This document discusses Windows 2003 heap exploitation techniques. It begins with an overview of heaps and the Windows 2003 heap structure. It then covers the heap management structure, free lists, lookaside lists, and techniques for manipulating various heap structures like the free list bitmap and size field to enable overwriting arbitrary memory locations. Key points covered include safe unlinking, cookie checks, and how overwriting links in free lists or lookaside lists can lead to memory corruption.
The document discusses the benefits of meditation for reducing stress and anxiety. Regular meditation practice can calm the mind and body by lowering heart rate and blood pressure. Meditation may also have psychological benefits like improving mood and reducing negative thoughts.
Benjamin Bouckenooghe ingénieur support senior se propose afin de traverser en 1h IPV6, son implémentation, les bonnes pratiques et un tour sur les retours support autour d'IPV6.
SAP SD LSMW -Legacy System Migration Workbencharun_bala1
The document discusses the benefits of exercise for mental health. Regular physical activity can help reduce anxiety and depression and improve mood and cognitive functioning. Exercise causes chemical changes in the brain that may help protect against mental illness and improve symptoms.
Massey ferguson mf 283 tractor service parts catalogue manual (part number 3...kfdjkskdmm
This document provides a parts list and exploded diagram for the Massey Ferguson MF 283 tractor, with part numbers and descriptions for various systems including the cylinder block, crankshaft, cylinder head, rocker arm, timing gear, and lubricating oil system. It includes 49 line items with information such as part numbers, quantities, descriptions, and notes. The parts list is broken into sections for different systems and includes diagrams showing the assembly of components.
This document provides steps to setup a Cisco WSA 9.2 appliance from the factory default configuration including: configuring interfaces, downloading the OS, setting the default username/password, installing a license, setting the clock, and completing the initial GUI setup. The WSA has 5 interfaces - M1 for management, P1/P2 for traffic, and T1/T2 for traffic monitoring. The initial setup covers configuring the M1 interface, loading a license file, setting the date/time, and navigating the GUI configuration wizard.
Allstate is the largest personal insurer in the US, founded in 1931 with $35.2 billion in revenue. It offers auto, home, and life insurance through over 12,000 agencies across the US. Allstate's target market includes older adults aged 30-60, affluent individuals, and homeowners. It has a large social media presence with over 454,000 Facebook likes and 68,000 Twitter followers. Allstate's online marketing strategy focuses on SEO, developing new apps and software, and measuring success through metrics like cost per click.
The document describes the IMS session flow between an originating and terminating user in an IP Multimedia Subsystem network. It involves signaling messages being passed between the user equipment and P-CSCF in the visited network, and the home network nodes of I-CSCF, S-CSCF and AS, to setup and terminate a call or session. The process includes invite, response, acknowledgement and release messaging at each stage to establish and end media connectivity between the users.
The document discusses the benefits of meditation for reducing stress and anxiety. Regular meditation practice can calm the mind and body by lowering heart rate and blood pressure. Meditation may also have psychological benefits like improving mood and reducing negative thoughts.
Benjamin Bouckenooghe ingénieur support senior se propose afin de traverser en 1h IPV6, son implémentation, les bonnes pratiques et un tour sur les retours support autour d'IPV6.
SAP SD LSMW -Legacy System Migration Workbencharun_bala1
The document discusses the benefits of exercise for mental health. Regular physical activity can help reduce anxiety and depression and improve mood and cognitive functioning. Exercise causes chemical changes in the brain that may help protect against mental illness and improve symptoms.
Massey ferguson mf 283 tractor service parts catalogue manual (part number 3...kfdjkskdmm
This document provides a parts list and exploded diagram for the Massey Ferguson MF 283 tractor, with part numbers and descriptions for various systems including the cylinder block, crankshaft, cylinder head, rocker arm, timing gear, and lubricating oil system. It includes 49 line items with information such as part numbers, quantities, descriptions, and notes. The parts list is broken into sections for different systems and includes diagrams showing the assembly of components.
This document provides steps to setup a Cisco WSA 9.2 appliance from the factory default configuration including: configuring interfaces, downloading the OS, setting the default username/password, installing a license, setting the clock, and completing the initial GUI setup. The WSA has 5 interfaces - M1 for management, P1/P2 for traffic, and T1/T2 for traffic monitoring. The initial setup covers configuring the M1 interface, loading a license file, setting the date/time, and navigating the GUI configuration wizard.
Allstate is the largest personal insurer in the US, founded in 1931 with $35.2 billion in revenue. It offers auto, home, and life insurance through over 12,000 agencies across the US. Allstate's target market includes older adults aged 30-60, affluent individuals, and homeowners. It has a large social media presence with over 454,000 Facebook likes and 68,000 Twitter followers. Allstate's online marketing strategy focuses on SEO, developing new apps and software, and measuring success through metrics like cost per click.
The document describes the IMS session flow between an originating and terminating user in an IP Multimedia Subsystem network. It involves signaling messages being passed between the user equipment and P-CSCF in the visited network, and the home network nodes of I-CSCF, S-CSCF and AS, to setup and terminate a call or session. The process includes invite, response, acknowledgement and release messaging at each stage to establish and end media connectivity between the users.
1. The document describes the configuration steps for a lab exercise involving BGP routing. It includes tasks to configure IP addresses, IBGP, HSRP, servers, and BGP routing on multiple routers as shown in the given topology diagram.
2. Key steps are to configure IBGP between routers R1-R4, HSRP between R5-R6, servers on R6, and BGP routing between all routers as specified in the tasks and topology, including IBGP, EBGP, route reflectors, and BGP confederations.
3. The goal is to verify connectivity between loopbacks and servers across the different BGP and IBGP domains as configured.
Jcb js220 tracked excavator service repair manual sn from 2451101 onwardsfjskekqwefsmemm
This service manual provides instructions for servicing and repairing excavators models JS200, JS210, JS220, and JS235. It contains sections on the machine components, including the engine, fuel and exhaust systems, cooling system, driveline, hydraulic system, electrical system, and other components. Safety precautions are provided, and technicians are instructed to fully understand the manual before working on the machine.
This document discusses implementing Ethernet virtual LANs (VLANs) across multiple switches. Section 1 covers how a single VLAN can span multiple switches using VLAN trunking. Section 2 discusses configuring VLANs and VLAN trunks, and routing frames between VLANs. Section 3 addresses potential issues that may arise with VLAN implementations.
The document discusses the Cisco Nexus 7000 series modular datacenter switches. It provides details on:
1) The Nexus product line including the Nexus 1000v, 2000, 3000, 4000, 5000, and 7000 series switches.
2) Key features of the Nexus 7000 including scalable switching capacity beyond 15 terabits per second, unified fabric, and high availability.
3) The principles behind the Nexus 7000's design which focus on infrastructure scalability, operational continuity, and transport flexibility.
This document provides an introduction to IPv6, including an overview of its key features and differences from IPv4. It discusses how IPv6 was developed to address the exhaustion of IPv4 address space and larger routing tables. The summary highlights that IPv6 features a 128-bit address space, stateless and stateful address configuration, built-in security through mandatory IPsec, and more efficient packet routing. Transitioning to IPv6 aims to future-proof internet protocols as network usage grows exponentially.
We introduce the fundamentals of dynamic memory allocation and highlight several exploitable properties. These ideas are put into practice in a set of heap overflow challenges from exploit-exercise.com's Protostar VM. We walk through the first three. Other uses of heap space such as heap spraying are mentioned.
WinDbg is a low-level debugger for Windows that provides features like usermode debugging, kernel debugging, post-mortem debugging, and support for debugging extensions. It can be used to debug crashes, analyze memory leaks, find deadlocks, and investigate other issues when the higher-level Visual Studio debugger is not sufficient. The document provides examples of using WinDbg commands and extensions like SOS to debug memory leaks, analyze crashes based on offset or dump files, and investigate .NET deadlocks.
The document summarizes how to exploit a heap-based buffer overflow vulnerability in the Protostar Heap 3 challenge. It describes using the Doug Lea malloc implementation, modifying chunk size metadata to change program execution, overwriting pointers to hijack control flow, and crafting 12-byte shellcode to jump to a "winner()" function and complete the exploit.
