Sam Bowne, profile picture
Uploaded bySam Bowne
PDF, PPTX1,998 views

CNIT 127 Ch 5: Introduction to heap overflows

This document provides an introduction to heap overflows and their role in exploit development, detailing the structure of heaps and how memory is managed. It discusses various methods for controlling memory writes through heap manipulation and outlines potential targets for exploitation. Additionally, it includes project walkthroughs that illustrate practical applications of heap overflow techniques.

Embed presentation

Download as PDF, PPTX
CNIT 127: Exploit Development
 
 Ch 5: Introduction to Heap Overflows Updated 2-14-17
What is a Heap?
Memory Map • In gdb, the "info proc map" command shows how memory is used • Programs have a stack, one or more heaps, and other segments • malloc() allocates space on the heap • free() frees the space
Heap and Stack
Heap Structure Size of previous chunk Size of this chunk Pointer to next chunk Pointer to previous chunk Data Size of previous chunk Size of this chunk Pointer to next chunk Pointer to previous chunk Data Size of previous chunk Size of this chunk Pointer to next chunk Pointer to previous chunk Data
A Simple Example
A Simple Example
Viewing the Heap in gdb
Exploit and Crash
Crash in gdb
Targeted Exploit
The Problem With the Heap
EIP is Hard to Control • The Stack contains stored EIP values • The Heap usually does not • However, it has addresses that are used for writes – To fill in heap data – To rearrange chunks when free() is called
Action of Free() • Must write to the forward and reverse pointers • If we can overflow a chunk, we can control those writes • Write to arbitrary RAM – Image from mathyvanhoef.com, link Ch 5b
Target RAM Options • Saved return address on the Stack – Like the Buffer Overflows we did previously • Global Offset Table – Used to find shared library functions • Destructors table (DTORS) – Called when a program exits • C Library Hooks
Target RAM Options • "atexit" structure (link Ch 4n) • Any function pointer • In Windows, the default unhandled exception handler is easy to find and exploit
Project Walkthroughs • Proj 8 – Exploiting a write to a heap value • Proj 8x – Taking over a remote server • Proj 5x – Buffer overflow with a canary

More Related Content

PDF
Ch 5: Introduction to heap overflows
bySam Bowne
 
PDF
CNIT 127: 8: Windows overflows (Part 2)
bySam Bowne
 
PDF
CNIT 127 Ch 4: Introduction to format string bugs
bySam Bowne
 
PPTX
Object oriented programming
bybaabtra.com - No. 1 supplier of quality freshers
 
PPTX
Threads .ppt
bymeet darji
 
PDF
Trace Scheduling
byMin-Yih Hsu
 
PPT
Ch02
byJoe Christensen
 
PPTX
Error managing and exception handling in java
byAndhra University
 
Ch 5: Introduction to heap overflows
bySam Bowne
 
CNIT 127: 8: Windows overflows (Part 2)
bySam Bowne
 
CNIT 127 Ch 4: Introduction to format string bugs
bySam Bowne
 
Object oriented programming
bybaabtra.com - No. 1 supplier of quality freshers
 
Threads .ppt
bymeet darji
 
Trace Scheduling
byMin-Yih Hsu
 
Ch02
byJoe Christensen
 
Error managing and exception handling in java
byAndhra University
 

What's hot

PPTX
Dot net assembly
byDr.Neeraj Kumar Pandey
 
PPT
Introduction and history of linux
bySHUBHA CHATURVEDI
 
PPT
Ooad ch 3
byanujabeatrice2
 
PPT
Message passing interface
byMd. Mahedi Mahfuj
 
PPTX
Constructors & destructors
byForwardBlog Enewzletter
 
PPT
Stream ciphers presentation
bydegarden
 
PPT
Unix File System
bystudent(MCA)
 
