Presentation is loading. Please wait.

Presentation is loading. Please wait.

Heap Overflow Attacks.

Published byBrenda Parker Modified over 6 years ago

Similar presentations

Presentation on theme: "Heap Overflow Attacks."— Presentation transcript:

1 Heap Overflow Attacks

2 What is a heap? Heap is a collection of variable-size memory chunks allocated by the program e.g., malloc(), free() in C, creating a new object in Java creating a new object in Java script Heap management system controls the allocation, de-allocation, and reclamation of memory chunks. To do this some meta data is necessary for book-keeping

3 Heap overflow attacks What if heap memory is corrupted?
If a buffer is allocated on the heap and overflown, we could overwrite the heap meta data This can allow us to modify any memory location with any value of our chosen This could lead to running arbitrary code

4 Doug Lea’s malloc and free
P == 1: previous chunk is in use P == 0: previous chunk is free Size includes the first two control words

5 Double-linked free chunk list
struct chunk { int prev_size; int size; struct chunk *fd; struct chunk *bk; };

6 heap.c #define BUFSIZE 128 int main(int argc, char *argv[]) {
char *a, *b, *c; if(argc < 2) { printf("Usage: %s <buffer>\n", argv[0]); exit(-1); } a = (char *) malloc(BUFSIZE); b = (char *) malloc(BUFSIZE+16); c = (char *) malloc(BUFSIZE+32); printf("address of a: %p\n", a); printf("address of b: %p\n", b); printf("address of c: %p\n", c); strcpy(b, "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"); strcpy(c, "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"); strcpy(a, argv[1]); free(a); free(b); free(c);

7 The heap in memory free(a) bin_forward bin_back prev_free_size=0
Size=0x88 1 char *a free(a) Data (AAAAAAAAAAAAAAAAAAAAA) prev_free_size=0 Size=0x98 1 char *b Data (BBBBBBBBBBBBBBBBBBBBBB) prev_free_size=0 Size=0xa8 1 char *c Data (CCCCCCCCCCCCCCCCCCCCC)

8 After free(a) free(a) free(b) bin_forward bin_back prev_free_size=0
Size=0x88 1 char *a free(a) forward back prev_free_size=0x88 Size=0x98 char *b free(b) Data (BBBBBBBBBBBBBBBBBBBBBB) prev_free_size=0 Size=0xa8 1 char *c Data (CCCCCCCCCCCCCCCCCCCCC)

9 Data (CCCCCCCCCCCCCCCCCCCCC)
After free(b) bin_forward bin_back prev_free_size=0 Size=0x120 1 char *a free(a) forward back char *b free(b) prev_free_size=0x120 Size=136 char *c Data (CCCCCCCCCCCCCCCCCCCCC)

10 What if “b” was freed first?
bin_forward bin_back prev_free_size=0 Size=0x88 1 char *a free(a) Data (AAAAAAAAAAAAAAAAAAAAA) prev_free_size=0 Size=0x98 1 char *b free(b) forward back prev_free_size=0x98 Size=0xa8 char *c Data (CCCCCCCCCCCCCCCCCCCCC)

11 Data (CCCCCCCCCCCCCCCCCCCCC)
Then “a” was freed bin_forward bin_back prev_free_size=0 Size=0x120 1 char *a forward back char *b prev_free_size=0x120 Size=0xa8 char *c Data (CCCCCCCCCCCCCCCCCCCCC)

12 Key Observation When the chunk (A) to be free’ed is followed by a free chunk (B), chunk B will be unlinked from the free list, and A will be inserted into the free list. If the heap meta data in B has been corrupted, the unlink operation will be dangerous. Why?

13 Remove a chunk from the double-linked free list
unlink(P) P->fd->bk = P->bk; P->bk->fd = P->fd; Will create some trouble for us P forward forward forward back back back If the “fd” pointer is corrupted, we can control which memory cell to be modified If the “bk” pointer is corrupted, we can control what value to put into the memory cell Overwrite the “forward” field with “where-12”. Overwrite the “back” field with “what”.

14 A heap overflow attack Overwrite a heap memory chunk by running past the allocated space. Create a fake heap structure that pretends to be a free chunk. When the current chunk is free()’d, an arbitrary memory overwrite will occur. We can control the “where” and “what” of the memory overwrite.

