Heap Overflows

Heap memory consists of large blocks of allocated memory. Each block has a small header that describes the size of the block and other details. If a heap buffer suffers from overflow, an attack overwrites the next block in the heap, including the header. If you overwrite the

Each exploit and software target has unique results, making this attack difficult. Depending

Exploitingon the code,Softwarethe pointsHow to Breakat whichCodememory can be corrupted will change. This isn't bad, it just

means that the exploit that you craft must be unique to the target.

ByGreg Hoglund,Gary McGraw

Heap overflows have been understood and exploited in the computer underground for several

Publisher: Addison Wesley

years, but the technique remains fairly esoteric. Unlike stack overflows (which have by now

Pub Date: February 17, 2004

been almost hunted to extinction), heap overflow vulnerabilities are still very prevalent.

ISBN: 0-201-78695-8

Typically,Pages:heap512 structures are placed contiguously in memory. The direction of buffer growth is shown in Figure 7-14.

Figure 7-14. Heap buffer growth in a typical platform.

How does software break? How do attackers make software break on purpose? Why are

firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What tools can be

Attack patterns

Each OS and compiler uses different methods for managing the heap. Even different Reverse engineering

applications on the same platform may use different methods for heap management. The best thingClassictoattacksdo whenagainstworkingserveran exploitsoftwareis to reverse engineer the heap system in use, keeping in mind that each target application is likely to use slightly different methods.

Surprising attacks against client software

Figure 7-15 shows how Windows 2000 organizes heap header information.

Techniques for crafting malicious input

The technical details of buffer overflows

Figure 7-15. Under Windows 2000, this pattern is used to represent

Rootkits

the heap header.

Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break

software.

Consider the following code:

•Table of Contents

•Index

Exploiting Software How to Break Code

BycharGreg*cHoglund= (char,Gary McGraw*) HeapAlloc( GetProcessHeap(), HEAP_ZERO_MEMORY, 10);

char *d = (char *) HeapAlloc( GetProcessHeap(), HEAP_ZERO_MEMORY, 32);

Publisher: Addison Wesley

Pub Date: February 17, 2004

char *e = (char *) HeapAlloc( GetProcessHeap(), HEAP_ZERO_MEMORY, 10);

ISBN: 0-201-78695-8

Pages: 512

strcpy(c, "Hello!");

strcpy(d, "Big!");

How does software break? How do attackers make software break on purpose? Why are firewalls,strcpy(e,intrusion"World!");detection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.

Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and

techniques used by bad guys to break software. If you want to protect your software from

HeapFree( GetProcessHeap(), 0, e);

attack, you must first learn how real attacks are really carried out.

This must-have book may shock you—and it will certainly educate you.Getting beyond the script kiddie treatment found in many hacking books, you will learn about

and the heap

Why software exploit will continue to be a serious problem

When network security mechanisms do not work

Attack patterns

Reverse engineering

Classic attacks against server software

...

Surprising attacks against client software

00142ADC 00 00 00 00 ....

Techniques for crafting malicious input

00142AE0 07 00 05 00 ....

The technical details of buffer overflows

00142AE4 00 07 18 00 ....

Rootkits

00142AE8 42 69 67 21 Big! <- we control this buffer

Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break

software.

00142AEC 00 00 00 00 .... <-

00142AF0 00 00 00 00 .... <- ...

00142AF4 00 00 00 00 ....

...

Malloc and the Heap

Malloc uses a slightly different header format, but the technique is the same. Two records are storednear one another in memory and one can overwrite the other. Consider the following code:

•Table of Contents

•Index

Exploiting Software How to Break Code

ByGreg Hoglund,Gary McGraw

Publisher: Addison Wesley

Pub Date: February 17, 2004

int main(int argc, char* argv[])

ISBN: 0-201-78695-8

{Pages: 512

char *c = (char *)malloc(10);

char *d = (char *)malloc(32);

How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.

strcpy(c, "Hello!");

Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and techniquesstrcpy(d,used by"World!");bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.

This must-have book may shock you—and it will certainly educate you.Getting beyond the scriptfree(d);kiddie treatment found in many hacking books, you will learn about

Why software exploit will continue to be a serious problem

When network security mechanisms do not work

return 0;

Attack patterns

} Reverse engineering

Classic attacks against server software

Surprising attacks against client software

After executing the two strcpys, the heap looks like this:

Techniques for crafting malicious input

The technical details of buffer overflows

Rootkits

Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break

software.

•Table of Contents

Exploiting Software How to Break Code

How does software break? How do attackers make software break on purpose? Why are

00321028 E0 0F 32 00 à.2. <- this value is used as an address

firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?

What tools can be used to break software? This book provides the answers.

0032102C 00 00 00 00 ....

Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and 00321030techniques used00 00by00bad00guys....to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.

00321034 00 00 00 00 ....

This must-have book may shock you—and it will certainly educate you.Getting beyond the script00321038kiddie20treatment00 00 00found...in many<hacking- size books, you will learn about

0032103C 01 00 00 00 ....

Why software exploit will continue to be a serious problem

00321040 35 00 00 00 5...

When network security mechanisms do not work

00321044 FD FD FD FD

Attack patterns

00321048 57 6F 72 6C Worl

Reverse engineering

0032104CClassic64attacks21 00againstCD d!server.Í software

00321050SurprisingCD CDattacksCD CDagainstÍÍÍÍclient software

Techniques for crafting malicious input

00321054 CD CD CD CD ÍÍÍÍ

The technical details of buffer overflows

00321058 CD CD CD CD ÍÍÍÍ

Rootkits

0032105C CD CD CD CD ÍÍÍÍ

Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break

00321060 CD CD CD CD ÍÍÍÍ

software.

00321074 0D F0 AD BA .–º

00321078 AB AB AB AB ««««

0032107C AB AB AB AB ««««

•Table of Contents

•Index

Exploiting Software How to Break Code

You can plainly see the buffers in the heap. Also notable are the heap headers that specify theByGregsizeHoglundof the,GaryheapMcGrawblocks. We want to overwrite the address because it gets used in a later operation once free() is called:

Publisher: Addison Wesley

Pub Date: February 17, 2004

ISBN: 0-201-78695-8

Pages: 512

00401E6CHow does softwaremov break? Howeax,dworddo attackeptrs[pHead]make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?

00401E6FWhat tools canmovbe used to breakecx,dwordsoftware?ptrThis[eax]book provides<- ecxthehasanswersour value.

Exploiting00401E71 Softwaremov is loadededx,dwordwith examplesptr [pHead]of real attacks, attack patterns, tools, and techniques used by bad guys to break software. If you want to protect your software from attack,00401E74you mustmov first learn eax,dwordhow real attacksptr [edx+4]are really carried out.

This must-have book may shock you—and it will certainly educate you.Getting beyond the

00401E77 mov dword ptr [ecx+4],eax <- memory overwrite script kiddie treatment found in many hacking books, you will learn about

Why software exploit will continue to be a serious problem

Because values that we control in the header are being used in the free() operation, we

When network security mechanisms do not work

have the ability to overwrite any location in memory as we see fit. The memory overwrite

that is noted uses whatever is stored in the eax register. We also control that value, because Attack patterns

it's taken from the heap header as well. In other words, we have complete control over

writing a single 4 DWORD value to memory at any location. Reverse engineering

Classic attacks against server software

Surprising attacks against client software

Techniques for crafting malicious input

The technical details of buffer overflows

Rootkits

Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break

software.