Sam Bowne, profile picture
Uploaded bySam Bowne
PDF, PPTX246 views

Ch 5: Introduction to heap overflows

This document discusses heap overflows and exploit development. It explains that the heap is an area of memory used for dynamic allocation via malloc() and freed via free(). When free() is called, it must write to forward and backward pointers, allowing overflow data to potentially control those writes. This makes it possible to write to arbitrary RAM locations, such as the stack return address, global offset table, destructors table, or function pointers, in order to execute code and crash or exploit the program.

Embed presentation

Download as PDF, PPTX
CNIT 127: Exploit Development 
 
 Ch 5: Introduction to Heap Overflows Updated 2-22-22
What is a Heap?
Memory Map • In gdb, the "info proc map" command shows how memory is used • Programs have a stack, one or more heaps, and other segments • malloc() allocates space on the heap • free() frees the space
Heap and Stack
Heap Structure Size of previous chunk Size of this chunk Pointer to next chunk Pointer to previous chunk Data Size of previous chunk Size of this chunk Pointer to next chunk Pointer to previous chunk Data Size of previous chunk Size of this chunk Pointer to next chunk Pointer to previous chunk Data
A Simple Example (Proj ED 205)
A Simple Example
Viewing the Heap in gdb
Exploit and Crash
Crash in gdb
Targeted Exploit
The Problem With the Heap
EIP is Hard to Control • The Stack contains stored EIP values • The Heap usually does not • However, it has addresses that are used for writes – To fill in heap data – To rearrange chunks when free() is called
Action of Free() • Must write to the forward and reverse pointers • If we can overflow a chunk, we can control those writes • Write to arbitrary RAM – Image from mathyvanhoef.com, link Ch 5b
Target RAM Options • Saved return address on the Stack – Like the Buffer Overflows we did previously • Global Offset Table – Used to find shared library functions • Destructors table (DTORS) – Called when a program exits • C Library Hooks
Target RAM Options • "atexit" structure (link Ch 4n) • Any function pointer • In Windows, the default unhandled exception handler is easy to find and exploit
Ch 5: Introduction to heap overflows

More Related Content

PDF
127 Ch 2: Stack overflows on Linux
bySam Bowne
 
PDF
CNIT 127 14: Protection Mechanisms
bySam Bowne
 
PDF
CNIT 127 Ch 1: Before you Begin
bySam Bowne
 
PDF
CNIT 127 Ch 5: Introduction to heap overflows
bySam Bowne
 
PDF
CNIT 127 Ch 8: Windows overflows (Part 1)
bySam Bowne
 
PDF
CNIT 127 Ch 3: Shellcode
bySam Bowne
 
PDF
CNIT 127 Ch 4: Introduction to format string bugs
bySam Bowne
 
PPTX
polymorphism
byImtiaz Hussain
 
127 Ch 2: Stack overflows on Linux
bySam Bowne
 
CNIT 127 14: Protection Mechanisms
bySam Bowne
 
CNIT 127 Ch 1: Before you Begin
bySam Bowne
 
CNIT 127 Ch 5: Introduction to heap overflows
bySam Bowne
 
CNIT 127 Ch 8: Windows overflows (Part 1)
bySam Bowne
 
CNIT 127 Ch 3: Shellcode
bySam Bowne
 
CNIT 127 Ch 4: Introduction to format string bugs
bySam Bowne
 
polymorphism
byImtiaz Hussain
 

What's hot

PPT
Interface in java
byLovely Professional University
 
PPT
Operator & Expression in c++
bybajiajugal
 
PPTX
Interfaces in java
byAbishek Purushothaman
 
PPTX
C++17 std::filesystem - Overview
byBartlomiej Filipek
 
PPT
Process and Threads in Linux - PPT
byQUONTRASOLUTIONS
 
PDF
Scheduling in Android
byOpersys inc.
 
PPTX
Templates presentation
bymalaybpramanik
 
PPT
16717 functions in C++
byLPU
 
PPTX
Linux System Programming - File I/O
byYourHelper1
 
PDF
Object oriented programming c++
byAnkur Pandey
 
PPTX
Polymorphism in C++
byRabin BK
 
PDF
Perl Scripting
byVaradharajan Mukundan
 
PPSX
Complete C++ programming Language Course
byVivek Singh Chandel
 
PPTX
Sisteme de Operare: Planificarea proceselor, IPC
byAlexandru Radovici
 
PPTX
Union in c language
bytanmaymodi4
 
PPT
Chuong12
byna
 
PPTX
Call by value or call by reference in C++
bySachin Yadav
 
PPTX
File Management and manipulation in C++ Programming
byChereLemma2
 
PPT
Branching in C
byPrabhu Govind
 
PPTX
Templates in c++
byMayank Bhatt
 
Interface in java
byLovely Professional University
 
Operator & Expression in c++
bybajiajugal
 
Interfaces in java
byAbishek Purushothaman
 
C++17 std::filesystem - Overview
byBartlomiej Filipek
 
Process and Threads in Linux - PPT
byQUONTRASOLUTIONS
 
Scheduling in Android
byOpersys inc.
 