Faster transactions & analytics with the new SQL2016 In-memory technologiesHenk van der Valk
This document contains information about in-memory technologies in Microsoft SQL Server including:
- In-memory OLTP which provides low-latency updates using memory-optimized tables and natively compiled stored procedures.
- Columnstore indexes which provide high data compression and fast analytical queries by storing data in columns.
- Resource governor which allows binding databases to resource pools to control CPU and memory usage.
- Various server hardware configurations recommended for in-memory workloads.
Chapter 8 1 Digital Design and Computer Architecture, 2n.docxchristinemaritza
Chapter 8 <1>
Digital Design and Computer Architecture, 2nd Edition
Chapter 8
David Money Harris and Sarah L. Harris
Chapter 8 <2>
Chapter 8 :: Topics
• Introduction
• Memory System Performance
Analysis
• Caches
• Virtual Memory
• Memory-Mapped I/O
• Summary
Chapter 8 <3>
Processor Memory
Address
MemWrite
WriteData
ReadData
WE
CLKCLK
• Computer performance depends on:
– Processor performance
– Memory system performance
Memory Interface
Introduction
Chapter 8 <4>
In prior chapters, assumed access memory in 1 clock
cycle – but hasn’t been true since the 1980’s
Processor-Memory Gap
Chapter 8 <5>
• Make memory system appear as fast as
processor
• Use hierarchy of memories
• Ideal memory:
– Fast
– Cheap (inexpensive)
– Large (capacity)
But can only choose two!
Memory System Challenge
Chapter 8 <6>
Memory Hierarchy
Technology Price / GB
Access
Time (ns)
Bandwidth
(GB/s)
Cache
Main Memory
Virtual Memory
Capacity
S
p
e
e
d
SRAM $10,000 1
DRAM $10 10 - 50
SSD $1 100,000
25+
10
0.5
0.1HDD $0.1 10,000,000
Chapter 8 <7>
Exploit locality to make memory accesses fast
• Temporal Locality:
– Locality in time
– If data used recently, likely to use it again soon
– How to exploit: keep recently accessed data in higher
levels of memory hierarchy
• Spatial Locality:
– Locality in space
– If data used recently, likely to use nearby data soon
– How to exploit: when access data, bring nearby data
into higher levels of memory hierarchy too
Locality
Chapter 8 <8>
• Hit: data found in that level of memory hierarchy
• Miss: data not found (must go to next level)
Hit Rate = # hits / # memory accesses
= 1 – Miss Rate
Miss Rate = # misses / # memory accesses
= 1 – Hit Rate
• Average memory access time (AMAT): average time
for processor to access data
AMAT = tcache + MRcache[tMM + MRMM(tVM)]
Memory Performance
Chapter 8 <9>
• A program has 2,000 loads and stores
• 1,250 of these data values in cache
• Rest supplied by other levels of memory
hierarchy
• What are the hit and miss rates for the cache?
Memory Performance Example 1
Chapter 8 <10>
• A program has 2,000 loads and stores
• 1,250 of these data values in cache
• Rest supplied by other levels of memory
hierarchy
• What are the hit and miss rates for the cache?
Hit Rate = 1250/2000 = 0.625
Miss Rate = 750/2000 = 0.375 = 1 – Hit Rate
Memory Performance Example 1
Chapter 8 <11>
• Suppose processor has 2 levels of hierarchy:
cache and main memory
• tcache = 1 cycle, tMM = 100 cycles
• What is the AMAT of the program from
Example 1?
Memory Performance Example 2
Chapter 8 <12>
• Suppose processor has 2 levels of hierarchy:
cache and main memory
• tcache = 1 cycle, tMM = 100 cycles
• What is the AMAT of the program from
Example 1?
AMAT = tcache + MRcache(tMM)
= [1 + 0.375(100)] cycles
= 38.5 cycles
Memory Performance Example 2
Chapter 8 <13>
• Amdahl’s Law: the
effort spent incr ...
The document discusses the Windows kernel pool and how it can be exploited. It provides an overview of the kernel pool structures like pool descriptors and lookaside lists. It describes the allocation and freeing algorithms, including splitting and merging of chunks. It then gives an example of exploiting a kernel pool overflow bug, MS08-001, by overwriting structures in the pool to achieve code execution.
This document provides an overview of physical memory analysis techniques. It begins with prerequisites and an agenda, then covers topics like dump generation, memory spaces, common commands, and analysis patterns. Memory analysis can be challenging due to the vast memory space and multiple processes. A pattern-driven approach is recommended to methodically identify and resolve problems. Common patterns include blocked threads, wait chains, resource consumption, and corruption signs. Examples are provided to illustrate specific patterns.
MySQL 8 -- A new beginning : Sunshine PHP/PHP UK (updated)Dave Stokes
MySQL 8 has many new features and this presentation covers the new data dictionary, improved JSON functions, roles, histograms, and much more. Updated after SunshinePHP 2018 after feedback
This document summarizes several myths about database redo, undo, commit, and rollback operations. It presents test cases and analysis to debunk the myths. The author is an experienced Oracle DBA who specializes in performance tuning and internals. Sample redo records are displayed and analyzed to explain how operations like rollback do generate redo. The document aims to clarify misunderstandings about the internal workings of Oracle's transaction and redo logging.
MySQL 8.0 New Features -- September 27th presentation for Open Source SummitDave Stokes
MySQL 8.0 has many new features that you probably need to know about but don't. Like default security, window functions, CTEs, CATS (not what you think), JSON_TABLE(), and UTF8MB4 support.
The document discusses buffer cache waits in Oracle. It describes how Oracle uses a hash table to quickly locate blocks in the buffer cache by file number and block number. It discusses how latches protect the hash buckets and linked lists that maintain the blocks in each bucket. The document also covers consistent read blocks, how they can cause contention, and how to identify hot blocks and SQL causing buffer cache chain latch waits.
The document discusses best practices for using Oracle Database In-Memory. It provides an overview of In-Memory and describes how to configure and populate the In-Memory Column Store. It also discusses how the optimizer utilizes In-Memory statistics and hints to optimize queries for In-Memory. Several examples of queries that benefit from In-Memory, such as aggregation queries and queries with predicates, are also provided.
The document discusses iOS development with blocks and Grand Central Dispatch (GCD). It introduces blocks as a way to encapsulate code similar to functions but with additional features. It describes how to define, call and pass blocks. It then discusses how blocks can be used to replace callbacks, handle notifications, enable concurrent enumeration and sorting. The document concludes with an introduction to GCD, describing it as an open-source threading library that automatically optimizes threading using queues, timers and handlers.
1. The document describes the configuration steps for a lab exercise involving BGP routing. It includes tasks to configure IP addresses, IBGP, HSRP, servers, and BGP routing on multiple routers as shown in the given topology diagram.
2. Key steps are to configure IBGP between routers R1-R4, HSRP between R5-R6, servers on R6, and BGP routing between all routers as specified in the tasks and topology, including IBGP, EBGP, route reflectors, and BGP confederations.
3. The goal is to verify connectivity between loopbacks and servers across the different BGP and IBGP domains as configured.
Jcb js220 tracked excavator service repair manual sn from 2451101 onwardsfjskekqwefsmemm
This service manual provides instructions for servicing and repairing excavators models JS200, JS210, JS220, and JS235. It contains sections on the machine components, including the engine, fuel and exhaust systems, cooling system, driveline, hydraulic system, electrical system, and other components. Safety precautions are provided, and technicians are instructed to fully understand the manual before working on the machine.
This document discusses implementing Ethernet virtual LANs (VLANs) across multiple switches. Section 1 covers how a single VLAN can span multiple switches using VLAN trunking. Section 2 discusses configuring VLANs and VLAN trunks, and routing frames between VLANs. Section 3 addresses potential issues that may arise with VLAN implementations.
The document discusses the Cisco Nexus 7000 series modular datacenter switches. It provides details on:
1) The Nexus product line including the Nexus 1000v, 2000, 3000, 4000, 5000, and 7000 series switches.
2) Key features of the Nexus 7000 including scalable switching capacity beyond 15 terabits per second, unified fabric, and high availability.