PPTX
DLL(dynamic link library)
bypooja_doshi
 
PPTX
Functions in php
byKamal Acharya
 
PPTX
C# Framework class library
byPrem Kumar Badri
 
PPTX
COM1407: Input/ Output Functions
byHemantha Kulathilake
 
PPTX
Java applets
byPihu Goel
 
PPT
Unit 2 python
bypraveena p
 
PPTX
Parallel Distributed Systems and Heterogeneity.pptx
byTayyabHussain032
 
PDF
Remote Procedure Call (RPC) Server creation semantics & call semantics
bysvm
 
PPT
Conventional Encryption NS2
bykoolkampus
 
PPT
Graphics programming in Java
byTushar B Kute
 
PDF
Resource Management for Computer Operating Systems
byinside-BigData.com
 
PPTX
Lesson 2 php data types
byMLG College of Learning, Inc
 
PPTX
Data concepts
bySachidananda M H
 
Dot net assembly
byDr.Neeraj Kumar Pandey
 
Introduction and history of linux
bySHUBHA CHATURVEDI
 
Ooad ch 3
byanujabeatrice2
 
Message passing interface
byMd. Mahedi Mahfuj
 
Constructors & destructors
byForwardBlog Enewzletter
 
Stream ciphers presentation
bydegarden
 
Unix File System
bystudent(MCA)
 
DLL(dynamic link library)
bypooja_doshi
 
Functions in php
byKamal Acharya
 
C# Framework class library
byPrem Kumar Badri
 
COM1407: Input/ Output Functions
byHemantha Kulathilake
 
Java applets
byPihu Goel
 
Unit 2 python
bypraveena p
 
Parallel Distributed Systems and Heterogeneity.pptx
byTayyabHussain032
 
Remote Procedure Call (RPC) Server creation semantics & call semantics
bysvm
 
Conventional Encryption NS2
bykoolkampus
 
Graphics programming in Java
byTushar B Kute
 
Resource Management for Computer Operating Systems
byinside-BigData.com
 
Lesson 2 php data types
byMLG College of Learning, Inc
 
Data concepts
bySachidananda M H
 

Viewers also liked

PDF
CNIT 127 Ch Ch 1: Before you Begin
bySam Bowne
 
PDF
CNIT 127 Lecture 7: Intro to 64-Bit Assembler (not in book)
bySam Bowne
 
PDF
CNIT 129S: Ch 3: Web Application Technologies
bySam Bowne
 
PDF
CNIT 129S: Ch 5: Bypassing Client-Side Controls
bySam Bowne
 
PDF
CNIT 121: 11 Analysis Methodology
bySam Bowne
 
PDF
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)
bySam Bowne
 
PDF
CNIT 129S: 9: Attacking Data Stores (Part 1 of 2)
bySam Bowne
 
PDF
CNIT 129S: Ch 6: Attacking Authentication
bySam Bowne
 
PDF
CNIT 121: 12 Investigating Windows Systems (Part 3)
bySam Bowne
 
PDF
CNIT 40: 6: DNSSEC and beyond
bySam Bowne
 
PDF
CNIT 129S: 8: Attacking Access Controls
bySam Bowne
 
PDF
CNIT 129S: Securing Web Applications Ch 1-2
bySam Bowne
 
PDF
CNIT 121: 2 IR Management Handbook
bySam Bowne
 
PDF
CNIT 129S: Ch 4: Mapping the Application
bySam Bowne
 
PDF
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
bySam Bowne
 
PDF
CNIT 121: Computer Forensics Ch 1
bySam Bowne
 
PDF
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data Collection
bySam Bowne
 
PDF
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
bySam Bowne
 
PDF
CNIT 121: 3 Pre-Incident Preparation
bySam Bowne
 
PDF
CNIT 40: 3: DNS vulnerabilities
bySam Bowne
 
CNIT 127 Ch Ch 1: Before you Begin
bySam Bowne
 
CNIT 127 Lecture 7: Intro to 64-Bit Assembler (not in book)
bySam Bowne
 
CNIT 129S: Ch 3: Web Application Technologies
bySam Bowne
 
CNIT 129S: Ch 5: Bypassing Client-Side Controls
bySam Bowne
 
CNIT 121: 11 Analysis Methodology
bySam Bowne
 
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)
bySam Bowne
 
CNIT 129S: 9: Attacking Data Stores (Part 1 of 2)
bySam Bowne
 
CNIT 129S: Ch 6: Attacking Authentication
bySam Bowne
 
CNIT 121: 12 Investigating Windows Systems (Part 3)
bySam Bowne
 
CNIT 40: 6: DNSSEC and beyond
bySam Bowne
 
CNIT 129S: 8: Attacking Access Controls
bySam Bowne
 
CNIT 129S: Securing Web Applications Ch 1-2
bySam Bowne
 
CNIT 121: 2 IR Management Handbook
bySam Bowne
 
CNIT 129S: Ch 4: Mapping the Application
bySam Bowne
 
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
bySam Bowne
 
CNIT 121: Computer Forensics Ch 1
bySam Bowne
 
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data Collection
bySam Bowne
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
bySam Bowne
 
