OpenRCE_nicowow
November 24th, 2007, 18:50
Sometimes, I believe Microsoft made it easy for us with the introduction of the default Low Fragmentation Heap on Vista. You can probably tell me 'yeah, but unlink is dead'. The Unlink Write4 was already dead a long time ago, when ASLR came out and we don't have much to write.
Part of what we said in our Advanced heap overflow training is that heap overflows are not about the unlink write4, but about controlling the determinism. This is gonna be part of my PacSec talk. Exploiting is far from just sending a string with a what and a where; it's about a methodology that includes a complete understanding of the allocation algorithm, the different steps in the life of a heap overflow and their layout, and as deep an understanding as possible of the server you are exploiting (at least, based on its allocation/deallocation patterns).
The objective now is aiming at the data (no matter how cool a technique might come out for tricking the Vista algo).
Anyway, continuing with my statement, the Low Fragmentation Heap makes it somehow easy for us to predict what we are overwriting, whether for a small or a bigger application, since it allocates a big bucket of chunks of the same size all together.
(Now is a good time to check the attached screenshot and see what a bucket looks like and how the ID can tell you exactly the order in which those chunks would be taken out when a chunk of that size is requested.)
So, if we have a function pointer, some structure or even a string we want to overwrite, apart from the usual magic we need to craft the 'overwriting' chunk to be the same size as what we target. After that we would have everything in a 'small universe' where we can probably predict nicely.
PS: By the 'usual magic', I mean the usual hole filling, etc.
PS2: The screenshot can be found here:
http://forum.immunityinc.com/?topic=99.0
https://www.openrce.org/blog/view/919/Vista_Heap,_Controlling_the_Determinism.
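To make the point about determinism concrete, here is a small constructed model of a bucketed allocator in the spirit of the post (added example, not code from the post, Immunity or Microsoft, and not the real LFH implementation; the header size, bucket size, granularity and base address are made-up constants). Same-size requests are served from one bucket of equal-sized slots, handed out by lowest free ID, so the neighbour of any allocation is fixed by allocation order, and freeing a slot in the middle means the next same-size request lands in that hole. The `randomize` switch models the mitigation later heap implementations adopted: picking a random free slot makes the neighbour unpredictable even when the size matches.

```python
"""
Toy model of a bucketed allocator, in the spirit of the Low Fragmentation Heap
discussed above.  Constructed illustration only: not Windows' LFH code.
Every request of a given (rounded) size is served from one bucket of
equal-sized slots; free slots are handed out by lowest ID unless randomised.
"""
import random

CHUNK_HDR = 8       # constructed: metadata bytes in front of each user block
GRANULARITY = 8     # constructed: request sizes are rounded up to this


class BucketAllocator:
    """Each distinct rounded size owns one bucket of `chunks_per_bucket` slots."""

    def __init__(self, base=0x01000000, chunks_per_bucket=16,
                 randomize=False, seed=0):
        self.per_bucket = chunks_per_bucket
        self.randomize = randomize      # random free slot instead of the lowest one
        self.rng = random.Random(seed)
        self.free_slots = {}            # rounded size -> sorted free slot IDs
        self.bucket_base = {}           # rounded size -> address of slot 0's header
        self.next_base = base

    @staticmethod
    def round_size(n):
        return -(-n // GRANULARITY) * GRANULARITY

    @staticmethod
    def stride(size):
        return size + CHUNK_HDR

    def _bucket(self, size):
        if size not in self.free_slots:
            self.free_slots[size] = list(range(self.per_bucket))
            self.bucket_base[size] = self.next_base
            self.next_base += self.per_bucket * self.stride(size)
        return self.free_slots[size]

    def _locate(self, addr):
        """Map a user address back to (rounded size, slot ID)."""
        for size, base in self.bucket_base.items():
            stride = self.stride(size)
            if base <= addr < base + self.per_bucket * stride:
                return size, (addr - CHUNK_HDR - base) // stride
        raise ValueError("address 0x%x not owned by this allocator" % addr)

    def alloc(self, n):
        """Return the user-data address of a chunk for an n-byte request."""
        size = self.round_size(n)
        free_ids = self._bucket(size)
        if not free_ids:
            raise MemoryError("bucket for size %d is exhausted" % size)
        if self.randomize:
            idx = free_ids.pop(self.rng.randrange(len(free_ids)))
        else:
            idx = free_ids.pop(0)       # lowest free ID first: the predictable case
        return self.bucket_base[size] + idx * self.stride(size) + CHUNK_HDR

    def free(self, addr):
        """Return the chunk at user address `addr` to its bucket's free list."""
        size, idx = self._locate(addr)
        self.free_slots[size].append(idx)
        self.free_slots[size].sort()

    def slot_of(self, addr):
        return self._locate(addr)[1]


def neighbour_distance(randomize, seed=0, request=24, warmup=3):
    """Allocate `warmup` chunks of one size, then two more back to back, and
    return the byte distance between the last two user blocks.  With in-order
    handout this is always one stride; with randomised handout it depends on
    which free slots the RNG picks."""
    heap = BucketAllocator(randomize=randomize, seed=seed)
    for _ in range(warmup):
        heap.alloc(request)
    first = heap.alloc(request)
    second = heap.alloc(request)
    return second - first


def hole_refill_slot(request=24):
    """Free one chunk in the middle of a bucket; the next same-size request
    reuses exactly that slot (the lowest free ID), i.e. the 'hole filling'."""
    heap = BucketAllocator()
    addrs = [heap.alloc(request) for _ in range(6)]     # occupies slots 0..5
    heap.free(addrs[2])                                 # open a hole at slot 2
    return heap.slot_of(heap.alloc(request))


if __name__ == "__main__":
    print("in-order handout, neighbour distance:", neighbour_distance(False))
    print("randomised handout, distances over 8 seeds:",
          sorted({neighbour_distance(True, s) for s in range(8)}))
    print("slot reused after freeing slot 2:", hole_refill_slot())
```

With in-order handout the distance between two consecutive same-size allocations is always one stride (rounded size plus header), regardless of how many chunks were allocated before; that is the "small universe" the post describes. Flip `randomize` on and the same two allocations land on unrelated slots, which is why randomising slot selection within a bucket is an effective mitigation against this kind of layout prediction.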