Templates presentation
bymalaybpramanik
 
16717 functions in C++
byLPU
 
Linux System Programming - File I/O
byYourHelper1
 
Object oriented programming c++
byAnkur Pandey
 
Polymorphism in C++
byRabin BK
 
Perl Scripting
byVaradharajan Mukundan
 
Complete C++ programming Language Course
byVivek Singh Chandel
 
Sisteme de Operare: Planificarea proceselor, IPC
byAlexandru Radovici
 
Union in c language
bytanmaymodi4
 
Chuong12
byna
 
Call by value or call by reference in C++
bySachin Yadav
 
File Management and manipulation in C++ Programming
byChereLemma2
 
Branching in C
byPrabhu Govind
 
Templates in c++
byMayank Bhatt
 

Similar to Ch 5: Introduction to heap overflows

PDF
CNIT 127: Ch 8: Windows overflows (Part 2)
bySam Bowne
 
PDF
CNIT 127: 8: Windows overflows (Part 2)
bySam Bowne
 
PPT
Third Generation Exploitation Black .ppt
byKarimAhmed722436
 
PPTX
A survey on Heap Exploitation
byAlireza Karimi
 
PDF
Heap Base Exploitation
byUTD Computer Security Group
 
PPT
exploiting heap overflows
byprimelude
 
PDF
Advanced Windows Exploitation
byUTD Computer Security Group
 
ODP
BufferOverflow - Offensive point of View
byToe Khaing
 
PDF
Heap overflows for humans – 101
byCraft Symbol
 
PPT
Heaps About Heaps - Brett Moore.ppt
bydamesmith
 
ODP
Debugging With Id
byguest215c4e
 
PDF
Low Level Exploits
byhughpearse
 
PDF
wctf LazyFragmentationHeap_slide.pdf
byLittleRavenQQQ
 
PPTX
How Safe is your Link ?
byPeter Hlavaty
 
PDF
Exploitation Crash Course
byUTD Computer Security Group
 
PPTX
Golf teamlearnerlecture
bykairistiona
 
PDF
Windows 10 Nt Heap Exploitation (English version)
byAngel Boy
 
PPTX
Control hijacking
byPrachi Gulihar
 
PDF
Advanced Arm Exploitation
byHimanshu Khokhar Jaat
 
PPT
Buffer Overflows
bySumit Kumar
 
CNIT 127: Ch 8: Windows overflows (Part 2)
bySam Bowne
 
CNIT 127: 8: Windows overflows (Part 2)
bySam Bowne
 
Third Generation Exploitation Black .ppt
byKarimAhmed722436
 
A survey on Heap Exploitation
byAlireza Karimi
 
Heap Base Exploitation
byUTD Computer Security Group
 
exploiting heap overflows
byprimelude
 
Advanced Windows Exploitation
byUTD Computer Security Group
 
BufferOverflow - Offensive point of View
byToe Khaing
 
Heap overflows for humans – 101
byCraft Symbol
 
Heaps About Heaps - Brett Moore.ppt
bydamesmith
 
Debugging With Id
byguest215c4e
 
Low Level Exploits
byhughpearse
 
wctf LazyFragmentationHeap_slide.pdf
byLittleRavenQQQ
 
How Safe is your Link ?
byPeter Hlavaty
 
Exploitation Crash Course
byUTD Computer Security Group
 
Golf teamlearnerlecture
bykairistiona
 
Windows 10 Nt Heap Exploitation (English version)
byAngel Boy
 
Control hijacking
byPrachi Gulihar
 
Advanced Arm Exploitation
byHimanshu Khokhar Jaat
 
Buffer Overflows
bySumit Kumar
 

More from Sam Bowne

PDF
Introduction to the Class & CISSP Certification
bySam Bowne
 
PDF
Cyberwar
bySam Bowne
 
PDF
3: DNS vulnerabilities
bySam Bowne
 
PDF
8. Software Development Security
bySam Bowne
 
PDF
4 Mapping the Application
bySam Bowne
 
PDF
3. Attacking iOS Applications (Part 2)
bySam Bowne
 
PDF
12 Elliptic Curves
bySam Bowne
 
PDF
11. Diffie-Hellman
bySam Bowne
 
PDF
