Tip 1:
Set breakpoints:
bu 3440D279 ".if (1) {.echo EnterVulnFunc; gc}"
bu 6e0000b6c ".if (1) {.echo Free heap block; dd esp l4; gc}"
Output result:
EnterVulnFunc
Free heap block
0011bc5c 3441e2a2 138f0020 3b906313 10027b64
Free heap block
0011bc5c 3441dc6c 138f0020 3b906313 10027b64
(1508.e84): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=138f0018 ebx=138f0020 ecx=6e287a7e edx=10028a70 esi=008a0000 edi=00000000
eip=77691f88 esp=0011bbe8 ebp=0011bbf8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
ntdll!RtlFreeHeap+0x3a:
77691f88 80780705        cmp     byte ptr [eax+7],5         ds:0023:138f001f=??
0:000> kb
ChildEBP RetAddr  Args to Child
0011bbf8 75aaf14c 008a0000 00000000 138f0020 ntdll!RtlFreeHeap+0x3a
0011bc0c 6e0000c39 008a0000 00000000 138f0020 kernel32!HeapFree+0x14
0011bc58 3441dc6c 138f0020 3b906313 10027b64 MSVCR80!free+0xcd
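The breakpoint on free() in Tip 1 prints "dd esp l4" at the entry of the function, so each dump line carries the return address into the caller ([esp]) and the pointer being released ([esp+4]). On a long trace it is easier to let a script pair those two values and flag any pointer that shows up twice than to read the log by eye. The following C program is an added example, not code from the blog: it parses the five output lines of Tip 1 (embedded as a constructed sample) and reports the block 138f0020 as freed from two different call sites, 3441e2a2 and 3441dc6c, which is exactly what the crash stack above confirms.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample: the text that Tip 1's two breakpoints print. Each
 * "Free heap block" line is followed by the "dd esp l4" dump taken at the
 * entry of free(), so the first dword after the address is [esp] (return
 * address into the caller) and the second is [esp+4] (the block being freed). */
static const char *SAMPLE_LOG =
    "EnterVulnFunc\n"
    "Free heap block\n"
    "0011bc5c 3441e2a2 138f0020 3b906313 10027b64\n"
    "Free heap block\n"
    "0011bc5c 3441dc6c 138f0020 3b906313 10027b64\n";

typedef struct {
    unsigned int retaddr;  /* caller of free() */
    unsigned int ptr;      /* block passed to free() */
} free_event;

typedef struct {
    unsigned int ptr;
    unsigned int first_free;   /* return address of the first free of ptr */
    unsigned int second_free;  /* return address of the free that hit the dead block */
} double_free;

/* Copy one log line into buf without its newline; return a pointer past it, or NULL at end. */
static const char *next_line(const char *p, char *buf, size_t cap)
{
    if (*p == '\0') return NULL;
    const char *nl = strchr(p, '\n');
    size_t len = nl ? (size_t)(nl - p) : strlen(p);
    if (len >= cap) len = cap - 1;
    memcpy(buf, p, len);
    buf[len] = '\0';
    return nl ? nl + 1 : p + strlen(p);
}

/* Parse the log into free events. Returns the event count, or -1 if max is exceeded. */
int parse_free_log(const char *log, free_event *out, int max)
{
    char line[256];
    int n = 0, want_dump = 0;
    const char *p = log;
    while ((p = next_line(p, line, sizeof line)) != NULL) {
        if (want_dump) {
            unsigned int esp, ret, arg;
            want_dump = 0;
            /* "dd esp l4" prints the address, then the dwords; the first two dwords are enough */
            if (sscanf(line, "%8x %8x %8x", &esp, &ret, &arg) == 3) {
                if (n == max) return -1;
                out[n].retaddr = ret;
                out[n].ptr = arg;
                n++;
            }
        } else if (strcmp(line, "Free heap block") == 0) {
            want_dump = 1;   /* the dd output is on the next line */
        }
    }
    return n;
}

/* Count frees of a pointer that an earlier event already freed; the first
 * such pair is written to *hit. */
int find_double_frees(const free_event *ev, int n, double_free *hit)
{
    int found = 0;
    for (int i = 0; i < n; i++) {
        if (ev[i].ptr == 0) continue;             /* free(NULL) is legal, never a finding */
        for (int j = 0; j < i; j++) {
            if (ev[j].ptr == ev[i].ptr) {
                if (found == 0) {
                    hit->ptr = ev[i].ptr;
                    hit->first_free = ev[j].retaddr;
                    hit->second_free = ev[i].retaddr;
                }
                found++;
                break;
            }
        }
    }
    return found;
}

int main(void)
{
    free_event ev[256];
    double_free hit;
    int n = parse_free_log(SAMPLE_LOG, ev, 256);
    if (n < 0) { fputs("too many events\n", stderr); return 1; }
    if (find_double_frees(ev, n, &hit) > 0)
        printf("block %08x freed at %08x and again at %08x\n",
               hit.ptr, hit.first_free, hit.second_free);
    return 0;
}
```

The script only sees frees, so on a longer run an address that the allocator handed out again between two frees would look like a double free; to remove that false positive, add a breakpoint that logs the return value of malloc and drop a pointer from the "already freed" set whenever it is allocated again.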
Tip 2:
0:000> kb
ChildEBP RetAddr  Args to Child
0012fbe4 7c85079b 015b1000 0012fc94 0012fc70 ntdll!DbgBreakPoint
0012fbf4 7c87204b 00000007 7c8722f8 015b1000 ntdll!RtlpPageHeapStop+0x72
0012fc70 7c873305 015b1000 00000004 003f5858 ntdll!RtlpDphReportCorruptedBlock+0x11e
0012fca0 7c8734c3 015b1000 003f0000 01001002 ntdll!RtlpDphNormalHeapFree+0x32
0012fcf8 7c8766b9 015b0000 01001002 003f5858 ntdll!RtlpDebugPageHeapFree+0x146
0012fd60 7c860386 015b0000 01001002 003f5858 ntdll!RtlDebugFreeHeap+0x1ed
0012fe38 7c81d77d 015b0000 01001002 003f5858 ntdll!RtlFreeHeapSlowly+0x37
0012ff1c 78134c3b 015b0000 01001002 003f5858 ntdll!RtlFreeHeap+0x11a
0012ff68 00401016 003f5858 003f5858 00000064 MSVCR80!free+0xcd
0:000> !heap -p -a 0x3f5858
    address 003f5858 found in
    _HEAP @ 3f0000
      HEAP_ENTRY Size Prev Flags  UserPtr UserSize - state
        3f5830 0014 N/A  [N/A]   3f5858    (70) - (free DelayedFree)
        Trace: 004f
        7c860386 ntdll!RtlFreeHeapSlowly+0x00000037
        7c81d77d ntdll!RtlFreeHeap+0x0000011a
        78134c3b MSVCR80!free+0x000000cd    // this is the stack of the earlier free: the block has already been released once
        401010 win32!main+0x00000010
        77e523cd kernel32!BaseProcessStart+0x00000023
0:000> uf 00401010
   74 00401000 56              push    esi
   75 00401001 6a64            push    0x64
   75 00401003 e824000000      call    win32!operator new[] (0040102c)
   75 00401008 8bf0            mov     esi,eax
   76 0040100a 56              push    esi
   76 0040100b e828000000      call    win32!operator delete (00401038)
   77 00401010 56              push    esi
   77 00401011 e81c000000      call    win32!operator delete (00401032)
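Page heap can name the block "free DelayedFree" because a freed block is not returned to the heap at once: it is parked on a delayed-free list together with the stack that freed it, so a second release of the same address is recognised as a corrupted block (RtlpDphReportCorruptedBlock in the kb above) instead of silently corrupting the heap. In the output, the trace stored with the block ends at win32!main+0x10, the delete on source line 76 (return address 00401010), while the stop itself returns to 00401016, the delete on line 77. The program below is an added example, not the blog's code and not Microsoft's implementation: a small model of that delayed-free list, with a caller tag standing in for the recorded stack trace, applied to the same allocate-once, delete-twice sequence as the uf listing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Number of freed blocks held back before they are really released. Page heap
 * keeps a much longer list; the mechanism is the same. */
#define DELAY_SLOTS 8

typedef struct {
    void *ptr;             /* block the program has freed but that is still held back */
    uint32_t free_caller;  /* stand-in for the stack trace page heap records with the block */
} delayed_entry;

typedef struct {
    void *ptr;
    uint32_t first_free;   /* tag recorded when the block was first freed */
    uint32_t second_free;  /* tag of the free that found the block already dead */
} corruption_report;

static delayed_entry delayed[DELAY_SLOTS];  /* ring of held-back blocks */
static int delayed_next = 0;
static corruption_report last_report;

void *dph_alloc(size_t n)
{
    return malloc(n);
}

/* Free a block through the delayed-free list. Returns 0 if accepted, -1 if the
 * block is already on the list, i.e. this is a second free of the same block
 * (the state page heap reports as "free DelayedFree"). */
int dph_free(void *p, uint32_t caller)
{
    if (p == NULL) return 0;   /* freeing NULL is legal */
    for (int i = 0; i < DELAY_SLOTS; i++) {
        if (delayed[i].ptr == p) {
            last_report.ptr = p;
            last_report.first_free = delayed[i].free_caller;
            last_report.second_free = caller;
            return -1;   /* report, and leave the block alone */
        }
    }
    /* Evict the oldest held block; only now is it released for real, so an
     * address on the list can never be handed out again by malloc. */
    delayed_entry *slot = &delayed[delayed_next];
    if (slot->ptr != NULL) free(slot->ptr);
    slot->ptr = p;
    slot->free_caller = caller;
    delayed_next = (delayed_next + 1) % DELAY_SLOTS;
    return 0;
}

const corruption_report *dph_last_report(void)
{
    return &last_report;
}

/* Release everything still held back (at exit, or to reset between runs). */
void dph_flush(void)
{
    for (int i = 0; i < DELAY_SLOTS; i++) {
        free(delayed[i].ptr);
        delayed[i].ptr = NULL;
    }
    delayed_next = 0;
}

int main(void)
{
    /* Same shape as the uf listing: one allocation of 0x64 bytes, two deletes of
     * it. The caller tags are constructed stand-ins for the return addresses
     * 00401010 (line 76) and 00401016 (line 77). */
    char *buf = dph_alloc(0x64);
    dph_free(buf, 0x00401010u);
    if (dph_free(buf, 0x00401016u) < 0)
        printf("double free of %p: first freed at %08x, freed again at %08x\n",
               last_report.ptr, (unsigned)last_report.first_free,
               (unsigned)last_report.second_free);
    dph_flush();
    return 0;
}
```

The reason the model, like page heap, can afford to be exact is that it never lets a held-back address be reused: the real free happens only on eviction, so a pointer found on the list is a genuine second release, not an address that was recycled in between.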
Tip 3:
Because heap blocks are allocated dynamically, the addresses a process receives differ each time the target is loaded under the debugger. To make analysis more efficient, save a virtual machine snapshot once debugging has reached a useful point; when the target has to be reloaded and debugged again, restore that snapshot instead, so the heap block addresses are the same in every debugging session.
From riusksk's blog