exploiting heap overflows

•

5 gefällt mir•1,720 views

primelude

Technologie

Windows Heap Overflows David Litchfield <david@ngssoftware.com>

This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap overflows have been well documented on *nix platforms, for example Matt Connover’s paper – w00w00 on heap overflows, but they’ve not been well documented on Windows, though Halvar Flake’s Third Generation Exploits paper covered the key concepts. Windows Heap Overflows Introduction

[object Object],[object Object],Windows Heap Overflows Heap based buffers are safe…. ?????

[object Object],Windows Heap Overflows What is a heap?

[object Object],Windows Heap Overflows Heap Design

[object Object],[object Object],[object Object],[object Object],[object Object],Windows Heap Overflows Heap Design

[object Object],Windows Heap Overflows So where’s the problem?

[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Windows Heap Overflows So where’s the problem?

[object Object],[object Object],[object Object],[object Object],[object Object],Windows Heap Overflows Exploiting Heap Overflows

[object Object],[object Object],Windows Heap Overflows Repairing the heap

[object Object],Windows Heap Overflows Repairing the heap

[object Object],Windows Heap Overflows Exploit: Using the Unhandled Exception Filter

[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Windows Heap Overflows Exploit: Using the Unhandled Exception Filter

[object Object],[object Object],Windows Heap Overflows Exploit: Using the Unhandled Exception Filter

[object Object],[object Object],[object Object],Windows Heap Overflows Exploit: Using the Unhandled Exception Filter

[object Object],[object Object],Windows Heap Overflows Exploit: Using Vectored Exception Handling

[object Object],Windows Heap Overflows Exploit: Using Vectored Exception Handling

[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Windows Heap Overflows Exploit: Using Vectored Exception Handling

[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Windows Heap Overflows Exploit: Using Vectored Exception Handling

[object Object],[object Object],[object Object],[object Object],Windows Heap Overflows Exploit: Using Vectored Exception Handling

[object Object],[object Object],[object Object],Windows Heap Overflows Exploit: RtlEnterCriticalSection pointer in the PEB

[object Object],Windows Heap Overflows Exploit: RtlEnterCriticalSection pointer in the PEB

[object Object],[object Object],Windows Heap Overflows Exploit: RtlEnterCriticalSection pointer in the PEB

[object Object],Windows Heap Overflows Exploit: TEB Exception Handler Pointer

[object Object],[object Object],Windows Heap Overflows Exploit: TEB Exception Handler Pointer

[object Object],Windows Heap Overflows Exploit: Getting Creative!

[object Object],[object Object],Windows Heap Overflows Exploit: Getting Creative!

[object Object],[object Object],Windows Heap Overflows Conclusion

[object Object],Windows Heap Overflows Thanks for coming!

Empfohlen

Checking Intel IPP Samples for Windows - ContinuationPVS-Studio

200 Open Source Projects Later: Source Code Static Analysis ExperienceAndrey Karpov

App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...Cyber Security Alliance

Computer Science Homework HelpProgramming Homework Help

Finding Xori: Malware Analysis Triage with Automated DisassemblyPriyanka Aash

Linux Shellcode disassemblingHarsh Daftary

Computer Science Assignment HelpProgramming Homework Help

Rust LDN 24 7 19 Oxidising the Command LineMatt Provost

Empfohlen

Checking Intel IPP Samples for Windows - ContinuationPVS-Studio

200 Open Source Projects Later: Source Code Static Analysis ExperienceAndrey Karpov

App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...Cyber Security Alliance

Computer Science Homework HelpProgramming Homework Help

Finding Xori: Malware Analysis Triage with Automated DisassemblyPriyanka Aash

Linux Shellcode disassemblingHarsh Daftary

Computer Science Assignment HelpProgramming Homework Help

Rust LDN 24 7 19 Oxidising the Command LineMatt Provost

06 file processingIssay Meii

Csw2016 wheeler barksdale-gruskovnjak-execute_mypacketCanSecWest

Lab4siragezeynu

Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]RootedCON

D2 t2 steven seeley - ghost in the windows 7 allocator_mr_me

Seh based attackMihir Shah

Picking Mushrooms after CppcheckAndrey Karpov

Flowchart - Building next gen malware behavioural analysis environment isc2-hellenic

Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Vincenzo Iozzo

Writing Metasploit Pluginsamiable_indian

The State of PHPUnitEdorian

Valgrind overview: runtime memory checker and a bit more aka использование #v...Minsk Linux User Group

The State of PHPUnitEdorian

Finding Xori: Malware Analysis Triage with Automated DisassemblyPriyanka Aash

Killing any security product … using a Mimikatz undocumented featureCyber Security Alliance

Sandboxie process isolation with kernel hooksKarlFrank99

No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)Pixie Labs

The state of PHPUnitEdorian

Splint the C code static checkerUlisses Costa

FreeRTOS Xilinx Vivado: Hello World!Vincent Claes

Heap overflows for humans – 101Craft Symbol

Low Level Exploitshughpearse

Weitere ähnliche Inhalte

Was ist angesagt?

06 file processingIssay Meii

Csw2016 wheeler barksdale-gruskovnjak-execute_mypacketCanSecWest

Lab4siragezeynu

Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]RootedCON

D2 t2 steven seeley - ghost in the windows 7 allocator_mr_me

Seh based attackMihir Shah

Picking Mushrooms after CppcheckAndrey Karpov

Flowchart - Building next gen malware behavioural analysis environment isc2-hellenic

Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Vincenzo Iozzo

Writing Metasploit Pluginsamiable_indian

The State of PHPUnitEdorian

Valgrind overview: runtime memory checker and a bit more aka использование #v...Minsk Linux User Group

The State of PHPUnitEdorian

Finding Xori: Malware Analysis Triage with Automated DisassemblyPriyanka Aash

Killing any security product … using a Mimikatz undocumented featureCyber Security Alliance

Sandboxie process isolation with kernel hooksKarlFrank99

No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)Pixie Labs

The state of PHPUnitEdorian

Splint the C code static checkerUlisses Costa

FreeRTOS Xilinx Vivado: Hello World!Vincent Claes

Was ist angesagt? (20)

06 file processing

Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket

Lab4

Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]

D2 t2 steven seeley - ghost in the windows 7 allocator

Seh based attack

Picking Mushrooms after Cppcheck

Flowchart - Building next gen malware behavioural analysis environment

Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...

Writing Metasploit Plugins

The State of PHPUnit

Valgrind overview: runtime memory checker and a bit more aka использование #v...

The State of PHPUnit

Finding Xori: Malware Analysis Triage with Automated Disassembly

Killing any security product … using a Mimikatz undocumented feature

Sandboxie process isolation with kernel hooks

No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)

The state of PHPUnit

Splint the C code static checker

FreeRTOS Xilinx Vivado: Hello World!

Ähnlich wie exploiting heap overflows

Heap overflows for humans – 101Craft Symbol

Low Level Exploitshughpearse

Exploitation Crash CourseUTD Computer Security Group

CyberLink LabelPrint 2.5 Exploitation ProcessThomas Gregory

DEF CON 27 - KYLE GWINNUP - next generation process emulation with bineeFelipe Prado

Re-checking the ReactOS project - a large reportPVS-Studio

AntiRE en MasseKurt Baumgartner

SEH overwrite and its exploitabilityFFRI, Inc.

