Scribd
Upload
8 views

Heap Overflow

Uploaded by

Nisarg Upadhyay
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
8 views

Heap Overflow

Uploaded by

Nisarg Upadhyay
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 19

Heap Overflow Attacks

1
What is a heap?
• Heap is a collection of variable-size memory
chunks allocated by the program
– e.g., malloc(), free() in C,
creating a new object in Java
creating a new object in Java script

• Heap management system controls the allocation,


de-allocation, and reclamation of memory chunks.
– To do this some meta data is necessary for book-
keeping

2
Heap overflow attacks
• What if heap memory is corrupted?
– If a buffer is allocated on the heap and
overflown, we could overwrite the heap meta
data
– This can allow us to modify any memory
location with any value of our chosen
– This could lead to running arbitrary code

3
Doug Lea’s malloc and free

P == 1: previous chunk is in use


P == 0: previous chunk is free
Size includes the first two control words

4
Double-linked free chunk list

struct chunk {
int prev_size;
int size;
struct chunk *fd;
struct chunk *bk;
};
5
heap.c
#define BUFSIZE 128

int main(int argc, char *argv[])


{
char *a, *b, *c;

if(argc < 2) {
printf("Usage: %s <buffer>\n", argv[0]);
exit(-1);
}

a = (char *) malloc(BUFSIZE);
b = (char *) malloc(BUFSIZE+16);
c = (char *) malloc(BUFSIZE+32);

printf("address of a: %p\n", a);


printf("address of b: %p\n", b);
printf("address of c: %p\n", c);

strcpy(b, "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB");
strcpy(c, "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC");
strcpy(a, argv[1]);

free(a);
free(b);
free(c); 6
}
The heap in memory
bin_forward bin_back
prev_free_size=0
Size=0x88 1
char *a
Data free(a)
(AAAAAAAAAAAAAAAAA
AAAA)
prev_free_size=0
Size=0x98 1
char *b
Data
(BBBBBBBBBBBBBBBBB
BBBBB)
prev_free_size=0
Size=0xa8 1
char *c
Data
(CCCCCCCCCCCCCCCC
CCCCC) 7
After free(a)
bin_forward bin_back
prev_free_size=0
Size=0x88 1
char *a
forward free(a)
back

prev_free_size=0x88
Size=0x98 0
char *b
Data free(b)
(BBBBBBBBBBBBBBBBB
BBBBB)
prev_free_size=0
Size=0xa8 1
char *c
Data
(CCCCCCCCCCCCCCCC
CCCCC) 8
After free(b)
bin_forward bin_back
prev_free_size=0
Size=0x120 1
char *a
forward free(a)
back

char *b
free(b)

prev_free_size=0x120
Size=136 0
char *c
Data
(CCCCCCCCCCCCCCCC
CCCCC) 9
What if “b” was freed first?
bin_forward bin_back
prev_free_size=0
Size=0x88 1
char *a
Data free(a)
(AAAAAAAAAAAAAAAAA
AAAA)
prev_free_size=0
Size=0x98 1
char *b
forward free(b)
back

prev_free_size=0x98
Size=0xa8 0
char *c
Data
(CCCCCCCCCCCCCCCC
CCCCC) 10
Then “a” was freed
bin_forward bin_back
prev_free_size=0
Size=0x120 1
char *a
forward
back

char *b

prev_free_size=0x120
Size=0xa8 0
char *c
Data
(CCCCCCCCCCCCCCCC
CCCCC) 11
Key Observation
• When the chunk (A) to be free’ed is
followed by a free chunk (B), chunk B will
be unlinked from the free list, and A will be
inserted into the free list.
• If the heap meta data in B has been
corrupted, the unlink operation will be
dangerous.
– Why?

12
Remove a chunk from the
double-linked free list
• unlink(P)
P->fd->bk = P->bk;
P->bk->fd = P->fd; Will create
P some trouble
for us

forward forward forward


back back back

If the “fd” pointer is corrupted, If the “bk” pointer is corrupted,


we can control which memory we can control what value to
cell to be modified put into the memory cell 13
Overwrite the “forward” field with “where-12”. Overwrite the “back” field with “what”.
A heap overflow attack
• Overwrite a heap memory chunk by
running past the allocated space.
• Create a fake heap structure that pretends
to be a free chunk.
• When the current chunk is free()’d, an
arbitrary memory overwrite will occur.
• We can control the “where” and “what” of
the memory overwrite.
14
The “where”
• By modifying certain memory locations, we can
modify the EIP and make it point to injected
malicious code.
• The Global Offset Table (GOT) contains the
entry addresses of dynamically linked library
functions (e.g. printf, malloc, free, exit, strcpy,
etc.)
– We can overwrite a GOT entry that will likely be used by the
program $ objdump -R heap
heap: file format elf32-i386
DYNAMIC RELOCATION RECORDS
OFFSET TYPE VALUE
0804975c R_386_GLOB_DAT __gmon_start__
08049744 R_386_JUMP_SLOT malloc
08049748 R_386_JUMP_SLOT __libc_start_main
0804974c R_386_JUMP_SLOT printf
08049750 R_386_JUMP_SLOT exit
08049754 R_386_JUMP_SLOT free 15
08049758 R_386_JUMP_SLOT strcpy
The “what”
• The “what” will be the address of the
malicious code we injected into the buffer.

• But, P->bk->fd=P->fd will “puncture” our


shellcode from bytes 8-12.

• Thus the shell code must “jump over” this


hole.
16
Remove a chunk from the
double-linked free list
• unlink(P)
P->fd->bk = P->bk;
P->bk->fd = P->fd; Will create
P some trouble
for us

forward forward forward


back back back

If the “fd” pointer is corrupted, If the “bk” pointer is corrupted,


we can control which memory we can control what value to
cell to be modified put into the memory cell 17
Overwrite the “forward” field with “where-12”. Overwrite the “back” field with “what”.
How to make free() think the chunk after “a” is free

prev_free_size=0
Size=0x88 1
char *a
Data
(AAAAAAAAAAAAAAAAA
AAAA)
prev_free_size=0
Size=0x98 1
char * b
Data
(BBBBBBBBBBBBBBBBB
BBBBB)
prev_free_size=0x98
The second next chunk’s “size”
Size=0xa8 0
char *c word shall be an even number
Data
(CCCCCCCCCCCCCCCC
CCCCC) 18
Assembled heap-overflow
payload
buffer
XXXX YYYY
This word will be \x90\x90\x90\x90 nop, nop, jmp + 4
overwritten by the ZZZZ Shellcode…
second part of
unlink statement Shellcode…

fake heap
Padding
structure

0xffffffff (-1) 0xffffffff (-1)


GOT_entry - 12 buffer + 8

19

You might also like