3) The principles behind the Nexus 7000's design which focus on infrastructure scalability, operational continuity, and transport flexibility.
This document provides an introduction to IPv6, including an overview of its key features and differences from IPv4. It discusses how IPv6 was developed to address the exhaustion of IPv4 address space and larger routing tables. The summary highlights that IPv6 features a 128-bit address space, stateless and stateful address configuration, built-in security through mandatory IPsec, and more efficient packet routing. Transitioning to IPv6 aims to future-proof internet protocols as network usage grows exponentially.
We introduce the fundamentals of dynamic memory allocation and highlight several exploitable properties. These ideas are put into practice in a set of heap overflow challenges from exploit-exercise.com's Protostar VM. We walk through the first three. Other uses of heap space such as heap spraying are mentioned.
WinDbg is a low-level debugger for Windows that provides features like usermode debugging, kernel debugging, post-mortem debugging, and support for debugging extensions. It can be used to debug crashes, analyze memory leaks, find deadlocks, and investigate other issues when the higher-level Visual Studio debugger is not sufficient. The document provides examples of using WinDbg commands and extensions like SOS to debug memory leaks, analyze crashes based on offset or dump files, and investigate .NET deadlocks.
The document summarizes how to exploit a heap-based buffer overflow vulnerability in the Protostar Heap 3 challenge. It describes using the Doug Lea malloc implementation, modifying chunk size metadata to change program execution, overwriting pointers to hijack control flow, and crafting 12-byte shellcode to jump to a "winner()" function and complete the exploit.
Faster transactions & analytics with the new SQL2016 In-memory technologiesHenk van der Valk
This document contains information about in-memory technologies in Microsoft SQL Server including:
- In-memory OLTP which provides low-latency updates using memory-optimized tables and natively compiled stored procedures.
- Columnstore indexes which provide high data compression and fast analytical queries by storing data in columns.
- Resource governor which allows binding databases to resource pools to control CPU and memory usage.
- Various server hardware configurations recommended for in-memory workloads.
Chapter 8 1 Digital Design and Computer Architecture, 2n.docxchristinemaritza
Chapter 8 <1>
Digital Design and Computer Architecture, 2nd Edition
Chapter 8
David Money Harris and Sarah L. Harris
Chapter 8 <2>
Chapter 8 :: Topics
• Introduction
• Memory System Performance
Analysis
• Caches
• Virtual Memory
• Memory-Mapped I/O
• Summary
Chapter 8 <3>
Processor Memory
Address
MemWrite
WriteData
ReadData
WE
CLKCLK
• Computer performance depends on:
– Processor performance
– Memory system performance
Memory Interface
Introduction
Chapter 8 <4>
In prior chapters, assumed access memory in 1 clock
cycle – but hasn’t been true since the 1980’s
Processor-Memory Gap
Chapter 8 <5>
• Make memory system appear as fast as
processor
• Use hierarchy of memories
• Ideal memory:
– Fast
– Cheap (inexpensive)
– Large (capacity)
But can only choose two!
Memory System Challenge
Chapter 8 <6>
Memory Hierarchy
Technology Price / GB
Access
Time (ns)
Bandwidth
(GB/s)
Cache
Main Memory
Virtual Memory
Capacity
S
p
e
e
d
SRAM $10,000 1
DRAM $10 10 - 50
SSD $1 100,000
25+
10
0.5
0.1HDD $0.1 10,000,000
Chapter 8 <7>
Exploit locality to make memory accesses fast
• Temporal Locality:
– Locality in time
– If data used recently, likely to use it again soon
– How to exploit: keep recently accessed data in higher
levels of memory hierarchy
• Spatial Locality:
– Locality in space
– If data used recently, likely to use nearby data soon
– How to exploit: when access data, bring nearby data
into higher levels of memory hierarchy too
Locality
Chapter 8 <8>
• Hit: data found in that level of memory hierarchy
• Miss: data not found (must go to next level)
Hit Rate = # hits / # memory accesses
= 1 – Miss Rate
Miss Rate = # misses / # memory accesses
= 1 – Hit Rate
• Average memory access time (AMAT): average time
for processor to access data
AMAT = tcache + MRcache[tMM + MRMM(tVM)]
Memory Performance
Chapter 8 <9>
• A program has 2,000 loads and stores
• 1,250 of these data values in cache
• Rest supplied by other levels of memory
hierarchy
• What are the hit and miss rates for the cache?
Memory Performance Example 1
Chapter 8 <10>
• A program has 2,000 loads and stores
• 1,250 of these data values in cache
• Rest supplied by other levels of memory
hierarchy
• What are the hit and miss rates for the cache?
Hit Rate = 1250/2000 = 0.625
Miss Rate = 750/2000 = 0.375 = 1 – Hit Rate
Memory Performance Example 1
Chapter 8 <11>
• Suppose processor has 2 levels of hierarchy:
cache and main memory
• tcache = 1 cycle, tMM = 100 cycles
• What is the AMAT of the program from
Example 1?
Memory Performance Example 2
Chapter 8 <12>
• Suppose processor has 2 levels of hierarchy:
cache and main memory
• tcache = 1 cycle, tMM = 100 cycles
• What is the AMAT of the program from
Example 1?
AMAT = tcache + MRcache(tMM)
= [1 + 0.375(100)] cycles
= 38.5 cycles
Memory Performance Example 2
Chapter 8 <13>
• Amdahl’s Law: the
effort spent incr ...
The document discusses the Windows kernel pool and how it can be exploited. It provides an overview of the kernel pool structures like pool descriptors and lookaside lists. It describes the allocation and freeing algorithms, including splitting and merging of chunks. It then gives an example of exploiting a kernel pool overflow bug, MS08-001, by overwriting structures in the pool to achieve code execution.
This document provides an overview of physical memory analysis techniques. It begins with prerequisites and an agenda, then covers topics like dump generation, memory spaces, common commands, and analysis patterns. Memory analysis can be challenging due to the vast memory space and multiple processes. A pattern-driven approach is recommended to methodically identify and resolve problems. Common patterns include blocked threads, wait chains, resource consumption, and corruption signs. Examples are provided to illustrate specific patterns.
MySQL 8 -- A new beginning : Sunshine PHP/PHP UK (updated)Dave Stokes
MySQL 8 has many new features and this presentation covers the new data dictionary, improved JSON functions, roles, histograms, and much more. Updated after SunshinePHP 2018 after feedback
This document summarizes several myths about database redo, undo, commit, and rollback operations. It presents test cases and analysis to debunk the myths. The author is an experienced Oracle DBA who specializes in performance tuning and internals. Sample redo records are displayed and analyzed to explain how operations like rollback do generate redo. The document aims to clarify misunderstandings about the internal workings of Oracle's transaction and redo logging.
MySQL 8.0 New Features -- September 27th presentation for Open Source SummitDave Stokes
MySQL 8.0 has many new features that you probably need to know about but don't. Like default security, window functions, CTEs, CATS (not what you think), JSON_TABLE(), and UTF8MB4 support.
The document discusses buffer cache waits in Oracle. It describes how Oracle uses a hash table to quickly locate blocks in the buffer cache by file number and block number. It discusses how latches protect the hash buckets and linked lists that maintain the blocks in each bucket. The document also covers consistent read blocks, how they can cause contention, and how to identify hot blocks and SQL causing buffer cache chain latch waits.
The document discusses best practices for using Oracle Database In-Memory. It provides an overview of In-Memory and describes how to configure and populate the In-Memory Column Store. It also discusses how the optimizer utilizes In-Memory statistics and hints to optimize queries for In-Memory. Several examples of queries that benefit from In-Memory, such as aggregation queries and queries with predicates, are also provided.
The document discusses iOS development with blocks and Grand Central Dispatch (GCD). It introduces blocks as a way to encapsulate code similar to functions but with additional features. It describes how to define, call and pass blocks. It then discusses how blocks can be used to replace callbacks, handle notifications, enable concurrent enumeration and sorting. The document concludes with an introduction to GCD, describing it as an open-source threading library that automatically optimizes threading using queues, timers and handlers.
