Sam Bowne, profile picture
Uploaded bySam Bowne
PDF, PPTX241 views

Ch 5: Introduction to heap overflows

This document discusses heap overflows and exploit development. It explains that the heap is an area of memory used for dynamic allocation via malloc() and freed via free(). When free() is called, it must write to forward and backward pointers, allowing overflow data to potentially control those writes. This makes it possible to write to arbitrary RAM locations, such as the stack return address, global offset table, destructors table, or function pointers, in order to execute code and crash or exploit the program.

Embed presentation

Download as PDF, PPTX
CNIT 127: Exploit Development 
 
 Ch 5: Introduction to Heap Overflows Updated 2-22-22
What is a Heap?
Memory Map • In gdb, the "info proc map" command shows how memory is used • Programs have a stack, one or more heaps, and other segments • malloc() allocates space on the heap • free() frees the space
Heap and Stack
Heap Structure Size of previous chunk Size of this chunk Pointer to next chunk Pointer to previous chunk Data Size of previous chunk Size of this chunk Pointer to next chunk Pointer to previous chunk Data Size of previous chunk Size of this chunk Pointer to next chunk Pointer to previous chunk Data
A Simple Example (Proj ED 205)
A Simple Example
Viewing the Heap in gdb
Exploit and Crash
Crash in gdb
Targeted Exploit
The Problem With the Heap
EIP is Hard to Control • The Stack contains stored EIP values • The Heap usually does not • However, it has addresses that are used for writes – To fill in heap data – To rearrange chunks when free() is called
Action of Free() • Must write to the forward and reverse pointers • If we can overflow a chunk, we can control those writes • Write to arbitrary RAM – Image from mathyvanhoef.com, link Ch 5b
Target RAM Options • Saved return address on the Stack – Like the Buffer Overflows we did previously • Global Offset Table – Used to find shared library functions • Destructors table (DTORS) – Called when a program exits • C Library Hooks
Target RAM Options • "atexit" structure (link Ch 4n) • Any function pointer • In Windows, the default unhandled exception handler is easy to find and exploit
Ch 5: Introduction to heap overflows

More Related Content

PDF
127 Ch 2: Stack overflows on Linux
bySam Bowne
 
PDF
CNIT 127 Ch 4: Introduction to format string bugs
bySam Bowne
 
PDF
CNIT 127 14: Protection Mechanisms
bySam Bowne
 
PDF
CNIT 127: 8: Windows overflows (Part 2)
bySam Bowne
 
PDF
CNIT 127 Ch 8: Windows overflows (Part 1)
bySam Bowne
 
PDF
CNIT 127 Ch 1: Before you Begin
bySam Bowne
 
PDF
CNIT 127 Ch 3: Shellcode
bySam Bowne
 
PDF
Operating systems system structures
byMukesh Chinta
 
127 Ch 2: Stack overflows on Linux
bySam Bowne
 
CNIT 127 Ch 4: Introduction to format string bugs
bySam Bowne
 
CNIT 127 14: Protection Mechanisms
bySam Bowne
 
CNIT 127: 8: Windows overflows (Part 2)
bySam Bowne
 
CNIT 127 Ch 8: Windows overflows (Part 1)
bySam Bowne
 
CNIT 127 Ch 1: Before you Begin
bySam Bowne
 
CNIT 127 Ch 3: Shellcode
bySam Bowne
 
Operating systems system structures
byMukesh Chinta
 

What's hot

PPTX
Semophores and it's types
byNishant Joshi
 
PPT
Disk scheduling
byNEERAJ BAGHEL
 
PPTX
Operating system 11 system calls
byVaibhav Khanna
 
PPTX
Code Optimization
byAkhil Kaushik
 
PPTX
Introduction to problem solving in C
byDiwakar Pratap Singh 'Deva'
 
PDF
CNIT 126 5: IDA Pro
bySam Bowne
 
PDF
CNIT 126 5: IDA Pro
bySam Bowne
 
PDF
Unit II - 2 - Operating System - Threads
bycscarcas
 
PPTX
Process management os concept
bypriyadeosarkar91
 
PPTX
Memory Management in OS
byKumar Pritam
 
PDF
Ch4 memory management
byBullz Musetsho
 
PPT
Os Threads
bySalman Memon
 
PPTX
Graph coloring using backtracking
byshashidharPapishetty
 
PPTX
Process Scheduling Algorithms | Interviews | Operating system
byShivam Mitra
 
PDF
Introduction to c++ ppt 1
byProf. Dr. K. Adisesha
 
PDF
Introduction to Parallel Computing
byAkhila Prabhakaran
 
PPTX
queue.pptx
byDr.Shweta
 
PPTX
Multithreading models.ppt
byLuis Goldster
 
PPTX
Critical Section Problem - Ramakrishna Reddy Bijjam
byRamakrishna Reddy Bijjam
 
