Attacking the Vista Heap - 2008

More documents

Recommendations

Info

hHeap payload hHeap (X) … A … 0 68 • A heapOptions, set the two bits in 0x10000001 (others don’t matter): avoid interceptor 1 , trigger RtlpAllocateHeap 2 , avoid debug heap 3 , remove serialization 4 Offsets relative from .text segment base of ntdll.dll 6.0.6001.18000 (i.e. Vista SP1): 1. 6F3E7 2. 648DC 3. 8CC70 4. 677E5
hHeap payload hHeap (X) … A … B … 0 68 80 • B heapCanary, set to pass checksum inegrity test on freeEntry element 1 (more later) Set to 0x41414141 1. 678E5
Page 1 and 2:
Attacking the Vista Heap Ben Hawkes
Page 3 and 4:
The Heap
Page 5 and 6:
Heap Exploit • An “exploit” p
Page 7 and 8:
Intro-clusion 2 • Heap exploits a
Page 9 and 10:
Heap Chunk • HeapAlloc returns a
Page 11 and 12:
Unlink • Solar Designer haxed net
Page 13 and 14:
Unlink • HISTORY: control the fwd
Page 15 and 16:
Current Heap Exploitation • So ev
Page 17 and 18: Attacking the Application • At th
Page 19 and 20: Attacking the Vista Heap • The te
Page 21 and 22: hHeap HANDLE payload
Page 23 and 24: Heap API
Page 25 and 26: Heap API HANDLE hHeap LPVOID chunk
Page 27 and 28: Heap HANDLE II • Unfortunately th
Page 29 and 30: Heap HANDLE II • Set a Heap HANDL
Page 31 and 32: Arbitrary Free
Page 33 and 34: Arbitrary Free I • Assume you can
Page 35 and 36: Arbitrary Free III Arbitrary Free (
Page 37 and 38: Vista Arbitrary Free II • Is ther
Page 39 and 40: Vista Arbitrary Free IV • Partial
Page 41 and 42: Vista Arbitrary Free VI Vista Arbit
Page 43 and 44: Vista Heap Changes • List integri
Page 45 and 46: Securing the Heap II - Generic •
Page 47 and 48: Food for Thought • Fundamentally
Page 49 and 50: Rant Off • We need an architectur
Page 51 and 52: Summary • Heap vulnerabilities ar
Page 53 and 54: Appendix 1 - page 54 - hHeap overfl
Page 55 and 56: ASLR HeapCreate: 1 2 3 4 randPad =
Page 57 and 58: Large Chunk Allocation RtlpAllocate
Page 59 and 60: Heap Spray II - the stats • Say N
Page 61 and 62: Guarding hHeap • Notice lack of g
Page 63 and 64: hHeap overflows I • Overflow in c
Page 65 and 66: hHeap overflows IV • Pattern 1: -
Page 67: hHeap overflows VI • Pattern 3: -
Page 71 and 72: hHeap payload hHeap (X) … A … B
Page 73 and 74: hHeap payload hHeap (X) … A … B
Page 75 and 76: hHeap payload hHeap (X) … B … C
Page 77 and 78: Adjusted Double Free I • Applicat
Page 79 and 80: Adjusted Double Free III • At thi
Page 81 and 82: Adjusted Double Free V Adjusted Dou
Page 83 and 84: Heap termination I BOOL SetHeapOpti
Page 85 and 86: Heap termination III • Must opt-i
Page 87 and 88: Off-by-one II • Modify free chunk
Page 89 and 90: Off-by-one IV Off-by-one overflow r
Page 91 and 92: Vista Chunks • Every chunk has a
Page 93 and 94: Canary leak • Leak of a chunk hea
Page 95 and 96: LFH bucket overflow I • LFH bucke
Page 97 and 98: LFH bucket overflow II • LFH buck
Page 99 and 100: LFH bucket overflow IV • Set ent_
Page 101 and 102: LFH bucket overflow V • Y is used
Page 103 and 104: LFH header overflow I • Given an
Page 105 and 106: LFH header overflow II LFH_HEAP_ENT
Page 107 and 108: LFH header overflow IV LFH Chunk la
Page 109: LFH header overflow VI LFH header o
show all

Attacking the Vista Heap - 2008

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?