OpenRCE

📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.

About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New

Customize Theme

Flag: Tornado! Hurricane!

Created: Tuesday, May 26 2009 05:36.55 CDT

Modified: Tuesday, May 26 2009 05:41.47 CDT

Printer Friendly ...

Heap Spraying

Author: valkyriex

# Views: 5036

Heap Spraying: Introduction

Heap spraying has become one of the most prevalent technique to exploit vulnerability in browser. IE �createTextRange()� and Mozilla Firefox �InstallVersion.compareTo()� are the examples of this technique. Because it is undocumented technique � actually not well document, I decide to start to study what is it and how it work.

This technique was introduced by hacker named �SkyLined�. He used Heap Spraying technique to attack the vulnerability in IE, MS04-040 and MS05-020. However I also found the technique like heap spraying, it was mentioned in Microsoft Internet Information Services Remote Buffer Overflow.

After I had read these exploit codes, I got some point about this technique. Heap spraying is used when the vulnerable program (IE, Firefox in this case) call or jmp into invalid memory. This invalid memory must be in the possible heap range address - not in DLL virtual address, PEB, TEB, etc. And it must not higher than 0x7fffffff because above this address is kernel address space. See
Windows Memory Layout for detail. This is one of the limitation of heap spraying technique.

So, what can we do if it jumps into the possible heap range but invalid memory? The answer depends on the nature of the vulnerable program. If we can't control (actually "injected") the application's heap - Gave Over. But if we can, we will inject heap as much as possible until the invalid memory become the valid memory. Sure, the injected heaps contain our nop + shellcode, so the vulnerable program will landing on our nop and shellcode :) That's why this technique is called "Heap Spraying"

Now, there is another limitation of this technique - we have to able to control the application's heap. As I known, there are few applications that we are able to control heap. Web browser is the one of these - inject heap via JavaScript

Here is a simple picture to demonstrate the basic concept about it.
URL: http://photos1.blogger.com/blogger/5848/3241/1600/Heap.Spray.jpg

There are 31,328 total registered users.

Recently Created Topics
[help] Unpacking VMP...	Mar/12
Reverse Engineering ...	Jul/06
let 'IDAPython' impo...	Sep/24
set 'IDAPython' as t...	Sep/24
GuessType return une...	Sep/20
About retrieving the...	Sep/07
How to find specific...	Aug/15
How to get data depe...	Jul/07
Identify RVA data in...	May/06
Question about memor...	Dec/12

Recent Forum Posts
Finding the procedur...	rolEYder
Question about debbu...	rolEYder
Identify RVA data in...	sohlow
let 'IDAPython' impo...	sohlow
How to find specific...	hackgreti
Problem with ollydbg	sh3dow
How can I write olly...	sh3dow
New LoadMAP plugin v...	mefisto...
Intel pin in loaded ...	djnemo
OOP_RE tool available?	Bl4ckm4n

Recent Blog Entries
	halsten	Mar/14
Breaking IonCUBE VM
	oleavr	Oct/24
Anatomy of a code tracer
	hasherezade	Sep/24
IAT Patcher - new tool for ...
	oleavr	Aug/27
CryptoShark: code tracer ba...
	oleavr	Jun/25
Build a debugger in 5 minutes
More ...

Recent Blog Comments
	nieo on:	Mar/22
IAT Patcher - new tool for ...
	djnemo on:	Nov/17
Kernel debugger vs user mod...
	acel on:	Nov/14
Kernel debugger vs user mod...
	pedram on:	Dec/21
frida.github.io: scriptable...
	capadleman on:	Jun/19
Using NtCreateThreadEx for ...
More ...

Imagery

SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit