Understanding Heap Overflows: An Introduction to Exploit Development


Learn about heap overflows in exploit development, including heap structure, memory maps, exploiting vulnerabilities, and controlling writes in the heap. Understand the difference between stack and heap, viewing heap in gdb, targeted exploit techniques, and the challenges of controlling EIP in the heap environment.


Uploaded on Sep 10, 2024 | 0 Views



Presentation Transcript


  1. CNIT 127: Exploit Development Ch 4: Introduction to Heap Overflows

  2. What is a Heap?

  3. Memory Map
     In gdb, the "info proc map" command shows how memory is used
     Programs have a stack, one or more heaps, and other segments
     malloc() allocates space on the heap
     free() frees the space

  4. Heap and Stack

  5. Heap Structure
     Each chunk (the slide shows three side by side):
       Size of previous chunk
       Size of this chunk
       Pointer to next chunk
       Pointer to previous chunk
       Data

  6. A Simple Example

  7. A Simple Example

  8. Viewing the Heap in gdb

  9. Exploit and Crash

  10. Crash in gdb

  11. Targeted Exploit

  12. The Problem With the Heap

  13. EIP is Hard to Control
     The Stack contains stored EIP values
     The Heap usually does not
     However, it has addresses that are used for writes
       To fill in heap data
       To rearrange chunks when free() is called

  14. Action of Free()
     Must write to the forward and reverse pointers
     If we can overflow a chunk, we can control those writes
       Write to arbitrary RAM
     Image from mathyvanhoef.com, link Ch 5b
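As an added example (not from the slides or the course projects): a toy free list built from the chunk fields listed on slide 5, showing the two pointer writes that unlinking a chunk performs, beside a hardened version modelled on glibc's "corrupted double-linked list" check that refuses to write when a neighbour no longer points back. The chunk names, the decoy chunk and the simulated corruption are constructed for the demo.

```c
#include <stddef.h>

/* Toy chunk with the fields slide 5 lists (user data would follow). */
typedef struct chunk {
    size_t prev_size;
    size_t size;
    struct chunk *fd;  /* next free chunk */
    struct chunk *bk;  /* previous free chunk */
} chunk_t;

/* Classic unchecked unlink: two memory writes whose addresses and values
 * come straight from the chunk's own fd/bk fields. */
static void unlink_unchecked(chunk_t *p) {
    p->fd->bk = p->bk;  /* value p->bk stored at p->fd + offsetof(bk) */
    p->bk->fd = p->fd;  /* value p->fd stored at p->bk + offsetof(fp) */
}

/* Hardened unlink: both neighbours must point back at p, otherwise refuse.
 * Returns 1 if unlinked, 0 if the list looks corrupted (no writes made). */
static int unlink_checked(chunk_t *p) {
    if (p->fd->bk != p || p->bk->fd != p)
        return 0;
    p->fd->bk = p->bk;
    p->bk->fd = p->fd;
    return 1;
}

/* Link a <-> b <-> c as free chunks (constructed sample list). */
static void build_list(chunk_t *a, chunk_t *b, chunk_t *c) {
    a->fd = b; b->bk = a;
    b->fd = c; c->bk = b;
}

/* Intact list: checked unlink of b succeeds and a/c are joined. */
int demo_intact(void) {
    chunk_t a = {0}, b = {0}, c = {0};
    build_list(&a, &b, &c);
    return unlink_checked(&b) && a.fd == &c && c.bk == &a;
}

/* b's fd overwritten (what an overflow from a's data could do): the
 * checked version refuses, the unchecked version writes into the decoy. */
int demo_corrupted(void) {
    chunk_t a = {0}, b = {0}, c = {0}, decoy = {0};
    build_list(&a, &b, &c);
    b.fd = &decoy;  /* simulated corruption of the forward pointer */
    int refused = (unlink_checked(&b) == 0) && decoy.bk == NULL;
    unlink_unchecked(&b);  /* now the first write lands in decoy.bk */
    return refused && decoy.bk == &a;
}
```

The `offsetof(fp)` comment above should read `offsetof(fd)`; the write goes to the decoy's `bk` field because the corrupted `fd` pointer supplied the address.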

  15. Target RAM Options
     Saved return address on the Stack
       Like the Buffer Overflows we did previously
     Global Offset Table
       Used to find shared library functions
     Destructors table (DTORS)
       Called when a program exits
     C Library Hooks

  16. Target RAM Options
     "atexit" structure (link Ch 4n)
     Any function pointer
     In Windows, the default unhandled exception handler is easy to find and exploit

  17. Project Walkthroughs
     Proj 8: Exploiting a write to a heap value
     Proj 8x: Taking over a remote server
     Proj 5x: Buffer overflow with a canary
