Presentation is loading. Please wait.

Presentation is loading. Please wait.

Heap Overflows. What is a Heap? malloc(), free(), realloc() Stores global variables Automatic memory allocation/deallocation Allocated at runtime Implemented.

Published byRhoda Strickland Modified over 7 years ago

Similar presentations

Presentation on theme: "Heap Overflows. What is a Heap? malloc(), free(), realloc() Stores global variables Automatic memory allocation/deallocation Allocated at runtime Implemented."— Presentation transcript:

1 Heap Overflows

2 What is a Heap? malloc(), free(), realloc() Stores global variables Automatic memory allocation/deallocation Allocated at runtime Implemented in glibc

3 What is a Heap?

4

5 Basic Heap Overflows /*notvuln.c*/ int main( int argc, char** argv) { char * buf; buf =(char*)malloc(1024); printf(“buf=%p”, buf); strcpy(buf, argv[1]); free(buf); }

6 Basic Heap Overflows /*basicheap.c*/ int main( int argc, char** argv) { char *buf; char *buf2; buf = (char*)malloc(1024); buf2 = (char*)malloc(1024); printf(“buf=%p buf2=%p\n”, buf, buf2); strcpy(buf, argv[1]); free(buf2); }

7 Basic Heap Overflows [pegleg@localhost] lstrace./basicheap `perl –e ‘print “A” x 5000’` … malloc(1024) = 0x080495b0 malloc(1024) = 0x080499b8 strcpy(0x080495b0, “AAAAAAAAAAAAAAAAAAAA”…) = 0x080495b0 free(0x080499b8) = --- SIGSEGV (Segmentation fault) --- +++ killed by SIGSEGV +++ Heap Overflow!

8 Heap Overflows Overwrite the next chunk header

9 Heap Overflows Trace the behavior of free() using gdb buf=0x80495b0 bu2=0x80499b8 buf2’s boundary tags are overwritten

10 Heap Overflows (gdb) run `python –c ‘print “A”*1024+”\xff\xff\xff\xff”+””\xf0\xff\xff\xff”’` Set a breakpoint on _int_free() (called by free) Right before free is called, we see: (gdb) print/x $edi $10 = 0xfffffff0 (gdb) print/x $esi $11 = 0x80499b0

11 Heap Overflows free() arithmatic: –Address of the previous chunk = (Current chunk address) - (sizeof(previous buffer)) Since we overwrote the (sizeof(previous buffer)), we can control the address of the previous chunk free() writes to the address of what it thinks is the previous chunk After some more free() sillyness, we can eventually control where free() writes, and redirect program execution to the stack

12 Advanced Heap Overflows Can also overflow malloc() –trickier: once again corrupt chunk headers to redirect flow of execution –malloc() uses similar arithmatic to Not as easy because of differences in each version of glibc

13 Sources “The Shellcoder’s Handbook” (Jack Koziol) http://gee.cs.oswego.edu/dl/html/malloc.ht ml http://www.cs.ucsb.edu/~jzhou/security/ov erflow.html

Download ppt "Heap Overflows. What is a Heap? malloc(), free(), realloc() Stores global variables Automatic memory allocation/deallocation Allocated at runtime Implemented."

Similar presentations

Secure Coding in C and C++ Dynamic Memory Management

Secure Coding in C and C++ Dynamic Memory Management
Dynamic memory allocation

Dynamic memory allocation
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Introduction to Memory Management. 2 General Structure of Run-Time Memory.

Introduction to Memory Management. 2 General Structure of Run-Time Memory.
Carnegie Mellon 1 Dynamic Memory Allocation: Basic Concepts 15-213: Introduction to Computer Systems 17 th Lecture, Oct. 21, 2010 Instructors: Randy Bryant.

Carnegie Mellon 1 Dynamic Memory Allocation: Basic Concepts : Introduction to Computer Systems 17 th Lecture, Oct. 21, 2010 Instructors: Randy Bryant.
Dynamic Memory Allocation (also see pointers lectures) -L. Grewe.

Dynamic Memory Allocation (also see pointers lectures) -L. Grewe.
Lecture 10: Heap Management CS 540 GMU Spring 2009.

Lecture 10: Heap Management CS 540 GMU Spring 2009.
DIEHARDER: SECURING THE HEAP. Previously in DieHard…  Increase Reliability by random positioning of data  Replicated Execution detects invalid memory.

DIEHARDER: SECURING THE HEAP. Previously in DieHard…  Increase Reliability by random positioning of data  Replicated Execution detects invalid memory.
Buffer Overflows By Tim Peterson Joel Miller Dan Block.

Buffer Overflows By Tim Peterson Joel Miller Dan Block.
Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.

Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.
CSE 451: Operating Systems Section 1. Why are you here? 9/30/102.

CSE 451: Operating Systems Section 1. Why are you here? 9/30/102.
Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.

Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.
Stack buffer overflow.

Stack buffer overflow.
Stack buffer overflow http://en.wikipedia.org/wiki/Stack_buffer_overflow.

Stack buffer overflow
Dynamic Memory Allocation in C++. Memory Segments in C++ Memory is divided in certain segments – Code Segment Stores application code – Data Segment Holds.

Dynamic Memory Allocation in C++. Memory Segments in C++ Memory is divided in certain segments – Code Segment Stores application code – Data Segment Holds.
Buffer Overflow. Process Memory Organization.

Buffer Overflow. Process Memory Organization.
Run-Time Storage Organization

Run-Time Storage Organization
Computer Security Buffer Overflow lab Eu-Jin Goh.

Computer Security Buffer Overflow lab Eu-Jin Goh.
Unix Process Environment. main Function A C program starts execution with a function called main. The prototype for the main function is: int main (int.

Unix Process Environment. main Function A C program starts execution with a function called main. The prototype for the main function is: int main (int.
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

Similar presentations

Ads by Google