CNIT 121: 3 Pre-Incident Preparation
bySam Bowne
 
CNIT 40: 3: DNS vulnerabilities
bySam Bowne
 

Similar to CNIT 127 Ch 5: Introduction to heap overflows

PDF
CNIT 127 Ch 5: Introduction to heap overflows
bySam Bowne
 
PDF
CNIT 127: Ch 8: Windows overflows (Part 2)
bySam Bowne
 
PPT
Third Generation Exploitation Black .ppt
byKarimAhmed722436
 
PDF
Advanced Windows Exploitation
byUTD Computer Security Group
 
PDF
Heap Base Exploitation
byUTD Computer Security Group
 
PPTX
A survey on Heap Exploitation
byAlireza Karimi
 
ODP
BufferOverflow - Offensive point of View
byToe Khaing
 
PPT
Heaps About Heaps - Brett Moore.ppt
bydamesmith
 
ODP
Debugging With Id
byguest215c4e
 
PPT
exploiting heap overflows
byprimelude
 
PDF
Heap overflows for humans – 101
byCraft Symbol
 
PPTX
Buffer overflow
byEvgeni Tsonev
 
PPTX
Exploring billion states of a program like a pro. How to cook your own fast a...
byMaksim Shudrak
 
PPTX
Изучаем миллиард состояний программы на уровне профи. Как разработать быстрый...
byPositive Hack Days
 
PPTX
Buffer overflow attack
byKrish
 
PDF
Low Level Exploits
byhughpearse
 
PPTX
Golf teamlearnerlecture
bykairistiona
 
PPSX
Ids 008 buffer overflow
byjyoti_lakhani
 
PDF
Advanced Arm Exploitation
byHimanshu Khokhar Jaat
 
PPTX
Control hijacking
byPrachi Gulihar
 
CNIT 127 Ch 5: Introduction to heap overflows
bySam Bowne
 
CNIT 127: Ch 8: Windows overflows (Part 2)
bySam Bowne
 
Third Generation Exploitation Black .ppt
byKarimAhmed722436
 
Advanced Windows Exploitation
byUTD Computer Security Group
 
Heap Base Exploitation
byUTD Computer Security Group
 
A survey on Heap Exploitation
byAlireza Karimi
 
BufferOverflow - Offensive point of View
byToe Khaing
 
Heaps About Heaps - Brett Moore.ppt
bydamesmith
 
Debugging With Id
byguest215c4e
 
exploiting heap overflows
byprimelude
 
Heap overflows for humans – 101
byCraft Symbol
 
Buffer overflow
byEvgeni Tsonev
 
Exploring billion states of a program like a pro. How to cook your own fast a...
byMaksim Shudrak
 
Изучаем миллиард состояний программы на уровне профи. Как разработать быстрый...
byPositive Hack Days
 
