SlideShare a Scribd company logo

Heaps About Heaps - Brett Moore.ppt

Download as PPT, PDF
D
damesmith

This document discusses Windows 2003 heap exploitation techniques. It begins with an overview of heaps and the Windows 2003 heap structure. It then covers the heap management structure, free lists, lookaside lists, and techniques for manipulating various heap structures like the free list bitmap and size field to enable overwriting arbitrary memory locations. Key points covered include safe unlinking, cookie checks, and how overwriting links in free lists or lookaside lists can lead to memory corruption.

Engineering
1 of 66
UT HEAPS HEAPS ABO
Windows 2003 : Windows 2003 SP2 : Still most widely used windows server OS : Still not a lot of heap exploits released : Still not a lot of heap research released : Vista -> Ben Hawkes BHUS08 Heap Explotation : How the heap works : Freelists vs Lookaside : Exploitation Techniques Heap Exploit Walkthrough : From start to finish This Talk Covers
Multiple Heaps : Process has default heap : Can create separate heaps for different uses : Some loaded .dll create their own heap : Some .dlls hold pointer to the heap they use State Of The Heap : Server restart : Service restart : First request : Long time live, multiple previous requests Things That Matter : Everything, IP address, server name, day of the week Windows Heap
Safe Unlinking : On unlink, coalesce, relink from freelist : Causes the link/unlink to fail if addresses readable : Raises a handled exception, execution proceeds : Chunk address still returned to caller Cookie Check : Cookie checked on free : Invalid cookie prevents relinking of chunk HeapSetInformation() : HeapEnableTerminateOnCorruption() : Windows Vista and Windows Server 2008 Heap Exploit Difficulties Need To Get Creative In Exploitation Methods
Initial Heap Heap Management Last Free Chunk Header Last Free Chunk Space A Heap In Motion The heap object initially starts as an empty contiguous block of memory. Two structures are written into the heap. The Heap Management structure contains information regarding the heap object, and tracks the heap chunks. There is always one Free Chunk in the heap object and it points to the free space at the end of the heap.
Initial Heap Heap Management Last Free Chunk Header Last Free Chunk Space The Heap In Motion Allocated A,B,C Heap Management Chunk A Header Chunk A Space Chunk B Header Chunk B Space Chunk C Header Chunk C Space Last Free Chunk Header Last Free Chunk Space After the allocation of three memory chunks, the heap layout now looks like this
Initial Heap Heap Management Last Free Chunk Header Last Free Chunk Space The Heap In Motion Allocated A,B,C Heap Management Chunk A Header Chunk A Space Chunk B Header Chunk B Space Chunk C Header Chunk C Space Last Free Chunk Header Last Free Chunk Space Free B Heap Management Chunk A Header Chunk A Space Free Chunk Header Free Chunk Space Chunk C Header Chunk C Space Last Free Chunk Header Last Free Chunk Space Freeing a chunk in between two busy chunks, creates a Free Chunk
Initial Heap Heap Management Last Free Chunk Header Last Free Chunk Space The Heap In Motion Allocated A,B,C Heap Management Chunk A Header Chunk A Space Chunk B Header Chunk B Space Chunk C Header Chunk C Space Last Free Chunk Header Last Free Chunk Space Free B Heap Management Chunk A Header Chunk A Space Free Chunk Header Free Chunk Space Chunk C Header Chunk C Space Last Free Chunk Header Last Free Chunk Space Free A Heap Management Free Chunk Header Free Chunk Space Chunk C Header Chunk C Space Last Free Chunk Header Last Free Chunk Space Free chunks that sit next to each other are joined (Coalesced) together.
Heap Management Structure Heap Management Address Value Description 00360000 Base Address 0036000C 00000002 Flags 00360010 00000000 ForceFlags 00360014 0000FE00 VirtualMemoryThreshold 00360050 00360050 VirtualAllocatedBlocks List 00360158 00000000 FreeList Bitmap 00360178 00361E90 FreeList[0] 00360180 00360180 FreeList[n] 00360578 00360608 HeapLockSection 0036057C 00000000 Commit Routine Ptr 00360580 00360688 FrontEndHeap 00360586 00000001 FrontEndHeapType 00360678 00361E88 Last Free Chunk 00360688 00000000 Lookaside[n] All offsets are from the base of the Heap Object These Flags hold settings such as isDebug, Exception Raising, and Executable Heap The maximum size of an allocation before a Virtual Memory allocation is performed Linked list of blocks allocated from Virtual Memory A four DWORD bitmask with each bit set if the corresponding FreeList[n] is populated Pointer to the first chunk in FreeList[0] FreeList[0] is used to store Free Chunks > 1016 bytes Start of double linked lists to store Free Chunks Pointer to CriticalSection that is used to lock the heap during changes Pointer to Function() that is called when the heap is expanded and more pages committed Pointer to the front end allocator. This is a pointer to the Lookaside Flag that stores settings about the front end allocator Pointer to the Last Free Chunk in the heap Start of the 48 byte Lookaside list headers
Heap Management Structure - Virtual Memory Allocation Heap Management Address Value Description 00360014 0000FE00 VirtualMemoryThreshold 00360050 00360050 VirtualAllocatedBlocks List 00360050 FLINK 00360054 BLINK 7C82AE14 CMP EDI,DWORD PTR DS:[EBX+14] 7C82AE17 JBE ntdll.7C82A2FC ... 7C82AE8E LEA EAX,DWORD PTR DS:[EBX+50] ... 7C82AE97 MOV EDX,DWORD PTR DS:[EAX+4] ... 7C82AEA0 MOV DWORD PTR DS:[ECX],EAX 7C82AEA2 MOV DWORD PTR DS:[ECX+4],EDX 7C82AEA5 MOV DWORD PTR DS:[EDX],ECX 7C82AEA7 MOV DWORD PTR DS:[EAX+4],ECX EBX is set to Base Address Check threshold Load BLINK Write @NewChunk to @BLINK+4 ECX is @NewChunk If the VirtualAllocatedBlocks->BLINK can be overwritten then the address of the NewChunk can be written to an arbitrary location
Heap Management Structure - FreeList Bitmap Heap Management Address Value Description 00360158 00000000 FreeList Bitmap 7C82A291 LEA ESI,DWORD PTR DS:[EBX+EDX*4+158] ... 7C82A2A8 AND EAX,DWORD PTR DS:[ESI] ... 7C82A2B8 JNZ ntdll.7C82CB46 7C82A2BE TEST EAX,EAX 7C82A2C0 JNZ ntdll.7C82C8C9 7C82A2C6 MOV EAX,DWORD PTR DS:[ESI] Bitmap is checked when looking for a FreeList[n] that fits the request Bitmap is populated when chunk added to FreeList[n] If a match is found then the corresponding FreeList[n] is used for the allocation. If the Bitmap can be manipulated then a pointer to an empty FreeList[n] can be returned, allowing the overwrite of management structures. [nico] 80 00 00 02 00 00 80 00 00 00 00 00 00 00 00 00 0-7 24-31 48-55
Heap Management Structure - FreeList Bitmap Heap Management Address Value Description 00360158 00000000 FreeList Bitmap If the Bitmap can be manipulated then a pointer to an empty FreeList[n] can be returned, allowing the overwrite of management structures. [nico] 80 00 00 02 00 00 80 00 00 00 00 00 00 00 00 00 FreeList[7] is populated FreeList[16] is empty FreeLists Address Value Description 003601B0 00364D78 FreeList[7] ... ... ... 003601F8 003601F8 FreeList[16] Request for block 16 will create a new block and return it Modify bitmap Request for block 16 will return 003601F8 80 00 01 02 00 00 80 00 00 00 00 00 00 00 00 00 FreeLists Address Value Description 003601B0 00364D78 FreeList[7] ... ... ... 003601F8 XXXXXXXX Overwrite XXXXXXXX Overwrite XXXXXXXX Overwrite XXXXXXXX Overwrite XXXXXXXX Overwrite
Heap Management Structure - FreeList Bitmap If the Bitmap can be manipulated then a pointer to an empty FreeList[n] can be returned, allowing the overwrite of management structures. [nico] Part Of The Bitmap Loading Code 7C82C8AB MOVZX EAX,AH 7C82C8AE MOVSX EAX,BYTE PTR DS:[EAX+7C82BAB8] 7C82C8B5 ADD EAX,8 7C82C8B8 JMP ntdll.7C82C830 7C82C8BD MOVSX EAX,BYTE PTR DS:[ECX+7C82BAB8] 7C82C8C4 JMP ntdll.7C82C830 7C82C8C9 LEA EDX,DWORD PTR DS:[EBX+178] 7C82C8CF JMP ntdll.7C82C808 7C82C8D4 SHR EAX,18 7C82C8D7 MOVSX EAX,BYTE PTR DS:[EAX+7C82BAB8] 7C82C8DE ADD EAX,18 7C82C8E1 JMP ntdll.7C82C830 [ 7C82BAB8 ] A Static Pointer To A Bit Mask Table That Can Be Modified To Manipulate The Bitmap Result
Heap Management Structure – FreeList[n] Heap Management Address Value Description 00360178 00361e90 FreeList[0] 00360180 00360180 FreeList[n] FreeList[0] is similar to FreeList[n] but holds chunks > 1016 bytes 00360180 FLINK 00360184 BLINK Free Chunk Header Header Self Size Prev Size CK FL UN SI Links FLINK BLINK Free Chunk Header Header Self Size Prev Size CK FL UN SI Links FLINK BLINK Double Linked List connects free chunks together
Heap Management Structure - Commit Routine Pointer Heap Management Address Value Description 0036057C 00000000 Commit Routine Ptr 7C833BF9 MOV ECX,DWORD PTR DS:[EAX+57C] 7C833BFF TEST ECX,ECX 7C833C01 JNZ ntdll.7C852C9E ... 7C852C9E PUSH EBX 7C852C9F LEA EDX,DWORD PTR SS:[EBP+14] 7C852CA2 PUSH EDX 7C852CA3 PUSH EAX 7C852CA4 CALL ECX Initially set to nothing Custom function() called when committing more memory to the Heap This is a static pointer that can be overwritten to gain execution control Loaded into ECX and called
Heap Management Structure – Lookaside[n] Heap Management Address Value Description 00360688 00000000 Lookaside[n] 003606E8 Lookaside[2] Lookaside[0] and Lookaside[1] are not used 48 byte structure Lookaside List Header Address Description +00 Pointer To First Chunk +04 Depth +06 Max Depth +08 Allocation tracking for automatic Lookaside Fine Tuning +0C +10 ... Lookaside Chunk Header Header Self Size Prev Size CK FL UN SI Links FLINK Lookaside Chunk Header Header Self Size Prev Size CK FL UN SI Links FLINK
Heap Chunks Chunk On Lookaside Header Self Size Prev Size CK FL UN SI Links FLINK Data A Used Chunk Header Self Size Prev Size CK FL UN SI Data Chunk On FreeList Header Self Size Prev Size CK FL UN SI Links FLINK BLINK Data Chunk Flags 00 Free 01 Busy 02 Extra Present 04 Fill Pattern 08 Virtual Alloc 10 Last Entry 20 FFU1 40 FFU2 80 No Coalesce
Lookaside Lists Lookaside[n] FLINK 00000000 Lookaside Starts Empty Address FLINK 003620D0 00000000 Lookaside[n] FLINK 003620D0 Chunk Added To Top Of Lookaside Address FLINK 003620E8 003620D0 Lookaside[n] FLINK 003620E8 Chunk Added To Top Of Lookaside Address FLINK 003620D0 00000000 Address FLINK 00362100 003620E8 Lookaside[n] FLINK 00362100 Chunk Added To Top Of Lookaside Address FLINK 003620E8 003620D0 Address FLINK 003620D0 00000000 About To Allocate From The Lookaside[n] This Value Gets Copied Address FLINK 00362100 003620E8 Lookaside[n] FLINK 00362100 Address FLINK 003620E8 003620D0 Address FLINK 003620D0 00000000 Chunk Removed From Top Of Lookaside Lookaside[n] FLINK 003620E8 Address FLINK 003620E8 003620D0 Address FLINK 003620D0 00000000 Copied To Here There is no Safe Unlinking or Cookie check for Lookaside Lists Well known attack is to overwrite the FLINK of a chunk on a Lookaside. This will populate the Lookaside[n]->FLINK with an arbitrary value to be returned at allocation. Overwrite the FLINK of the top chunk Lookaside[n] FLINK 003620E8 Address FLINK 003620E8 XXXXXXXX Address FLINK 003620D0 00000000 Lookaside[n]->FLINK is corrupted Lookaside[n] FLINK XXXXXXXX
Freelist[n] Lists Lookaside[n] FLINK 00000000 Freelist Starts Empty Lookaside[n] FLINK 003620D0 Lookaside[n] FLINK 003620E8 Lookaside[n] FLINK 00362100 Lookaside[n] FLINK 00362100 Lookaside[n] FLINK 003620E8 Safe Unlinking and Cookie checks will prevent Unlinking Overwriting the Freelist[n]->BLINK will cause the address of the Free’d Chunk to be written to an arbitrary location Lookaside[n] FLINK 003620E8 Freelist[n] Address FLINK BLINK 00360190 00360190 00360190 Address FLINK BLINK 00362130 00360190 00360190 Chunk Added To Bottom Freelist[n] Address FLINK BLINK 00360190 00362130 00362130 Address FLINK BLINK 00362160 00360190 00362130 Chunk Added To Bottom Freelist[n] Address FLINK BLINK 00360190 00362130 00362160 Address FLINK BLINK 00362130 00362160 00360190 Chunk Removed From Bottom Freelist[n] Address FLINK BLINK 00360190 00362130 00362130 Address FLINK BLINK 00362130 00360190 00360190 Freelist Is Empty
Freelist[n] Lists Freelist Searching : If a freelist[n] of requested size not available bitmap is used to find larger populated freelist[n] Chunk Size : Size field of the chunk header used as offset to bitmap : Bitmap is updated on allocate/free if needed : Size field is used to calculate freelist[n] to free to Manipulating Size Field : Allocation can control bitmap flipping : Free can have chunk free’d to different lookaside/freelist Header Self Size Prev Size CK FL UN SI
Flipping Bitmap On Allocate Size Is Overwritten FLINK / BLINK Can Be Overwritten 7C82C8E6 MOVZX ECX,WORD PTR DS:[ESI] ; Load Self Size 7C82C8E9 MOV EDX,ECX .. 7C82C902 8DBC1A 58010000 LEA EDI,DWORD PTR DS:[EDX+EBX+158] Calculate Bitmap Bitmap Attack Explained Earlier Chunk On FreeList Header #### Prev Size CK FL UN SI Links FLINK BLINK Data If Last Chunk On Freelist Then Bitmap Updated If FLINK and BLINK Overwritten with Valid For Read and FLINK == BLINK Then Bitmap Updated
Free To Arbitrary Lookaside[n]/FreeList[n] Size Is Overwritten Cookie Is Left Intact Chunk To Be Freed Header #### Prev Size CK FL UN SI Data 7C829F1B MOVZX EAX,WORD PTR DS:[ESI] ; Load self size 7C829F1E MOV DWORD PTR SS:[EBP-20],EAX 7C829F21 CMP EAX,80 7C829F26 JNB ntdll.7C82A7BC 7C829F2C PUSH DWORD PTR SS:[EBP+10] 7C829F2F LEA EAX,DWORD PTR DS:[EAX+EAX*2] ; Calculate Lookaside 7C829F32 SHL EAX,4 7C829F35 ADD EAX,ECX 7C829F37 PUSH EAX 7C829F38 CALL ntdll.7C829F8F ; Push to Lookaside Freeing To Lookaside[n] Could This Be Useful When Filling In Gaps? 7C82A84C MOVZX EAX,WORD PTR SS:[EBP-20] ; Load selfsize 7C82A850 LEA EBX,DWORD PTR DS:[EDI+EAX*8+178] ; Calculate 7C82A857 MOV DWORD PTR SS:[EBP-88],EBX 7C82A85D CMP DWORD PTR DS:[EBX],EBX ; Check Freelist Freeing To Freelist[n] Coalescing Is A Problem That Needs To Be Dealt With
FreeList[0] - Free Address FLINK BLINK 00361E90 003622D0 00360178 Freelist[0] Address FLINK BLINK 00360178 00361E90 00362B60 Address FLINK BLINK 003622D0 00362B60 00361E90 Address FLINK BLINK 00362B60 00360178 003622D0 Populated Freelist[0] Load Freelist[0]->FLINK Check Size Is Larger Than Chunk Been Free’d Not Greater, Load Chunk->FLINK Check Size Is Great Than Chunk Been Free’d If It Is Greater Then Insert Chunk Exploitable Condition On Freelist[0] Insert
