Presentation is loading. Please wait.

Presentation is loading. Please wait.

Software attacks Lorenzo Dematté Software attacks Advanced buffer overflow: heap smashing.

Published byBrooke Gallagher Modified over 9 years ago

Similar presentations

Presentation on theme: "Software attacks Lorenzo Dematté Software attacks Advanced buffer overflow: heap smashing."— Presentation transcript:

1 Software attacks Lorenzo Dematté Software attacks Advanced buffer overflow: heap smashing

2 Software attacks Lorenzo Dematté Heap overflow void func(void* arg, int len) { char* ptr = malloc(100); memcpy(ptr, arg, len); //buffer overflow if len>100... } Overflows on the heap can be exploited as well as stack overflows However, this is a data-overwrite attack. How can we use it to inject an arc (redirect program control flow) and allow arbitrary code execution? We don’t have RETs on the heap! => This is possible due to arbitrary memory writing as we’ll see later

3 Software attacks Lorenzo Dematté Heap overflow One paper on secure coding suggested to solve the problem of stack overflows moving the buffers to heap! This is not the solution: exploiting a heap overflow is harder, but feasible. See: –Heap Buffer Overrun in JPEG Processing (GDI+) Allows Code Execution (MS04-028) (it’s sufficient to preview image in explorer – IE) gdiplus.dll –Windows RPC DCOM Long Filename Heap Overflow Exploit (MS03-039) rpcss.exe

4 Software attacks Lorenzo Dematté Heap overflow They are much more architecture dependent than stack overflows Heap is a more complex architecture – its layout is influenced by the OS and by the C- C++ runtime We are going to explore some possible exploits for Win32 A lot of exploits for linux-gcc exist as well (w00w00 on heap) <- room for a seminary!

5 Software attacks Lorenzo Dematté The Heap API The Virtual Memory Manager allocates and deallocates with the granularity of one page (4k) Process Address Space 0x00000000 0x7fffffff VirtualAlloc(lpAddress, 2, AllocationType, flProtect ); Only 2 bytes A whole page (4k) is allocated Even the stack region grows and shrink in pages (done automatically by the OS)

6 Software attacks Lorenzo Dematté The Heap API We need a more flexible structure!! We want not to waste space and have allocations of few bytes char* buff = malloc(2 * sizeof(char)); and of MBs void* buff = malloc(1048576); This is done using the structure called Heap API for the heap is provided by the C runtime library (malloc, free, delete, new) In Win32, Heap API is provided by the OS too!

7 Software attacks Lorenzo Dematté The Heap API Kernel32.dll GlobalAllocLocalAllocHeapAlloc RtlAllocateHeap mallocnew msvcrt.dll ntdll.dll GlobalFreeLocalFreeHeapFree RtlFreeHeap freedelete msvcrt.dll ntdll.dll Kernel32.dll

8 Software attacks Lorenzo Dematté The Heap structures In order to handle different size, and cope well with problems (fragmentation) the Heap has a complex structure It uses several algorithms too: –Allocation algorithm (different strategies for different size) –Free algorithm –Coalesce (fusion of 2 adiacent free segments)

9 Software attacks Lorenzo Dematté The Heap structures PEB Default Heap 0x0010Default Heap 0x0080Heaps Count 0x0090Heap List 0x70000 0x170000 This is the structure that holds Process properties. Its location is fixed at 7ffdf000 (or go via TEB -> PEB) mov eax, dword ptr fs:[18] mov eax, dword ptr[eax+0x30] So we can easily access to the Heap address. This will be useful later!

10 Software attacks Lorenzo Dematté The Heap structures Segments Look aside Table Segment Table Free Lists Table Free list usage bit map Virtual Allocation list typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink; struct _LIST_ENTRY *Blink; } LIST_ENTRY;

11 Software attacks Lorenzo Dematté The Heap structures Management Structures When a heap is first created there are two pointers that point to the first free block set in FreeList[0]. Assuming the heap base address is 0x00350000 then first available block can be found at 0x00350688. 0x00350178 (FreeList[0].Flink) = 0x00350688 (First Free Block) 0x0035017C (FreeList[0].Blink) = 0x00350688 (First Free Block) 0x00350688 (First Free Block) = 0x00350178 (FreeList[0]) 0x0035068C (First Free Block+4) = 0x00350178 (FreeList[0]) The heap management structures reside in the heap!