PPTX
Deadlock ppt
bySweetestangel Kochar
 
Semophores and it's types
byNishant Joshi
 
Disk scheduling
byNEERAJ BAGHEL
 
Operating system 11 system calls
byVaibhav Khanna
 
Code Optimization
byAkhil Kaushik
 
Introduction to problem solving in C
byDiwakar Pratap Singh 'Deva'
 
CNIT 126 5: IDA Pro
bySam Bowne
 
CNIT 126 5: IDA Pro
bySam Bowne
 
Unit II - 2 - Operating System - Threads
bycscarcas
 
Process management os concept
bypriyadeosarkar91
 
Memory Management in OS
byKumar Pritam
 
Ch4 memory management
byBullz Musetsho
 
Os Threads
bySalman Memon
 
Graph coloring using backtracking
byshashidharPapishetty
 
Process Scheduling Algorithms | Interviews | Operating system
byShivam Mitra
 
Introduction to c++ ppt 1
byProf. Dr. K. Adisesha
 
Introduction to Parallel Computing
byAkhila Prabhakaran
 
queue.pptx
byDr.Shweta
 
Multithreading models.ppt
byLuis Goldster
 
Critical Section Problem - Ramakrishna Reddy Bijjam
byRamakrishna Reddy Bijjam
 
Deadlock ppt
bySweetestangel Kochar
 

Similar to Ch 5: Introduction to heap overflows

PDF
CNIT 127 Ch 5: Introduction to heap overflows
bySam Bowne
 
PDF
CNIT 127: Ch 8: Windows overflows (Part 2)
bySam Bowne
 
PPT
Third Generation Exploitation Black .ppt
byKarimAhmed722436
 
PPTX
A survey on Heap Exploitation
byAlireza Karimi
 
PDF
Heap Base Exploitation
byUTD Computer Security Group
 
PPT
exploiting heap overflows
byprimelude
 
PDF
Advanced Windows Exploitation
byUTD Computer Security Group
 
ODP
BufferOverflow - Offensive point of View
byToe Khaing
 
PDF
Heap overflows for humans – 101
byCraft Symbol
 
PPT
Heaps About Heaps - Brett Moore.ppt
bydamesmith
 
ODP
Debugging With Id
byguest215c4e
 
PDF
Low Level Exploits
byhughpearse
 
PDF
wctf LazyFragmentationHeap_slide.pdf
byLittleRavenQQQ
 
PPTX
How Safe is your Link ?
byPeter Hlavaty
 
PDF
Exploitation Crash Course
byUTD Computer Security Group
 
PPTX
Golf teamlearnerlecture
bykairistiona
 
PDF
Windows 10 Nt Heap Exploitation (English version)
byAngel Boy
 
PPTX
Control hijacking
byPrachi Gulihar
 
PDF
Advanced Arm Exploitation
byHimanshu Khokhar Jaat
 
PPT
Buffer Overflows
bySumit Kumar
 
CNIT 127 Ch 5: Introduction to heap overflows
bySam Bowne
 
CNIT 127: Ch 8: Windows overflows (Part 2)
bySam Bowne
 
Third Generation Exploitation Black .ppt
byKarimAhmed722436
 
A survey on Heap Exploitation
byAlireza Karimi
 
Heap Base Exploitation
byUTD Computer Security Group
 
exploiting heap overflows
byprimelude
 
Advanced Windows Exploitation
byUTD Computer Security Group
 
BufferOverflow - Offensive point of View
byToe Khaing
 
Heap overflows for humans – 101
byCraft Symbol
 
Heaps About Heaps - Brett Moore.ppt
bydamesmith
 
Debugging With Id
byguest215c4e
 
Low Level Exploits
byhughpearse
 
wctf LazyFragmentationHeap_slide.pdf
byLittleRavenQQQ
 
How Safe is your Link ?
byPeter Hlavaty
 
Exploitation Crash Course
byUTD Computer Security Group
 
Golf teamlearnerlecture
bykairistiona
 
Windows 10 Nt Heap Exploitation (English version)
byAngel Boy
 
Control hijacking
byPrachi Gulihar
 
Advanced Arm Exploitation
byHimanshu Khokhar Jaat
 
Buffer Overflows
bySumit Kumar
 

More from Sam Bowne

PDF
Introduction to the Class & CISSP Certification
bySam Bowne
 
PDF
Cyberwar
bySam Bowne
 
PDF
3: DNS vulnerabilities
bySam Bowne
 
PDF
