Heap Overflows

What is a Heap? malloc(), free(), realloc() Stores global variables Automatic memory allocation/deallocation Allocated at runtime Implemented in glibc

What is a Heap?

Basic Heap Overflows /*notvuln.c*/ int main( int argc, char** argv) { char * buf; buf =(char*)malloc(1024); printf(“buf=%p”, buf); strcpy(buf, argv[1]); free(buf); }

Basic Heap Overflows /*basicheap.c*/ int main( int argc, char** argv) { char *buf; char *buf2; buf = (char*)malloc(1024); buf2 = (char*)malloc(1024); printf(“buf=%p buf2=%p\n”, buf, buf2); strcpy(buf, argv[1]); free(buf2); }

Basic Heap Overflows lstrace./basicheap `perl –e ‘print “A” x 5000’` … malloc(1024) = 0x080495b0 malloc(1024) = 0x080499b8 strcpy(0x080495b0, “AAAAAAAAAAAAAAAAAAAA”…) = 0x080495b0 free(0x080499b8) = --- SIGSEGV (Segmentation fault) killed by SIGSEGV +++ Heap Overflow!

Heap Overflows Overwrite the next chunk header

Heap Overflows Trace the behavior of free() using gdb buf=0x80495b0 bu2=0x80499b8 buf2’s boundary tags are overwritten

Heap Overflows (gdb) run `python –c ‘print “A”*1024+”\xff\xff\xff\xff”+””\xf0\xff\xff\xff”’` Set a breakpoint on _int_free() (called by free) Right before free is called, we see: (gdb) print/x $edi $10 = 0xfffffff0 (gdb) print/x $esi $11 = 0x80499b0

Heap Overflows free() arithmatic: –Address of the previous chunk = (Current chunk address) - (sizeof(previous buffer)) Since we overwrote the (sizeof(previous buffer)), we can control the address of the previous chunk free() writes to the address of what it thinks is the previous chunk After some more free() sillyness, we can eventually control where free() writes, and redirect program execution to the stack

Advanced Heap Overflows Can also overflow malloc() –trickier: once again corrupt chunk headers to redirect flow of execution –malloc() uses similar arithmatic to Not as easy because of differences in each version of glibc

Sources “The Shellcoder’s Handbook” (Jack Koziol) ml erflow.html