Buffer overflow attack
byKrish
 
Low Level Exploits
byhughpearse
 
Golf teamlearnerlecture
bykairistiona
 
Ids 008 buffer overflow
byjyoti_lakhani
 
Advanced Arm Exploitation
byHimanshu Khokhar Jaat
 
Control hijacking
byPrachi Gulihar
 

More from Sam Bowne

PDF
Introduction to the Class & CISSP Certification
bySam Bowne
 
PDF
Cyberwar
bySam Bowne
 
PDF
3: DNS vulnerabilities
bySam Bowne
 
PDF
8. Software Development Security
bySam Bowne
 
PDF
4 Mapping the Application
bySam Bowne
 
PDF
3. Attacking iOS Applications (Part 2)
bySam Bowne
 
PDF
12 Elliptic Curves
bySam Bowne
 
PDF
11. Diffie-Hellman
bySam Bowne
 
PDF
2a Analyzing iOS Apps Part 1
bySam Bowne
 
PDF
9 Writing Secure Android Applications
bySam Bowne
 
PDF
12 Investigating Windows Systems (Part 2 of 3)
bySam Bowne
 
PDF
10 RSA
bySam Bowne
 
PDF
12 Investigating Windows Systems (Part 1 of 3
bySam Bowne
 
PDF
9. Hard Problems
bySam Bowne
 
PDF
8 Android Implementation Issues (Part 1)
bySam Bowne
 
PDF
11 Analysis Methodology
bySam Bowne
 
PDF
8. Authenticated Encryption
bySam Bowne
 
PDF
7. Attacking Android Applications (Part 2)
bySam Bowne
 
PDF
7. Attacking Android Applications (Part 1)
bySam Bowne
 
PDF
5. Stream Ciphers
bySam Bowne
 
Introduction to the Class & CISSP Certification
bySam Bowne
 
Cyberwar
bySam Bowne
 
3: DNS vulnerabilities
bySam Bowne
 
8. Software Development Security
bySam Bowne
 
4 Mapping the Application
bySam Bowne
 
3. Attacking iOS Applications (Part 2)
bySam Bowne
 
12 Elliptic Curves
bySam Bowne
 
11. Diffie-Hellman
bySam Bowne
 
2a Analyzing iOS Apps Part 1
bySam Bowne
 
9 Writing Secure Android Applications
bySam Bowne
 
12 Investigating Windows Systems (Part 2 of 3)
bySam Bowne
 
10 RSA
bySam Bowne
 
12 Investigating Windows Systems (Part 1 of 3
bySam Bowne
 
9. Hard Problems
bySam Bowne
 
8 Android Implementation Issues (Part 1)
bySam Bowne
 
11 Analysis Methodology
bySam Bowne
 
8. Authenticated Encryption
bySam Bowne
 
7. Attacking Android Applications (Part 2)
bySam Bowne
 
7. Attacking Android Applications (Part 1)
bySam Bowne
 
5. Stream Ciphers
bySam Bowne
 

Recently uploaded

PPTX
Basics in Phytochemistry, Extraction, Isolation methods, Characterisation etc.
byD. Y. Patil College of Pharmacy, Kolhapur.
 
PPTX
Accounting Skills Paper-II (Registers of PACs and Credit Co-operative Societies)
byDr. Sushil Bansode
 
PPTX
4 G8_Q3_L4 (Evaluating opinion editorials for textual evidence and quality).pptx
byNorafeSahagun
 
PDF
1ST APPLICATION FOR ANNULMENT (4)8787666.pdf
bykonstantinantountoum1
 
PPTX
Semester 6 Unit 2 Club foot (talipes).pptx
bysachin7989
 
PDF
Analyzing the data of your initial survey
byThelma Villaflores
 
PDF
IMANI Africa files RTI request seeking full disclosure on 2026 SIM registrati...
bynservice241
 
PDF
Scalable-MADDPG-Based Cooperative Target Invasion for a Multi-USV System.pdf
byMan_Ebook
 
PPTX
PURPOSIVE SAMPLING IN EDUCATIONAL RESEARCH RACHITHRA RK.pptx
byssuser047b711
 
PPTX
Access partner report in Odoo 18.2 _ Odoo 19
byCeline George
 
PPTX
REVISED DEFENSE MECHANISM / ADJUSTMENT MECHANISM-FINAL
byShimla
 
PDF
Unit-III pdf (Basic listening Skill, Effective Writing Communication & Writin...
bySayyadTarannum
 
PPTX
PARENTAL ROUTES OF DRUGS ADMINISTRATION .pptx
byAneetaSharma15
 
PPTX
Searching in PubMed andCochrane_Practical Presentation.pptx
bySystematic Reviews Network (SRN)
 
PDF
Toward Massive, Ultrareliable, and Low-Latency Wireless Communication With Sh...
byMan_Ebook
 
PPTX
3 G8_Q3_L3_ (Cartoon as Representation in Opinion Editorial Article).pptx
byNorafeSahagun
 
PDF
Blood Group Incompatibility: Rh Factor and Erythroblastosis Fetalis
bySudhandraKarthi
 
PPTX
How to use search_read method in Odoo 18
byCeline George
 
PPTX
Pig- piggy bank in Big Data Analytics.ppt.pptx
byVarshini M
 
PDF
The Tale of Melon City poem ppt by Sahasra
bybitrasahasra
 
Basics in Phytochemistry, Extraction, Isolation methods, Characterisation etc.
byD. Y. Patil College of Pharmacy, Kolhapur.
 
