Understanding Heap Overflows: An Introduction to Exploit Development
Learn about heap overflows in exploit development, including heap structure, memory maps, exploiting vulnerabilities, and controlling writes in the heap. Understand the difference between stack and heap, viewing heap in gdb, targeted exploit techniques, and the challenges of controlling EIP in the heap environment.
CNIT 127: Exploit Development Ch 4: Introduction to Heap Overflows
Memory Map
- In gdb, the "info proc map" command shows how memory is used
- Programs have a stack, one or more heaps, and other segments
- malloc() allocates space on the heap
- free() frees the space

Heap Structure
(Diagram of three consecutive heap chunks; each chunk is laid out as:)
- Size of previous chunk
- Size of this chunk
- Pointer to next chunk
- Pointer to previous chunk
- Data

EIP is Hard to Control
- The Stack contains stored EIP values
- The Heap usually does not
- However, it has addresses that are used for writes
  - To fill in heap data
  - To rearrange chunks when free() is called

Action of free()
- Must write to the forward and reverse pointers
- If we can overflow a chunk, we can control those writes
- Write to arbitrary RAM
- Image from mathyvanhoef.com, link Ch 5b
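As an added illustration (not part of the slides), here is a small C simulation of the two pointer writes free() performs when it unlinks a chunk, alongside the "safe unlinking" check that later allocators added to refuse corrupted fd/bk pointers. The chunk struct, the names unlink_naive/unlink_checked and the free list are constructed assumptions for this demo, not glibc's real code.

```c
#include <stdbool.h>
#include <string.h>

/* Simplified free-chunk header in the style of classic dlmalloc / early glibc.
   Constructed for illustration; not glibc's real malloc_chunk. */
struct chunk {
    size_t prev_size, size;  /* size of previous chunk, size of this chunk */
    struct chunk *fd, *bk;   /* pointers to next / previous free chunk */
};

/* Naive unlink (pre-2004 allocators): two writes whose addresses come
   straight from the chunk's own fd/bk fields. */
static void unlink_naive(struct chunk *p) {
    struct chunk *fd = p->fd, *bk = p->bk;
    fd->bk = bk;   /* write 1: to p->fd + offsetof(bk), value p->bk */
    bk->fd = fd;   /* write 2: to p->bk + offsetof(fd), value p->fd */
}

/* "Safe unlinking" as later added to glibc: both neighbours must point
   back at p, otherwise the list is corrupt and free() aborts instead. */
static bool unlink_checked(struct chunk *p) {
    if (p->fd->bk != p || p->bk->fd != p)
        return false;   /* corrupted double-linked list detected */
    unlink_naive(p);
    return true;
}

/* Constructed sample: a circular free list a <-> b <-> c. */
static struct chunk a, b, c, bogus;
static void build_list(void) {
    memset(&a, 0, sizeof a); memset(&b, 0, sizeof b);
    memset(&c, 0, sizeof c); memset(&bogus, 0, sizeof bogus);
    a.fd = &b; b.bk = &a; b.fd = &c; c.bk = &b; c.fd = &a; a.bk = &c;
}

/* Intact list: unlinking b succeeds and leaves a <-> c. */
int demo_intact(void) {
    build_list();
    return unlink_checked(&b) && a.fd == &c && c.bk == &a;
}

/* An overflow from the chunk before b has smashed b's fd/bk. The naive unlink
   writes into whatever they now point at (here, bogus); the checked one refuses. */
int demo_corrupted(void) {
    build_list();
    b.fd = &bogus; b.bk = &bogus;        /* overwritten pointers */
    bool refused = !unlink_checked(&b);  /* bogus.bk != &b -> refused */
    unlink_naive(&b);                    /* what an unchecked free would do */
    return refused && a.fd == &b && bogus.bk == &bogus && bogus.fd == &bogus;
}
```

Both demo functions return 1, showing that the same corrupted pointers that drive the naive writes are exactly what the back-pointer check catches.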
Target RAM Options
- Saved return address on the Stack (like the buffer overflows we did previously)
- Global Offset Table (used to find shared library functions)
- Destructors table (DTORS) (called when a program exits)
- C Library Hooks

Target RAM Options (continued)
- "atexit" structure (link Ch 4n)
- Any function pointer
- In Windows, the default unhandled exception handler is easy to find and exploit

Project Walkthroughs
- Proj 8: Exploiting a write to a heap value
- Proj 8x: Taking over a remote server
- Proj 5x: Buffer overflow with a canary