Exploiting FreeList[0] - Free Exploitable Condition On Freelist[0] Insert 7C82A982 CMP DX,WORD PTR DS:[EAX] ; Compare chunk size 7C82A985 JA ntdll.7C82FDC4 ; To large move to next 7C82A98B LEA EAX,DWORD PTR DS:[ESI+8] ; Header of free’d chunk 7C82A98E MOV DWORD PTR SS:[EBP-7C],EAX 7C82A991 MOV EDX,DWORD PTR DS:[ECX+4] ; Load BLINK of current chunk 7C82A994 MOV DWORD PTR SS:[EBP-84],EDX 7C82A99A MOV DWORD PTR DS:[EAX],ECX ; Set free’d->FLINK == current 7C82A99C MOV DWORD PTR DS:[EAX+4],EDX ; Set free’d->BLINK ==current->BLINK 7C82A99F MOV DWORD PTR DS:[EDX],EAX ; Write @free’d to [current->BLINK] 7C82A9A1 MOV DWORD PTR DS:[ECX+4],EAX ; Set current->BLINK == @free’d An Overwritten Chunk In Freelist[0] Can Be Exploited To Write The Address Of The Chunk Being Freed To An Arbitrary Location
Exploiting FreeList[0] - Free Exploitable Condition On Freelist[0] Insert Chunk To Be Freed @003622D0 8400 Prev Size CK FL UN SI Overwritten Chunk @00361E90 FFFF ???? ?? 02 ?? ?? FFFFFFFF 00360718 Place Where We Want To Write 003622D0 Could Be A Function Table, This Is A Lookaside Chunk To Be Freed @003622D0 8400 Prev Size CK FL UN SI 00361E90 00360718 Overwritten Chunk @00361E90 FFFF ???? ?? 02 ?? ?? FFFFFFFF 003622D0 Overwritten Lookaside Now Populated Three Requests And We Get Our Set Location Chunk Is Inserted Before The Overwritting Chunk. FLINK and BLINK updated
FreeList[0] - Allocate Address FLINK BLINK 00361E90 003622D0 00360178 Freelist[0] Address FLINK BLINK 00360178 00361E90 00362B60 Address FLINK BLINK 003622D0 00362B60 00361E90 Address FLINK BLINK 00362B60 00360178 003622D0 Populated Freelist[0] Load Freelist[0]->BLINK Check Size Is Large Enough For Request Load Freelist[0]->FLINK Check Size Is Large Enough For Request Too Small, Load Chunk->FLINK Check Size Is Large Enough For Request Large Enough, Return Chunk Exploitable Condition On Freelist[0] Allocate
Exploiting FreeList[0] - Searching Exploitable Condition On Freelist[0] Allocate - Searching Overwritten Chunk @003622C8 0100 ???? ?? ?? ?? ?? 00360188 ???????? Fake Chunk @00360180 8001 3600 80 01 36 00 00360188 00360188 Must Be Readable Must Be Readable = Requested Size (+1 block) Request Made For Size 0x0BF8 FLINK Points To Fake Chunk FLINK Points To Fake Chunk+8 Chunk Returned To Caller This Address Is In The Freelists
Allocation Relinking If Chunk Is Larger Than Request It Will Get Split Chunk Header Chunk Space Chunk Header Chunk Space New Chunk Header New Chunk Space New Header Is Written Into The Existing Chunk Space Chunk Header Chunk Space New Chunk Header New Chunk Space Chunk Returned To Caller Chunk Inserted Into FreeLists
Exploiting FreeList[0] - Relinking Exploitable Condition On Freelist[0] Allocate - Relinking Overwritten Chunk @003622C8 0202 ???? ?? ?? ?? ?? 0036057C READ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXX..... Request Made For Size Smaller Than Our Overwrite Fake Chunk @00360574 7005 3600 08 06 36 00 ???????? 00360688 Must Be Read/Write > Relink Chunk Size FLINK Points To Fake Chunk FLINK Points To Fake Chunk+8 Relink Chunk Address Written To 00360580 This Is The FrontEndHeap (Lookaside Base)
When Allocated Chunk Is To Large : Checked when allocation from other list : Chunk is cut to size, New header is written : Chunk is inserted to freelist[n] or freelist[0] : Size manipulated to put new chunk into arbitrary Freelist Splitting / Resizing 7C82A3DB CMP EBX,1 ; Larger than one block difference 7C82A3DE JE ntdll.7C82E5A4 7C82A3E4 MOV EAX,DWORD PTR SS:[EBP-48] ; Load requested size 7C82A3E7 LEA EDI,DWORD PTR DS:[ESI+EAX*8] ; Move to create the new chunk .. 7C82A3F3 MOV BYTE PTR DS:[EDI+5],CL ; Store new flag 7C82A3F6 MOV WORD PTR DS:[EDI+2],AX ; Store Prev Size .. 7C82A400 MOV WORD PTR DS:[EDI],BX ; Store new size 7C82A403 TEST CL,10 ; Is chunk new LAST CHUNK 7C82A406 JNZ ntdll.7C82A65E ; Jump if chunk is last chunk 7C82A40C LEA EAX,DWORD PTR DS:[EDI+EBX*8] ; Move to NEXT chunk based on size 7C82A40F MOV DWORD PTR SS:[EBP-50],EAX ; Will try and coalesce with next Can Skip By Setting As Last Chunk
When Chunk Is Free’d To Freelist : Size field is used to locate previous and next chunk : Requires valid FLINK/BLINK on chunks to colaesce : An overflow can control all of this to prevent coalesce Coalesced Chunks 7C82A6F6 JE SHORT ntdll.7C82A702 ; If prev size is 0 jump 7C82A6F8 TEST BYTE PTR DS:[ESI+5],1 ; Is prev chunk BUSY? 7C82A6FC JE ntdll.7C82CA7A ; If not then coalesce 7C82A702 TEST BYTE PTR DS:[EDI+5],10 ; Is our chunk the last chunk? 7C82A706 JNZ ntdll.7C82A7B3 ; If so can't coalesce 7C82A70C MOV EAX,DWORD PTR SS:[EBP+10] 7C82A70F MOV EAX,DWORD PTR DS:[EAX] ; Load our block size 7C82A711 LEA ESI,DWORD PTR DS:[EDI+EAX*8] ; Move to next chunk 7C82A714 TEST BYTE PTR DS:[ESI+5],1 ; Is next chunk BUSY? 7C82A718 JNZ ntdll.7C82A7B3 ; Yup, so don't colaesce Test Flag Of Previous Chunk Test Flag Of Next Chunk Header Self Size Prev Size CK FL UN SI
How To Prevent A Coalesce : Set the chunk being freed prev size to ZERO : Set the chunk being freed FLAG to last chunk : Set the chunk being freed self size > 0xFE00 : Set the prev/next chunks flag to PASS the BUSY check : Control the size to fake the prev/next chunks location Why Prevent A Coalesce() : Coalescing an overwritten chunk normally blows up : Linking, resizing, and relinking is very complex Preventing Coalesce
Coalesced Chunks ???? ???? ?? ?? ?? ?? DATA FFFF FFFF FF FF FF FF DATA Chunk A Data Stored In Chunk B We Overflowing BUSY Chunk BUSY Chunk Chunk A Will Be Free’d And We Want To Prevent Coalescing FFFF FFFF FF 01 FF FF DATA Keep The Flag Set To BUSY
Coalesced Chunks ???? ???? ?? ?? ?? ?? DATA FFFF FFFF FF FF FF FF DATA Chunk A Data Stored In Chunk B We Overflowing BUSY Chunk BUSY Chunk Chunk B Will Be Free’d And We Want To Prevent Coalescing FFFF FFFF FF 01 FF FF DATA 0200 0200 FF FF FF FF DATA FFFF FFFF FF 01 FF FF DATA Create Two Fake Chunks And Set Size In Header Of Chunk B To Point To The Fake Chunks Flag Set To Busy Create Two Fake Chunks And Set Size In Header Of Chunk B To Point To The Fake Chunks Flag Set To Busy
Coalesced Chunks ???? ???? ?? ?? ?? ?? DATA FFFF FFFF FF FF FF FF DATA Chunk A Data Stored In Chunk B We Overflowing BUSY Chunk BUSY Chunk Chunk B Will Be Free’d And We Want To Prevent Coalescing FFFF 0000 FF 10 FF FF DATA Set The Flag To Contain The Last Chunk Flag
How To Prevent A Free : Set the chunks flag to FAIL the BUSY check Why Prevent A Free() : Remove chunk from Lookaside Can be overwritten before allocation : Remove chunk from Freelist[] Flag gets reset on allocation Bypass Cookie Check : Will cause a heap exception, doesn’t stop execution Preventing A Free Move To Chunk Header Load Flag and Test If Busy
Example Removing Chunk From Lookaside Before Allocation After Free() Overwrite Flag Self Size Prev Size CK FL UN SI 0300 0300 06 01 0E 00 Self Size Prev Size CK FL UN SI 0101 0101 01 02 01 01 After Allocation
Top Chunk On A Lookaside Is Overwritten : Flags set to not BUSY, Flink set to 0x00000000 Clearing The Lookaside Before Allocation After Overwrite Allocation And Free Will Clear The Lookaside List Overwrite Flag And FLINK Self Size Prev Size CK FL UN SI 0300 0300 06 01 0E 00 00362100 Self Size Prev Size CK FL UN SI 0101 0101 01 02 01 01 00000000
The Steps : Exploit the heap : Overwrite a function pointer or other to gain execution : Flip the heap onto the stack to get ret-to-libc style control : Turn off Data Execution Protection (DEP) : Return to shellcode Exploit The Heap : Application dependant Overwrite A Function Pointer : Application dependant? The Exploitation Process
What Is Heap/Stack Flipping : Exploit data is on the heap : For fine grained control, it needs to be on the stack Requirements : Pointer to exploit data; on stack, in a register, in [reg +/- n] : Locate instructions to manipulate pointer and pop esp, ret : Overwrite function pointer to return to instructions Populate ESP With The Pointer To Exploit Data Heap / Stack Flipping PUSH EBX POP ESP POP EBP RET EBX -> DATA LEAVE RET EBP -> DATA ECX -> DATA MOV ESP,ECX RET 8 EAX-> DATA XCHG EAX,ESP RET
Heap / Stack Flipping Flipping Code Stack Exploit Data Registers Code Gets Executed
Heap / Stack Flipping New Stack Exploit Data New Registers Code That We Returned Into
Entirely Ret-to-Libc : Entire shellcode in ‘borrowed’ instructions : Inject into process that is not DEP enabled : Very difficult HeapCreate() : Create new heap with HEAP_CREATE_ENABLE_EXECUTE : Allocate new chunk, memcpy shellcode across : Doable, but sounds like a lot of work Registry : 'Image File Execution Options‘ : Would turn it off on a restart : Not really very helpful Bypassing DEP
SetProcessDEPPolicy() : Not available on 2003 Copy Shellcode To RWE Memory Page : Copy shellcode and then return to address VirtualProtect() : Use the PAGE_EXECUTE_READWRITE flag to reset heap : Return to shellcode Bypassing DEP
VirtualAlloc() : Allocate new memory with PAGE_EXECUTE_READWRITE : Address is returned in EAX : Copy shellcode and return to it NtSetInformationProcess() : Skape and Skywing ret-to-libc to deactivate DEP : Easier on windows 2003 Bypassing DEP NtSetInformationProcess( NtCurrentProcess(), // (HANDLE)-1 ProcessExecuteFlags, // 0x22 &ExecuteFlags, // ptr to 0x2 sizeof(ExecuteFlags)); // 0x4
Bypassing DEP Perfect Instruction Set NtSetInformationProcess( NtCurrentProcess(), // (HANDLE)-1 ProcessExecuteFlags, // 0x22 &ExecuteFlags, // ptr to 0x2 sizeof(ExecuteFlags)); // 0x4 Requires [ESI+37] To Be Writable Correctly Set Stack BUT!
Step By Step : The vulnerability : Reproduction : Understanding the bug : Finding an overwrite : Find a pointer : Flipping the heap to stack : Bypassing DEP : The working Heap Exploitation
The Vulnerability Citrix ImaSrv.exe TCP Port 2512 or 2513 User-supplied -> Memory Allocation Undersized Allocation Overflow The Heap Buffer Citrix TCP Port 2512 or 2513 User-supplied -> Memory Allocation ImaSrv.exe Overflow The Heap Buffer
Usual Integer Overflow : Usual ‘packet size bug’ Usual Basic Fuzz Test while !crashed { inc buffer length fill buffer with 0xFF send to TCP 2512 } Reproducing The Vulnerability Length Of Data DATA I Am Listening On TCP 2512 xFFxFFxFFxFF xFFxFFxFFxFFxFFxFF
Reproducing The Vulnerability A Crash A Crash ntdll! RtlAllocateHeap In the good ‘ol days, it would now be as easy as overwriting the UEF. But those days are over.
Need To Trace From Start To Finish : bp WSARecv and send overflow again Understanding The Bug WSARecv Stack Buffer Size Buffer Address
Need To Trace From Start To Finish : After WSARecv our buffer is loaded Understanding The Bug
Trace Through Code To Determine Paths : This code checks buffer sizes Understanding The Bug Load First DWORD Of Packet Into EAX Compare Against Size Of Current Buffer 0x408 Jump If Our Packet Specified A Size Larger Than 0x408
Trace Through Code To Determine Paths : Eventually get to here Understanding The Bug ESI == First DWORD From Packet EAX == ESI + 3C Is Going To Allocate A Buffer Of Size EAX EAX == ESI + 3C
But its not over yet : Trace down to ntdll!RTLAllocateHeap Understanding The Bug Allocate From Heap 00320000 Allocate 3B Bytes
Still Thats Just An Undersized Buffer : Keep tracing the code Understanding The Bug Bunch Of Stuff Is Written Into The New Buffer This Is A Custom Header And Is 0x3C Bytes Long EAX Points To The Newly Allocated Buffer
Finally.... : A memmove instruction overflows the buffer Understanding The Bug New Buffer+3C Packet Data This Is The Size Of The Packet That We Sent KABOOM!
The Result : We can cause the allocation of a size 0x01 – 0x03B : We can overflow the chunk with 0x408 bytes The Limitations : Can only allocate chunk 2 through to 9 That range is FFFFFFC5 == 0x01 == Chunk 2 To FFFFFFFF == 0x3b == Chunk 9 : The first 0x3C bytes are not controlled by us due to the custom header Understanding The Bug
So Now What? : We know we can cause an allocation of a lower chunk : Lets look at the Lookaside lists at the time of the allocation The Request LifeCycle WSARecv() RTLFreeHeap() RTLAllocateHeap() memmove()
The Lookaside Lists Lookaside[8] Has A Top Chunk That Sits After Lookaside[7] Top Chunk On All Runs AND The Difference Is Greater Than 0x3C 0x0a871cc8 – 0x0a871c60 = 0x68 0x0a871c38 – 0x0a871bd0 = 0x68 0x0a871d00 – 0x0a871c98 = 0x68
First Request : Request Lookaside[7] : Overwrite Lookaside[8] : Free Request Problem : If we now had two allocations of Lookaside[8] : But we only have one Solution : Set flag of top chunk of Lookaside[8] to be FREE : Then when free() is called it will be skipped Lets Try It
First Request : Request Lookaside[7] : Overwrite Lookaside[8] : Free Request Second Request : Request Lookaside[8] : Top Chunk Is Popped : Free Request Third Request : Request Lookaside[8], Our Address Is Returned Lets Try It
Function Pointer : Trace code looking for pointer : None found before WSARecv() What Address To Overwrite Lucky For Us That Winsock Uses Static Pointers 0x71C14044 Is A Static Pointer That Can Be Overwritten EAX Points To Stack
Winsock : Holds a structure : Structure holds pointer to function pointer table on the default heap Winsock Structure Static Pointer To Handle Load Address Of Pointer Table ‘Static Within Heap’ Call Function
Pointer Table Address : 0x142360 Set Lookaside Address : Need to account for header : Set lookaside to 0x01431D0 Overwrite The Pointer Table : We now control execution Set The Stack : EAX points to the pointer table : EAX points to our data : Search for a heap/stack flip Return Down The Stack : Return to Anti-DEP : Return to shellcode on pointer table Exploiting The Bug Heap/Stack Flip Local To Citrix DLLS
Da Greetz Acknowledgement to those who shared current information, some of which was used in this presentation Nico Caddis mxatone Acknowledgement to those who have published past heap research 0ded Shok Sotirov Sandip Chaudhari A. Anisimov N. Falliere Halvar Litchfield + All Others