Fundamentals of Complete Crash and Hang Memory Dump Analysis (Revision 2)Dmitry Vostokov
This document provides an overview and agenda for a training on complete crash and hang memory dump analysis. The training will cover basics of dump generation and memory spaces, common analysis challenges, and commands. It will then discuss pattern-driven analysis, providing examples of common patterns like blocked threads, wait chains, resource consumption, corruption signs, and special processes. The agenda indicates there will be an exercise and discussions of additional techniques and tools.
The document discusses various data modification operations and how much redo is generated for each. It shows that inserts, deletes, updates, and DML on indexed tables can generate significant redo, while direct path inserts on NOLOGGING tables can minimize redo generation. The document also explains why some redo is always needed even for temporary changes, to support functions like media recovery and standby databases.
The document discusses direct access to Oracle's shared memory (SGA) using C code. It describes the main regions of the SGA, how information is used automatically and by queries, and reasons for direct access such as reading hidden information or during database hangs. It outlines examining the SGA contents through externalized X$ tables, with most structures in the SGA not directly visible. The document provides a procedure to summarize waits from the V$SESSION_WAIT view by mapping it to the underlying X$KSUSECST table fields and offsets.
Prediction of Electrical Energy Efficiency Using Information on Consumer's Ac...PriyankaKilaniya
Energy efficiency has been important since the latter part of the last century. The main object of this survey is to determine the energy efficiency knowledge among consumers. Two separate districts in Bangladesh are selected to conduct the survey on households and showrooms about the energy and seller also. The survey uses the data to find some regression equations from which it is easy to predict energy efficiency knowledge. The data is analyzed and calculated based on five important criteria. The initial target was to find some factors that help predict a person's energy efficiency knowledge. From the survey, it is found that the energy efficiency awareness among the people of our country is very low. Relationships between household energy use behaviors are estimated using a unique dataset of about 40 households and 20 showrooms in Bangladesh's Chapainawabganj and Bagerhat districts. Knowledge of energy consumption and energy efficiency technology options is found to be associated with household use of energy conservation practices. Household characteristics also influence household energy use behavior. Younger household cohorts are more likely to adopt energy-efficient technologies and energy conservation practices and place primary importance on energy saving for environmental reasons. Education also influences attitudes toward energy conservation in Bangladesh. Low-education households indicate they primarily save electricity for the environment while high-education households indicate they are motivated by environmental concerns.
Accident detection system project report.pdfKamal Acharya
The Rapid growth of technology and infrastructure has made our lives easier. The
advent of technology has also increased the traffic hazards and the road accidents take place
frequently which causes huge loss of life and property because of the poor emergency facilities.
Many lives could have been saved if emergency service could get accident information and
reach in time. Our project will provide an optimum solution to this draw back. A piezo electric
sensor can be used as a crash or rollover detector of the vehicle during and after a crash. With
signals from a piezo electric sensor, a severe accident can be recognized. According to this
project when a vehicle meets with an accident immediately piezo electric sensor will detect the
signal or if a car rolls over. Then with the help of GSM module and GPS module, the location
will be sent to the emergency contact. Then after conforming the location necessary action will
be taken. If the person meets with a small accident or if there is no serious threat to anyone’s
life, then the alert message can be terminated by the driver by a switch provided in order to
avoid wasting the valuable time of the medical rescue team.
Build the Next Generation of Apps with the Einstein 1 Platform.
Rejoignez Philippe Ozil pour une session de workshops qui vous guidera à travers les détails de la plateforme Einstein 1, l'importance des données pour la création d'applications d'intelligence artificielle et les différents outils et technologies que Salesforce propose pour vous apporter tous les bénéfices de l'IA.
Home security is of paramount importance in today's world, where we rely more on technology, home
security is crucial. Using technology to make homes safer and easier to control from anywhere is
important. Home security is important for the occupant’s safety. In this paper, we came up with a low cost,
AI based model home security system. The system has a user-friendly interface, allowing users to start
model training and face detection with simple keyboard commands. Our goal is to introduce an innovative
home security system using facial recognition technology. Unlike traditional systems, this system trains
and saves images of friends and family members. The system scans this folder to recognize familiar faces
and provides real-time monitoring. If an unfamiliar face is detected, it promptly sends an email alert,
ensuring a proactive response to potential security threats.
Open Channel Flow: fluid flow with a free surfaceIndrajeet sahu
Open Channel Flow: This topic focuses on fluid flow with a free surface, such as in rivers, canals, and drainage ditches. Key concepts include the classification of flow types (steady vs. unsteady, uniform vs. non-uniform), hydraulic radius, flow resistance, Manning's equation, critical flow conditions, and energy and momentum principles. It also covers flow measurement techniques, gradually varied flow analysis, and the design of open channels. Understanding these principles is vital for effective water resource management and engineering applications.
Tools & Techniques for Commissioning and Maintaining PV Systems W-Animations ...Transcat
Join us for this solutions-based webinar on the tools and techniques for commissioning and maintaining PV Systems. In this session, we'll review the process of building and maintaining a solar array, starting with installation and commissioning, then reviewing operations and maintenance of the system. This course will review insulation resistance testing, I-V curve testing, earth-bond continuity, ground resistance testing, performance tests, visual inspections, ground and arc fault testing procedures, and power quality analysis.
Fluke Solar Application Specialist Will White is presenting on this engaging topic:
Will has worked in the renewable energy industry since 2005, first as an installer for a small east coast solar integrator before adding sales, design, and project management to his skillset. In 2022, Will joined Fluke as a solar application specialist, where he supports their renewable energy testing equipment like IV-curve tracers, electrical meters, and thermal imaging cameras. Experienced in wind power, solar thermal, energy storage, and all scales of PV, Will has primarily focused on residential and small commercial systems. He is passionate about implementing high-quality, code-compliant installation techniques.
2. Windows 2003
: Windows 2003 SP2
: Still most widely used windows server OS
: Still not a lot of heap exploits released
: Still not a lot of heap research released
: Vista -> Ben Hawkes BHUS08
Heap Explotation
: How the heap works
: Freelists vs Lookaside
: Exploitation Techniques
Heap Exploit Walkthrough
: From start to finish
This Talk Covers
3. Multiple Heaps
: Process has default heap
: Can create separate heaps for different uses
: Some loaded .dll create their own heap
: Some .dlls hold pointer to the heap they use
State Of The Heap
: Server restart
: Service restart
: First request
: Long time live, multiple previous requests
Things That Matter
: Everything, IP address, server name, day of the week
Windows Heap
4. Safe Unlinking
: On unlink, coalesce, relink from freelist
: Causes the link/unlink to fail if addresses readable
: Raises a handled exception, execution proceeds
: Chunk address still returned to caller
Cookie Check
: Cookie checked on free
: Invalid cookie prevents relinking of chunk
HeapSetInformation()
: HeapEnableTerminateOnCorruption()
: Windows Vista and Windows Server 2008
Heap Exploit Difficulties
Need To Get Creative In Exploitation Methods
5. Initial Heap
Heap Management
Last Free Chunk
Header
Last Free Chunk
Space
A Heap In Motion
The heap object initially starts as an empty
contiguous block of memory.
Two structures are written into the heap.
The Heap Management structure contains
information regarding the heap object, and
tracks the heap chunks.
There is always one Free Chunk in the heap
object and it points to the free space at the end
of the heap.
