Jump to content

Heap Overflows Explained


K1u

Recommended Posts

By my good friend and teammate fl0_fl0w.

By fl0_fl0w

Heap Overflows Explained - fl0_fl0w

A heap overflow is another type of buffer overflow that occurs in the heap data area.

The compiler stores local variables in C functions, which programmers use as buffers for input data, on the stack.

The stack also has another important function: here, the CPU saves the return address when a subroutine is called.

If an attacker manages to overwrite this address with another value by means of a buffer overflow,

the CPU will continue processing the program after the subroutine, but at the return address stored.

This value would no longer be the original one, and would instead refer to the code that had been smuggled in.

Overwrite PEB lock routine to point to PEB space.

Put shellcode into PEB space.

Then cause the PEB lock routine to execute.

Win2K through WinXP SP1 in a single attempt:

First 4-byte overwrite:

Blink = 0x7ffdf020,

Flink = 0x7ffdf154

4-to-n-byte overwrite: 

Blink = &Lookaside[(n/8)+1]

Flink = 0x7ffdf154

Be the first to allocate n bytes (cause HeapAlloc(n)):

Put your shellcode into the returned buffer

For example, do 4-byte overwrite with Blink = 0xABABABAB

Microsoft modified heap structures and heap manipulation functions; two

checks on the chunks were added. The first check is to verify the integrity of a

security cookie in the chunk header, to ensure no overflow has occurred when this

same chunk is allocated; the second check, extremely efficient, verifies the forward

and backward link pointers of a free chunk being unlinked, for any reason (allocation,

coalescence). The same check is performed for virtually allocated blocks.

Others protections have been introduced as well, mainly PEB randomization, and

exception pointers encoding. These protections are there to minimize the amount of

fixed and well-known function pointers, used globally by the process. These locations

were priviledged targets to exploit a heap overflow the old way.

This is a logic scheme I made.

General case:

BLINK_1[header_1]FLINK_1 - BLINK_2[header_2]FLINK2...BLINK_N[header_n]FLINK_N

FLINK_1=BLINK_2;

BLINK_2+4=FLINK_1;

.

.

.

FLINK_n=BLINK_n;

BLINK_n+4=FLINK_n;

----------------------------

EAX,EDI

BLINK_1[HEADER_1]FLINK_1 - BLINK_2[HEADER_2]FLINK_2

MOV EDX,DWORD PTR DS:[EAX]

CMP EDX,DWORD PTR DS:[EDI+4]

NOTATION

EAX=BLINK_2

EDI=FLINK_1

EDI=EAX;

EAX+4=EDI;

I will not give you a crappy program to exploit... like in every heap overrun tutorial, just remember these steps!

1. You need to find the offset of BLINK and FLINK.

2. You need to put right values in these 2 offsets.

3. You need to find offset of EAX and EDI in your buffer.

4. You need to craft these values to write [YOUR SHELLCODE ADDRESS] to [PEB RTLENTERCRITICALSECTION].

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...