Recommended

API Centrifugal Pump
API Centrifugal PumpAPI Centrifugal Pump
API Centrifugal Pump
MNButt
 
IPV6 Implémentation Best Practices & Retours d'Expérience
IPV6 Implémentation Best Practices & Retours d'ExpérienceIPV6 Implémentation Best Practices & Retours d'Expérience
IPV6 Implémentation Best Practices & Retours d'Expérience
Microsoft Technet France
 
SAP SD LSMW -Legacy System Migration Workbench
SAP SD LSMW -Legacy System Migration WorkbenchSAP SD LSMW -Legacy System Migration Workbench
SAP SD LSMW -Legacy System Migration Workbench
arun_bala1
 
Massey ferguson mf 283 tractor service parts catalogue manual (part number 3...
Massey ferguson mf 283 tractor service parts catalogue manual (part number 3...Massey ferguson mf 283 tractor service parts catalogue manual (part number 3...
Massey ferguson mf 283 tractor service parts catalogue manual (part number 3...
kfdjkskdmm
 
Factory setup wsa_9.2_v1.0
Factory setup wsa_9.2_v1.0Factory setup wsa_9.2_v1.0
Factory setup wsa_9.2_v1.0
Dhruv Sharma
 
Allstate
AllstateAllstate
Allstate
Adam Hudak
 
IMS Session Flow
IMS Session FlowIMS Session Flow
IMS Session Flow
Kent Loh
 
Scheda Tecnica Ford Mondeo
Scheda Tecnica Ford MondeoScheda Tecnica Ford Mondeo
Scheda Tecnica Ford Mondeo
autoblogpuntoit
 

Recommended

API Centrifugal Pump
API Centrifugal PumpAPI Centrifugal Pump
API Centrifugal Pump
MNButt
 
IPV6 Implémentation Best Practices & Retours d'Expérience
IPV6 Implémentation Best Practices & Retours d'ExpérienceIPV6 Implémentation Best Practices & Retours d'Expérience
IPV6 Implémentation Best Practices & Retours d'Expérience
Microsoft Technet France
 
SAP SD LSMW -Legacy System Migration Workbench
SAP SD LSMW -Legacy System Migration WorkbenchSAP SD LSMW -Legacy System Migration Workbench
SAP SD LSMW -Legacy System Migration Workbench
arun_bala1
 
Massey ferguson mf 283 tractor service parts catalogue manual (part number 3...
Massey ferguson mf 283 tractor service parts catalogue manual (part number 3...Massey ferguson mf 283 tractor service parts catalogue manual (part number 3...
Massey ferguson mf 283 tractor service parts catalogue manual (part number 3...
kfdjkskdmm
 
