Reliable Windows Heap Exploits Matt Conover & Oded Horovitz
Agenda

Introduction

Introduction (cont.)

Introduction: Our Findings
Windows Heap Internals

  Heaps and the PEB (diagram): the PEB holds the default heap pointer at 0x0010
  (0x70000 in the example), the heap count at 0x0080 and the heap list at 0x0090;
  the list points to the default heap (0x70000) and the second heap (0x170000).

  Heap layout (diagram): management structures, then committed memory, then
  reserved memory.

  Heap header (diagram): segments, lookaside table, segment table, free lists
  table, free list usage bitmap, virtual allocation list.

  Segment (diagram): committed and reserved memory.

  Free lists (diagram): list 0 holds the large free chunks (1400, 2000, 2000 and
  2408 bytes), list 2 holds two 16-byte chunks and list 6 two 48-byte chunks,
  i.e. the list index is the chunk size in 8-byte units; the free list usage
  bitmap has one bit per list (0, 1, 2, ... 14, ...).

  Chunk header, 8 bytes (overflow direction: low offsets are hit first):
    bytes 0-1  Self size (in 8-byte units)
    bytes 2-3  Previous chunk size
    byte 4     Segment index
    byte 5     Flags
    byte 6     Unused bytes
    byte 7     Tag index (debug)
  Flags: 01 Busy, 02 Extra present, 04 Fill pattern, 08 Virtual alloc,
         10 Last entry, 20 FFU1, 40 FFU2, 80 No coalesce

  Free chunk (diagram): the 8-byte header is followed by the free list pointers
  to the next chunk (Flink) and the previous chunk (Blink).

  Virtually allocated chunk (diagram): pointers to the next and previous
  virtually allocated chunks, the commit size and the reserve size come before
  the 8-byte header.

  Allocation (diagram): the search range over the free list bitmap runs from the
  list for the requested size upwards (0, 1, 2, ... 14, ...).

  Splitting (diagram): when the header found on the free lists is larger than the
  requested length, the requested part goes back to the caller and the remainder
  gets a new header and goes back to the free list.

  Segment (diagram): committed and reserved memory.

  Coalescing (diagram), neighbouring chunks A, B and C:
    Step 1: B is freed
    Step 2: A is removed from the free list, giving A + B coalesced
    Step 3: C is removed from the free list, giving A + B + C coalesced
    Step 4: the coalesced chunk is placed back on the free list
Heap Exploitation: Basic Terms
Arbitrary Memory Overwrite Explained

  Diagram: the overflow starts in the previous chunk and reaches a header with
  size < 0x40 and flags 09 (01 Busy + 08 Virtual alloc), followed by Address A
  and Address B.

  Diagram: the overflow reaches a header with flag 40 (FFU2), previous chunk size
  < 0x40 and size 0x40, followed by Address A and Address B.

  Diagram: the overflowed buffer is followed by fake chunk A, fake chunk B and
  fake chunk C.

  Overwrite targets:

    Address B                    Address A                                Comments
    Unhandled exception filter   Call [esi+xx] or similar                 High rate of success, but SP dependent
    Vectored Exception Handling  Stack location pointing to our buffer    High rate of success, but SP dependent
    PEB locks                    Guessed address or application specific  Medium rate of success (because of the guessed address), SP independent

  Can we improve on that?
Arbitrary Memory Overwrite

  PEB (diagram): the PEB header, the PEB lock/unlock function pointers at
  0x7ffdf020 and 0x7ffdf024, and ~1k of payload space at 0x7ffdf130.

  Diagram: a function pointer, an address jump table in writable memory, and the
  shellcode.

  Diagram: backdoors (1.2.3.4).

  Diagram: lookaside table, original dispatch table, populated entry, PEB,
  remapped table.

  Diagram: original lookaside table, PEB, heap, remapped lookaside table.

  Last entry (diagram): coalescing with the "last entry" makes the new, bigger
  buffer the last entry. Using the segment index, the heap finds the pointer to
  the right segment (segment X in the heap header), and the segment's pointer to
  the last entry gets updated.

  Last entry with a fake header (diagram): this time the fake header causes an
  arbitrary memory overwrite. The segment index selects a dummy segment that
  overlaps the PEB, so when the segment's last-entry pointer is updated, the PEB
  lock function pointer automatically points to our coalesced buffer.
Other Overflows?

  Diagram: chunk A header, the overflowed chunk, chunk B header; the overflow
  reaches SizeLo of chunk B's header and sets it to 0, leaving SizeHi intact.

Off-By-Ones

  Diagram: chunk B header with real size 0x0110 * 8 = 2176 bytes, followed by
  the chunk C header.

  Diagram: with SizeLo zeroed, chunk B's size reads 0x0100 * 8 = 2048 bytes, so
  the heap looks for chunk C's header 2048 bytes in, inside user-controlled
  memory (part of chunk B), where a fake chunk C header sits; the real chunk C
  header is 128 bytes further on.
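The chunk header layout from the Windows Heap Internals slides and the off-by-one size shrink above, worked through as an added example. This code is not from the slides and does not touch a real Windows heap: it models 8-byte headers in a scratch byte array, with the chunk sizes from the diagram (B is 0x110 units of 8 bytes), and the overflowing copy is a constructed strcpy-like routine whose bounded length check still writes its NUL terminator one byte too far.

```c
/* Added example (not from the slides): a byte-array model of the pre-SP2
 * NT heap chunk header and of the off-by-one SizeLo shrink. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HDR_SIZE 8   /* one 8-byte header; the Size fields count 8-byte units */

/* Flag bits from the chunk-header slide */
enum {
    FLAG_BUSY = 0x01, FLAG_EXTRA_PRESENT = 0x02, FLAG_FILL_PATTERN = 0x04,
    FLAG_VIRTUAL_ALLOC = 0x08, FLAG_LAST_ENTRY = 0x10, FLAG_FFU1 = 0x20,
    FLAG_FFU2 = 0x40, FLAG_NO_COALESCE = 0x80
};

typedef struct {
    uint16_t size;           /* bytes 0-1: own size in 8-byte units */
    uint16_t prev_size;      /* bytes 2-3: previous chunk's size in 8-byte units */
    uint8_t  segment_index;  /* byte 4 */
    uint8_t  flags;          /* byte 5 */
    uint8_t  unused_bytes;   /* byte 6 */
    uint8_t  tag_index;      /* byte 7 (debug) */
} heap_entry;

static void write_hdr(uint8_t *p, heap_entry h) {
    p[0] = (uint8_t)h.size;      p[1] = (uint8_t)(h.size >> 8);      /* little-endian */
    p[2] = (uint8_t)h.prev_size; p[3] = (uint8_t)(h.prev_size >> 8);
    p[4] = h.segment_index; p[5] = h.flags; p[6] = h.unused_bytes; p[7] = h.tag_index;
}

heap_entry read_hdr(const uint8_t *p) {
    heap_entry h;
    h.size = (uint16_t)(p[0] | (p[1] << 8));
    h.prev_size = (uint16_t)(p[2] | (p[3] << 8));
    h.segment_index = p[4]; h.flags = p[5]; h.unused_bytes = p[6]; h.tag_index = p[7];
    return h;
}

/* Scratch arena holding three busy chunks A | B | C, as in the off-by-one slides. */
#define ARENA_SIZE 0x1000
static uint8_t arena[ARENA_SIZE];
enum { A_UNITS = 0x10, B_UNITS = 0x110, C_UNITS = 0x20 };   /* B = 0x110 * 8 = 2176 bytes */
enum { A_OFF = 0, B_OFF = A_UNITS * HDR_SIZE, C_OFF = B_OFF + B_UNITS * HDR_SIZE };

void build_arena(void) {
    memset(arena, 0, sizeof arena);
    write_hdr(arena + A_OFF, (heap_entry){ A_UNITS, 0,       0, FLAG_BUSY, 0, 0 });
    write_hdr(arena + B_OFF, (heap_entry){ B_UNITS, A_UNITS, 0, FLAG_BUSY, 0, 0 });
    write_hdr(arena + C_OFF, (heap_entry){ C_UNITS, B_UNITS, 0, FLAG_BUSY | FLAG_LAST_ENTRY, 0, 0 });
}

/* The heap locates the next header by trusting Size: header + Size * 8. */
size_t next_hdr_off(size_t hdr_off) {
    return hdr_off + (size_t)read_hdr(arena + hdr_off).size * HDR_SIZE;
}

/* Does the heap still see C's header where it really is? */
int c_header_consistent(void) { return next_hdr_off(B_OFF) == C_OFF; }

/* The bug: A's user data is 120 bytes and the length is bounded to that, but the
 * NUL terminator is written after the bounded length, so a 120-byte input puts a
 * 0x00 on byte 0 of B's header (SizeLo): 0x0110 becomes 0x0100. */
void copy_into_a(const char *src) {
    uint8_t *a_user = arena + A_OFF + HDR_SIZE;
    size_t cap = A_UNITS * HDR_SIZE - HDR_SIZE;        /* 120 usable bytes */
    size_t n = strlen(src);
    if (n > cap) n = cap;
    memcpy(a_user, src, n);
    a_user[n] = 0;                                     /* off by one when n == cap */
}

void fill_a_to_capacity(void) {
    char input[121];                                   /* constructed attacker input */
    memset(input, 'A', 120); input[120] = 0;
    copy_into_a(input);
}

/* Does the heap's idea of C's header now fall inside B's user data? */
int fake_c_in_b_user_data(void) {
    size_t seen = next_hdr_off(B_OFF);
    return seen >= B_OFF + HDR_SIZE && seen + HDR_SIZE <= C_OFF;
}

/* Attacker-controlled bytes of B: plant a header the heap will take for C's.
 * Its prev_size mirrors B's shrunken size so the pair looks consistent. */
void plant_fake_c(void) {
    size_t seen = next_hdr_off(B_OFF);
    write_hdr(arena + seen, (heap_entry){ 0x08, read_hdr(arena + B_OFF).size, 0, FLAG_BUSY, 0, 0 });
}

int main(void) {
    build_arena();
    printf("before: B size 0x%x, next header at %zu (C really at %d)\n",
           (unsigned)read_hdr(arena + B_OFF).size, next_hdr_off(B_OFF), (int)C_OFF);
    fill_a_to_capacity();
    printf("after : B size 0x%x, next header at %zu, inside B's data: %d\n",
           (unsigned)read_hdr(arena + B_OFF).size, next_hdr_off(B_OFF), fake_c_in_b_user_data());
    return 0;
}
```

The point to check in a real target is the same as in the model: one zeroed byte moves the next-header computation 128 bytes backwards (2176 to 2048), and whatever the attacker wrote at that offset inside B is what the heap will parse as C's header on the next free or coalesce.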
Other Overflows?
Double Free

  Diagram: chunk A header (free), chunk B header (busy).

  Diagram: chunk A + B header (free) covers the coalesced chunk; the former
  chunk B header lies inside it.

  Diagram: a fake chunk with its own Flink and Blink sits where the old chunk B
  was, inside the coalesced chunk after the chunk A header.
Shellcode Notes
XP Service Pack 2

  Header change (diagram; reminder: overflow direction is low offsets first):
    Current header:  bytes 0-1 Self size, 2-3 Previous chunk size,
                     4 Segment index, 5 Flags, 6 Unused bytes, 7 Tag index (debug)
    XP SP2 header:   bytes 0-1 Self size, 2-3 Previous chunk size,
                     4 New cookie, 5 Flags, 6 Unused bytes, 7 Segment index

  Diagram: the header to free, with chunks A, B and C.

XP Service Pack 2: Summary
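The unlink write behind the overwrite table (Flink = Address A, Blink = Address B) and the two XP SP2 changes shown above (the cookie in header byte 4 and checked unlinking), as an added example that is not part of the slides. It runs over a scratch byte array with 32-bit offsets standing in for pointers; the list head, chunk offsets, Address A and Address B values and the cookie value are all constructed for the model, and the cookie is reduced to one per-heap byte rather than the exact SP2 derivation.

```c
/* Added example (not from the slides): a byte-array model of the free-list
 * unlink that yields the arbitrary 4-byte write, and of the XP SP2 checks
 * that reject a forged chunk. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MEM_SIZE 0x1000
static uint8_t mem[MEM_SIZE];

/* Free chunk: 8-byte header, then the list entry {Flink, Blink} at +8/+12.
 * Flink/Blink point at other chunks' list entries, not at their headers. */
enum { HDR = 8, FLINK = 0, BLINK = 4 };

static uint32_t rd32(uint32_t off) { uint32_t v; memcpy(&v, mem + off, sizeof v); return v; }
static void     wr32(uint32_t off, uint32_t v) { memcpy(mem + off, &v, sizeof v); }

/* Constructed scene; real addresses differ, these are offsets into the array. */
enum {
    LIST_HEAD = 0x040,   /* a free list head (list entry only) */
    LEGIT     = 0x200,   /* a genuine free chunk on that list */
    FORGED    = 0x100,   /* the chunk whose Flink/Blink the overflow wrote */
    ADDR_A    = 0x600,   /* "Address A": the value that gets written */
    ADDR_B    = 0x800    /* "Address B": where it gets written (a pointer slot) */
};

/* Assumed per-heap cookie for this model; a real SP2 heap draws it at creation. */
static const uint8_t heap_cookie = 0xC3;

void build_scene(void) {
    memset(mem, 0, sizeof mem);
    /* head <-> LEGIT: a consistent two-node circular list */
    wr32(LIST_HEAD + FLINK, LEGIT + HDR); wr32(LIST_HEAD + BLINK, LEGIT + HDR);
    wr32(LEGIT + HDR + FLINK, LIST_HEAD); wr32(LEGIT + HDR + BLINK, LIST_HEAD);
    mem[LEGIT + 4] = heap_cookie;                   /* SP2 cookie byte of a real header */
    /* what the overflow left behind: Flink = A, Blink = B */
    wr32(FORGED + HDR + FLINK, ADDR_A); wr32(FORGED + HDR + BLINK, ADDR_B);
}

/* Pre-SP2 unlink, run when a free neighbour is coalesced: no validation.
 *   Blink->Flink = Flink   ->  *(B + 0) = A   the 4-byte write the attacker wants
 *   Flink->Blink = Blink   ->  *(A + 4) = B   the side effect, done second */
void unlink_unchecked(uint32_t chunk) {
    uint32_t entry = chunk + HDR;
    uint32_t f = rd32(entry + FLINK), b = rd32(entry + BLINK);
    wr32(b + FLINK, f);
    wr32(f + BLINK, b);
}

/* XP SP2 safe unlink: both neighbours must point back at this entry. */
int unlink_checked(uint32_t chunk) {
    uint32_t entry = chunk + HDR;
    uint32_t f = rd32(entry + FLINK), b = rd32(entry + BLINK);
    if (rd32(f + BLINK) != entry || rd32(b + FLINK) != entry)
        return 0;                                   /* forged list entry: refuse */
    wr32(b + FLINK, f);
    wr32(f + BLINK, b);
    return 1;
}

/* The free paths reduced to the part that matters here. */
int free_pre_sp2(uint32_t chunk) { unlink_unchecked(chunk); return 1; }

int free_sp2(uint32_t chunk) {
    if (mem[chunk + 4] != heap_cookie) return 0;    /* header byte 4 is now the cookie */
    return unlink_checked(chunk);
}

/* An attacker who has learnt the cookie can stamp it; the unlink check still holds. */
void stamp_cookie(uint32_t chunk) { mem[chunk + 4] = heap_cookie; }

int main(void) {
    build_scene();
    free_pre_sp2(FORGED);
    printf("pre-SP2: *0x%03x = 0x%03x, *0x%03x = 0x%03x\n",
           ADDR_B, (unsigned)rd32(ADDR_B), ADDR_A + 4, (unsigned)rd32(ADDR_A + 4));
    build_scene();
    stamp_cookie(FORGED);
    printf("SP2: forged chunk freed? %d, legit chunk freed? %d\n",
           free_sp2(FORGED), free_sp2(LEGIT));
    return 0;
}
```

Two things the model makes visible. The write order is fixed: *(B) = A lands before *(A + 4) = B, so if A is not writable the second write faults only after the slot at B has already been replaced, which matters when B is an exception-handling pointer; for other targets A has to sit in writable memory, which is what the jump-table-in-writable-memory diagram is about. Under SP2 the cookie is not what ultimately stops the forged chunk here: with the cookie stamped, the unlink check fails because neither *(A + 4) nor *(B) points back at the forged list entry.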
Other Protection Mechanisms

Summary: Overwrite Types

Summary: Overwrite Sources

Summary: Overwrite Attacks
