Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
第2页
第3页
• What Is Covered
– Heap internals that can aid in exploitations
• Heap & process relations
• The heap main data structures
• The algorithms for allocate & free
• Not Covered
– Heap internals that will bore you to death
– Stuff that is not directly related to exploit reliability
– Algorithms for “slow” allocation or heap debugging
第6页
PEB
0x0010 Default
Heap
0x0080 Heaps
Count
0x0090 Heap List
0x70000 Default
DefaultHeap
Heap
0x170000
22ndndHeap
Heap
第7页
Reserved
第8页
Free Lists
Table Look aside
Table
第9页
• Segment management
– Segment limits (in pages)
– List of uncommitted
blocks
– Free/Reserved pages
count
– Pointer to “Last entry”
Reserved
Committed
第10页
第11页
5
6 48 48
第12页
• Lookaside Table
– Fastest route for free and alloc
– Starts empty
– 128 singly-linked lists of busy chunks (free but left
busy)
– Self balanced depth to optimize performance
0
1
2 16
3
4
5
6 48 48
第13页
0 1 2 3 4 5 6 7 8
Overflow direction
第14页
0 1 2 3 4 5 6 7 8
第15页
0 1 2 3 4 5 6 7 8
第16页
第18页
New header
第20页
第22页
第23页
第24页
第25页
第26页
Reserved
Committed
第27页
第28页
第30页
A B C
A C
A + B + C Coalesced
第31页
• Summary – Questions?
• Main structures – Segments, Lookaside, Free lists,
Cache, Free list [0], Virtual alloc list
• 4-byte Overwrite
– Able to overwrite any arbitrary 32-bit address (WhereTo) with an
arbitrary 32-bit value (WithWhat)
• 4-to-n-byte Overwrite
– Using a 4-byte overwrite to indirectly cause an overwrite of an
arbitrary-n bytes
• Double 4-byte Overwrite:
– Two 4-byte Overwrites result from the same operation (e.g., a
single free)
• AddressOfSelf Overwrite:
– 4-byte overwrite where you set WhereTo, and WithWhat is
already the address of a chunk you control
第35页
<
Overflow 9
0x40
start
01 – Busy
08 – Virtual Alloc
第36页
第38页
Address A Address B
第39页
§Busy
§Previous size lead
to Fake A
§Size lead to Fake B
第41页
第42页
• Up to now…
Address A Address B Comments
第43页
第46页
0x7ffdf130
~1k of payload
第47页
第48页
第49页
第50页
Populated entry
Remapped table
PEB
第51页
• Remapping Lookaside
• Although the Lookaside default location is 0x688 bytes from heap
base, still the heap reference the Lookaside tables through a pointer
• We can change that pointer to overlap a function pointer
• Once we do it all we need is to allocate the right size, and the
pointer will be automatically populated with the address of our buffer
Original Lookaside table
Heap
PEB
第52页
• Remapping Lookaside
• Limitation for Lookaside remapping
• Zero area will serve as good empty Lookaside space. If
Lookaside is remapped over non zero area, we need to
be careful since heap might return unknown values in
alloc()
• Buffer will be freed into Lookaside only if Lookaside
depth is smaller them max depth. (i.e. short value at
offset 4 should be smaller than short value in offset 8)
• The address that is being overwritten by the heap as if it
were the Lookaside entry is “pushed” on the Lookaside
“stack”. Meaning, it will overwrite the first 4 bytes of your
buffer. Therefore if these bytes make invalid command, it
is not possible to use this method
第53页
Last Entry
Segment X
Last Entry
Segment pointer to
last entry gets updated
第56页
• Segment’s lastSegment
entry update
pointer to last (under attack)
entry gets updated.
Dummy
Since the segment
Segment PEB overlaps the PEB, the Coalescing with “last entry”
PEB lock function will makes the new bigger buffer
automatically point to becomes the last entry
our coalesced buffer This time, our fake header will
Cause arbitrary memory overwrite
Heap header
Last Entry
第58页
第59页
• Off-By-Ones
• Off-by-ones for heap exploits means overwriting
the lowest byte of the next block’s chunk header
with aOverflowed
NUL byte Chunk B
Chunk Header
SizeLo
SizeHi
Chunk A
…
Header
Set to 0
第60页
第61页
• Before Off-By-One
Real Size
0x0110 * 8 = 2176 bytes
Chunk B Chunk C
Header Header
第62页
• After Off-By-One
Real Size
0x0110 * 8 = 2176 bytes
Fake Real
Chunk B
Chunk C Chunk C
Header
Header Header
第63页
第64页
• Double Frees
• On Windows, only exploitable if:
• Chunk to be double freed is coalesced with
previous chunk
• User can get the coalesced chunk before the
double free
第65页
Chunk A Chunk B
Header Header
(Free) (Busy)
第66页
Former Chunk B
第67页
Chunk
Fake
Blink
Flink
Chunk A
Header
Old
Chunk B
第68页
第69页
第71页
第72页
• PEB Randomization
• Until XP SP2 the PEB was always at the end of the user
mode address space. Typically that address was 0x7ffdf000.
(This address could have changed in case of the 3GB
configuration)
第73页
0 1 2 3 4 5 6 7 8
第74页
• On the other hand, the cookie is only one byte, there are
only 256 possible values
第75页
• Safe unlinking
• The unlink operation is designed to take an item out of a
doubly link list
• In the example below, B should be taken out the list. C
should now point back to A, and A should point forward
to C.
• XP SP2 heap will make sure that at the time of unlinking
the following statement is true
• Entry->Flink->Blink == Entry->Blink->Flink == Entry
Header to free
A B C
第76页
• 4-byte Overwrite
– Able to overwrite any arbitrary 32-bit address
(WhereTo) with an arbitrary 32-bit value (WithWhat)
• 4-to-n-byte Overwrite
– Using a 4-byte overwrite to indirectly cause an
overwrite of an arbitrary n bytes
• Double 4-byte Overwrite:
– Two 4-byte Overwrite result from the same operation
• AddressOfSelf Overwrite:
– 4-byte overwrite where you control WhereTo, and
WithWhat is the address of a chunk you control
第79页
• Coalesce-On-Free Overwrite:
– A 4-byte Overwrite that occurs when the overflowed
chunk (the source of the overflow) gets freed
• Coalesce-On-Free Double Overwrite:
– A 4-byte Overwrite that occurs when the chunk after
the overflowed chunk (the on with a fake header) gets
freed
• VirtualAlloc Overwrite:
– A 4-byte Overwrite that occurs while freeing a virtually
allocated block
第80页
• ListHead Overwrite:
– 4-byte Overwrite, WhereTo is a Lookaside or FreeList
list head that leads to a 4-to-n-byte Overwrite
• Segment Double Overwrite:
– Double 4-byte AddressOfSelf overwrite
• Remapping the Lookaside:
– 4-byte Overwrite, WhereTo is the Cache pointer in the
heap structure
• Remapping the Cache:
– 4-byte Overwrite, WhereTo is the Cache pointer in the
heap structure
第81页