Factory setup wsa_9.2_v1.0
Factory setup wsa_9.2_v1.0Factory setup wsa_9.2_v1.0
Factory setup wsa_9.2_v1.0
Dhruv Sharma
 
Allstate
AllstateAllstate
Allstate
Adam Hudak
 
IMS Session Flow
IMS Session FlowIMS Session Flow
IMS Session Flow
Kent Loh
 
Scheda Tecnica Ford Mondeo
Scheda Tecnica Ford MondeoScheda Tecnica Ford Mondeo
Scheda Tecnica Ford Mondeo
autoblogpuntoit
 
Autenticación remota y servicios de directorio LDAP
Autenticación remota y servicios de directorio LDAPAutenticación remota y servicios de directorio LDAP
Autenticación remota y servicios de directorio LDAP
seguridadelinux
 
Nxll26 bgp ii
Nxll26 bgp iiNxll26 bgp ii
Nxll26 bgp ii
Netwax Lab
 
Jcb js220 tracked excavator service repair manual sn from 2451101 onwards
Jcb js220 tracked excavator service repair manual sn from 2451101 onwardsJcb js220 tracked excavator service repair manual sn from 2451101 onwards
Jcb js220 tracked excavator service repair manual sn from 2451101 onwards
fjskekqwefsmemm
 
Chapter 8 .vlan.pdf
Chapter 8 .vlan.pdfChapter 8 .vlan.pdf
Chapter 8 .vlan.pdf
manojkumar595505
 
Mécanismes de transition ipv6
Mécanismes de transition ipv6Mécanismes de transition ipv6
Mécanismes de transition ipv6
Aymen Bouzid
 
Cisco nexus series
Cisco nexus seriesCisco nexus series
Cisco nexus series
Anwesh Dixit
 
IPV6 INTRODUCTION
IPV6 INTRODUCTIONIPV6 INTRODUCTION
IPV6 INTRODUCTION
AVINASH JURIANI
 
Heap Base Exploitation
Heap Base ExploitationHeap Base Exploitation
Heap Base Exploitation
UTD Computer Security Group
 
Windows Debugging with WinDbg
Windows Debugging with WinDbgWindows Debugging with WinDbg
Windows Debugging with WinDbg
Arno Huetter
 
Protostar VM - Heap3
Protostar VM - Heap3Protostar VM - Heap3
Protostar VM - Heap3
UTD Computer Security Group
 
Faster transactions & analytics with the new SQL2016 In-memory technologies
Faster transactions & analytics with the new SQL2016 In-memory technologiesFaster transactions & analytics with the new SQL2016 In-memory technologies
Faster transactions & analytics with the new SQL2016 In-memory technologies
Henk van der Valk
 
Chapter 8 1 Digital Design and Computer Architecture, 2n.docx
Chapter 8 1 Digital Design and Computer Architecture, 2n.docxChapter 8 1 Digital Design and Computer Architecture, 2n.docx
Chapter 8 1 Digital Design and Computer Architecture, 2n.docx
christinemaritza
 
Kernel Pool
Kernel PoolKernel Pool
Kernel Pool
guest215c4e
 
Fundamentals of Physical Memory Analysis
Fundamentals of Physical Memory AnalysisFundamentals of Physical Memory Analysis
Fundamentals of Physical Memory Analysis
Dmitry Vostokov
 
MySQL 8 -- A new beginning : Sunshine PHP/PHP UK (updated)
MySQL 8 -- A new beginning : Sunshine PHP/PHP UK (updated)MySQL 8 -- A new beginning : Sunshine PHP/PHP UK (updated)
MySQL 8 -- A new beginning : Sunshine PHP/PHP UK (updated)
Dave Stokes
 
Debunking myths about_redo_ppt
Debunking myths about_redo_pptDebunking myths about_redo_ppt
Debunking myths about_redo_ppt
Riyaj Shamsudeen
 
MySQL 8.0 New Features -- September 27th presentation for Open Source Summit
MySQL 8.0 New Features -- September 27th presentation for Open Source SummitMySQL 8.0 New Features -- September 27th presentation for Open Source Summit
MySQL 8.0 New Features -- September 27th presentation for Open Source Summit
Dave Stokes
 
Beginbackup
BeginbackupBeginbackup
Beginbackup
oracle documents
 
Oracle 10g Performance: chapter 06 buffer cache
Oracle 10g Performance: chapter 06 buffer cacheOracle 10g Performance: chapter 06 buffer cache
Oracle 10g Performance: chapter 06 buffer cache
Kyle Hailey
 
Oracle Database InMemory
Oracle Database InMemoryOracle Database InMemory
Oracle Database InMemory
Jorge Barba
 
Linuxfest Northwest 2022 - MySQL 8.0 Nre Features
Linuxfest Northwest 2022 - MySQL 8.0 Nre FeaturesLinuxfest Northwest 2022 - MySQL 8.0 Nre Features
Linuxfest Northwest 2022 - MySQL 8.0 Nre Features
Dave Stokes
 
iOS Development with Blocks
iOS Development with BlocksiOS Development with Blocks
iOS Development with Blocks
Jeff Kelley
 

More Related Content

What's hot

Autenticación remota y servicios de directorio LDAP
Autenticación remota y servicios de directorio LDAPAutenticación remota y servicios de directorio LDAP
Autenticación remota y servicios de directorio LDAP
seguridadelinux
 
Nxll26 bgp ii
Nxll26 bgp iiNxll26 bgp ii
Nxll26 bgp ii
Netwax Lab
 
Jcb js220 tracked excavator service repair manual sn from 2451101 onwards
Jcb js220 tracked excavator service repair manual sn from 2451101 onwardsJcb js220 tracked excavator service repair manual sn from 2451101 onwards
Jcb js220 tracked excavator service repair manual sn from 2451101 onwards
fjskekqwefsmemm
 
Chapter 8 .vlan.pdf
Chapter 8 .vlan.pdfChapter 8 .vlan.pdf
Chapter 8 .vlan.pdf
manojkumar595505
 
Mécanismes de transition ipv6
Mécanismes de transition ipv6Mécanismes de transition ipv6
Mécanismes de transition ipv6
Aymen Bouzid
 
Cisco nexus series
Cisco nexus seriesCisco nexus series
Cisco nexus series
Anwesh Dixit
 
IPV6 INTRODUCTION
IPV6 INTRODUCTIONIPV6 INTRODUCTION
IPV6 INTRODUCTION
AVINASH JURIANI
 

What's hot (7)

Autenticación remota y servicios de directorio LDAP
Autenticación remota y servicios de directorio LDAPAutenticación remota y servicios de directorio LDAP
Autenticación remota y servicios de directorio LDAP
 
Nxll26 bgp ii
Nxll26 bgp iiNxll26 bgp ii
Nxll26 bgp ii
 
Jcb js220 tracked excavator service repair manual sn from 2451101 onwards
Jcb js220 tracked excavator service repair manual sn from 2451101 onwardsJcb js220 tracked excavator service repair manual sn from 2451101 onwards
Jcb js220 tracked excavator service repair manual sn from 2451101 onwards
 
Chapter 8 .vlan.pdf
Chapter 8 .vlan.pdfChapter 8 .vlan.pdf
Chapter 8 .vlan.pdf
 
Mécanismes de transition ipv6
Mécanismes de transition ipv6Mécanismes de transition ipv6
Mécanismes de transition ipv6
 
Cisco nexus series
Cisco nexus seriesCisco nexus series
Cisco nexus series
 
IPV6 INTRODUCTION
IPV6 INTRODUCTIONIPV6 INTRODUCTION
IPV6 INTRODUCTION
 

Similar to Heaps About Heaps - Brett Moore.ppt

Heap Base Exploitation
Heap Base ExploitationHeap Base Exploitation
Heap Base Exploitation
UTD Computer Security Group
 
Windows Debugging with WinDbg
Windows Debugging with WinDbgWindows Debugging with WinDbg
Windows Debugging with WinDbg
Arno Huetter
 
Protostar VM - Heap3
Protostar VM - Heap3Protostar VM - Heap3
Protostar VM - Heap3
UTD Computer Security Group
 
Faster transactions & analytics with the new SQL2016 In-memory technologies
Faster transactions & analytics with the new SQL2016 In-memory technologiesFaster transactions & analytics with the new SQL2016 In-memory technologies
Faster transactions & analytics with the new SQL2016 In-memory technologies
Henk van der Valk
 
Chapter 8 1 Digital Design and Computer Architecture, 2n.docx
Chapter 8 1 Digital Design and Computer Architecture, 2n.docxChapter 8 1 Digital Design and Computer Architecture, 2n.docx
Chapter 8 1 Digital Design and Computer Architecture, 2n.docx
christinemaritza
 
Kernel Pool
Kernel PoolKernel Pool
Kernel Pool
guest215c4e
 
Fundamentals of Physical Memory Analysis
Fundamentals of Physical Memory AnalysisFundamentals of Physical Memory Analysis
Fundamentals of Physical Memory Analysis
Dmitry Vostokov
 
MySQL 8 -- A new beginning : Sunshine PHP/PHP UK (updated)
MySQL 8 -- A new beginning : Sunshine PHP/PHP UK (updated)MySQL 8 -- A new beginning : Sunshine PHP/PHP UK (updated)
MySQL 8 -- A new beginning : Sunshine PHP/PHP UK (updated)
Dave Stokes
 
Debunking myths about_redo_ppt
Debunking myths about_redo_pptDebunking myths about_redo_ppt
Debunking myths about_redo_ppt
Riyaj Shamsudeen
 
MySQL 8.0 New Features -- September 27th presentation for Open Source Summit
MySQL 8.0 New Features -- September 27th presentation for Open Source SummitMySQL 8.0 New Features -- September 27th presentation for Open Source Summit
MySQL 8.0 New Features -- September 27th presentation for Open Source Summit
Dave Stokes
 
Beginbackup
BeginbackupBeginbackup
Beginbackup
oracle documents
 
Oracle 10g Performance: chapter 06 buffer cache
Oracle 10g Performance: chapter 06 buffer cacheOracle 10g Performance: chapter 06 buffer cache
Oracle 10g Performance: chapter 06 buffer cache
Kyle Hailey
 
Oracle Database InMemory
Oracle Database InMemoryOracle Database InMemory
Oracle Database InMemory
Jorge Barba
 
Linuxfest Northwest 2022 - MySQL 8.0 Nre Features
Linuxfest Northwest 2022 - MySQL 8.0 Nre FeaturesLinuxfest Northwest 2022 - MySQL 8.0 Nre Features
Linuxfest Northwest 2022 - MySQL 8.0 Nre Features
Dave Stokes
 
iOS Development with Blocks
iOS Development with BlocksiOS Development with Blocks
iOS Development with Blocks
Jeff Kelley
 
Fundamentals of Complete Crash and Hang Memory Dump Analysis (Revision 2)
Fundamentals of Complete Crash and Hang Memory Dump Analysis (Revision 2)Fundamentals of Complete Crash and Hang Memory Dump Analysis (Revision 2)
Fundamentals of Complete Crash and Hang Memory Dump Analysis (Revision 2)
Dmitry Vostokov
 
Sql server scalability fundamentals
Sql server scalability fundamentalsSql server scalability fundamentals
Sql server scalability fundamentals
Chris Adkin
 
Oracle NOLOGGING
Oracle NOLOGGINGOracle NOLOGGING
Oracle NOLOGGING
Franck Pachot
 
Direct SGA access without SQL
Direct SGA access without SQLDirect SGA access without SQL
Direct SGA access without SQL
Kyle Hailey
 
Fundamentals of Complete Crash and Hang Memory Dump Analysis
Fundamentals of Complete Crash and Hang Memory Dump AnalysisFundamentals of Complete Crash and Hang Memory Dump Analysis
Fundamentals of Complete Crash and Hang Memory Dump Analysis
Dmitry Vostokov
 

Similar to Heaps About Heaps - Brett Moore.ppt (20)

