Author: Mr_me
Translator: Riusksk (Quan Ge: http://riusksk.blogbus.com)
Preface
In stack overflows we usually take control of the instruction pointer (EIP) directly, or we overwrite an SEH record. In this article we discuss and test a technique that is not applied directly to EIP or SEH: we overwrite a controllable memory address to achieve an arbitrary DWORD overwrite. If your understanding of stack overflows is not yet at an intermediate/advanced level, I suggest you concentrate on learning that first. The techniques used in this article are old and have been around for a long time; if you have any new techniques, please share them with us. Before reading this article, you will need the following:
● Windows XP SP1;
● A debugger (Olly Debugger, Immunity Debugger, WinDbg, etc.);
● A C/C++ compiler (Dev C++, lcc-32, MS Visual C++ 6.0, ...);
● A scripting language environment (this article uses Python; Perl works just as well);
● A brain;
● Knowledge of assembly and C, and of how to debug them with a debugger;
● The HideDbg plugin for Olly Debugger, or the !hidedebug command plugin for Immunity Debugger;
● Time.
This article focuses on the basics. These techniques may be outdated and no longer used in the "real world", but remember: if you want to improve your skills, you must know the past and turn its strengths to your own use!
Definition of the heap and how it works on XP
The heap is where a process stores data. Each process can dynamically allocate and free the heap memory its program needs, and that memory is accessible from anywhere in the process. Note that the stack grows toward 0x00000000, while the heap grows toward 0xFFFFFFFF. This means that if a process calls HeapAlloc() twice in a row, the pointer returned by the second call points to a higher address than the one returned by the first, so an overflow of the first heap chunk runs into the memory of the second.
Every process has a default process heap, and it may create further heaps dynamically; each of these heaps contains several data structures. One of them is an array of 128 LIST_ENTRY structures used to track free blocks, the well-known free list (FreeList). Each LIST_ENTRY structure contains two pointers (Flink and Blink), and the array is located at offset 0x178 from the start of the HEAP structure. When a heap is created, both pointers of the otherwise empty FreeList[0] entry point to the first free block, and FreeList[0] is used to organize the free heap chunks into a doubly-linked list.
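To make the FreeList[0] structure and its two pointers concrete, here is a small Python model of the doubly-linked free list. It is an added example written for this translation, not code from the original article or from Windows itself. Memory is modelled as a sparse dict of 32-bit cells, a LIST_ENTRY is two DWORDs (Flink at +0, Blink at +4), and the addresses are the ones used in the article's walkthrough (heap base 0x00650000, FreeList[0] at base+0x178, first free chunk at 0x00650688); all function and class names are the example's own. It shows the two writes that an unlink performs when a chunk leaves the list, why a LIST_ENTRY whose pointers have been clobbered by an overflow from the neighbouring chunk turns that unlink into a write to an arbitrary DWORD, and how the consistency check that XP SP2 later added ("safe unlinking": Flink->Blink and Blink->Flink must both point back at the entry) refuses such an entry before any write happens.

```python
# Added example (not from the original article): toy model of the XP SP1 FreeList[0]
# doubly-linked list. Addresses follow the article's walkthrough; the class and
# function names below are this example's own and do not exist in ntdll.

HEAP_BASE = 0x00650000
FREELIST0 = HEAP_BASE + 0x178   # FreeList[0].Flink lives here; .Blink is at +4
FIRST_FREE = 0x00650688         # LIST_ENTRY of the first free chunk (from the article)
MASK32 = 0xFFFFFFFF


class HeapCorruption(Exception):
    """Raised when the safe-unlink consistency check fails."""


class Memory:
    """Sparse 32-bit memory: cells that were never written read as zero."""

    def __init__(self):
        self.cells = {}

    def read32(self, addr):
        return self.cells.get(addr & MASK32, 0)

    def write32(self, addr, value):
        self.cells[addr & MASK32] = value & MASK32


def make_heap():
    """Fresh heap: FreeList[0] and the single free chunk point at each other."""
    mem = Memory()
    mem.write32(FREELIST0, FIRST_FREE)       # FreeList[0].Flink -> first free chunk
    mem.write32(FREELIST0 + 4, FIRST_FREE)   # FreeList[0].Blink -> first free chunk
    mem.write32(FIRST_FREE, FREELIST0)       # chunk.Flink -> back to the list head
    mem.write32(FIRST_FREE + 4, FREELIST0)   # chunk.Blink -> back to the list head
    return mem


def insert_tail(mem, head, entry):
    """Link a freed chunk's entry in front of the list head (InsertTailList semantics)."""
    blink = mem.read32(head + 4)
    mem.write32(entry, head)
    mem.write32(entry + 4, blink)
    mem.write32(blink, entry)
    mem.write32(head + 4, entry)


def walk(mem, head, limit=64):
    """Return the entries reachable from head via Flink; stops on cycles or garbage."""
    out, cur = [], mem.read32(head)
    while cur != head and cur not in out and len(out) < limit:
        out.append(cur)
        cur = mem.read32(cur)
    return out


def unlink(mem, entry, safe_unlink=False):
    """RemoveEntryList: the two writes that take a chunk off the free list.

    safe_unlink=False models XP SP1: whatever Flink and Blink hold is used as the
    write targets. safe_unlink=True models the XP SP2-style check (Flink->Blink ==
    entry and Blink->Flink == entry), which refuses a tampered entry before writing.
    """
    flink = mem.read32(entry)
    blink = mem.read32(entry + 4)
    if safe_unlink:
        if mem.read32(flink + 4) != entry or mem.read32(blink) != entry:
            raise HeapCorruption(f"inconsistent LIST_ENTRY at {entry:#010x}")
    mem.write32(blink, flink)        # Blink->Flink = Flink
    mem.write32(flink + 4, blink)    # Flink->Blink = Blink
    return flink, blink


def corrupt_entry(mem, entry, flink, blink):
    """Model an overflow from the neighbouring chunk clobbering entry's two pointers."""
    mem.write32(entry, flink)
    mem.write32(entry + 4, blink)


def allocate(mem, safe_unlink=False):
    """Take the first free chunk off FreeList[0], as a HeapAlloc() would."""
    entry = mem.read32(FREELIST0)
    unlink(mem, entry, safe_unlink)
    return entry


if __name__ == "__main__":
    mem = make_heap()
    print("free list:", [hex(e) for e in walk(mem, FREELIST0)])
    corrupt_entry(mem, FIRST_FREE, 0x41414141, 0x42424242)
    try:
        allocate(mem, safe_unlink=True)
    except HeapCorruption as exc:
        print("blocked:", exc)
```

Run it as a script to see the fresh list and the blocked allocation; call `allocate(mem, safe_unlink=False)` on a corrupted heap to see the SP1 behaviour the rest of the article relies on, where the value that was written over Flink lands at the address that was written over Blink. The model deliberately stores only the LIST_ENTRY, not the 8-byte chunk header that precedes it in a real free chunk.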
Let's assume a heap whose base address is 0x00650000 and whose first free block is located at 0x00650688. Now consider the following 4 addresses:
1. Address 0x00650178 (FreeList[0].Flink) holds a pointer to 0x00650688 (the first free heap block);