CNIT 127: Exploit Development Ch 4: Introduction to Heap Overflows.
-
Upload
cora-warren -
Category
Documents
-
view
231 -
download
3
Transcript of CNIT 127: Exploit Development Ch 4: Introduction to Heap Overflows.
![Page 1: CNIT 127: Exploit Development Ch 4: Introduction to Heap Overflows.](https://reader033.fdocuments.us/reader033/viewer/2022052317/56649f495503460f94c6aa49/html5/thumbnails/1.jpg)
CNIT 127: Exploit Development
Ch 4: Introduction to Heap Overflows
![Page 2: CNIT 127: Exploit Development Ch 4: Introduction to Heap Overflows.](https://reader033.fdocuments.us/reader033/viewer/2022052317/56649f495503460f94c6aa49/html5/thumbnails/2.jpg)
What is a Heap?
![Page 3: CNIT 127: Exploit Development Ch 4: Introduction to Heap Overflows.](https://reader033.fdocuments.us/reader033/viewer/2022052317/56649f495503460f94c6aa49/html5/thumbnails/3.jpg)
Memory Map
• In gdb, the "info proc map" command shows how memory is used
• Programs have a stack, one or more heaps, and other segments
• malloc() allocates space on the heap• free() frees the space
![Page 4: CNIT 127: Exploit Development Ch 4: Introduction to Heap Overflows.](https://reader033.fdocuments.us/reader033/viewer/2022052317/56649f495503460f94c6aa49/html5/thumbnails/4.jpg)
Heap and Stack
![Page 5: CNIT 127: Exploit Development Ch 4: Introduction to Heap Overflows.](https://reader033.fdocuments.us/reader033/viewer/2022052317/56649f495503460f94c6aa49/html5/thumbnails/5.jpg)
Heap Structure
Size of previous chunk
Size of this chunk
Pointer to next chunk
Pointer to previous chunk
Data
Size of previous chunk
Size of this chunk
Pointer to next chunk
Pointer to previous chunk
Data
Size of previous chunk
Size of this chunk
Pointer to next chunk
Pointer to previous chunk
Data
![Page 6: CNIT 127: Exploit Development Ch 4: Introduction to Heap Overflows.](https://reader033.fdocuments.us/reader033/viewer/2022052317/56649f495503460f94c6aa49/html5/thumbnails/6.jpg)
A Simple Example
![Page 7: CNIT 127: Exploit Development Ch 4: Introduction to Heap Overflows.](https://reader033.fdocuments.us/reader033/viewer/2022052317/56649f495503460f94c6aa49/html5/thumbnails/7.jpg)
A Simple Example
![Page 8: CNIT 127: Exploit Development Ch 4: Introduction to Heap Overflows.](https://reader033.fdocuments.us/reader033/viewer/2022052317/56649f495503460f94c6aa49/html5/thumbnails/8.jpg)
Viewing the Heap in gdb
![Page 9: CNIT 127: Exploit Development Ch 4: Introduction to Heap Overflows.](https://reader033.fdocuments.us/reader033/viewer/2022052317/56649f495503460f94c6aa49/html5/thumbnails/9.jpg)
Exploit and Crash
![Page 10: CNIT 127: Exploit Development Ch 4: Introduction to Heap Overflows.](https://reader033.fdocuments.us/reader033/viewer/2022052317/56649f495503460f94c6aa49/html5/thumbnails/10.jpg)
Crash in gdb
![Page 11: CNIT 127: Exploit Development Ch 4: Introduction to Heap Overflows.](https://reader033.fdocuments.us/reader033/viewer/2022052317/56649f495503460f94c6aa49/html5/thumbnails/11.jpg)
Targeted Exploit
![Page 12: CNIT 127: Exploit Development Ch 4: Introduction to Heap Overflows.](https://reader033.fdocuments.us/reader033/viewer/2022052317/56649f495503460f94c6aa49/html5/thumbnails/12.jpg)
The Problem With the Heap
![Page 13: CNIT 127: Exploit Development Ch 4: Introduction to Heap Overflows.](https://reader033.fdocuments.us/reader033/viewer/2022052317/56649f495503460f94c6aa49/html5/thumbnails/13.jpg)
EIP is Hard to Control
• The Stack contains stored EIP values• The Heap usually does not• However, it has addresses that are used for
writes– To fill in heap data– To rearrange chunks when free() is called
![Page 14: CNIT 127: Exploit Development Ch 4: Introduction to Heap Overflows.](https://reader033.fdocuments.us/reader033/viewer/2022052317/56649f495503460f94c6aa49/html5/thumbnails/14.jpg)
Action of Free()
• Must write to the forward and reverse pointers• If we can overflow a chunk, we can control those
writes• Write to arbitrary RAM– Image from mathyvanhoef.com, link Ch 5b
![Page 15: CNIT 127: Exploit Development Ch 4: Introduction to Heap Overflows.](https://reader033.fdocuments.us/reader033/viewer/2022052317/56649f495503460f94c6aa49/html5/thumbnails/15.jpg)
Target RAM Options
• Saved return address on the Stack– Like the Buffer Overflows we did previously
• Global Offset Table– Used to find shared library functions
• Destructors table (DTORS)– Called when a program exits
• C Library Hooks
![Page 16: CNIT 127: Exploit Development Ch 4: Introduction to Heap Overflows.](https://reader033.fdocuments.us/reader033/viewer/2022052317/56649f495503460f94c6aa49/html5/thumbnails/16.jpg)
Target RAM Options
• "atexit" structure (link Ch 4n)• Any function pointer• In Windows, the default unhandled exception
handler is easy to find and exploit
![Page 17: CNIT 127: Exploit Development Ch 4: Introduction to Heap Overflows.](https://reader033.fdocuments.us/reader033/viewer/2022052317/56649f495503460f94c6aa49/html5/thumbnails/17.jpg)
Project Walkthroughs
• Proj 8– Exploiting a write to a heap value
• Proj 8x– Taking over a remote server
• Proj 5x– Buffer overflow with a canary