Heap Base Exploitation
Heap Base ExploitationHeap Base Exploitation
Heap Base Exploitation
 
Windows Debugging with WinDbg
Windows Debugging with WinDbgWindows Debugging with WinDbg
Windows Debugging with WinDbg
 
Protostar VM - Heap3
Protostar VM - Heap3Protostar VM - Heap3
Protostar VM - Heap3
 
Faster transactions & analytics with the new SQL2016 In-memory technologies
Faster transactions & analytics with the new SQL2016 In-memory technologiesFaster transactions & analytics with the new SQL2016 In-memory technologies
Faster transactions & analytics with the new SQL2016 In-memory technologies
 
Chapter 8 1 Digital Design and Computer Architecture, 2n.docx
Chapter 8 1 Digital Design and Computer Architecture, 2n.docxChapter 8 1 Digital Design and Computer Architecture, 2n.docx
Chapter 8 1 Digital Design and Computer Architecture, 2n.docx
 
Kernel Pool
Kernel PoolKernel Pool
Kernel Pool
 
Fundamentals of Physical Memory Analysis
Fundamentals of Physical Memory AnalysisFundamentals of Physical Memory Analysis
Fundamentals of Physical Memory Analysis
 
MySQL 8 -- A new beginning : Sunshine PHP/PHP UK (updated)
MySQL 8 -- A new beginning : Sunshine PHP/PHP UK (updated)MySQL 8 -- A new beginning : Sunshine PHP/PHP UK (updated)
MySQL 8 -- A new beginning : Sunshine PHP/PHP UK (updated)
 
Debunking myths about_redo_ppt
Debunking myths about_redo_pptDebunking myths about_redo_ppt
Debunking myths about_redo_ppt
 
MySQL 8.0 New Features -- September 27th presentation for Open Source Summit
MySQL 8.0 New Features -- September 27th presentation for Open Source SummitMySQL 8.0 New Features -- September 27th presentation for Open Source Summit
MySQL 8.0 New Features -- September 27th presentation for Open Source Summit
 
Beginbackup
BeginbackupBeginbackup
Beginbackup
 
Oracle 10g Performance: chapter 06 buffer cache
Oracle 10g Performance: chapter 06 buffer cacheOracle 10g Performance: chapter 06 buffer cache
Oracle 10g Performance: chapter 06 buffer cache
 
Oracle Database InMemory
Oracle Database InMemoryOracle Database InMemory
Oracle Database InMemory
 
Linuxfest Northwest 2022 - MySQL 8.0 Nre Features
Linuxfest Northwest 2022 - MySQL 8.0 Nre FeaturesLinuxfest Northwest 2022 - MySQL 8.0 Nre Features
Linuxfest Northwest 2022 - MySQL 8.0 Nre Features
 
iOS Development with Blocks
iOS Development with BlocksiOS Development with Blocks
iOS Development with Blocks
 
Fundamentals of Complete Crash and Hang Memory Dump Analysis (Revision 2)
Fundamentals of Complete Crash and Hang Memory Dump Analysis (Revision 2)Fundamentals of Complete Crash and Hang Memory Dump Analysis (Revision 2)
Fundamentals of Complete Crash and Hang Memory Dump Analysis (Revision 2)
 
Sql server scalability fundamentals
Sql server scalability fundamentalsSql server scalability fundamentals
Sql server scalability fundamentals
 
Oracle NOLOGGING
Oracle NOLOGGINGOracle NOLOGGING
Oracle NOLOGGING
 
Direct SGA access without SQL
Direct SGA access without SQLDirect SGA access without SQL
Direct SGA access without SQL
 
Fundamentals of Complete Crash and Hang Memory Dump Analysis
Fundamentals of Complete Crash and Hang Memory Dump AnalysisFundamentals of Complete Crash and Hang Memory Dump Analysis
Fundamentals of Complete Crash and Hang Memory Dump Analysis
 

Recently uploaded

4. Mosca vol I -Fisica-Tipler-5ta-Edicion-Vol-1.pdf
4. Mosca vol I -Fisica-Tipler-5ta-Edicion-Vol-1.pdf4. Mosca vol I -Fisica-Tipler-5ta-Edicion-Vol-1.pdf
4. Mosca vol I -Fisica-Tipler-5ta-Edicion-Vol-1.pdf
Gino153088
 
Object Oriented Analysis and Design - OOAD
Object Oriented Analysis and Design - OOADObject Oriented Analysis and Design - OOAD
Object Oriented Analysis and Design - OOAD
PreethaV16
 
Prediction of Electrical Energy Efficiency Using Information on Consumer's Ac...
Prediction of Electrical Energy Efficiency Using Information on Consumer's Ac...Prediction of Electrical Energy Efficiency Using Information on Consumer's Ac...
Prediction of Electrical Energy Efficiency Using Information on Consumer's Ac...
PriyankaKilaniya
 
Accident detection system project report.pdf
Accident detection system project report.pdfAccident detection system project report.pdf
Accident detection system project report.pdf
Kamal Acharya
 
SENTIMENT ANALYSIS ON PPT AND Project template_.pptx
SENTIMENT ANALYSIS ON PPT AND Project template_.pptxSENTIMENT ANALYSIS ON PPT AND Project template_.pptx
SENTIMENT ANALYSIS ON PPT AND Project template_.pptx
b0754201
 
AI + Data Community Tour - Build the Next Generation of Apps with the Einstei...
AI + Data Community Tour - Build the Next Generation of Apps with the Einstei...AI + Data Community Tour - Build the Next Generation of Apps with the Einstei...
AI + Data Community Tour - Build the Next Generation of Apps with the Einstei...
Paris Salesforce Developer Group
 
AI-Based Home Security System : Home security
AI-Based Home Security System : Home securityAI-Based Home Security System : Home security
AI-Based Home Security System : Home security
AIRCC Publishing Corporation
 
ITSM Integration with MuleSoft.pptx
ITSM Integration with MuleSoft.pptxITSM Integration with MuleSoft.pptx
ITSM Integration with MuleSoft.pptx
VANDANAMOHANGOUDA
 
smart pill dispenser is designed to improve medication adherence and safety f...
smart pill dispenser is designed to improve medication adherence and safety f...smart pill dispenser is designed to improve medication adherence and safety f...
smart pill dispenser is designed to improve medication adherence and safety f...
um7474492
 
Open Channel Flow: fluid flow with a free surface
Open Channel Flow: fluid flow with a free surfaceOpen Channel Flow: fluid flow with a free surface
Open Channel Flow: fluid flow with a free surface
Indrajeet sahu
 
An Introduction to the Compiler Designss
An Introduction to the Compiler DesignssAn Introduction to the Compiler Designss
An Introduction to the Compiler Designss
ElakkiaU
 
SCALING OF MOS CIRCUITS m .pptx
SCALING OF MOS CIRCUITS m .pptxSCALING OF MOS CIRCUITS m .pptx
SCALING OF MOS CIRCUITS m .pptx
harshapolam10
 
LLM Fine Tuning with QLoRA Cassandra Lunch 4, presented by Anant
LLM Fine Tuning with QLoRA Cassandra Lunch 4, presented by AnantLLM Fine Tuning with QLoRA Cassandra Lunch 4, presented by Anant
LLM Fine Tuning with QLoRA Cassandra Lunch 4, presented by Anant
Anant Corporation
 
Mechanical Engineering on AAI Summer Training Report-003.pdf
Mechanical Engineering on AAI Summer Training Report-003.pdfMechanical Engineering on AAI Summer Training Report-003.pdf
Mechanical Engineering on AAI Summer Training Report-003.pdf
21UME003TUSHARDEB
 
NATURAL DEEP EUTECTIC SOLVENTS AS ANTI-FREEZING AGENT
NATURAL DEEP EUTECTIC SOLVENTS AS ANTI-FREEZING AGENTNATURAL DEEP EUTECTIC SOLVENTS AS ANTI-FREEZING AGENT
NATURAL DEEP EUTECTIC SOLVENTS AS ANTI-FREEZING AGENT
Addu25809
 
5G Radio Network Througput Problem Analysis HCIA.pdf
5G Radio Network Througput Problem Analysis HCIA.pdf5G Radio Network Througput Problem Analysis HCIA.pdf
5G Radio Network Througput Problem Analysis HCIA.pdf
AlvianRamadhani5
 
Introduction to Computer Networks & OSI MODEL.ppt
Introduction to Computer Networks & OSI MODEL.pptIntroduction to Computer Networks & OSI MODEL.ppt
Introduction to Computer Networks & OSI MODEL.ppt
Dwarkadas J Sanghvi College of Engineering
 
Transformers design and coooling methods
Transformers design and coooling methodsTransformers design and coooling methods
Transformers design and coooling methods
Roger Rozario
 
Tools & Techniques for Commissioning and Maintaining PV Systems W-Animations ...
Tools & Techniques for Commissioning and Maintaining PV Systems W-Animations ...Tools & Techniques for Commissioning and Maintaining PV Systems W-Animations ...
Tools & Techniques for Commissioning and Maintaining PV Systems W-Animations ...
Transcat
 
OOPS_Lab_Manual - programs using C++ programming language
OOPS_Lab_Manual - programs using C++ programming languageOOPS_Lab_Manual - programs using C++ programming language
OOPS_Lab_Manual - programs using C++ programming language
PreethaV16
 

Recently uploaded (20)

4. Mosca vol I -Fisica-Tipler-5ta-Edicion-Vol-1.pdf
4. Mosca vol I -Fisica-Tipler-5ta-Edicion-Vol-1.pdf4. Mosca vol I -Fisica-Tipler-5ta-Edicion-Vol-1.pdf
4. Mosca vol I -Fisica-Tipler-5ta-Edicion-Vol-1.pdf
 
Object Oriented Analysis and Design - OOAD
Object Oriented Analysis and Design - OOADObject Oriented Analysis and Design - OOAD
Object Oriented Analysis and Design - OOAD
 
Prediction of Electrical Energy Efficiency Using Information on Consumer's Ac...
Prediction of Electrical Energy Efficiency Using Information on Consumer's Ac...Prediction of Electrical Energy Efficiency Using Information on Consumer's Ac...
Prediction of Electrical Energy Efficiency Using Information on Consumer's Ac...
 
Accident detection system project report.pdf
Accident detection system project report.pdfAccident detection system project report.pdf
Accident detection system project report.pdf
 
SENTIMENT ANALYSIS ON PPT AND Project template_.pptx
SENTIMENT ANALYSIS ON PPT AND Project template_.pptxSENTIMENT ANALYSIS ON PPT AND Project template_.pptx
SENTIMENT ANALYSIS ON PPT AND Project template_.pptx
 
AI + Data Community Tour - Build the Next Generation of Apps with the Einstei...
AI + Data Community Tour - Build the Next Generation of Apps with the Einstei...AI + Data Community Tour - Build the Next Generation of Apps with the Einstei...
AI + Data Community Tour - Build the Next Generation of Apps with the Einstei...
 
AI-Based Home Security System : Home security
AI-Based Home Security System : Home securityAI-Based Home Security System : Home security
AI-Based Home Security System : Home security
 
ITSM Integration with MuleSoft.pptx
ITSM Integration with MuleSoft.pptxITSM Integration with MuleSoft.pptx
ITSM Integration with MuleSoft.pptx
 
smart pill dispenser is designed to improve medication adherence and safety f...
smart pill dispenser is designed to improve medication adherence and safety f...smart pill dispenser is designed to improve medication adherence and safety f...
smart pill dispenser is designed to improve medication adherence and safety f...
 
