Professional Documents
Culture Documents
10 Lecture
10 Lecture
ELF Executable
.text segment
.data segment
It’s just another segment
in runtime memory
Heap
Stack
0xFFFFFFFF
MBE - 04/07/2015 Heap Exploitation 5
Basics of Dynamic Memory
int main()
{
char * buffer = NULL;
• malloc(20);
• malloc(0);
• malloc(20);
• malloc(0);
• malloc(0);
Heap Chunk
Previous Chunk Size Chunk Size Data
Flags
Heap Chunk
Previous Chunk Size Chunk Size Data
Flags
Heap Chunk
Previous Chunk Size Chunk Size Data
Flags
Heap Chunk
Previous Chunk Size Chunk Size Data
Flags
ELF Executable
0x08048000 – Start of .text Segment
.text segment
.data segment
--------------------------------->
Runtime Memory Heap Segment
.data segment
Heap
Stack
0xFFFFFFFF
MBE - 04/07/2015 Heap Exploitation 26
Heap Allocations
0x00000000
--------------------------------->
Runtime Memory Heap Segment
Data
Heap
Stack
0xFFFFFFFF
MBE - 04/07/2015 Heap Exploitation 27
Heap Allocations
0x00000000
--------------------------------->
Runtime Memory Heap Segment
Data
Grows towards
higher memory
---------->
towards higher memory
Grows towards
lower memory
<---------
Stack Segment
Grows towards
Runtime Memory
higher memory
---------->
Libraries (libc)
ELF Executable
.text segment
.data segment
Grows towards
lower memory
<---------
Heap
Stack
0xFFFFFFFF Stack Segment
Grows towards
higher memory
---------->
towards higher memory
Grows towards
lower memory
<---------
Stack Segment
Grows towards
higher memory
---------->
towards higher memory
Grows towards
lower memory
<---------
– Probably historical reasons,
gave low memory systems
more room to fluctuate
Stack Segment
Heap Chunk
Previous Chunk Size Chunk Size Data
Flags
struct malloc_chunk {
• https://sploitfun.wordpress.
com/2015/02/10/understanding-glibc-malloc/
--------------------------------->
Runtime Memory Heap Segment
Data
--------------------------------->
Runtime Memory Heap Segment
struct toystr {
void (* message)(char *);
char buffer[20];
};
coolguy->message = &print_cool;
lameguy->message = &print_meh;
coolguy->message(coolguy->buffer);
lameguy->message(lameguy->buffer);
coolguy->message = &print_cool;
lameguy->message = &print_meh; Silly heap overflow
printf("Input coolguy's name: ");
fgets(coolguy->buffer, 200, stdin); // oopz...
coolguy->buffer[strcspn(coolguy->buffer, "\n")] = 0;
coolguy->message(coolguy->buffer);
lameguy->message(lameguy->buffer);
--------------------------------->
Runtime Memory Heap Segment
lameguy
Heap
Stack
0xFFFFFFFF
MBE - 04/07/2015 Heap Exploitation 55
Heap Overflows
0x00000000
--------------------------------->
Runtime Memory Heap Segment
Stack
0xFFFFFFFF
MBE - 04/07/2015 Heap Exploitation 56
Heap Overflows
coolguy->message = &print_cool;
lameguy->message = &print_meh;
Silly heap overflow
printf("Input coolguy's name: ");
fgets(coolguy->buffer, 200, stdin); // oopz...
coolguy->buffer[strcspn(coolguy->buffer, "\n")] = 0;
coolguy->message(coolguy->buffer);
lameguy->message(lameguy->buffer);
Overwritten
function pointer!
MBE - 04/07/2015 Heap Exploitation 57
/levels/lecture/heap/heap_smash
toy function pointer overwrite on heap
--------------------------------->
Runtime Memory Heap Segment
Data
--------------------------------->
Runtime Memory Heap Segment
Data
--------------------------------->
Runtime Memory Heap Segment
--------------------------------->
Runtime Memory Heap Segment
Data
n t er
Heap poi Previous Chunk Size
l ing
g Chunk Size
dan
Stack Data
0xFFFFFFFF
MBE - 04/07/2015 Heap Exploitation 64
Course Terminology
• Dangling Pointer
– A left over pointer in your code that references
free’d data and is prone to be re-used
– As the memory it’s pointing at was freed, there’s
no guarantees on what data is there now
– Also known as stale pointer, wild pointer
--------------------------------->
Runtime Memory Heap Segment
Data
n t er
Heap poi Previous Chunk Size
l ing
g Chunk Size
dan
Stack Data
0xFFFFFFFF
MBE - 04/07/2015 Heap Exploitation 66
Use After Free
0x00000000
--------------------------------->
Runtime Memory Heap Segment
n t er
Heap poi Newly allocated
l ing
g data
dan
Stack
0xFFFFFFFF
MBE - 04/07/2015 Heap Exploitation 67
Use After Free
0x00000000
--------------------------------->
Runtime Memory Heap Segment
--------------------------------->
Runtime Memory Heap Segment
http://blog.tempest.com.br/breno-cunha/perspectives-on-exploit-
development-and-cyber-attacks.html
http://blog.tempest.com.br/breno-cunha/perspectives-on-exploit-
development-and-cyber-attacks.html
• Why?
–
• Why?
– UAF’s only exist in certain states of execution, so
statically scanning source for them won’t go far
• Why?
– UAF’s only exist in certain states of execution, so
statically scanning source for them won’t go far
– They’re usually only found through crashes, but
symbolic execution and constraint solvers are helping
find these bugs faster
filler = “AAAAAAAAAAAAA...”;
for(i = 0; i < 3000; i++)
{
temp = malloc(1000000);
memcpy(temp, filler, 1000000);
}
AAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAA filler = “AAAAAAAAAAAAA...”;
AAAAAAAAAAAAAAAA for(i = 0; i < 3000; i++)
AAAAAAAAAAAAAAAA {
AAAAAAAAAAAAAAAA temp = malloc(1000000);
AAAAAAAAAAAAAAAA memcpy(temp, filler, 1000000);
AAAAAAAAAAAAAAAA }
0xbbe09e00 – bottom of heap
Heap Metadata
Heap Chunk
Previous Chunk Size Chunk Size Data
Flags
• https://sploitfun.wordpress.
com/2015/02/26/heap-overflow-using-unlink/