Accounting Skills Paper-II (Registers of PACs and Credit Co-operative Societies)
byDr. Sushil Bansode
 
4 G8_Q3_L4 (Evaluating opinion editorials for textual evidence and quality).pptx
byNorafeSahagun
 
1ST APPLICATION FOR ANNULMENT (4)8787666.pdf
bykonstantinantountoum1
 
Semester 6 Unit 2 Club foot (talipes).pptx
bysachin7989
 
Analyzing the data of your initial survey
byThelma Villaflores
 
IMANI Africa files RTI request seeking full disclosure on 2026 SIM registrati...
bynservice241
 
Scalable-MADDPG-Based Cooperative Target Invasion for a Multi-USV System.pdf
byMan_Ebook
 
PURPOSIVE SAMPLING IN EDUCATIONAL RESEARCH RACHITHRA RK.pptx
byssuser047b711
 
Access partner report in Odoo 18.2 _ Odoo 19
byCeline George
 
REVISED DEFENSE MECHANISM / ADJUSTMENT MECHANISM-FINAL
byShimla
 
Unit-III pdf (Basic listening Skill, Effective Writing Communication & Writin...
bySayyadTarannum
 
PARENTAL ROUTES OF DRUGS ADMINISTRATION .pptx
byAneetaSharma15
 
Searching in PubMed andCochrane_Practical Presentation.pptx
bySystematic Reviews Network (SRN)
 
Toward Massive, Ultrareliable, and Low-Latency Wireless Communication With Sh...
byMan_Ebook
 
3 G8_Q3_L3_ (Cartoon as Representation in Opinion Editorial Article).pptx
byNorafeSahagun
 
Blood Group Incompatibility: Rh Factor and Erythroblastosis Fetalis
bySudhandraKarthi
 
How to use search_read method in Odoo 18
byCeline George
 
Pig- piggy bank in Big Data Analytics.ppt.pptx
byVarshini M
 
The Tale of Melon City poem ppt by Sahasra
bybitrasahasra
 
In this document
Powered by AI

Overview of heap overflows as part of exploit development, specifically Chapter 5.

Definition of heap, memory mapping, and relationship between heap and stack in program memory.

Detailed structure of the heap showing size and pointers for memory chunks.

Practical examples of heap usage and how to view the heap using gdb.

Discussion on the relationship between heap crashes and exploits, outlining common vulnerabilities.

Challenges in controlling the Execution Instruction Pointer (EIP) on heap and how to exploit it.

Various targeting methods for RAM through heap overflows, including return addresses and function pointers.

Overview of projects illustrating practical applications of heap exploitation techniques.

CNIT 127 Ch 5: Introduction to heap overflows

  • 1.
    CNIT 127: ExploitDevelopment
 
 Ch 5: Introduction to Heap Overflows Updated 2-14-17
  • 2.
    What is aHeap?
  • 3.
    Memory Map • Ingdb, the "info proc map" command shows how memory is used • Programs have a stack, one or more heaps, and other segments • malloc() allocates space on the heap • free() frees the space
  • 4.
  • 5.
    Heap Structure Size ofprevious chunk Size of this chunk Pointer to next chunk Pointer to previous chunk Data Size of previous chunk Size of this chunk Pointer to next chunk Pointer to previous chunk Data Size of previous chunk Size of this chunk Pointer to next chunk Pointer to previous chunk Data
  • 6.
  • 7.
  • 8.
  • 9.
  • 10.
  • 11.
  • 12.
  • 13.
    EIP is Hardto Control • The Stack contains stored EIP values • The Heap usually does not • However, it has addresses that are used for writes – To fill in heap data – To rearrange chunks when free() is called
  • 14.
    Action of Free() •Must write to the forward and reverse pointers • If we can overflow a chunk, we can control those writes • Write to arbitrary RAM – Image from mathyvanhoef.com, link Ch 5b
  • 15.
    Target RAM Options •Saved return address on the Stack – Like the Buffer Overflows we did previously • Global Offset Table – Used to find shared library functions • Destructors table (DTORS) – Called when a program exits • C Library Hooks
  • 16.
    Target RAM Options •"atexit" structure (link Ch 4n) • Any function pointer • In Windows, the default unhandled exception handler is easy to find and exploit
  • 17.
    Project Walkthroughs • Proj8 – Exploiting a write to a heap value • Proj 8x – Taking over a remote server • Proj 5x – Buffer overflow with a canary