8. Software Development Security
bySam Bowne
 
PDF
4 Mapping the Application
bySam Bowne
 
PDF
3. Attacking iOS Applications (Part 2)
bySam Bowne
 
PDF
12 Elliptic Curves
bySam Bowne
 
PDF
11. Diffie-Hellman
bySam Bowne
 
PDF
2a Analyzing iOS Apps Part 1
bySam Bowne
 
PDF
9 Writing Secure Android Applications
bySam Bowne
 
PDF
12 Investigating Windows Systems (Part 2 of 3)
bySam Bowne
 
PDF
10 RSA
bySam Bowne
 
PDF
12 Investigating Windows Systems (Part 1 of 3
bySam Bowne
 
PDF
9. Hard Problems
bySam Bowne
 
PDF
8 Android Implementation Issues (Part 1)
bySam Bowne
 
PDF
11 Analysis Methodology
bySam Bowne
 
PDF
8. Authenticated Encryption
bySam Bowne
 
PDF
7. Attacking Android Applications (Part 2)
bySam Bowne
 
PDF
7. Attacking Android Applications (Part 1)
bySam Bowne
 
PDF
5. Stream Ciphers
bySam Bowne
 
Introduction to the Class & CISSP Certification
bySam Bowne
 
Cyberwar
bySam Bowne
 
3: DNS vulnerabilities
bySam Bowne
 
8. Software Development Security
bySam Bowne
 
4 Mapping the Application
bySam Bowne
 
3. Attacking iOS Applications (Part 2)
bySam Bowne
 
12 Elliptic Curves
bySam Bowne
 
11. Diffie-Hellman
bySam Bowne
 
2a Analyzing iOS Apps Part 1
bySam Bowne
 
9 Writing Secure Android Applications
bySam Bowne
 
12 Investigating Windows Systems (Part 2 of 3)
bySam Bowne
 
10 RSA
bySam Bowne
 
12 Investigating Windows Systems (Part 1 of 3
bySam Bowne
 
9. Hard Problems
bySam Bowne
 
8 Android Implementation Issues (Part 1)
bySam Bowne
 
11 Analysis Methodology
bySam Bowne
 
8. Authenticated Encryption
bySam Bowne
 
7. Attacking Android Applications (Part 2)
bySam Bowne
 
7. Attacking Android Applications (Part 1)
bySam Bowne
 
5. Stream Ciphers
bySam Bowne
 

Recently uploaded

PDF
Multimodal and Multimedia AI - by Ms. Oceana Wong
byagenticroom
 
PDF
AI Workflows and Workflow Rhetoric - by Ms. Oceana Wong
byagenticroom
 
PPTX
Photography Pillar 1 The Subject PowerPoint
bymjb77ny
 
PDF
Past Memories and a New World: Photographs of Stoke Newington from the 70s, 8...
byHistory of Stoke Newington
 
PPTX
Chapter 3. Pharmaceutical Aids (pharmaceutics)
bySharibJamal
 
PPTX
Plant Breeding: Its History and Contribution
bySatyam Sharma
 
PDF
CXC-AD Associate Degree Handbook (Revised)
byCaribbean Examinations Council
 
PDF
Agentic AI and AI Agents 20251121.pdf - by Ms. Oceana Wong
byagenticroom
 
PPTX
Quarter 3 lesson 2 of English Grade 8.pptx
byMamGamino
 
PPTX
General Wellness & Restorative Tonic: Draksharishta
byDr. Paindla Jyothirmai
 
PPTX
DEPED MEMORANDUM 089, 2025 PMES guidelines pptx
byRoseBubuli
 
PDF
Deep Research and Analysis - by Ms. Oceana Wong
byagenticroom
 
PPTX
Prelims - History and Geography Quiz - Around the World in 80 Questions - IITK
byAditya Padhi
 
PPTX
kklklklklklklklk;lkpoipor[3rjdkjoe99759893058085
bypreetheshparmar
 
PPTX
ATTENTION - PART 1.pptx cognitive processes -For B.Sc I Sem By Mrs.Shilpa Hot...
bySHILPA HOTAKAR
 
PPTX
Anatomy of the eyeball An overviews.pptx
byMushahidRaza8
 
PPTX
G-Protein-Coupled Receptors (GPCRs): Structure, Mechanism, and Functions
byAnoja Kurian
 
PDF
“Step-by-Step Fabrication of Bipolar Junction Transistors (BJTs)”
byGS Virdi
 
PPTX
Elderly in India: The Changing Scenario.pptx
byMonika
 
PDF
LH_Lecture Note on Spices , AI And Importance in Human Life.pdf
bybisensharad
 