2a Analyzing iOS Apps Part 1
bySam Bowne
 
PDF
9 Writing Secure Android Applications
bySam Bowne
 
PDF
12 Investigating Windows Systems (Part 2 of 3)
bySam Bowne
 
PDF
10 RSA
bySam Bowne
 
PDF
12 Investigating Windows Systems (Part 1 of 3
bySam Bowne
 
PDF
9. Hard Problems
bySam Bowne
 
PDF
8 Android Implementation Issues (Part 1)
bySam Bowne
 
PDF
11 Analysis Methodology
bySam Bowne
 
PDF
8. Authenticated Encryption
bySam Bowne
 
PDF
7. Attacking Android Applications (Part 2)
bySam Bowne
 
PDF
7. Attacking Android Applications (Part 1)
bySam Bowne
 
PDF
5. Stream Ciphers
bySam Bowne
 
Introduction to the Class & CISSP Certification
bySam Bowne
 
Cyberwar
bySam Bowne
 
3: DNS vulnerabilities
bySam Bowne
 
8. Software Development Security
bySam Bowne
 
4 Mapping the Application
bySam Bowne
 
3. Attacking iOS Applications (Part 2)
bySam Bowne
 
12 Elliptic Curves
bySam Bowne
 
11. Diffie-Hellman
bySam Bowne
 
2a Analyzing iOS Apps Part 1
bySam Bowne
 
9 Writing Secure Android Applications
bySam Bowne
 
12 Investigating Windows Systems (Part 2 of 3)
bySam Bowne
 
10 RSA
bySam Bowne
 
12 Investigating Windows Systems (Part 1 of 3
bySam Bowne
 
9. Hard Problems
bySam Bowne
 
8 Android Implementation Issues (Part 1)
bySam Bowne
 
11 Analysis Methodology
bySam Bowne
 
8. Authenticated Encryption
bySam Bowne
 
7. Attacking Android Applications (Part 2)
bySam Bowne
 
7. Attacking Android Applications (Part 1)
bySam Bowne
 
5. Stream Ciphers
bySam Bowne
 

Recently uploaded

PPTX
bundle of care.pptx Priti Bala @ BRD med
bypritibala13
 
PDF
Fast Followers Project, Embedding Net Zero into Wakefield Metropolitan Distri...
byAssociation for Project Management
 
PPTX
Setting Up and Processing Down Payments in Odoo 18 Sales
byCeline George
 
PPTX
Day 2 ppt english.powerpoint presentation ppt
byJeahMaeMedez
 
PDF
ĐỀ MINH HỌA KỲ THI TỐT NGHIỆP TRUNG HỌC PHỔ THÔNG NĂM 2026 MÔN TIẾNG ANH 2026...
byNguyen Thanh Tu Collection
 
PDF
McDowell Technical Community College Early Childhood Program Equitable Workfo...
byEducationNC
 
PPTX
Poster Based Ethical Reflection - Dharma and Values Poster.pptx
byRajshreeBeneymadoo
 
PPTX
Nanomaterials and its types - Dr.M.Jothimuniyandi
byJothimuniyandi
 
PDF
VIVA or SHORT ANSWER QUESTIONS or 2 MARKS QUESTIONS CHILD HEALTH NURSING.pdf
byPRADEEP ABOTHU
 
PDF
GIÁO ÁN KẾ HOẠCH BÀI DẠY NĂNG LỰC SỐ MÔN TIẾNG ANH LỚP 12 CẢ NĂM - GLOBAL SUC...
byNguyen Thanh Tu Collection
 
PDF
PHYSICAL-CHEMISTRY-ONE-SHOT-FORMULA-REVISION-SHEETJEEMAINS-AND-NEET.pdf/PREPA...
bySandeep Swamy
 
PDF
ĐỀ MINH HỌA KỲ THI TỐT NGHIỆP TRUNG HỌC PHỔ THÔNG NĂM 2026 MÔN TIẾNG ANH 2026...
byNguyen Thanh Tu Collection
 
PPTX
Powerpoint for testing in embed test with Sway
byjeanpierrefort3
 
PPTX
Ultrasound .pptx by Nagmani ojha (paramedical department)(Radiation technolog...
bynagmaniojha8
 
PPTX
Unit 3- Culture.pptx....................
byAkanksha Kotangale
 
PPTX
YSPH VMOC Special Report - Measles - The Americas 1-18-2026
byYale School of Public Health - The Virtual Medical Operations Center (VMOC)
 
PPTX
28 January 2026 Rebecca Frankum Are high-stakes exams and assessments still r...
byEduSkills OECD
 