How to recover malare assembly codesFACE

Virtual machine re buildingMartin Dominguez Alvarez

Buffer Overflow - Smashing the StackironSource

Buffer overflow – Smashing The StackTomer Zait

How to drive a malware analyst crazyMichael Boman

44CON London 2015 - How to drive a malware analyst crazy44CON

Fundamentals of Complete Crash and Hang Memory Dump Analysis (Revision 2)Dmitry Vostokov

Creating a Fibonacci Generator in Assembly - by Willem van KetwichWillem van Ketwich

CNIT 127 Ch 8: Windows overflows (Part 1)Sam Bowne

Bugs found in GCC with the help of PVS-StudioPVS-Studio

CNIT 127: Ch 8: Windows overflows (Part 1)Sam Bowne

Heading for a Record: Chromium, the 5th CheckPVS-Studio

Ähnlich wie exploiting heap overflows (20)

Heap overflows for humans – 101

Low Level Exploits

Exploitation Crash Course

CyberLink LabelPrint 2.5 Exploitation Process

DEF CON 27 - KYLE GWINNUP - next generation process emulation with binee

Re-checking the ReactOS project - a large report

AntiRE en Masse

SEH overwrite and its exploitability

How to recover malare assembly codes

Virtual machine re building

Buffer Overflow - Smashing the Stack

Buffer overflow – Smashing The Stack

How to drive a malware analyst crazy

44CON London 2015 - How to drive a malware analyst crazy

Fundamentals of Complete Crash and Hang Memory Dump Analysis (Revision 2)

Creating a Fibonacci Generator in Assembly - by Willem van Ketwich

CNIT 127 Ch 8: Windows overflows (Part 1)

Bugs found in GCC with the help of PVS-Studio

CNIT 127: Ch 8: Windows overflows (Part 1)

Heading for a Record: Chromium, the 5th Check

Kürzlich hochgeladen

So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda

Infrared simulation and processing on Nvidia platformsYoss Cohen

Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal

2024 April Patch TuesdayIvanti

A Journey Into the Emotions of Software DevelopersNicole Novielli

Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica

How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes

React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech

Accelerating Enterprise Software Engineering with PlatformlessWSO2

Decarbonising Buildings: Making a net-zero built environment a realityIES VE

A Glance At The Java Performance ToolboxAna-Maria Mihalceanu

Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Nikki Chapple

QCon London: Mastering long-running processes in modern architecturesBernd Ruecker

Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll

4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sectoritnewsafrica

UiPath Community: Communication Mining from Zero to HeroUiPathCommunity

The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney

Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq

Connecting the Dots for Information Discovery.pdfNeo4j

Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765

Kürzlich hochgeladen (20)

So einfach geht modernes Roaming fuer Notes und Nomad.pdf

Infrared simulation and processing on Nvidia platforms

Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...

2024 April Patch Tuesday

A Journey Into the Emotions of Software Developers

Glenn Lazarus- Why Your Observability Strategy Needs Security Observability

How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes

React Native vs Ionic - The Best Mobile App Framework

Accelerating Enterprise Software Engineering with Platformless

Decarbonising Buildings: Making a net-zero built environment a reality

A Glance At The Java Performance Toolbox

Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...

QCon London: Mastering long-running processes in modern architectures

Emixa Mendix Meetup 11 April 2024 about Mendix Native development

4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector

UiPath Community: Communication Mining from Zero to Hero

The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...

Genislab builds better products and faster go-to-market with Lean project man...

Connecting the Dots for Information Discovery.pdf

Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration

exploiting heap overflows

1. Windows Heap Overflows David Litchfield <david@ngssoftware.com>

2. This presentation will examine how to exploit heap based buffer overflows on the Windows platform. Heap overflows have been well documented on *nix platforms, for example Matt Connover’s paper – w00w00 on heap overflows, but they’ve not been well documented on Windows, though Halvar Flake’s Third Generation Exploits paper covered the key concepts. Windows Heap Overflows Introduction

5. Windows Heap Overflows Heap functions

10.

11.

12.

13.

14.

15.

16.

17.

18.

19.

20.

21.

22.

23.

24.

25.

26.

27.

28.

29.

30.

31.

32.

33.

34.

35.

36.

37.

38.

39.

40.

41.

42.

43.

44.

45.

46.

47.