Multimodal and Multimedia AI - by Ms. Oceana Wong
byagenticroom
 
AI Workflows and Workflow Rhetoric - by Ms. Oceana Wong
byagenticroom
 
Photography Pillar 1 The Subject PowerPoint
bymjb77ny
 
Past Memories and a New World: Photographs of Stoke Newington from the 70s, 8...
byHistory of Stoke Newington
 
Chapter 3. Pharmaceutical Aids (pharmaceutics)
bySharibJamal
 
Plant Breeding: Its History and Contribution
bySatyam Sharma
 
CXC-AD Associate Degree Handbook (Revised)
byCaribbean Examinations Council
 
Agentic AI and AI Agents 20251121.pdf - by Ms. Oceana Wong
byagenticroom
 
Quarter 3 lesson 2 of English Grade 8.pptx
byMamGamino
 
General Wellness & Restorative Tonic: Draksharishta
byDr. Paindla Jyothirmai
 
DEPED MEMORANDUM 089, 2025 PMES guidelines pptx
byRoseBubuli
 
Deep Research and Analysis - by Ms. Oceana Wong
byagenticroom
 
Prelims - History and Geography Quiz - Around the World in 80 Questions - IITK
byAditya Padhi
 
kklklklklklklklk;lkpoipor[3rjdkjoe99759893058085
bypreetheshparmar
 
ATTENTION - PART 1.pptx cognitive processes -For B.Sc I Sem By Mrs.Shilpa Hot...
bySHILPA HOTAKAR
 
Anatomy of the eyeball An overviews.pptx
byMushahidRaza8
 
G-Protein-Coupled Receptors (GPCRs): Structure, Mechanism, and Functions
byAnoja Kurian
 
“Step-by-Step Fabrication of Bipolar Junction Transistors (BJTs)”
byGS Virdi
 
Elderly in India: The Changing Scenario.pptx
byMonika
 
LH_Lecture Note on Spices , AI And Importance in Human Life.pdf
bybisensharad
 
In this document
Powered by AI

Overview of CNIT 127 course and chapter focused on heap overflow exploitation.

Explanation of what a heap is in the context of memory management.

Description of memory usage in programs, including stacks, heaps, malloc(), and free().

Highlighting the differences between heap and stack memory management.

Breakdown of heap structure including chunk size, pointers, and data organization.

Introduction to a simple project example illustrating heap exploitation.

Continuation of the example, detailing steps and expectations for the project.

Instructions on how to view the heap memory using the gdb debugger.

Discussion on how heap memory can lead to program crashes and potential exploit scenarios.

Utilizing gdb to analyze application crashes related to heap overflows.

Concentration on specific targets within heap memory to carry out exploits.

Challenges and problems associated with heap memory management.

Explains difficulty in controlling EIP values unlike stack, and how heap addresses play a role.

Details on how free() interacts with pointers and the importance of controlling overflow.

Various RAM targeting strategies including return addresses and library functions.

Further details on target options in RAM including exception handlers and function pointers.

Ch 5: Introduction to heap overflows

  • 1.
    CNIT 127: ExploitDevelopment 
 
 Ch 5: Introduction to Heap Overflows Updated 2-22-22
  • 2.
    What is aHeap?
  • 3.
    Memory Map • Ingdb, the "info proc map" command shows how memory is used • Programs have a stack, one or more heaps, and other segments • malloc() allocates space on the heap • free() frees the space
  • 4.
  • 5.
    Heap Structure Size ofprevious chunk Size of this chunk Pointer to next chunk Pointer to previous chunk Data Size of previous chunk Size of this chunk Pointer to next chunk Pointer to previous chunk Data Size of previous chunk Size of this chunk Pointer to next chunk Pointer to previous chunk Data
  • 6.
    A Simple Example(Proj ED 205)
  • 7.
  • 8.
  • 9.
  • 10.
  • 11.
  • 12.
  • 13.
    EIP is Hardto Control • The Stack contains stored EIP values • The Heap usually does not • However, it has addresses that are used for writes – To fill in heap data – To rearrange chunks when free() is called
  • 14.
    Action of Free() •Must write to the forward and reverse pointers • If we can overflow a chunk, we can control those writes • Write to arbitrary RAM – Image from mathyvanhoef.com, link Ch 5b
  • 15.
    Target RAM Options •Saved return address on the Stack – Like the Buffer Overflows we did previously • Global Offset Table – Used to find shared library functions • Destructors table (DTORS) – Called when a program exits • C Library Hooks
  • 16.
    Target RAM Options •"atexit" structure (link Ch 4n) • Any function pointer • In Windows, the default unhandled exception handler is easy to find and exploit