Open Channel Flow: fluid flow with a free surface
Open Channel Flow: fluid flow with a free surfaceOpen Channel Flow: fluid flow with a free surface
Open Channel Flow: fluid flow with a free surface
 
An Introduction to the Compiler Designss
An Introduction to the Compiler DesignssAn Introduction to the Compiler Designss
An Introduction to the Compiler Designss
 
SCALING OF MOS CIRCUITS m .pptx
SCALING OF MOS CIRCUITS m .pptxSCALING OF MOS CIRCUITS m .pptx
SCALING OF MOS CIRCUITS m .pptx
 
LLM Fine Tuning with QLoRA Cassandra Lunch 4, presented by Anant
LLM Fine Tuning with QLoRA Cassandra Lunch 4, presented by AnantLLM Fine Tuning with QLoRA Cassandra Lunch 4, presented by Anant
LLM Fine Tuning with QLoRA Cassandra Lunch 4, presented by Anant
 
Mechanical Engineering on AAI Summer Training Report-003.pdf
Mechanical Engineering on AAI Summer Training Report-003.pdfMechanical Engineering on AAI Summer Training Report-003.pdf
Mechanical Engineering on AAI Summer Training Report-003.pdf
 
NATURAL DEEP EUTECTIC SOLVENTS AS ANTI-FREEZING AGENT
NATURAL DEEP EUTECTIC SOLVENTS AS ANTI-FREEZING AGENTNATURAL DEEP EUTECTIC SOLVENTS AS ANTI-FREEZING AGENT
NATURAL DEEP EUTECTIC SOLVENTS AS ANTI-FREEZING AGENT
 
5G Radio Network Througput Problem Analysis HCIA.pdf
5G Radio Network Througput Problem Analysis HCIA.pdf5G Radio Network Througput Problem Analysis HCIA.pdf
5G Radio Network Througput Problem Analysis HCIA.pdf
 
Introduction to Computer Networks & OSI MODEL.ppt
Introduction to Computer Networks & OSI MODEL.pptIntroduction to Computer Networks & OSI MODEL.ppt
Introduction to Computer Networks & OSI MODEL.ppt
 
Transformers design and coooling methods
Transformers design and coooling methodsTransformers design and coooling methods
Transformers design and coooling methods
 
Tools & Techniques for Commissioning and Maintaining PV Systems W-Animations ...
Tools & Techniques for Commissioning and Maintaining PV Systems W-Animations ...Tools & Techniques for Commissioning and Maintaining PV Systems W-Animations ...
Tools & Techniques for Commissioning and Maintaining PV Systems W-Animations ...
 
OOPS_Lab_Manual - programs using C++ programming language
OOPS_Lab_Manual - programs using C++ programming languageOOPS_Lab_Manual - programs using C++ programming language
OOPS_Lab_Manual - programs using C++ programming language
 