6. Initial Heap
Heap Management
Last Free Chunk
Header
Last Free Chunk
Space
The Heap In Motion
Allocated A,B,C
Heap Management
Chunk A Header
Chunk A Space
Chunk B Header
Chunk B Space
Chunk C Header
Chunk C Space
Last Free Chunk
Header
Last Free Chunk
Space
After the allocation of three
memory chunks, the heap layout
now looks like this
7. Initial Heap
Heap Management
Last Free Chunk
Header
Last Free Chunk
Space
The Heap In Motion
Allocated A,B,C
Heap Management
Chunk A Header
Chunk A Space
Chunk B Header
Chunk B Space
Chunk C Header
Chunk C Space
Last Free Chunk
Header
Last Free Chunk
Space
Free B
Heap Management
Chunk A Header
Chunk A Space
Free Chunk Header
Free Chunk Space
Chunk C Header
Chunk C Space
Last Free Chunk
Header
Last Free Chunk
Space
Freeing a
chunk in
between two
busy chunks,
creates a Free
Chunk
8. Initial Heap
Heap Management
Last Free Chunk
Header
Last Free Chunk
Space
The Heap In Motion
Allocated A,B,C
Heap Management
Chunk A Header
Chunk A Space
Chunk B Header
Chunk B Space
Chunk C Header
Chunk C Space
Last Free Chunk
Header
Last Free Chunk
Space
Free B
Heap Management
Chunk A Header
Chunk A Space
Free Chunk Header
Free Chunk Space
Chunk C Header
Chunk C Space
Last Free Chunk
Header
Last Free Chunk
Space
Free A
Heap Management
Free Chunk Header
Free Chunk Space
Chunk C Header
Chunk C Space
Last Free Chunk
Header
Last Free Chunk
Space
Free chunks that sit next to
each other are joined
(Coalesced) together.
9. Heap Management Structure
Heap Management
Address Value Description
00360000 Base Address
0036000C 00000002 Flags
00360010 00000000 ForceFlags
00360014 0000FE00 VirtualMemoryThreshold
00360050 00360050 VirtualAllocatedBlocks List
00360158 00000000 FreeList Bitmap
00360178 00361E90 FreeList[0]
00360180 00360180 FreeList[n]
00360578 00360608 HeapLockSection
0036057C 00000000 Commit Routine Ptr
00360580 00360688 FrontEndHeap
00360586 00000001 FrontEndHeapType
00360678 00361E88 Last Free Chunk
00360688 00000000 Lookaside[n]
All offsets are from the
base of the Heap Object
These Flags hold settings
such as isDebug, Exception
Raising, and Executable
Heap
The maximum size of an
allocation before a Virtual
Memory allocation is
performed
Linked list of blocks
allocated from Virtual
Memory
A four DWORD bitmask
with each bit set if the
corresponding FreeList[n] is
populated
Pointer to the first chunk in
FreeList[0]
FreeList[0] is used to store
Free Chunks > 1016 bytes
Start of double linked lists
to store Free Chunks
Pointer to CriticalSection
that is used to lock the
heap during changes
Pointer to Function() that is
called when the heap is
expanded and more pages
committed
Pointer to the front end
allocator.
This is a pointer to the
Lookaside
Flag that stores settings
about the front end
allocator
Pointer to the Last Free
Chunk in the heap
Start of the 48 byte
Lookaside list headers
10. Heap Management Structure - Virtual Memory Allocation
Heap Management
Address Value Description
00360014 0000FE00 VirtualMemoryThreshold
00360050 00360050 VirtualAllocatedBlocks List
00360050 FLINK
00360054 BLINK
7C82AE14 CMP EDI,DWORD PTR DS:[EBX+14]
7C82AE17 JBE ntdll.7C82A2FC
...
7C82AE8E LEA EAX,DWORD PTR DS:[EBX+50]
...
7C82AE97 MOV EDX,DWORD PTR DS:[EAX+4]
...
7C82AEA0 MOV DWORD PTR DS:[ECX],EAX
7C82AEA2 MOV DWORD PTR DS:[ECX+4],EDX
7C82AEA5 MOV DWORD PTR DS:[EDX],ECX
7C82AEA7 MOV DWORD PTR DS:[EAX+4],ECX
EBX is set to Base Address
Check threshold
Load BLINK
Write @NewChunk to
@BLINK+4
ECX is @NewChunk
If the VirtualAllocatedBlocks->BLINK can be overwritten then the address of
the NewChunk can be written to an arbitrary location
11. Heap Management Structure - FreeList Bitmap
Heap Management
Address Value Description
00360158 00000000 FreeList Bitmap
7C82A291 LEA ESI,DWORD PTR DS:[EBX+EDX*4+158]
...
7C82A2A8 AND EAX,DWORD PTR DS:[ESI]
...
7C82A2B8 JNZ ntdll.7C82CB46
7C82A2BE TEST EAX,EAX
7C82A2C0 JNZ ntdll.7C82C8C9
7C82A2C6 MOV EAX,DWORD PTR DS:[ESI]
Bitmap is checked when
looking for a FreeList[n]
that fits the request
Bitmap is populated when
chunk added to FreeList[n]
If a match is found then the
corresponding FreeList[n] is
used for the allocation.
If the Bitmap can be manipulated then a pointer to an empty FreeList[n] can
be returned, allowing the overwrite of management structures. [nico]
80 00 00 02 00 00 80 00 00 00 00 00 00 00 00 00
0-7 24-31 48-55
12. Heap Management Structure - FreeList Bitmap
Heap Management
Address Value Description
00360158 00000000 FreeList Bitmap
If the Bitmap can be manipulated then a pointer to an empty FreeList[n] can
be returned, allowing the overwrite of management structures. [nico]
80 00 00 02 00 00 80 00 00 00 00 00 00 00 00 00
FreeList[7] is
populated
FreeList[16] is
empty
FreeLists
Address Value Description
003601B0 00364D78 FreeList[7]
... ... ...
003601F8 003601F8 FreeList[16]
Request for block 16 will
create a new block and
return it
Modify bitmap
Request for block 16 will
return 003601F8
80 00 01 02 00 00 80 00 00 00 00 00 00 00 00 00
FreeLists
Address Value Description
003601B0 00364D78 FreeList[7]
... ... ...
003601F8 XXXXXXXX Overwrite
XXXXXXXX Overwrite
XXXXXXXX Overwrite
XXXXXXXX Overwrite
XXXXXXXX Overwrite
13. Heap Management Structure - FreeList Bitmap
If the Bitmap can be manipulated then a pointer to an empty FreeList[n] can
be returned, allowing the overwrite of management structures. [nico]
Part Of The Bitmap Loading Code
7C82C8AB MOVZX EAX,AH
7C82C8AE MOVSX EAX,BYTE PTR DS:[EAX+7C82BAB8]
7C82C8B5 ADD EAX,8
7C82C8B8 JMP ntdll.7C82C830
7C82C8BD MOVSX EAX,BYTE PTR DS:[ECX+7C82BAB8]
7C82C8C4 JMP ntdll.7C82C830
7C82C8C9 LEA EDX,DWORD PTR DS:[EBX+178]
7C82C8CF JMP ntdll.7C82C808
7C82C8D4 SHR EAX,18
7C82C8D7 MOVSX EAX,BYTE PTR DS:[EAX+7C82BAB8]
7C82C8DE ADD EAX,18
7C82C8E1 JMP ntdll.7C82C830
[ 7C82BAB8 ]
A Static Pointer To A Bit
Mask Table That Can Be
Modified To Manipulate
The Bitmap Result
14. Heap Management Structure – FreeList[n]
Heap Management
Address Value Description
00360178 00361e90 FreeList[0]
00360180 00360180 FreeList[n]
FreeList[0] is similar to
FreeList[n] but holds
chunks > 1016 bytes
00360180 FLINK
00360184 BLINK
Free Chunk Header
Header Self Size Prev Size CK FL UN SI
Links FLINK BLINK
Free Chunk Header
Header Self Size Prev Size CK FL UN SI
Links FLINK BLINK
Double Linked List
connects free
chunks together
15. Heap Management Structure - Commit Routine Pointer
Heap Management
Address Value Description
0036057C 00000000 Commit Routine Ptr
7C833BF9 MOV ECX,DWORD PTR DS:[EAX+57C]
7C833BFF TEST ECX,ECX
7C833C01 JNZ ntdll.7C852C9E
...
7C852C9E PUSH EBX
7C852C9F LEA EDX,DWORD PTR SS:[EBP+14]
7C852CA2 PUSH EDX
7C852CA3 PUSH EAX
7C852CA4 CALL ECX
Initially set to nothing
Custom function() called
when committing more
memory to the Heap
This is a static pointer that can be overwritten to gain execution control
Loaded into ECX and called
16. Heap Management Structure – Lookaside[n]
Heap Management
Address Value Description
00360688 00000000 Lookaside[n]
003606E8 Lookaside[2]
Lookaside[0] and
Lookaside[1] are not used
48 byte structure
Lookaside List Header
Address Description
+00 Pointer To First Chunk
+04 Depth
+06 Max Depth
+08
Allocation tracking for
automatic Lookaside
Fine Tuning
+0C
+10
...