12 Software attacks Lorenzo Dematté The Heap structures When an allocation occurs these pointers are updated accordingly. As more allocations and frees occur these pointers are continually updated and in this fashion allocated blocks are tracked in a doubly linked list. When a heap based buffer is overflowed the control information is overwritten When the buffer (allocated block) is freed and it comes to updating the pointers in the FreeList array there’s going to be an access violation

13 Software attacks Lorenzo Dematté The Heap structures Access violation / Memory overwrite Observe the following code: mov dword ptr [ecx],eax If we own both EAX and ECX we have an arbitrary DWORD overwrite. We can overwrite the data at any 32bit address with a 32bit value of our choosing. In RtlHeapFree we have such a line of code!!

14 Software attacks Lorenzo Dematté Heap Structures this The instructions to remove an entry from a double linked list are: prev_chunk->FLink = next_chunk next_chunk->BLink = prev_chunk Where next_chunk is this->FLink and prev_chunk is this- >BLink

15 Software attacks Lorenzo Dematté Heap smashing If we assume that prev_chunk->FLink is loaded in ECX (and since prev_chunk->FLink == &Prev_chunk + 0 in ECX is prev_chunk ) And that next_chunk is in EAX… If we build a fake header with prev_chunk and next_chunk of our choiche we have (from the previous code) mov dword ptr [ecx],eax EAX (Address A) written in the address pointed by ECX (Address B) Arbitrary memory overwrite will happen on free of our faked chunk!

16 Software attacks Lorenzo Dematté Heap smashing ntdll!RtlpCoalesceFreeBlocks+0x2fb: 784ac8d4 call ntdll!RtlpUpdateIndexRemoveBlock (784624a3) 784ac8d9 mov ecx,[edi+0xc] 784ac8dc mov eax,[edi+0x8] 784ac8df cmp eax,ecx 784ac8e1 mov [ecx],eax ds:0023:f1f1f1f1=???????? 784ac8e3 mov [eax+0x4],ecx In fact, two heap algorithms (Free of very large (I.e. virtually allocated) blocks and coalesce) adjust the list in this way!!

17 Software attacks Lorenzo Dematté The Heap structures Previous chunk size Self Size Segment Index Flags Unused bytes Tag index (Debug) 012345678 01 – Busy 02 – Extra present 04 – Fill pattern 08 – Virtual Alloc 10 – Last entry 20 – FFU1 40 – FFU2 80 – Don ’ t coalesce

18 Software attacks Lorenzo Dematté The Heap structures Free chunk structure – 16 Bytes Previous chunk size Self Size Segment Index Flags Unused bytes Tag index (Debug) 012345678 Next chunkPrevious chunk

19 Software attacks Lorenzo Dematté Heap smashing Exploit: fake a freed buffer Utilize coalescing algorithms of the heap Arbitrary overwrite happens when either the overflowed buffer gets freed (usually guaranteed) or when the buffer AFTER the faked buffer gets freed Previous chunk Size < 40 0x40 Address A Address B 40 – FFU2 This is overwritten on the old control structure (overflow) Our buffer

20 Software attacks Lorenzo Dematté The Heap structures Virtually Allocated chunk structure – 32 Bytes 012345678 Previous chunk size Self Size Segment Index Flags Unused bytes Tag index (Debug) Next chunkPrevious chunk Commit sizeReserve size

21 Software attacks Lorenzo Dematté Heap smashing Exploit: fake a virtual allocated block Arbitrary memory overwrite will happen when the buffer we faked is freed (the one next to the overflowed buffer) < 0x40 | 9 Address AAddress B 01 – Busy 08 – Virtual Alloc This is written at the end of our buffer This is overwritten on the old control structure (overflow)

22 Software attacks Lorenzo Dematté Heap smashing: coalesce algo Buffer already freedBuffer removed from free list This buffer is just freed Buffer placed back in free list AB C B.BLink.FLink (A.FLink) = B.Flink (C) B.FLink.Blink (C.BLink) = B.Blink (A) *(B.Blink) = B.Flink => *AddressB = AddressA Arbitrary memory overwrite!

23 Software attacks Lorenzo Dematté Heap smashing: repairing the heap Many of the Windows API calls use the default process heap. After the overflow the heap is corrupt, so there will be surely an access violation. We then repair the heap following Litchfield’s method: we reset the heap making it “appear” as if it is a fresh new heap.

