeEntryOffset so that bazinga is the same as bla
  • 77. Double Free 1.free(foo) 2.alloc(bar) // bar==foo 3.free(foo) // == free(bar) 4.alloc(dawg) // dawg==foo ● Thus dawg=>foo and bar=>foo ● ex: dawg is a c++ object and bar user controlled ● using bar, we could change bar's VPTR
  • 80. Subsegment overwrite ● If you overwrite Userblocks pointer of a _HEAP_SUBSEGMENT you've got a "write- what-where"
  • 81. Block zones _LFH_BLOCK_ZONE _LFH_BLOCK_ZONE _LFH_BLOCK_ZONE ListEntry ListEntry ListEntry Limit Limit Limit FreePointer FreePointer FreePointer _HEAP_SUBSEGMENT _HEAP_SUBSEGMENT _HEAP_SUBSEGMENT
  • 82. Block zones overwrites What happened ? ● We filled the userblock ● We overwrote the block zone ● The next allocation can't be done using the userblock previously used ● So another one is allocated... ● ...from our overwritten block zone
  • 83. _HEAP_UCR_DESCRIPTOR ● UCR = "UnCommitted Range" ● Static offset from the first allocation in a segment ● Points to the next reserved region
  • 84. _HEAP_UCR_DESCRIPTOR _HEAP_UCR_DESCRIPTOR ListEntry SegmentEntry Address Size _HEAP_UCR_DESCRIPTOR Overflowed buffer
  • 85. Overwriting heap base ● If you can control the heap base, you've won ○ functions pointers ○ pointers to LFH/back-end structures ○ canaries ○ etc
  • 86. Fault Tolerant Heap ● Monitors crashes ● Part of the "Diagnostic Policy Service" ● Enabled after a certain heuristic has occured ● Prevents corruptions like double frees or heap overruns ● HKLMSoftwareMicrosoftFTH : ○ CrashVelocity is the number of crashes that has to occur within CrashWindowInMinutes to enable the FT ○ Enabled ○ ExclusionList ○ MaximumTrackedApplications (128) ○ MaximumTrackedProcesses (4) ○ CheckPointPeriod ( 7 days)
  • 87. Mitigations ● Heap base randomization ● Part of the chunk headers are encoded (size, flags and smallTagIndex) ● Safe (un)link ● Heap cookies ● Encoding of function pointers present in the heap base ● Termination on heap corruption ● Algorithm variation
  • 88. What's new with Windows 8? ● Blinks are no longer used to point to a _HEAP_BUCKET +1 ● Allocations from the LFH are now made in a random order ● FreeEntryOffset is no longer used ● BlockZones integrity is now checked ● Guard pages between userblocks ● Segment Offset protection ● Fast failing with NtStopProfile
  • 89. Greetings Special thanks to Ivanlefou for helping me and reviewing my presentation. And thanks a lot to Chris Valasek and Steven Seeley for their work. Thanks to 0verclok for his review. Thanks to Tetrane for his sponsor
  • 90. Questions? Thank you for your attention!