Vista Heap, Controlling the Determinism.
Author: nicowow
Created: Tuesday, October 23 2007 19:04.34 CDT

Sometimes I believe Microsoft made it easy for us with the introduction of the default Low Fragmentation Heap on Vista. You can probably tell me "yeah, but unlink is dead". The unlink write4 was already dead a long time ago; once ASLR came out, we don't have much to write anyway.

Part of what we said in our Advanced Heap Overflow training is that heap overflows are not about the unlink write4, but about controlling the determinism. This is going to be part of my PacSec talk: exploiting is far from just sending a string with a what and a where. It is about a methodology that includes a complete understanding of the allocation algorithm, the different steps in the life of a heap overflow and their layout, and as deep an understanding as possible of the server you are exploiting (at least of its allocation/deallocation patterns).

The objective now is aiming at the data (no matter how cool a technique might come out for tricking the Vista algorithm).

Anyway, continuing with my statement: the Low Fragmentation Heap makes it somewhat easier to predict what we are overwriting, for a small or a bigger application alike, since it allocates a big bucket of chunks of the same size all together.

(Now is a good time to check the attached screenshot and see what a bucket looks like, and how the ID tells you exactly the order in which those chunks will be taken out when a chunk of that size is requested.)

So, if we have a function pointer, some structure, or even a string we want to overwrite, apart from the usual magic we need to craft the "overwriting" chunk to the same size as what we target. After that we have everything in a "small universe" where we can probably predict nicely.

PS: By the "usual magic", I mean the usual hole filling, etc.
PS2: The screenshot can be found here:
  http://forum.immunityinc.com/index.php?topic=99.0
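To make the "small universe" argument concrete, here is an added example (it is not code from this post, nor Immunity's or Microsoft's): a toy size-class allocator, constructed for illustration, that reproduces only the property the post relies on, namely that a bucket holds many chunks of one size and hands them out in a fixed order. All function names (`toy_init`, `toy_alloc`, `toy_free`, `toy_distance`, `toy_adjacent_pairs`, `toy_two_alloc_distance`) and the bucket sizes are assumptions of this example, not the real LFH's. A randomized slot policy is included so the reader can see, from the defender's side, how allocator-level randomization takes that predictability away.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy size-class ("bucket") allocator, constructed for this example.
 * Not the Vista LFH: it only models "one bucket = many chunks of one size,
 * handed out in a fixed order", plus a randomized policy for contrast. */

#define NUM_BUCKETS 4
#define CHUNKS_PER_BUCKET 16

static const size_t bucket_sizes[NUM_BUCKETS] = {16, 32, 64, 128}; /* assumed classes */

struct bucket {
    size_t chunk_size;
    unsigned char *base;                   /* backing store for all chunks */
    unsigned char in_use[CHUNKS_PER_BUCKET];
    unsigned next;                         /* next slot to try (deterministic mode) */
};

static struct bucket buckets[NUM_BUCKETS];
static int randomize_slots = 0;

/* Map a request size to its bucket; -1 if nothing fits (not modelled). */
static int bucket_for(size_t size) {
    for (int i = 0; i < NUM_BUCKETS; i++)
        if (size <= bucket_sizes[i]) return i;
    return -1;
}

/* (Re)initialise every bucket. use_random selects the randomized policy. */
void toy_init(int use_random) {
    randomize_slots = use_random;
    srand(12345);                          /* fixed seed: reproducible runs */
    for (int i = 0; i < NUM_BUCKETS; i++) {
        free(buckets[i].base);
        buckets[i].chunk_size = bucket_sizes[i];
        buckets[i].base = calloc(CHUNKS_PER_BUCKET, bucket_sizes[i]);
        memset(buckets[i].in_use, 0, sizeof buckets[i].in_use);
        buckets[i].next = 0;
    }
}

void *toy_alloc(size_t size) {
    int b = bucket_for(size);
    if (b < 0) return NULL;
    struct bucket *bk = &buckets[b];
    unsigned free_count = 0, slot = 0;
    for (unsigned i = 0; i < CHUNKS_PER_BUCKET; i++) free_count += !bk->in_use[i];
    if (free_count == 0) return NULL;
    if (!randomize_slots) {
        /* deterministic: walk from 'next' and take the first free slot */
        slot = bk->next % CHUNKS_PER_BUCKET;
        while (bk->in_use[slot]) slot = (slot + 1) % CHUNKS_PER_BUCKET;
        bk->next = slot + 1;
    } else {
        /* randomized: take the k-th free slot for a random k */
        unsigned k = (unsigned)rand() % free_count;
        while (bk->in_use[slot] || k-- != 0) slot++;
    }
    bk->in_use[slot] = 1;
    return bk->base + slot * bk->chunk_size;
}

void toy_free(void *p) {
    uintptr_t q = (uintptr_t)p;
    for (int i = 0; i < NUM_BUCKETS; i++) {
        struct bucket *bk = &buckets[i];
        uintptr_t lo = (uintptr_t)bk->base, hi = lo + CHUNKS_PER_BUCKET * bk->chunk_size;
        if (bk->base && q >= lo && q < hi) { bk->in_use[(q - lo) / bk->chunk_size] = 0; return; }
    }
}

/* Byte offset from chunk a to chunk b, or -1 when they are not in one bucket. */
long toy_distance(const void *a, const void *b) {
    uintptr_t pa = (uintptr_t)a, pb = (uintptr_t)b;
    for (int i = 0; i < NUM_BUCKETS; i++) {
        uintptr_t lo = (uintptr_t)buckets[i].base;
        uintptr_t hi = lo + CHUNKS_PER_BUCKET * buckets[i].chunk_size;
        if (lo && pa >= lo && pa < hi && pb >= lo && pb < hi) return (long)pb - (long)pa;
    }
    return -1;
}

/* Fresh allocator, two requests: where does the second land relative to the first? */
long toy_two_alloc_distance(size_t s1, size_t s2, int use_random) {
    toy_init(use_random);
    void *a = toy_alloc(s1), *b = toy_alloc(s2);
    return toy_distance(a, b);
}

/* Fresh allocator, n same-size requests: how many land right after the previous
 * one? Deterministic mode always gives n-1; randomized mode usually does not. */
int toy_adjacent_pairs(size_t size, int n, int use_random) {
    toy_init(use_random);
    long step = (long)bucket_sizes[bucket_for(size)];
    int adjacent = 0;
    void *prev = toy_alloc(size);
    for (int i = 1; i < n; i++) {
        void *cur = toy_alloc(size);
        if (toy_distance(prev, cur) == step) adjacent++;
        prev = cur;
    }
    return adjacent;
}

int main(void) {
    printf("deterministic: %d of 7 same-size allocations adjacent\n", toy_adjacent_pairs(40, 8, 0));
    printf("randomized:    %d of 7 same-size allocations adjacent\n", toy_adjacent_pairs(40, 8, 1));
    printf("24- vs 100-byte request in one bucket? %s\n",
           toy_two_alloc_distance(24, 100, 0) == -1 ? "no" : "yes");
    return 0;
}
```

In deterministic mode every same-size request lands one chunk after the previous one, and a request of another size class never shares the bucket at all; that is exactly what makes "same size as the target" the crafting rule in the post. The randomized policy breaks the adjacency count without changing anything else, which is why slot randomization is the allocator-side answer to this kind of layout control.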


Blog Comments
jms Posted: Wednesday, October 24 2007 10:38.11 CDT
Great work Nico, that's badass.