Heaps About Heaps - Brett Moore.ppt

  • 2. Windows 2003 : Windows 2003 SP2 : Still most widely used windows server OS : Still not a lot of heap exploits released : Still not a lot of heap research released : Vista -> Ben Hawkes BHUS08 Heap Explotation : How the heap works : Freelists vs Lookaside : Exploitation Techniques Heap Exploit Walkthrough : From start to finish This Talk Covers
  • 3. Multiple Heaps : Process has default heap : Can create separate heaps for different uses : Some loaded .dll create their own heap : Some .dlls hold pointer to the heap they use State Of The Heap : Server restart : Service restart : First request : Long time live, multiple previous requests Things That Matter : Everything, IP address, server name, day of the week Windows Heap
  • 4. Safe Unlinking : On unlink, coalesce, relink from freelist : Causes the link/unlink to fail if addresses readable : Raises a handled exception, execution proceeds : Chunk address still returned to caller Cookie Check : Cookie checked on free : Invalid cookie prevents relinking of chunk HeapSetInformation() : HeapEnableTerminateOnCorruption() : Windows Vista and Windows Server 2008 Heap Exploit Difficulties Need To Get Creative In Exploitation Methods
  • 5. Initial Heap Heap Management Last Free Chunk Header Last Free Chunk Space A Heap In Motion The heap object initially starts as an empty contiguous block of memory. Two structures are written into the heap. The Heap Management structure contains information regarding the heap object, and tracks the heap chunks. There is always one Free Chunk in the heap object and it points to the free space at the end of the heap.
  • 6. Initial Heap Heap Management Last Free Chunk Header Last Free Chunk Space The Heap In Motion Allocated A,B,C Heap Management Chunk A Header Chunk A Space Chunk B Header Chunk B Space Chunk C Header Chunk C Space Last Free Chunk Header Last Free Chunk Space After the allocation of three memory chunks, the heap layout now looks like this
  • 7. Initial Heap Heap Management Last Free Chunk Header Last Free Chunk Space The Heap In Motion Allocated A,B,C Heap Management Chunk A Header Chunk A Space Chunk B Header Chunk B Space Chunk C Header Chunk C Space Last Free Chunk Header Last Free Chunk Space Free B Heap Management Chunk A Header Chunk A Space Free Chunk Header Free Chunk Space Chunk C Header Chunk C Space Last Free Chunk Header Last Free Chunk Space Freeing a chunk in between two busy chunks, creates a Free Chunk
  • 8. Initial Heap Heap Management Last Free Chunk Header Last Free Chunk Space The Heap In Motion Allocated A,B,C Heap Management Chunk A Header Chunk A Space Chunk B Header Chunk B Space Chunk C Header Chunk C Space Last Free Chunk Header Last Free Chunk Space Free B Heap Management Chunk A Header Chunk A Space Free Chunk Header Free Chunk Space Chunk C Header Chunk C Space Last Free Chunk Header Last Free Chunk Space Free A Heap Management Free Chunk Header Free Chunk Space Chunk C Header Chunk C Space Last Free Chunk Header Last Free Chunk Space Free chunks that sit next to each other are joined (Coalesced) together.
  • 9. Heap Management Structure Heap Management Address Value Description 00360000 Base Address 0036000C 00000002 Flags 00360010 00000000 ForceFlags 00360014 0000FE00 VirtualMemoryThreshold 00360050 00360050 VirtualAllocatedBlocks List 00360158 00000000 FreeList Bitmap 00360178 00361E90 FreeList[0] 00360180 00360180 FreeList[n] 00360578 00360608 HeapLockSection 0036057C 00000000 Commit Routine Ptr 00360580 00360688 FrontEndHeap 00360586 00000001 FrontEndHeapType 00360678 00361E88 Last Free Chunk 00360688 00000000 Lookaside[n] All offsets are from the base of the Heap Object These Flags hold settings such as isDebug, Exception Raising, and Executable Heap The maximum size of an allocation before a Virtual Memory allocation is performed Linked list of blocks allocated from Virtual Memory A four DWORD bitmask with each bit set if the corresponding FreeList[n] is populated Pointer to the first chunk in FreeList[0] FreeList[0] is used to store Free Chunks > 1016 bytes Start of double linked lists to store Free Chunks Pointer to CriticalSection that is used to lock the heap during changes Pointer to Function() that is called when the heap is expanded and more pages committed Pointer to the front end allocator. This is a pointer to the Lookaside Flag that stores settings about the front end allocator Pointer to the Last Free Chunk in the heap Start of the 48 byte Lookaside list headers
  • 10. Heap Management Structure - Virtual Memory Allocation Heap Management Address Value Description 00360014 0000FE00 VirtualMemoryThreshold 00360050 00360050 VirtualAllocatedBlocks List 00360050 FLINK 00360054 BLINK 7C82AE14 CMP EDI,DWORD PTR DS:[EBX+14] 7C82AE17 JBE ntdll.7C82A2FC ... 7C82AE8E LEA EAX,DWORD PTR DS:[EBX+50] ... 7C82AE97 MOV EDX,DWORD PTR DS:[EAX+4] ... 7C82AEA0 MOV DWORD PTR DS:[ECX],EAX 7C82AEA2 MOV DWORD PTR DS:[ECX+4],EDX 7C82AEA5 MOV DWORD PTR DS:[EDX],ECX 7C82AEA7 MOV DWORD PTR DS:[EAX+4],ECX EBX is set to Base Address Check threshold Load BLINK Write @NewChunk to @BLINK+4 ECX is @NewChunk If the VirtualAllocatedBlocks->BLINK can be overwritten then the address of the NewChunk can be written to an arbitrary location
  • 11. Heap Management Structure - FreeList Bitmap Heap Management Address Value Description 00360158 00000000 FreeList Bitmap 7C82A291 LEA ESI,DWORD PTR DS:[EBX+EDX*4+158] ... 7C82A2A8 AND EAX,DWORD PTR DS:[ESI] ... 7C82A2B8 JNZ ntdll.7C82CB46 7C82A2BE TEST EAX,EAX 7C82A2C0 JNZ ntdll.7C82C8C9 7C82A2C6 MOV EAX,DWORD PTR DS:[ESI] Bitmap is checked when looking for a FreeList[n] that fits the request Bitmap is populated when chunk added to FreeList[n] If a match is found then the corresponding FreeList[n] is used for the allocation. If the Bitmap can be manipulated then a pointer to an empty FreeList[n] can be returned, allowing the overwrite of management structures. [nico] 80 00 00 02 00 00 80 00 00 00 00 00 00 00 00 00 0-7 24-31 48-55
  • 12. Heap Management Structure - FreeList Bitmap Heap Management Address Value Description 00360158 00000000 FreeList Bitmap If the Bitmap can be manipulated then a pointer to an empty FreeList[n] can be returned, allowing the overwrite of management structures. [nico] 80 00 00 02 00 00 80 00 00 00 00 00 00 00 00 00 FreeList[7] is populated FreeList[16] is empty FreeLists Address Value Description 003601B0 00364D78 FreeList[7] ... ... ... 003601F8 003601F8 FreeList[16] Request for block 16 will create a new block and return it Modify bitmap Request for block 16 will return 003601F8 80 00 01 02 00 00 80 00 00 00 00 00 00 00 00 00 FreeLists Address Value Description 003601B0 00364D78 FreeList[7] ... ... ... 003601F8 XXXXXXXX Overwrite XXXXXXXX Overwrite XXXXXXXX Overwrite XXXXXXXX Overwrite XXXXXXXX Overwrite
  • 13. Heap Management Structure - FreeList Bitmap If the Bitmap can be manipulated then a pointer to an empty FreeList[n] can be returned, allowing the overwrite of management structures. [nico] Part Of The Bitmap Loading Code 7C82C8AB MOVZX EAX,AH 7C82C8AE MOVSX EAX,BYTE PTR DS:[EAX+7C82BAB8] 7C82C8B5 ADD EAX,8 7C82C8B8 JMP ntdll.7C82C830 7C82C8BD MOVSX EAX,BYTE PTR DS:[ECX+7C82BAB8] 7C82C8C4 JMP ntdll.7C82C830 7C82C8C9 LEA EDX,DWORD PTR DS:[EBX+178] 7C82C8CF JMP ntdll.7C82C808 7C82C8D4 SHR EAX,18 7C82C8D7 MOVSX EAX,BYTE PTR DS:[EAX+7C82BAB8] 7C82C8DE ADD EAX,18 7C82C8E1 JMP ntdll.7C82C830 [ 7C82BAB8 ] A Static Pointer To A Bit Mask Table That Can Be Modified To Manipulate The Bitmap Result
  • 14. Heap Management Structure – FreeList[n] Heap Management Address Value Description 00360178 00361e90 FreeList[0] 00360180 00360180 FreeList[n] FreeList[0] is similar to FreeList[n] but holds chunks > 1016 bytes 00360180 FLINK 00360184 BLINK Free Chunk Header Header Self Size Prev Size CK FL UN SI Links FLINK BLINK Free Chunk Header Header Self Size Prev Size CK FL UN SI Links FLINK BLINK Double Linked List connects free chunks together
  • 15. Heap Management Structure - Commit Routine Pointer Heap Management Address Value Description 0036057C 00000000 Commit Routine Ptr 7C833BF9 MOV ECX,DWORD PTR DS:[EAX+57C] 7C833BFF TEST ECX,ECX 7C833C01 JNZ ntdll.7C852C9E ... 7C852C9E PUSH EBX 7C852C9F LEA EDX,DWORD PTR SS:[EBP+14] 7C852CA2 PUSH EDX 7C852CA3 PUSH EAX 7C852CA4 CALL ECX Initially set to nothing Custom function() called when committing more memory to the Heap This is a static pointer that can be overwritten to gain execution control Loaded into ECX and called
  • 16. Heap Management Structure – Lookaside[n] Heap Management Address Value Description 00360688 00000000 Lookaside[n] 003606E8 Lookaside[2] Lookaside[0] and Lookaside[1] are not used 48 byte structure Lookaside List Header Address Description +00 Pointer To First Chunk +04 Depth +06 Max Depth +08 Allocation tracking for automatic Lookaside Fine Tuning +0C +10 ... Lookaside Chunk Header Header Self Size Prev Size CK FL UN SI Links FLINK Lookaside Chunk Header Header Self Size Prev Size CK FL UN SI Links FLINK
  • 17. Heap Chunks Chunk On Lookaside Header Self Size Prev Size CK FL UN SI Links FLINK Data A Used Chunk Header Self Size Prev Size CK FL UN SI Data Chunk On FreeList Header Self Size Prev Size CK FL UN SI Links FLINK BLINK Data Chunk Flags 00 Free 01 Busy 02 Extra Present 04 Fill Pattern 08 Virtual Alloc 10 Last Entry 20 FFU1 40 FFU2 80 No Coalesce
  • 18. Lookaside Lists Lookaside[n] FLINK 00000000 Lookaside Starts Empty Address FLINK 003620D0 00000000 Lookaside[n] FLINK 003620D0 Chunk Added To Top Of Lookaside Address FLINK 003620E8 003620D0 Lookaside[n] FLINK 003620E8 Chunk Added To Top Of Lookaside Address FLINK 003620D0 00000000 Address FLINK 00362100 003620E8 Lookaside[n] FLINK 00362100 Chunk Added To Top Of Lookaside Address FLINK 003620E8 003620D0 Address FLINK 003620D0 00000000 About To Allocate From The Lookaside[n] This Value Gets Copied Address FLINK 00362100 003620E8 Lookaside[n] FLINK 00362100 Address FLINK 003620E8 003620D0 Address FLINK 003620D0 00000000 Chunk Removed From Top Of Lookaside Lookaside[n] FLINK 003620E8 Address FLINK 003620E8 003620D0 Address FLINK 003620D0 00000000 Copied To Here There is no Safe Unlinking or Cookie check for Lookaside Lists Well known attack is to overwrite the FLINK of a chunk on a Lookaside. This will populate the Lookaside[n]->FLINK with an arbitrary value to be returned at allocation. Overwrite the FLINK of the top chunk Lookaside[n] FLINK 003620E8 Address FLINK 003620E8 XXXXXXXX Address FLINK 003620D0 00000000 Lookaside[n]->FLINK is corrupted Lookaside[n] FLINK XXXXXXXX
  • 19. Freelist[n] Lists Lookaside[n] FLINK 00000000 Freelist Starts Empty Lookaside[n] FLINK 003620D0 Lookaside[n] FLINK 003620E8 Lookaside[n] FLINK 00362100 Lookaside[n] FLINK 00362100 Lookaside[n] FLINK 003620E8 Safe Unlinking and Cookie checks will prevent Unlinking Overwriting the Freelist[n]->BLINK will cause the address of the Free’d Chunk to be written to an arbitrary location Lookaside[n] FLINK 003620E8 Freelist[n] Address FLINK BLINK 00360190 00360190 00360190 Address FLINK BLINK 00362130 00360190 00360190 Chunk Added To Bottom Freelist[n] Address FLINK BLINK 00360190 00362130 00362130 Address FLINK BLINK 00362160 00360190 00362130 Chunk Added To Bottom Freelist[n] Address FLINK BLINK 00360190 00362130 00362160 Address FLINK BLINK 00362130 00362160 00360190 Chunk Removed From Bottom Freelist[n] Address FLINK BLINK 00360190 00362130 00362130 Address FLINK BLINK 00362130 00360190 00360190 Freelist Is Empty
  • 20. Freelist[n] Lists Freelist Searching : If a freelist[n] of requested size not available bitmap is used to find larger populated freelist[n] Chunk Size : Size field of the chunk header used as offset to bitmap : Bitmap is updated on allocate/free if needed : Size field is used to calculate freelist[n] to free to Manipulating Size Field : Allocation can control bitmap flipping : Free can have chunk free’d to different lookaside/freelist Header Self Size Prev Size CK FL UN SI
  • 21. Flipping Bitmap On Allocate Size Is Overwritten FLINK / BLINK Can Be Overwritten 7C82C8E6 MOVZX ECX,WORD PTR DS:[ESI] ; Load Self Size 7C82C8E9 MOV EDX,ECX .. 7C82C902 8DBC1A 58010000 LEA EDI,DWORD PTR DS:[EDX+EBX+158] Calculate Bitmap Bitmap Attack Explained Earlier Chunk On FreeList Header #### Prev Size CK FL UN SI Links FLINK BLINK Data If Last Chunk On Freelist Then Bitmap Updated If FLINK and BLINK Overwritten with Valid For Read and FLINK == BLINK Then Bitmap Updated
  • 22. Free To Arbitrary Lookaside[n]/FreeList[n] Size Is Overwritten Cookie Is Left Intact Chunk To Be Freed Header #### Prev Size CK FL UN SI Data 7C829F1B MOVZX EAX,WORD PTR DS:[ESI] ; Load self size 7C829F1E MOV DWORD PTR SS:[EBP-20],EAX 7C829F21 CMP EAX,80 7C829F26 JNB ntdll.7C82A7BC 7C829F2C PUSH DWORD PTR SS:[EBP+10] 7C829F2F LEA EAX,DWORD PTR DS:[EAX+EAX*2] ; Calculate Lookaside 7C829F32 SHL EAX,4 7C829F35 ADD EAX,ECX 7C829F37 PUSH EAX 7C829F38 CALL ntdll.7C829F8F ; Push to Lookaside Freeing To Lookaside[n] Could This Be Useful When Filling In Gaps? 7C82A84C MOVZX EAX,WORD PTR SS:[EBP-20] ; Load selfsize 7C82A850 LEA EBX,DWORD PTR DS:[EDI+EAX*8+178] ; Calculate 7C82A857 MOV DWORD PTR SS:[EBP-88],EBX 7C82A85D CMP DWORD PTR DS:[EBX],EBX ; Check Freelist Freeing To Freelist[n] Coalescing Is A Problem That Needs To Be Dealt With
  • 23. FreeList[0] - Free Address FLINK BLINK 00361E90 003622D0 00360178 Freelist[0] Address FLINK BLINK 00360178 00361E90 00362B60 Address FLINK BLINK 003622D0 00362B60 00361E90 Address FLINK BLINK 00362B60 00360178 003622D0 Populated Freelist[0] Load Freelist[0]->FLINK Check Size Is Larger Than Chunk Been Free’d Not Greater, Load Chunk->FLINK Check Size Is Great Than Chunk Been Free’d If It Is Greater Then Insert Chunk Exploitable Condition On Freelist[0] Insert
  • 24. Exploiting FreeList[0] - Free Exploitable Condition On Freelist[0] Insert 7C82A982 CMP DX,WORD PTR DS:[EAX] ; Compare chunk size 7C82A985 JA ntdll.7C82FDC4 ; To large move to next 7C82A98B LEA EAX,DWORD PTR DS:[ESI+8] ; Header of free’d chunk 7C82A98E MOV DWORD PTR SS:[EBP-7C],EAX 7C82A991 MOV EDX,DWORD PTR DS:[ECX+4] ; Load BLINK of current chunk 7C82A994 MOV DWORD PTR SS:[EBP-84],EDX 7C82A99A MOV DWORD PTR DS:[EAX],ECX ; Set free’d->FLINK == current 7C82A99C MOV DWORD PTR DS:[EAX+4],EDX ; Set free’d->BLINK ==current->BLINK 7C82A99F MOV DWORD PTR DS:[EDX],EAX ; Write @free’d to [current->BLINK] 7C82A9A1 MOV DWORD PTR DS:[ECX+4],EAX ; Set current->BLINK == @free’d An Overwritten Chunk In Freelist[0] Can Be Exploited To Write The Address Of The Chunk Being Freed To An Arbitrary Location
  • 25. Exploiting FreeList[0] - Free Exploitable Condition On Freelist[0] Insert Chunk To Be Freed @003622D0 8400 Prev Size CK FL UN SI Overwritten Chunk @00361E90 FFFF ???? ?? 02 ?? ?? FFFFFFFF 00360718 Place Where We Want To Write 003622D0 Could Be A Function Table, This Is A Lookaside Chunk To Be Freed @003622D0 8400 Prev Size CK FL UN SI 00361E90 00360718 Overwritten Chunk @00361E90 FFFF ???? ?? 02 ?? ?? FFFFFFFF 003622D0 Overwritten Lookaside Now Populated Three Requests And We Get Our Set Location Chunk Is Inserted Before The Overwritting Chunk. FLINK and BLINK updated
  • 26. FreeList[0] - Allocate Address FLINK BLINK 00361E90 003622D0 00360178 Freelist[0] Address FLINK BLINK 00360178 00361E90 00362B60 Address FLINK BLINK 003622D0 00362B60 00361E90 Address FLINK BLINK 00362B60 00360178 003622D0 Populated Freelist[0] Load Freelist[0]->BLINK Check Size Is Large Enough For Request Load Freelist[0]->FLINK Check Size Is Large Enough For Request Too Small, Load Chunk->FLINK Check Size Is Large Enough For Request Large Enough, Return Chunk Exploitable Condition On Freelist[0] Allocate
  • 27. Exploiting FreeList[0] - Searching Exploitable Condition On Freelist[0] Allocate - Searching Overwritten Chunk @003622C8 0100 ???? ?? ?? ?? ?? 00360188 ???????? Fake Chunk @00360180 8001 3600 80 01 36 00 00360188 00360188 Must Be Readable Must Be Readable = Requested Size (+1 block) Request Made For Size 0x0BF8 FLINK Points To Fake Chunk FLINK Points To Fake Chunk+8 Chunk Returned To Caller This Address Is In The Freelists
  • 28. Allocation Relinking If Chunk Is Larger Than Request It Will Get Split Chunk Header Chunk Space Chunk Header Chunk Space New Chunk Header New Chunk Space New Header Is Written Into The Existing Chunk Space Chunk Header Chunk Space New Chunk Header New Chunk Space Chunk Returned To Caller Chunk Inserted Into FreeLists
  • 29. Exploiting FreeList[0] - Relinking Exploitable Condition On Freelist[0] Allocate - Relinking Overwritten Chunk @003622C8 0202 ???? ?? ?? ?? ?? 0036057C READ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXX..... Request Made For Size Smaller Than Our Overwrite Fake Chunk @00360574 7005 3600 08 06 36 00 ???????? 00360688 Must Be Read/Write > Relink Chunk Size FLINK Points To Fake Chunk FLINK Points To Fake Chunk+8 Relink Chunk Address Written To 00360580 This Is The FrontEndHeap (Lookaside Base)
  • 30. When Allocated Chunk Is To Large : Checked when allocation from other list : Chunk is cut to size, New header is written : Chunk is inserted to freelist[n] or freelist[0] : Size manipulated to put new chunk into arbitrary Freelist Splitting / Resizing 7C82A3DB CMP EBX,1 ; Larger than one block difference 7C82A3DE JE ntdll.7C82E5A4 7C82A3E4 MOV EAX,DWORD PTR SS:[EBP-48] ; Load requested size 7C82A3E7 LEA EDI,DWORD PTR DS:[ESI+EAX*8] ; Move to create the new chunk .. 7C82A3F3 MOV BYTE PTR DS:[EDI+5],CL ; Store new flag 7C82A3F6 MOV WORD PTR DS:[EDI+2],AX ; Store Prev Size .. 7C82A400 MOV WORD PTR DS:[EDI],BX ; Store new size 7C82A403 TEST CL,10 ; Is chunk new LAST CHUNK 7C82A406 JNZ ntdll.7C82A65E ; Jump if chunk is last chunk 7C82A40C LEA EAX,DWORD PTR DS:[EDI+EBX*8] ; Move to NEXT chunk based on size 7C82A40F MOV DWORD PTR SS:[EBP-50],EAX ; Will try and coalesce with next Can Skip By Setting As Last Chunk
  • 31. When Chunk Is Free’d To Freelist : Size field is used to locate previous and next chunk : Requires valid FLINK/BLINK on chunks to colaesce : An overflow can control all of this to prevent coalesce Coalesced Chunks 7C82A6F6 JE SHORT ntdll.7C82A702 ; If prev size is 0 jump 7C82A6F8 TEST BYTE PTR DS:[ESI+5],1 ; Is prev chunk BUSY? 7C82A6FC JE ntdll.7C82CA7A ; If not then coalesce 7C82A702 TEST BYTE PTR DS:[EDI+5],10 ; Is our chunk the last chunk? 7C82A706 JNZ ntdll.7C82A7B3 ; If so can't coalesce 7C82A70C MOV EAX,DWORD PTR SS:[EBP+10] 7C82A70F MOV EAX,DWORD PTR DS:[EAX] ; Load our block size 7C82A711 LEA ESI,DWORD PTR DS:[EDI+EAX*8] ; Move to next chunk 7C82A714 TEST BYTE PTR DS:[ESI+5],1 ; Is next chunk BUSY? 7C82A718 JNZ ntdll.7C82A7B3 ; Yup, so don't colaesce Test Flag Of Previous Chunk Test Flag Of Next Chunk Header Self Size Prev Size CK FL UN SI
  • 32. How To Prevent A Coalesce : Set the chunk being freed prev size to ZERO : Set the chunk being freed FLAG to last chunk : Set the chunk being freed self size > 0xFE00 : Set the prev/next chunks flag to PASS the BUSY check : Control the size to fake the prev/next chunks location Why Prevent A Coalesce() : Coalescing an overwritten chunk normally blows up : Linking, resizing, and relinking is very complex Preventing Coalesce
  • 33. Coalesced Chunks ???? ???? ?? ?? ?? ?? DATA FFFF FFFF FF FF FF FF DATA Chunk A Data Stored In Chunk B We Overflowing BUSY Chunk BUSY Chunk Chunk A Will Be Free’d And We Want To Prevent Coalescing FFFF FFFF FF 01 FF FF DATA Keep The Flag Set To BUSY
  • 34. Coalesced Chunks ???? ???? ?? ?? ?? ?? DATA FFFF FFFF FF FF FF FF DATA Chunk A Data Stored In Chunk B We Overflowing BUSY Chunk BUSY Chunk Chunk B Will Be Free’d And We Want To Prevent Coalescing FFFF FFFF FF 01 FF FF DATA 0200 0200 FF FF FF FF DATA FFFF FFFF FF 01 FF FF DATA Create Two Fake Chunks And Set Size In Header Of Chunk B To Point To The Fake Chunks Flag Set To Busy Create Two Fake Chunks And Set Size In Header Of Chunk B To Point To The Fake Chunks Flag Set To Busy
  • 35. Coalesced Chunks ???? ???? ?? ?? ?? ?? DATA FFFF FFFF FF FF FF FF DATA Chunk A Data Stored In Chunk B We Overflowing BUSY Chunk BUSY Chunk Chunk B Will Be Free’d And We Want To Prevent Coalescing FFFF 0000 FF 10 FF FF DATA Set The Flag To Contain The Last Chunk Flag
  • 36. How To Prevent A Free : Set the chunks flag to FAIL the BUSY check Why Prevent A Free() : Remove chunk from Lookaside Can be overwritten before allocation : Remove chunk from Freelist[] Flag gets reset on allocation Bypass Cookie Check : Will cause a heap exception, doesn’t stop execution Preventing A Free Move To Chunk Header Load Flag and Test If Busy
  • 37. Example Removing Chunk From Lookaside Before Allocation After Free() Overwrite Flag Self Size Prev Size CK FL UN SI 0300 0300 06 01 0E 00 Self Size Prev Size CK FL UN SI 0101 0101 01 02 01 01 After Allocation
  • 38. Top Chunk On A Lookaside Is Overwritten : Flags set to not BUSY, Flink set to 0x00000000 Clearing The Lookaside Before Allocation After Overwrite Allocation And Free Will Clear The Lookaside List Overwrite Flag And FLINK Self Size Prev Size CK FL UN SI 0300 0300 06 01 0E 00 00362100 Self Size Prev Size CK FL UN SI 0101 0101 01 02 01 01 00000000
  • 39. The Steps : Exploit the heap : Overwrite a function pointer or other to gain execution : Flip the heap onto the stack to get ret-to-libc style control : Turn off Data Execution Protection (DEP) : Return to shellcode Exploit The Heap : Application dependant Overwrite A Function Pointer : Application dependant? The Exploitation Process
  • 40. What Is Heap/Stack Flipping : Exploit data is on the heap : For fine grained control, it needs to be on the stack Requirements : Pointer to exploit data; on stack, in a register, in [reg +/- n] : Locate instructions to manipulate pointer and pop esp, ret : Overwrite function pointer to return to instructions Populate ESP With The Pointer To Exploit Data Heap / Stack Flipping PUSH EBX POP ESP POP EBP RET EBX -> DATA LEAVE RET EBP -> DATA ECX -> DATA MOV ESP,ECX RET 8 EAX-> DATA XCHG EAX,ESP RET
  • 41. Heap / Stack Flipping Flipping Code Stack Exploit Data Registers Code Gets Executed
  • 42. Heap / Stack Flipping New Stack Exploit Data New Registers Code That We Returned Into
  • 43. Entirely Ret-to-Libc : Entire shellcode in ‘borrowed’ instructions : Inject into process that is not DEP enabled : Very difficult HeapCreate() : Create new heap with HEAP_CREATE_ENABLE_EXECUTE : Allocate new chunk, memcpy shellcode across : Doable, but sounds like a lot of work Registry : 'Image File Execution Options‘ : Would turn it off on a restart : Not really very helpful Bypassing DEP
  • 44. SetProcessDEPPolicy() : Not available on 2003 Copy Shellcode To RWE Memory Page : Copy shellcode and then return to address VirtualProtect() : Use the PAGE_EXECUTE_READWRITE flag to reset heap : Return to shellcode Bypassing DEP
  • 45. VirtualAlloc() : Allocate new memory with PAGE_EXECUTE_READWRITE : Address is returned in EAX : Copy shellcode and return to it NtSetInformationProcess() : Skape and Skywing ret-to-libc to deactivate DEP : Easier on windows 2003 Bypassing DEP NtSetInformationProcess( NtCurrentProcess(), // (HANDLE)-1 ProcessExecuteFlags, // 0x22 &ExecuteFlags, // ptr to 0x2 sizeof(ExecuteFlags)); // 0x4
  • 46. Bypassing DEP Perfect Instruction Set NtSetInformationProcess( NtCurrentProcess(), // (HANDLE)-1 ProcessExecuteFlags, // 0x22 &ExecuteFlags, // ptr to 0x2 sizeof(ExecuteFlags)); // 0x4 Requires [ESI+37] To Be Writable Correctly Set Stack BUT!
  • 47. Step By Step : The vulnerability : Reproduction : Understanding the bug : Finding an overwrite : Find a pointer : Flipping the heap to stack : Bypassing DEP : The working Heap Exploitation
  • 48. The Vulnerability Citrix ImaSrv.exe TCP Port 2512 or 2513 User-supplied -> Memory Allocation Undersized Allocation Overflow The Heap Buffer Citrix TCP Port 2512 or 2513 User-supplied -> Memory Allocation ImaSrv.exe Overflow The Heap Buffer
  • 49. Usual Integer Overflow : Usual ‘packet size bug’ Usual Basic Fuzz Test while !crashed { inc buffer length fill buffer with 0xFF send to TCP 2512 } Reproducing The Vulnerability Length Of Data DATA I Am Listening On TCP 2512 xFFxFFxFFxFF xFFxFFxFFxFFxFFxFF
  • 50. Reproducing The Vulnerability A Crash A Crash ntdll! RtlAllocateHeap In the good ‘ol days, it would now be as easy as overwriting the UEF. But those days are over.
  • 51. Need To Trace From Start To Finish : bp WSARecv and send overflow again Understanding The Bug WSARecv Stack Buffer Size Buffer Address
  • 52. Need To Trace From Start To Finish : After WSARecv our buffer is loaded Understanding The Bug
  • 53. Trace Through Code To Determine Paths : This code checks buffer sizes Understanding The Bug Load First DWORD Of Packet Into EAX Compare Against Size Of Current Buffer 0x408 Jump If Our Packet Specified A Size Larger Than 0x408
  • 54. Trace Through Code To Determine Paths : Eventually get to here Understanding The Bug ESI == First DWORD From Packet EAX == ESI + 3C Is Going To Allocate A Buffer Of Size EAX EAX == ESI + 3C
  • 55. But its not over yet : Trace down to ntdll!RTLAllocateHeap Understanding The Bug Allocate From Heap 00320000 Allocate 3B Bytes
  • 56. Still Thats Just An Undersized Buffer : Keep tracing the code Understanding The Bug Bunch Of Stuff Is Written Into The New Buffer This Is A Custom Header And Is 0x3C Bytes Long EAX Points To The Newly Allocated Buffer
  • 57. Finally.... : A memmove instruction overflows the buffer Understanding The Bug New Buffer+3C Packet Data This Is The Size Of The Packet That We Sent KABOOM!
  • 58. The Result : We can cause the allocation of a size 0x01 – 0x03B : We can overflow the chunk with 0x408 bytes The Limitations : Can only allocate chunk 2 through to 9 That range is FFFFFFC5 == 0x01 == Chunk 2 To FFFFFFFF == 0x3b == Chunk 9 : The first 0x3C bytes are not controlled by us due to the custom header Understanding The Bug
  • 59. So Now What? : We know we can cause an allocation of a lower chunk : Lets look at the Lookaside lists at the time of the allocation The Request LifeCycle WSARecv() RTLFreeHeap() RTLAllocateHeap() memmove()
  • 60. The Lookaside Lists Lookaside[8] Has A Top Chunk That Sits After Lookaside[7] Top Chunk On All Runs AND The Difference Is Greater Than 0x3C 0x0a871cc8 – 0x0a871c60 = 0x68 0x0a871c38 – 0x0a871bd0 = 0x68 0x0a871d00 – 0x0a871c98 = 0x68
  • 61. First Request : Request Lookaside[7] : Overwrite Lookaside[8] : Free Request Problem : If we now had two allocations of Lookaside[8] : But we only have one Solution : Set flag of top chunk of Lookaside[8] to be FREE : Then when free() is called it will be skipped Lets Try It
  • 62. First Request : Request Lookaside[7] : Overwrite Lookaside[8] : Free Request Second Request : Request Lookaside[8] : Top Chunk Is Popped : Free Request Third Request : Request Lookaside[8], Our Address Is Returned Lets Try It
  • 63. Function Pointer : Trace code looking for pointer : None found before WSARecv() What Address To Overwrite Lucky For Us That Winsock Uses Static Pointers 0x71C14044 Is A Static Pointer That Can Be Overwritten EAX Points To Stack
  • 64. Winsock : Holds a structure : Structure holds pointer to function pointer table on the default heap Winsock Structure Static Pointer To Handle Load Address Of Pointer Table ‘Static Within Heap’ Call Function
  • 65. Pointer Table Address : 0x142360 Set Lookaside Address : Need to account for header : Set lookaside to 0x01431D0 Overwrite The Pointer Table : We now control execution Set The Stack : EAX points to the pointer table : EAX points to our data : Search for a heap/stack flip Return Down The Stack : Return to Anti-DEP : Return to shellcode on pointer table Exploiting The Bug Heap/Stack Flip Local To Citrix DLLS
  • 66. Da Greetz Acknowledgement to those who shared current information, some of which was used in this presentation Nico Caddis mxatone Acknowledgement to those who have published past heap research 0ded Shok Sotirov Sandip Chaudhari A. Anisimov N. Falliere Halvar Litchfield + All Others