Lookaside Chunk Header
Header Self Size Prev Size CK FL UN SI
Links FLINK
Lookaside Chunk Header
Header Self Size Prev Size CK FL UN SI
Links FLINK
17. Heap Chunks
Chunk On Lookaside
Header Self Size Prev Size CK FL UN SI
Links FLINK
Data
A Used Chunk
Header Self Size Prev Size CK FL UN SI
Data
Chunk On FreeList
Header Self Size Prev Size CK FL UN SI
Links FLINK BLINK
Data
Chunk Flags
00 Free
01 Busy
02 Extra Present
04 Fill Pattern
08 Virtual Alloc
10 Last Entry
20 FFU1
40 FFU2
80 No Coalesce
18. Lookaside Lists
Lookaside[n]
FLINK 00000000
Lookaside Starts
Empty
Address FLINK
003620D0 00000000
Lookaside[n]
FLINK 003620D0
Chunk Added To
Top Of Lookaside
Address FLINK
003620E8 003620D0
Lookaside[n]
FLINK 003620E8
Chunk Added To
Top Of Lookaside
Address FLINK
003620D0 00000000
Address FLINK
00362100 003620E8
Lookaside[n]
FLINK 00362100
Chunk Added To
Top Of Lookaside
Address FLINK
003620E8 003620D0
Address FLINK
003620D0 00000000
About To Allocate From The
Lookaside[n]
This Value Gets
Copied
Address FLINK
00362100 003620E8
Lookaside[n]
FLINK 00362100
Address FLINK
003620E8 003620D0
Address FLINK
003620D0 00000000
Chunk Removed From
Top Of Lookaside
Lookaside[n]
FLINK 003620E8
Address FLINK
003620E8 003620D0
Address FLINK
003620D0 00000000
Copied To Here
There is no Safe Unlinking or Cookie check for Lookaside Lists
Well known attack is to overwrite the FLINK of a chunk on a Lookaside. This
will populate the Lookaside[n]->FLINK with an arbitrary value to be returned
at allocation.
Overwrite the FLINK of the
top chunk
Lookaside[n]
FLINK 003620E8
Address FLINK
003620E8 XXXXXXXX
Address FLINK
003620D0 00000000
Lookaside[n]->FLINK
is corrupted
Lookaside[n]
FLINK XXXXXXXX
19. Freelist[n] Lists
Lookaside[n]
FLINK 00000000
Freelist Starts
Empty
Lookaside[n]
FLINK 003620D0
Lookaside[n]
FLINK 003620E8
Lookaside[n]
FLINK 00362100
Lookaside[n]
FLINK 00362100
Lookaside[n]
FLINK 003620E8
Safe Unlinking and Cookie checks will prevent Unlinking
Overwriting the Freelist[n]->BLINK will cause the address of the Free’d Chunk
to be written to an arbitrary location
Lookaside[n]
FLINK 003620E8
Freelist[n]
Address FLINK BLINK
00360190 00360190 00360190
Address FLINK BLINK
00362130 00360190 00360190
Chunk Added To
Bottom
Freelist[n]
Address FLINK BLINK
00360190 00362130 00362130
Address FLINK BLINK
00362160 00360190 00362130
Chunk Added To
Bottom
Freelist[n]
Address FLINK BLINK
00360190 00362130 00362160
Address FLINK BLINK
00362130 00362160 00360190
Chunk Removed
From Bottom
Freelist[n]
Address FLINK BLINK
00360190 00362130 00362130
Address FLINK BLINK
00362130 00360190 00360190
Freelist Is Empty
20. Freelist[n] Lists
Freelist Searching
: If a freelist[n] of requested size not available
bitmap is used to find larger populated freelist[n]
Chunk Size
: Size field of the chunk header used as offset to bitmap
: Bitmap is updated on allocate/free if needed
: Size field is used to calculate freelist[n] to free to
Manipulating Size Field
: Allocation can control bitmap flipping
: Free can have chunk free’d to different lookaside/freelist
Header Self Size Prev Size CK FL UN SI
21. Flipping Bitmap On Allocate
Size Is Overwritten
FLINK / BLINK Can Be
Overwritten
7C82C8E6 MOVZX ECX,WORD PTR DS:[ESI] ; Load Self Size
7C82C8E9 MOV EDX,ECX
..
7C82C902 8DBC1A 58010000 LEA EDI,DWORD PTR DS:[EDX+EBX+158]
Calculate Bitmap
Bitmap Attack Explained Earlier
Chunk On FreeList
Header #### Prev Size CK FL UN SI
Links FLINK BLINK
Data
If Last Chunk On Freelist Then Bitmap Updated
If FLINK and BLINK Overwritten with
Valid For Read and
FLINK == BLINK
Then Bitmap Updated
22. Free To Arbitrary Lookaside[n]/FreeList[n]
Size Is Overwritten
Cookie Is Left Intact
Chunk To Be Freed
Header #### Prev Size CK FL UN SI
Data
7C829F1B MOVZX EAX,WORD PTR DS:[ESI] ; Load self size
7C829F1E MOV DWORD PTR SS:[EBP-20],EAX
7C829F21 CMP EAX,80
7C829F26 JNB ntdll.7C82A7BC
7C829F2C PUSH DWORD PTR SS:[EBP+10]
7C829F2F LEA EAX,DWORD PTR DS:[EAX+EAX*2] ; Calculate Lookaside
7C829F32 SHL EAX,4
7C829F35 ADD EAX,ECX
7C829F37 PUSH EAX
7C829F38 CALL ntdll.7C829F8F ; Push to Lookaside
Freeing To
Lookaside[n]
Could This Be Useful When Filling In Gaps?
7C82A84C MOVZX EAX,WORD PTR SS:[EBP-20] ; Load selfsize
7C82A850 LEA EBX,DWORD PTR DS:[EDI+EAX*8+178] ; Calculate
7C82A857 MOV DWORD PTR SS:[EBP-88],EBX
7C82A85D CMP DWORD PTR DS:[EBX],EBX ; Check Freelist
Freeing To
Freelist[n]
Coalescing Is A Problem That Needs To Be Dealt With
23. FreeList[0] - Free
Address FLINK BLINK
00361E90 003622D0 00360178
Freelist[0]
Address FLINK BLINK
00360178 00361E90 00362B60
Address FLINK BLINK
003622D0 00362B60 00361E90
Address FLINK BLINK
00362B60 00360178 003622D0
Populated
Freelist[0]
Load Freelist[0]->FLINK
Check Size Is Larger Than
Chunk Been Free’d
Not Greater, Load
Chunk->FLINK
Check Size Is Great Than
Chunk Been Free’d
If It Is Greater Then
Insert Chunk
Exploitable Condition On Freelist[0] Insert
24. Exploiting FreeList[0] - Free
Exploitable Condition On Freelist[0] Insert
7C82A982 CMP DX,WORD PTR DS:[EAX] ; Compare chunk size
7C82A985 JA ntdll.7C82FDC4 ; To large move to next
7C82A98B LEA EAX,DWORD PTR DS:[ESI+8] ; Header of free’d chunk
7C82A98E MOV DWORD PTR SS:[EBP-7C],EAX
7C82A991 MOV EDX,DWORD PTR DS:[ECX+4] ; Load BLINK of current chunk
7C82A994 MOV DWORD PTR SS:[EBP-84],EDX
7C82A99A MOV DWORD PTR DS:[EAX],ECX ; Set free’d->FLINK == current
7C82A99C MOV DWORD PTR DS:[EAX+4],EDX ; Set free’d->BLINK ==current->BLINK
7C82A99F MOV DWORD PTR DS:[EDX],EAX ; Write @free’d to [current->BLINK]
7C82A9A1 MOV DWORD PTR DS:[ECX+4],EAX ; Set current->BLINK == @free’d
An Overwritten Chunk In Freelist[0] Can Be Exploited To Write The Address
Of The Chunk Being Freed To An Arbitrary Location
25. Exploiting FreeList[0] - Free
Exploitable Condition On Freelist[0] Insert
Chunk To Be Freed @003622D0
8400 Prev Size CK FL UN SI
Overwritten Chunk @00361E90
FFFF ???? ?? 02 ?? ??
