
Exploits & Mitigations - Memory Corruption Techniques


Slide 1: Exploits and Mitigations: Memory Corruption Techniques
Sameer Patil, CysInfo
Slide 2: Topics to cover
• Stack buffer overflow (BOF), DEP
• ROP attacks and mitigations
• Heap spray
• Abusing vptrs
• Use-after-free
• Flash exploitation
• Heap memory management
• Mitigations
Slide 3: Virtual Memory Mapping [figure]
Slide 4: Stack BOF
• Overflow a stack buffer to overwrite the saved return address (EIP), redirecting execution into attacker-supplied shellcode
• Mitigation: DEP marks the stack (and other data pages) non-executable, so injected shellcode faults instead of running
Slide 5: ROP Attack
• Defeats DEP by reusing instruction sequences already present in executable pages instead of injecting code
• Stack pivot: shifts ESP into attacker-controlled memory (for example a sprayed heap buffer) that holds the chain
• The chain is a sequence of small gadgets, each ending in ret, so every ret hands control to the next gadget
Slide 6: ROP Attack
Gadgets (code):
  0x02010000: pop eax ; ret
  0x02010020: pop ebx ; ret
  0x02010030: add eax, ebx ; ret
Action: eax = 1, ebx = 2, eax = eax + ebx
The stack holds the chain as 0x02010000, 1, 0x02010020, 2, 0x02010030: each gadget's pop consumes the dword after its address, and each ret pops the next gadget address, leaving eax = 3.
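To make the slide's chain concrete, here is an added example (not from the deck) that models x86 ROP execution with a tiny interpreter: a fake stack of dwords, a program counter, and the three gadgets above with their slide addresses. The CPU model, the 0 terminator, and the image_slide knob (which moves the gadgets as ASLR would while the attacker's chain stays unchanged) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

/* Added example, not from the slides: a minimal model of x86 ROP execution.
 * Gadget addresses and semantics are the ones on slide 6; the CPU model,
 * the fake stack and image_slide are assumptions for illustration. */

#define G_POP_EAX      0x02010000u   /* pop eax ; ret */
#define G_POP_EBX      0x02010020u   /* pop ebx ; ret */
#define G_ADD_EAX_EBX  0x02010030u   /* add eax, ebx ; ret */

typedef struct {
    uint32_t eax, ebx, esp, eip;
    const uint32_t *stack;   /* attacker-controlled memory that ESP points into */
    size_t stack_words;
    uint32_t image_slide;    /* ASLR: gadgets really live at slide-time addr + image_slide */
} cpu_t;

/* pop: read the dword at ESP and advance ESP by 4. */
static int pop32(cpu_t *c, uint32_t *out) {
    size_t idx = c->esp / 4;
    if (idx >= c->stack_words) return -1;   /* ran off the controlled buffer */
    *out = c->stack[idx];
    c->esp += 4;
    return 0;
}

/* Execute one gadget: its side effect, then the trailing ret (pop eip). */
static int run_gadget(cpu_t *c) {
    switch (c->eip - c->image_slide) {
    case G_POP_EAX:     if (pop32(c, &c->eax)) return -1; break;
    case G_POP_EBX:     if (pop32(c, &c->ebx)) return -1; break;
    case G_ADD_EAX_EBX: c->eax += c->ebx; break;
    default:            return -1;          /* not a gadget: the chain crashes */
    }
    return pop32(c, &c->eip);               /* ret */
}

/* The chain as it sits on the stack after the overflow: the first dword is the
 * overwritten return address, each gadget's pop consumes the dword after it,
 * and a 0 terminator stands in for the final return into the real payload. */
const uint32_t slide_chain[] = { G_POP_EAX, 1, G_POP_EBX, 2, G_ADD_EAX_EBX, 0 };
const size_t slide_chain_words = sizeof slide_chain / sizeof slide_chain[0];

/* Runs a chain starting at the vulnerable function's ret; returns the final
 * eax, or -1 if execution leaves the known gadgets or the buffer. */
int64_t run_rop_chain(const uint32_t *chain, size_t words, uint32_t image_slide) {
    cpu_t c = { 0, 0, 0, 0, chain, words, image_slide };
    if (pop32(&c, &c.eip)) return -1;       /* the ret that starts the chain */
    for (unsigned steps = 0; steps < 64 && c.eip != 0; steps++)
        if (run_gadget(&c)) return -1;
    return c.eip == 0 ? (int64_t)c.eax : -1;
}

int main(void) {
    printf("eax after chain, no ASLR   : %" PRId64 "\n",
           run_rop_chain(slide_chain, slide_chain_words, 0));
    printf("eax after chain, image slid: %" PRId64 "\n",
           run_rop_chain(slide_chain, slide_chain_words, 0x1000));
    return 0;
}
```

With the gadgets where the slide puts them the chain yields eax = 3; once the image is slid by any nonzero amount the hardcoded addresses no longer point at gadgets and the chain dies, which is the whole point of ASLR as a ROP mitigation on the next slide.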
Slide 7: ROP Mitigations
• ASLR: randomizes where gadgets are loaded, so a chain of hardcoded addresses needs an information leak first
• Stack pivot check: when a critical API is called, ESP must lie within the thread's real stack limits
• Caller check: a critical API must be reached through a call instruction, not by a ret landing on it
• SimExecFlow: simulate execution past the API's return and verify that each subsequent return address is preceded by a call
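The stack pivot and caller checks are simple enough to show in code. The added example below (not from the deck) implements them over a constructed byte buffer in the style EMET applies at critical API entry points; the function names, the sample bytes and the stack bounds are assumptions, and on a real system the bounds would come from the thread's TEB.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not from the slides: EMET-style stack pivot and caller
 * checks modelled over a constructed code buffer. Names and data are assumed. */

enum guard_result { GUARD_OK = 0, GUARD_STACK_PIVOT = 1, GUARD_NOT_CALL_PRECEDED = 2 };

/* Stack pivot check: ESP must lie inside [stack_limit, stack_base). On Windows
 * the bounds live in the TEB (StackLimit/StackBase); here they are parameters. */
int esp_in_stack(uint32_t esp, uint32_t stack_limit, uint32_t stack_base) {
    return esp >= stack_limit && esp < stack_base;
}

/* Caller check: were the bytes immediately before the return address a CALL?
 * Heuristic over the common x86 call encodings. */
int preceded_by_call(const uint8_t *code, size_t len, size_t ret_off) {
    if (ret_off > len) return 0;
    if (ret_off >= 5 && code[ret_off - 5] == 0xE8) return 1;                    /* call rel32 */
    if (ret_off >= 6 && code[ret_off - 6] == 0xFF && code[ret_off - 5] == 0x15) return 1; /* call [disp32] */
    if (ret_off >= 2 && code[ret_off - 2] == 0xFF && (code[ret_off - 1] & 0xF8) == 0xD0) return 1; /* call reg */
    if (ret_off >= 3 && code[ret_off - 3] == 0xFF && (code[ret_off - 2] & 0xF8) == 0x50) return 1; /* call [reg+disp8] */
    return 0;
}

/* Run both checks at a critical API entry; ret_off is where the caller will
 * resume (the return address on top of the stack). */
int critical_api_guard(uint32_t esp, uint32_t stack_limit, uint32_t stack_base,
                       const uint8_t *code, size_t len, size_t ret_off) {
    if (!esp_in_stack(esp, stack_limit, stack_base)) return GUARD_STACK_PIVOT;
    if (!preceded_by_call(code, len, ret_off)) return GUARD_NOT_CALL_PRECEDED;
    return GUARD_OK;
}

/* Constructed code bytes (not from any real binary):
 *   off 0: E8 10 00 00 00   call rel32  -> a return address of 5 is call-preceded
 *   off 5: 5D               pop ebp
 *   off 6: C3               ret         -> a return address of 7 follows a ret, typical of a gadget
 *   off 7: 90               nop */
const uint8_t sample_code[] = { 0xE8, 0x10, 0x00, 0x00, 0x00, 0x5D, 0xC3, 0x90 };
const size_t sample_code_len = sizeof sample_code;

/* Assumed thread stack bounds for the demo. */
#define DEMO_STACK_LIMIT 0x0012D000u
#define DEMO_STACK_BASE  0x00130000u

int main(void) {
    printf("legit call, esp on stack : %d\n",
           critical_api_guard(0x0012F000u, DEMO_STACK_LIMIT, DEMO_STACK_BASE, sample_code, sample_code_len, 5));
    printf("gadget return, esp on stack: %d\n",
           critical_api_guard(0x0012F000u, DEMO_STACK_LIMIT, DEMO_STACK_BASE, sample_code, sample_code_len, 7));
    printf("legit call, esp in heap  : %d\n",
           critical_api_guard(0x0A000000u, DEMO_STACK_LIMIT, DEMO_STACK_BASE, sample_code, sample_code_len, 5));
    return 0;
}
```

Both checks are heuristics: an attacker who pivots back onto the real stack before the API call passes the first, and one who chooses gadgets whose return addresses happen to follow a call instruction passes the second. That is the gap the kBouncer paper and the EMET bypass in the references work in.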
Slide 8: Heap Spray
• Introduced by SkyLined
• Fill the heap with many copies of the payload so that a guessed address reliably points into it; the EIP overwrite then targets that address
• Payload: NOP sled followed by shellcode, so landing anywhere in the sled slides into the shellcode
Slide 9: Virtual Functions and vptrs [figure]
Slide 10: Abusing vptrs [figure]
Slide 11: Use after Free
• Dangling pointer: an object is freed while some pointer to it is still held and later used
• AddRef() is meant to keep a count of direct references so the object stays alive while one exists; a missing AddRef() leaves a reference that outlives the object
• Vulnerability: the attacker reallocates the freed memory with another object of the same size, so the stale pointer now dereferences attacker-controlled data (for example a fake vptr)
Slide 12: Flash Exploitation (CVE-2014-1776)
• Internet Explorer use-after-free; the exploit uses Flash ActionScript (Vector objects) to lay out memory and build the ROP chain
Slide 13: Heap Memory Management (Windows heap)
• Front-end allocators: Lookaside Lists, Low Fragmentation Heap (LFH)
• Back-end allocator: FreeLists
Slide 14: Mitigations
• Isolated Heap: allocate sensitive objects from a separate heap, so a freed object's memory cannot be reclaimed by attacker-controlled allocations of other types
• MemoryProtect: defer actually freeing an object while references to it may still be live, so a dangling pointer sees the original (or zeroed) object rather than attacker data
• Vector and ByteArray object hardening in Flash
• ROP mitigations (slide 7)
Slide 15: References
• Mechanism behind IE CVE-2014-1776
• Heap Feng Shui in JavaScript
• Ubiquitous Flash, Ubiquitous Exploits
• kBouncer: Efficient and Transparent ROP Mitigation
• Bypassing EMET 4.1
Slide 16: Thank You!