Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

CNIT 127 Ch 5: Introduction to heap overflows

643 views

Published on

Slides for a college course at City College San Francisco. Based on "The Shellcoder's Handbook: Discovering and Exploiting Security Holes ", by Chris Anley, John Heasman, Felix Lindner, Gerardo Richarte; ASIN: B004P5O38Q.

Instructor: Sam Bowne

Class website: https://samsclass.info/127/127_S17.shtml

Published in: Education
  • Be the first to comment

  • Be the first to like this

CNIT 127 Ch 5: Introduction to heap overflows

  1. 1. CNIT 127: Exploit Development
 
 Ch 5: Introduction to Heap Overflows Updated 2-14-17
  2. 2. What is a Heap?
  3. 3. Memory Map • In gdb, the "info proc map" command shows how memory is used • Programs have a stack, one or more heaps, and other segments • malloc() allocates space on the heap • free() frees the space
  4. 4. Heap and Stack
  5. 5. Heap Structure Size of previous chunk Size of this chunk Pointer to next chunk Pointer to previous chunk Data Size of previous chunk Size of this chunk Pointer to next chunk Pointer to previous chunk Data Size of previous chunk Size of this chunk Pointer to next chunk Pointer to previous chunk Data
  6. 6. A Simple Example
  7. 7. A Simple Example
  8. 8. Viewing the Heap in gdb
  9. 9. Exploit and Crash
  10. 10. Crash in gdb
  11. 11. Targeted Exploit
  12. 12. The Problem With the Heap
  13. 13. EIP is Hard to Control • The Stack contains stored EIP values • The Heap usually does not • However, it has addresses that are used for writes – To fill in heap data – To rearrange chunks when free() is called
  14. 14. Action of Free() • Must write to the forward and reverse pointers • If we can overflow a chunk, we can control those writes • Write to arbitrary RAM – Image from mathyvanhoef.com, link Ch 5b
  15. 15. Target RAM Options • Saved return address on the Stack – Like the Buffer Overflows we did previously • Global Offset Table – Used to find shared library functions • Destructors table (DTORS) – Called when a program exits • C Library Hooks
  16. 16. Target RAM Options • "atexit" structure (link Ch 4n) • Any function pointer • In Windows, the default unhandled exception handler is easy to find and exploit
  17. 17. Project Walkthroughs • Proj 8 – Exploiting a write to a heap value • Proj 8x – Taking over a remote server • Proj 5x – Buffer overflow with a canary

×