FFFFFFFF 00360718
Place Where We Want To Write 003622D0
Could Be A Function Table, This Is A Lookaside
Chunk To Be Freed @003622D0
8400 Prev Size CK FL UN SI
00361E90 00360718 Overwritten Chunk @00361E90
FFFF ???? ?? 02 ?? ??
FFFFFFFF 003622D0
Overwritten Lookaside Now Populated
Three Requests And We Get Our Set Location
Chunk Is Inserted Before The
Overwritting Chunk.
FLINK and BLINK updated
26. FreeList[0] - Allocate
Address FLINK BLINK
00361E90 003622D0 00360178
Freelist[0]
Address FLINK BLINK
00360178 00361E90 00362B60
Address FLINK BLINK
003622D0 00362B60 00361E90
Address FLINK BLINK
00362B60 00360178 003622D0
Populated
Freelist[0]
Load Freelist[0]->BLINK
Check Size Is Large
Enough For Request
Load Freelist[0]->FLINK
Check Size Is Large
Enough For Request
Too Small,
Load Chunk->FLINK
Check Size Is Large
Enough For Request
Large Enough,
Return Chunk
Exploitable Condition On Freelist[0] Allocate
27. Exploiting FreeList[0] - Searching
Exploitable Condition On Freelist[0] Allocate - Searching
Overwritten Chunk @003622C8
0100 ???? ?? ?? ?? ??
00360188 ????????
Fake Chunk @00360180
8001 3600 80 01 36 00
00360188 00360188
Must Be Readable
Must Be Readable
= Requested Size
(+1 block)
Request Made For Size
0x0BF8
FLINK Points To Fake
Chunk
FLINK Points To Fake
Chunk+8
Chunk Returned To Caller
This Address Is In The
Freelists
28. Allocation Relinking
If Chunk Is Larger Than
Request It Will Get Split
Chunk Header
Chunk Space
Chunk Header
Chunk Space
New Chunk Header
New Chunk Space
New Header Is Written
Into The Existing Chunk
Space
Chunk Header
Chunk Space
New Chunk Header
New Chunk Space
Chunk Returned To
Caller
Chunk Inserted Into
FreeLists
29. Exploiting FreeList[0] - Relinking
Exploitable Condition On Freelist[0] Allocate - Relinking
Overwritten Chunk @003622C8
0202 ???? ?? ?? ?? ??
0036057C READ
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXX.....
Request Made For Size
Smaller Than Our Overwrite
Fake Chunk @00360574
7005 3600 08 06 36 00
???????? 00360688
Must Be Read/Write
> Relink Chunk Size
FLINK Points To Fake
Chunk
FLINK Points To Fake
Chunk+8
Relink Chunk Address
Written To 00360580
This Is The FrontEndHeap
(Lookaside Base)
30. When Allocated Chunk Is To Large
: Checked when allocation from other list
: Chunk is cut to size, New header is written
: Chunk is inserted to freelist[n] or freelist[0]
: Size manipulated to put new chunk into arbitrary Freelist
Splitting / Resizing
7C82A3DB CMP EBX,1 ; Larger than one block difference
7C82A3DE JE ntdll.7C82E5A4
7C82A3E4 MOV EAX,DWORD PTR SS:[EBP-48] ; Load requested size
7C82A3E7 LEA EDI,DWORD PTR DS:[ESI+EAX*8] ; Move to create the new chunk
..
7C82A3F3 MOV BYTE PTR DS:[EDI+5],CL ; Store new flag
7C82A3F6 MOV WORD PTR DS:[EDI+2],AX ; Store Prev Size
..
7C82A400 MOV WORD PTR DS:[EDI],BX ; Store new size
7C82A403 TEST CL,10 ; Is chunk new LAST CHUNK
7C82A406 JNZ ntdll.7C82A65E ; Jump if chunk is last chunk
7C82A40C LEA EAX,DWORD PTR DS:[EDI+EBX*8] ; Move to NEXT chunk based on size
7C82A40F MOV DWORD PTR SS:[EBP-50],EAX ; Will try and coalesce with next
Can Skip By
Setting As Last
Chunk
31. When Chunk Is Free’d To Freelist
: Size field is used to locate previous and next chunk
: Requires valid FLINK/BLINK on chunks to colaesce
: An overflow can control all of this to prevent coalesce
Coalesced Chunks
7C82A6F6 JE SHORT ntdll.7C82A702 ; If prev size is 0 jump
7C82A6F8 TEST BYTE PTR DS:[ESI+5],1 ; Is prev chunk BUSY?
7C82A6FC JE ntdll.7C82CA7A ; If not then coalesce
7C82A702 TEST BYTE PTR DS:[EDI+5],10 ; Is our chunk the last chunk?
7C82A706 JNZ ntdll.7C82A7B3 ; If so can't coalesce
7C82A70C MOV EAX,DWORD PTR SS:[EBP+10]
7C82A70F MOV EAX,DWORD PTR DS:[EAX] ; Load our block size
7C82A711 LEA ESI,DWORD PTR DS:[EDI+EAX*8] ; Move to next chunk
7C82A714 TEST BYTE PTR DS:[ESI+5],1 ; Is next chunk BUSY?
7C82A718 JNZ ntdll.7C82A7B3 ; Yup, so don't colaesce
Test Flag Of
Previous
Chunk
Test Flag
Of Next
Chunk
Header Self Size Prev Size CK FL UN SI
32. How To Prevent A Coalesce
: Set the chunk being freed prev size to ZERO
: Set the chunk being freed FLAG to last chunk
: Set the chunk being freed self size > 0xFE00
: Set the prev/next chunks flag to PASS the BUSY check
: Control the size to fake the prev/next chunks location
Why Prevent A Coalesce()
: Coalescing an overwritten chunk normally blows up
: Linking, resizing, and relinking is very complex
Preventing Coalesce
33. Coalesced Chunks
???? ???? ?? ?? ?? ??
DATA
FFFF FFFF FF FF FF FF
DATA
Chunk A
Data Stored In
Chunk B
We Overflowing
BUSY
Chunk
BUSY
Chunk
Chunk A Will Be Free’d
And We Want To
Prevent Coalescing
FFFF FFFF FF 01 FF FF
DATA
Keep The Flag Set
To BUSY
34. Coalesced Chunks
???? ???? ?? ?? ?? ??
DATA
FFFF FFFF FF FF FF FF
DATA
Chunk A
Data Stored In
Chunk B
We Overflowing
BUSY
Chunk
BUSY
Chunk
Chunk B Will Be Free’d
And We Want To
Prevent Coalescing
FFFF FFFF FF 01 FF FF
DATA
0200 0200 FF FF FF FF
DATA
FFFF FFFF FF 01 FF FF
DATA
Create Two Fake Chunks And
Set Size In Header Of Chunk B
To Point To The Fake Chunks
Flag Set To Busy
Create Two Fake Chunks And
Set Size In Header Of Chunk B
To Point To The Fake Chunks
Flag Set To Busy
35. Coalesced Chunks
???? ???? ?? ?? ?? ??
DATA
FFFF FFFF FF FF FF FF
DATA
Chunk A
Data Stored In
Chunk B
We Overflowing
BUSY
Chunk
BUSY
Chunk
Chunk B Will Be Free’d
And We Want To
Prevent Coalescing
FFFF 0000 FF 10 FF FF
DATA
Set The Flag To
Contain The Last
Chunk Flag
36. How To Prevent A Free
: Set the chunks flag to FAIL the BUSY check
Why Prevent A Free()
: Remove chunk from Lookaside
Can be overwritten before allocation
: Remove chunk from Freelist[]
Flag gets reset on allocation
Bypass Cookie Check
: Will cause a heap exception, doesn’t stop execution
Preventing A Free
Move To Chunk
Header
Load Flag and
Test If Busy
37. Example Removing Chunk From Lookaside
Before Allocation
After Free()
Overwrite Flag
Self Size Prev Size CK FL UN SI
0300 0300 06 01 0E 00
Self Size Prev Size CK FL UN SI
0101 0101 01 02 01 01
After Allocation
38. Top Chunk On A Lookaside Is Overwritten
: Flags set to not BUSY, Flink set to 0x00000000
Clearing The Lookaside
Before Allocation
After Overwrite
Allocation And Free Will Clear The Lookaside List
Overwrite Flag And FLINK
Self Size Prev Size CK FL UN SI
0300 0300 06 01 0E 00
00362100
Self Size Prev Size CK FL UN SI
0101 0101 01 02 01 01
00000000
39. The Steps
: Exploit the heap
: Overwrite a function pointer or other to gain execution
: Flip the heap onto the stack to get ret-to-libc style control
: Turn off Data Execution Protection (DEP)
: Return to shellcode
Exploit The Heap
: Application dependant
Overwrite A Function Pointer
: Application dependant?