24 Software attacks Lorenzo Dematté Heap smashing: repairing the heap Get a pointer to the Thread Information Block at fs:[18] Get a pointer to the Process Environment Block from the TEB. Get a pointer to the default process heap from the PEB We now have a pointer to the heap. Read the TotalFreeSize dword of the heap structure (at offset 0x28) Write this to our heap control structure. In the heap control structure, also set the flags to 0x14 (first segment) and and the next 2 bytes to 0 At heap_base+0x178 we have FreeLists[0]. Set FreeLists[0].Flink and write edx into FreeLists[0].Blink to this Finally set the pointers at the end of our block to point to FreeLists[0]

25 Software attacks Lorenzo Dematté Arbitrary memory write So, as in the data pointer overwrite, we have an arbitrary DWORD memory overwrite This can be used to overwrite particular function pointers (Exception handlers VEH + SEH, atexit(), stack cookie exception handler, Lock and Win32k function pointers in PEB) These arguments will be place for a seminar by one of you! =)

Download ppt "Software attacks Lorenzo Dematté Software attacks Advanced buffer overflow: heap smashing."

Similar presentations

Windows Heap Exploitation (Win2KSP0 through WinXPSP2)

Windows Heap Exploitation (Win2KSP0 through WinXPSP2)
Windows Heap Overflows David Litchfield. Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows.

Windows Heap Overflows David Litchfield. Windows Heap Overflows Introduction This presentation will examine how to exploit heap based buffer overflows.
Part IV: Memory Management

Part IV: Memory Management
Dynamic Memory Management

Dynamic Memory Management
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Memory management.

Memory management.
Lecture 10: Heap Management CS 540 GMU Spring 2009.

Lecture 10: Heap Management CS 540 GMU Spring 2009.
ITEC 352 Lecture 27 Memory(4). Review Questions? Cache control –L1/L2  Main memory example –Formulas for hits.

ITEC 352 Lecture 27 Memory(4). Review Questions? Cache control –L1/L2  Main memory example –Formulas for hits.
Andrew Roths Fermin J. Serna MSRC Engineering and MSEC Science Microsoft Corporation.

Andrew Roths Fermin J. Serna MSRC Engineering and MSEC Science Microsoft Corporation.
DIEHARDER: SECURING THE HEAP. Previously in DieHard…  Increase Reliability by random positioning of data  Replicated Execution detects invalid memory.

DIEHARDER: SECURING THE HEAP. Previously in DieHard…  Increase Reliability by random positioning of data  Replicated Execution detects invalid memory.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
Memory/Storage Architecture Lab Computer Architecture Virtual Memory.

Memory/Storage Architecture Lab Computer Architecture Virtual Memory.
Dynamic Memory Allocation in C++. Memory Segments in C++ Memory is divided in certain segments – Code Segment Stores application code – Data Segment Holds.

Dynamic Memory Allocation in C++. Memory Segments in C++ Memory is divided in certain segments – Code Segment Stores application code – Data Segment Holds.
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:

Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:
CS 342 – Operating Systems Spring 2003 © Ibrahim Korpeoglu Bilkent University1 Memory Management - 2 CS 342 – Operating Systems Ibrahim Korpeoglu Bilkent.

CS 342 – Operating Systems Spring 2003 © Ibrahim Korpeoglu Bilkent University1 Memory Management - 2 CS 342 – Operating Systems Ibrahim Korpeoglu Bilkent.
Memory Management (continued) CS-3013 C-term 20081 Memory Management CS-3013 Operating Systems C-term 2008 (Slides include materials from Operating System.

Memory Management (continued) CS-3013 C-term Memory Management CS-3013 Operating Systems C-term 2008 (Slides include materials from Operating System.
Memory Management 1 CS502 Spring 2006 Memory Management CS-502 Spring 2006.

Memory Management 1 CS502 Spring 2006 Memory Management CS-502 Spring 2006.
CS-3013 & CS-502, Summer 2006 Memory Management1 CS-3013 & CS-502 Summer 2006.

CS-3013 & CS-502, Summer 2006 Memory Management1 CS-3013 & CS-502 Summer 2006.
Computer Organization and Architecture

Computer Organization and Architecture
1 Memory Management in Representative Operating Systems.

1 Memory Management in Representative Operating Systems.

Similar presentations

Ads by Google