15 The “where” By modifying certain memory locations, we can modify the EIP and make it point to injected malicious code. The Global Offset Table (GOT) contains the entry addresses of dynamically linked library functions (e.g. printf, malloc, free, exit, strcpy, etc.) We can overwrite a GOT entry that will likely be used by the program $ objdump -R heap heap: file format elf32-i386 DYNAMIC RELOCATION RECORDS OFFSET TYPE VALUE c R_386_GLOB_DAT __gmon_start__ R_386_JUMP_SLOT malloc R_386_JUMP_SLOT __libc_start_main c R_386_JUMP_SLOT printf R_386_JUMP_SLOT exit R_386_JUMP_SLOT free R_386_JUMP_SLOT strcpy

16 The “what” The “what” will be the address of the malicious code we injected into the buffer. But, P->bk->fd=P->fd will “puncture” our shellcode from bytes 8-12. Thus the shell code must “jump over” this hole.

17 Remove a chunk from the double-linked free list
unlink(P) P->fd->bk = P->bk; P->bk->fd = P->fd; Will create some trouble for us P forward forward forward back back back If the “fd” pointer is corrupted, we can control which memory cell to be modified If the “bk” pointer is corrupted, we can control what value to put into the memory cell Overwrite the “forward” field with “where-12”. Overwrite the “back” field with “what”.

18 How to make free() think the chunk after “a” is free
prev_free_size=0 Size=0x88 1 char *a Data (AAAAAAAAAAAAAAAAAAAAA) prev_free_size=0 Size=0x98 1 char * b Data (BBBBBBBBBBBBBBBBBBBBBB) prev_free_size=0x98 The second next chunk’s “size” word shall be an even number Size=0xa8 char *c Data (CCCCCCCCCCCCCCCCCCCCC)

19 Assembled heap-overflow payload
buffer XXXX YYYY This word will be overwritten by the second part of unlink statement \x90\x90\x90\x90 nop, nop, jmp + 4 ZZZZ Shellcode… Shellcode… fake heap structure Padding 0xffffffff (-1) 0xffffffff (-1) GOT_entry - 12 buffer + 8

Download ppt "Heap Overflow Attacks."

Similar presentations

Secure Coding in C and C++ Dynamic Memory Management

Secure Coding in C and C++ Dynamic Memory Management
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Introduction to Memory Management. 2 General Structure of Run-Time Memory.

Introduction to Memory Management. 2 General Structure of Run-Time Memory.
Dynamic Memory Allocation (also see pointers lectures) -L. Grewe.

Dynamic Memory Allocation (also see pointers lectures) -L. Grewe.
Dynamic Memory Allocation I Topics Basic representation and alignment (mainly for static memory allocation, main concepts carry over to dynamic memory.

Dynamic Memory Allocation I Topics Basic representation and alignment (mainly for static memory allocation, main concepts carry over to dynamic memory.
An overview Secologic Treffen Martin Johns

An overview Secologic Treffen Martin Johns
Secure Coding in C and C++ Dynamic Memory Management Lecture 5 Acknowledgement: These slides are based on author Seacord’s original presentation.

Secure Coding in C and C++ Dynamic Memory Management Lecture 5 Acknowledgement: These slides are based on author Seacord’s original presentation.
Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.

Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.
Buffer Overflow. Process Memory Organization.

Buffer Overflow. Process Memory Organization.
C and Data Structures Baojian Hua

C and Data Structures Baojian Hua
Memory Layout C and Data Structures Baojian Hua

Memory Layout C and Data Structures Baojian Hua
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Secure Coding in C and C++ Pointer Subterfuge Lecture 5 Acknowledgement: These slides are based on author Seacord’s original presentation.

Secure Coding in C and C++ Pointer Subterfuge Lecture 5 Acknowledgement: These slides are based on author Seacord’s original presentation.
Chapter 6 Buffer Overflow. Buffer Overflow occurs when the program overwrites data outside the bounds of allocated memory It was one of the first exploited.

Chapter 6 Buffer Overflow. Buffer Overflow occurs when the program overwrites data outside the bounds of allocated memory It was one of the first exploited.
Software attacks Lorenzo Dematté Software attacks Advanced buffer overflow: heap smashing.

Software attacks Lorenzo Dematté Software attacks Advanced buffer overflow: heap smashing.
Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.

Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.
Mitigation of Buffer Overflow Attacks

Mitigation of Buffer Overflow Attacks
CNIT 127: Exploit Development Ch 4: Introduction to Format String Bugs.

CNIT 127: Exploit Development Ch 4: Introduction to Format String Bugs.
Computer Security 2015 – Ymir Vigfusson. 2  We have talked extensively about stack overflows  But those are not as common anymore  Heap overflows 

Computer Security 2015 – Ymir Vigfusson. 2  We have talked extensively about stack overflows  But those are not as common anymore  Heap overflows 

Similar presentations

Ads by Google