Advanced Heap Overflow exploitation skills (1)

Yuan Ge

Advanced Heap Overflow exploitation skills

1. The peb address is in the normal mode 0x7ffdf000, And the peb loading address in the 3 GB mode is 0x7ffff000. Normally, 3 GB is rarely used.

2. Global function pointer peb offset 0x20, 0x24, and so on.

3. The default stack address is 0x18 at the peb offset.

4. The current idle heap pointer is at the stack offset 0x17c.

5. Heap allocation and release all have idle memory merge operations. Two groups of write operations (four memory writes) can be performed at a time in the memory ).

1. General heap release process:

(1) check the validity of the released address;

(2) release address-8 to get the memory control block;

(3) len = * (word *) mcb. Check the usage mark of the memory control block. if it is not used, an error is returned. if (mcb [5]. 0 = 0) goto err.

(4) obtain the control block of the previous memory and check whether it is used. mcb2 = mcb-* (word *) (mcb + 2) * 8, if (mcb2 [5]. 0 = 1) goto (6 );

(5) delete from idle linked list, memory write operation p1 = * (int) (mcb2 + 8), p2 = * (int) (mcb2 + 0x0c ), * (p1 + 1) = p2, * p2 = p1; len + = * (word) mcb2, mcb = mcb2. Modify the memory control linked list again;

(6) obtain the address of the next memory block, mcb3 = mcb + len * 8, and check whether the memory is idle. If (mcb3 [5]. 0 = 1) goto (8 );

(7) delete from idle linked list, memory write operation p1 = * (int) (mcb3 + 8), p2 = * (int) (mcb3 + 0x0c ), * (p1 + 1) = p2, * p2 = p1 ;. Modify the memory control linked list again;

(8) Close processing and return.

2. General heap allocation process:

(1) check the validity of the allocation length and obtain the required length unit len = (size + 0x0f)/8 Based on the allocation memory length. This computation obviously contains 8 bytes of alignment, and the length of the memory block. Calculate the free block pointer address of the appropriate sub-heap according to len;

(2) mcb = address-8. Check whether the memory block length meets the requirements. if (len> * (word *) mcb) continue to find the next block;

(3) Delete from idle linked list, memory write operation p1 = * (int) (mcb + 8), p2 = * (int) (mcb + 0x0c ), * (p1 + 1) = p2, * p2 = p1 .. The memory allocation flag is not checked because it is the memory address obtained from the idle memory management structure. Normally, it must be unallocated;

(4) mcb2 = mcb + len * 8, * (word) mcb2 = * (word *) mcb-len, * (word *) mcb = len. Re-establish the memory control block mcb2;

(5) check whether the next memory is idle. Mcb3 = mcb2 + * (word *) mcb * 8, if (mcb3 [5]. 0 = 1) goto (7 );

(6) Delete from idle linked list, memory write operation p1 = * (int) (mcb3 + 8), p2 = * (int) (mcb3 + 0x0c ), * (p1 + 1) = p2, * p2 = p1;

(7) finish processing and return.

 

6. Find a writable function call address. When calling a function, a simple register or a passing parameter in the stack can pass shellcode. Use 5 to design a set of Memory Operation overwrite addresses as a fixed writable address, and a group of memory operations write a small jump shellcode to the selected writable address. After designing * (p1 + 1) = p2 and * p2 = p1, you can get 4 bytes of arbitrary code without any illegal error. This relies on the selection of writable function call function addresses.

Lea eax dword [ebp + 0 xxxxxxxxx]

Push eax

Call dword ptr [funaddress]

 

(1), p2 = funaddress, p1 = canwriteadd

(2) p2 = canwriteadd, p1 = canwriteadd & 0xffff0000 + 0xc350

// 0x50 0xc3 push eax, ret