The Exploitation Process
40. What Is Heap/Stack Flipping
: Exploit data is on the heap
: For fine grained control, it needs to be on the stack
Requirements
: Pointer to exploit data; on stack, in a register, in [reg +/- n]
: Locate instructions to manipulate pointer and pop esp, ret
: Overwrite function pointer to return to instructions
Populate ESP With The Pointer To Exploit Data
Heap / Stack Flipping
PUSH EBX
POP ESP
POP EBP
RET
EBX -> DATA
LEAVE
RET
EBP -> DATA ECX -> DATA
MOV ESP,ECX
RET 8
EAX-> DATA
XCHG EAX,ESP
RET
42. Heap / Stack Flipping
New Stack
Exploit Data
New Registers
Code That We Returned Into
43. Entirely Ret-to-Libc
: Entire shellcode in ‘borrowed’ instructions
: Inject into process that is not DEP enabled
: Very difficult
HeapCreate()
: Create new heap with HEAP_CREATE_ENABLE_EXECUTE
: Allocate new chunk, memcpy shellcode across
: Doable, but sounds like a lot of work
Registry
: 'Image File Execution Options‘
: Would turn it off on a restart
: Not really very helpful
Bypassing DEP
44. SetProcessDEPPolicy()
: Not available on 2003
Copy Shellcode To RWE Memory Page
: Copy shellcode and then return to address
VirtualProtect()
: Use the PAGE_EXECUTE_READWRITE flag to reset heap
: Return to shellcode
Bypassing DEP
45. VirtualAlloc()
: Allocate new memory with PAGE_EXECUTE_READWRITE
: Address is returned in EAX
: Copy shellcode and return to it
NtSetInformationProcess()
: Skape and Skywing ret-to-libc to deactivate DEP
: Easier on windows 2003
Bypassing DEP
NtSetInformationProcess(
NtCurrentProcess(), // (HANDLE)-1
ProcessExecuteFlags, // 0x22
&ExecuteFlags, // ptr to 0x2
sizeof(ExecuteFlags)); // 0x4
47. Step By Step
: The vulnerability
: Reproduction
: Understanding the bug
: Finding an overwrite
: Find a pointer
: Flipping the heap to stack
: Bypassing DEP
: The working
Heap Exploitation
48. The Vulnerability
Citrix
ImaSrv.exe
TCP Port 2512 or 2513
User-supplied -> Memory Allocation
Undersized Allocation
Overflow The Heap Buffer
Citrix
TCP Port 2512 or 2513 User-supplied -> Memory Allocation
ImaSrv.exe
Overflow The Heap Buffer
49. Usual Integer Overflow
: Usual ‘packet size bug’
Usual Basic Fuzz Test
while !crashed
{
inc buffer length
fill buffer with 0xFF
send to TCP 2512
}
Reproducing The Vulnerability
Length Of Data DATA
I Am Listening
On TCP 2512
xFFxFFxFFxFF xFFxFFxFFxFFxFFxFF
50. Reproducing The Vulnerability
A Crash
A Crash
ntdll! RtlAllocateHeap
In the good ‘ol days, it would now be as easy as overwriting the UEF.
But those days are over.
51. Need To Trace From Start To Finish
: bp WSARecv and send overflow again
Understanding The Bug
WSARecv
Stack
Buffer Size Buffer Address
52. Need To Trace From Start To Finish
: After WSARecv our buffer is loaded
Understanding The Bug
53. Trace Through Code To Determine Paths
: This code checks buffer sizes
Understanding The Bug
Load First DWORD Of
Packet Into EAX
Compare Against Size
Of Current Buffer
0x408
Jump If Our Packet
Specified A Size Larger
Than 0x408
54. Trace Through Code To Determine Paths
: Eventually get to here
Understanding The Bug
ESI == First DWORD
From Packet
EAX == ESI + 3C
Is Going To
Allocate A Buffer
Of Size EAX
EAX == ESI + 3C
55. But its not over yet
: Trace down to ntdll!RTLAllocateHeap
Understanding The Bug
Allocate From Heap
00320000
Allocate 3B Bytes
56. Still Thats Just An Undersized Buffer
: Keep tracing the code
Understanding The Bug
Bunch Of Stuff Is Written
Into The New Buffer
This Is A Custom Header
And Is 0x3C Bytes Long
EAX Points To The Newly
Allocated Buffer
57. Finally....
: A memmove instruction overflows the buffer
Understanding The Bug
New Buffer+3C
Packet Data
This Is The Size Of The
Packet That We Sent
KABOOM!
58. The Result
: We can cause the allocation of a size 0x01 – 0x03B
: We can overflow the chunk with 0x408 bytes
The Limitations
: Can only allocate chunk 2 through to 9
That range is FFFFFFC5 == 0x01 == Chunk 2
To FFFFFFFF == 0x3b == Chunk 9
: The first 0x3C bytes are not controlled by us due to the
custom header
Understanding The Bug
59. So Now What?
: We know we can cause an allocation of a lower chunk
: Lets look at the Lookaside lists at the time of the allocation
The Request LifeCycle
WSARecv()
RTLFreeHeap()
RTLAllocateHeap()
memmove()
60. The Lookaside Lists
Lookaside[8] Has A Top Chunk That Sits
After Lookaside[7] Top Chunk On All Runs
AND
The Difference Is Greater Than 0x3C
0x0a871cc8 – 0x0a871c60
= 0x68
0x0a871c38 – 0x0a871bd0
= 0x68
0x0a871d00 – 0x0a871c98
= 0x68
61. First Request
: Request Lookaside[7]
: Overwrite Lookaside[8]
: Free Request
Problem
: If we now had two allocations of Lookaside[8]
: But we only have one
Solution
: Set flag of top chunk of Lookaside[8] to be FREE
: Then when free() is called it will be skipped
Lets Try It
62. First Request
: Request Lookaside[7]
: Overwrite Lookaside[8]
: Free Request
Second Request
: Request Lookaside[8]
: Top Chunk Is Popped
: Free Request
Third Request
: Request Lookaside[8], Our Address Is Returned
Lets Try It
63. Function Pointer
: Trace code looking for pointer
: None found before WSARecv()
What Address To Overwrite
Lucky For Us That Winsock
Uses Static Pointers
0x71C14044 Is A Static Pointer
That Can Be Overwritten
EAX Points To
Stack
64. Winsock
: Holds a structure
: Structure holds pointer to function pointer table on the
default heap
Winsock Structure
Static Pointer
To Handle
Load Address Of
Pointer Table
‘Static Within Heap’
Call Function
65. Pointer Table Address
: 0x142360
Set Lookaside Address
: Need to account for header
: Set lookaside to 0x01431D0
Overwrite The Pointer Table
: We now control execution
Set The Stack
: EAX points to the pointer table
: EAX points to our data
: Search for a heap/stack flip
Return Down The Stack
: Return to Anti-DEP
: Return to shellcode on pointer table
Exploiting The Bug
Heap/Stack Flip Local To
Citrix DLLS
66. Da Greetz
Acknowledgement to those who shared current
information, some of which was used in this presentation
Nico
Caddis
mxatone
Acknowledgement to those who have published
past heap research
0ded
Shok
Sotirov
Sandip Chaudhari
A. Anisimov
N. Falliere
Halvar
Litchfield
+ All Others