PDF
EAPP ACADEMIC WRITING TASK - WRITING A POSITION PAPER.pdf
byAndre Philip Tacderas
 
PPTX
Maja Videnovik - Transforming Cybersecurity Learning into an Adventure
bybvtricks
 
PPTX
2026SlideShare.pptx welcome talk 2026 for peace harmony
byBryanGan8
 
bundle of care.pptx Priti Bala @ BRD med
bypritibala13
 
Fast Followers Project, Embedding Net Zero into Wakefield Metropolitan Distri...
byAssociation for Project Management
 
Setting Up and Processing Down Payments in Odoo 18 Sales
byCeline George
 
Day 2 ppt english.powerpoint presentation ppt
byJeahMaeMedez
 
ĐỀ MINH HỌA KỲ THI TỐT NGHIỆP TRUNG HỌC PHỔ THÔNG NĂM 2026 MÔN TIẾNG ANH 2026...
byNguyen Thanh Tu Collection
 
McDowell Technical Community College Early Childhood Program Equitable Workfo...
byEducationNC
 
Poster Based Ethical Reflection - Dharma and Values Poster.pptx
byRajshreeBeneymadoo
 
Nanomaterials and its types - Dr.M.Jothimuniyandi
byJothimuniyandi
 
VIVA or SHORT ANSWER QUESTIONS or 2 MARKS QUESTIONS CHILD HEALTH NURSING.pdf
byPRADEEP ABOTHU
 
GIÁO ÁN KẾ HOẠCH BÀI DẠY NĂNG LỰC SỐ MÔN TIẾNG ANH LỚP 12 CẢ NĂM - GLOBAL SUC...
byNguyen Thanh Tu Collection
 
PHYSICAL-CHEMISTRY-ONE-SHOT-FORMULA-REVISION-SHEETJEEMAINS-AND-NEET.pdf/PREPA...
bySandeep Swamy
 
ĐỀ MINH HỌA KỲ THI TỐT NGHIỆP TRUNG HỌC PHỔ THÔNG NĂM 2026 MÔN TIẾNG ANH 2026...
byNguyen Thanh Tu Collection
 
Powerpoint for testing in embed test with Sway
byjeanpierrefort3
 
Ultrasound .pptx by Nagmani ojha (paramedical department)(Radiation technolog...
bynagmaniojha8
 
Unit 3- Culture.pptx....................
byAkanksha Kotangale
 
YSPH VMOC Special Report - Measles - The Americas 1-18-2026
byYale School of Public Health - The Virtual Medical Operations Center (VMOC)
 
28 January 2026 Rebecca Frankum Are high-stakes exams and assessments still r...
byEduSkills OECD
 
EAPP ACADEMIC WRITING TASK - WRITING A POSITION PAPER.pdf
byAndre Philip Tacderas
 
Maja Videnovik - Transforming Cybersecurity Learning into an Adventure
bybvtricks
 
2026SlideShare.pptx welcome talk 2026 for peace harmony
byBryanGan8
 

Ch 5: Introduction to heap overflows

  • 1.
    CNIT 127: ExploitDevelopment 
 
 Ch 5: Introduction to Heap Overflows Updated 2-22-22
  • 2.
    What is aHeap?
  • 3.
    Memory Map • Ingdb, the "info proc map" command shows how memory is used • Programs have a stack, one or more heaps, and other segments • malloc() allocates space on the heap • free() frees the space
  • 4.
  • 5.
    Heap Structure Size ofprevious chunk Size of this chunk Pointer to next chunk Pointer to previous chunk Data Size of previous chunk Size of this chunk Pointer to next chunk Pointer to previous chunk Data Size of previous chunk Size of this chunk Pointer to next chunk Pointer to previous chunk Data
  • 6.
    A Simple Example(Proj ED 205)
  • 7.
  • 8.
  • 9.
  • 10.
  • 11.
  • 12.
  • 13.
    EIP is Hardto Control • The Stack contains stored EIP values • The Heap usually does not • However, it has addresses that are used for writes – To fill in heap data – To rearrange chunks when free() is called
  • 14.
    Action of Free() •Must write to the forward and reverse pointers • If we can overflow a chunk, we can control those writes • Write to arbitrary RAM – Image from mathyvanhoef.com, link Ch 5b
  • 15.
    Target RAM Options •Saved return address on the Stack – Like the Buffer Overflows we did previously • Global Offset Table – Used to find shared library functions • Destructors table (DTORS) – Called when a program exits • C Library Hooks
  • 16.
    Target RAM Options •"atexit" structure (link Ch 4n) • Any function pointer • In Windows, the default unhandled exception handler is easy to find and exploit