Heap Spray details: stepping stone to high-risk Vulnerabilities

Network Trojans have become the greatest danger in today's online world, and their sources of dissemination come from well-known or unknown websites, quietly rooted in the victim's system and finally brought losses to the victim. This is a plague that is almost impossible to completely defend against.

After installing Kingsoft network security, Xiao Ru suddenly discovered how dangerous the online world is. In just ten minutes, Kingsoft network security has displayed more than thirty webpage Trojan alarms. What surprised her most is that she just checked some accounting data, and those websites seem to be normal.
Therefore, Xiaoru does not care too much. After closing the alarm window, he will continue to do his own thing.
A few days later, Xiaoru has been surprised by the warning box for blocking Trojans that appear from time to time. However, a frequently-occurring word still impressed her. The trojan blocker often finds that the iexplore.exe attempt to trigger the Heap Spray vulnerability has been successfully blocked !" .
What is "Heap Spray "? Xiao Ru found many websites, but only found some outdated webpage Trojan source code that has been disclosed with technical details. After some searching, this phrase became more mysterious ...... We can find in the dictionary that "Heap" means "Heap. So what is "heap? What is "Heap Spray?
Heap often appears at the same time as Stack. Many technicians are also used to connecting the two to read them as stacks ", they are actually two different concepts. In information security and programming, unless specifically specified as "Data Structure", the "Heap" and "stack" mentioned by everyone ", in fact, it refers to two different Memory Allocation Modes implemented by the operating system for memory management.

Stack: whether it is data structure or memory allocation, the structure description and usage of the Stack are similar. It is a special linear table that can only insert and delete data at one end. You can think of a stack as a package containing "pinke" potato chips. one end of this long cylinder is closed and one end is open. When there is no data in this long cylinder, we call it "Empty stack ". The process of filling a long cylinder in the assembly line with a piece of potato chips is called "PUSH". In the operating system, some data is entered into the stack structure. From this structure, we can easily see that when you want to retrieve data from the stack, you can only retrieve the last potato chips, instead of specifying the first potato chips at the bottom of the tube at the beginning, you cannot disrupt their order, however, we can only honestly get the first one from the last one. This is "post-import, first-out", and the data retrieval process is called "POP ).
Stack is usually allocated by the operating system itself in the system to store local variables and parameters required by functions. In Windows, the most common stack operation is the call of various system API functions.
Heap: the way in which the requested heap works in the data structure and memory allocation is different. In the data structure, heap is a special binary tree, the heap we usually mention is a type of memory allocation, which is similar to the structure of the linked list.
The operating system itself defines many linked lists. One of the linked lists is used to record memory addresses that are not currently in use. When a program requests an idle memory, it is requesting a heap. The system searches for a sufficient memory space in the idle memory address linked list and marks it, And then allocates it.
Heap is used to store dynamic data variables. You may wonder, isn't the stack structure mentioned above used to store data? They are indeed used for data storage. However, the stack is a memory block allocated by the system and predefined in size. The system manages the stack under strict control. The stack size is determined by the operating system. In Windows, the stack size is 1 MB or 2 MB. This setting is very suitable for storing temporary variables with frequent updates, however, it cannot pre-set the unknown data that the program needs to allocate during running, and heap will be used at this time.
Therefore, the heap is generally used to store data variables that do not know the quantity and size in advance, as well as large size objects that occupy more memory than the stack size. By default, the operating system assigns a heap to each program before it is executed to store the initial data of the process. When the program is running, you can apply for another heap as needed. After the heap is used, the system does not automatically clear the heap. The developer can only manually call the command to delete the used heap. If the developer does not process the used heap, it will stay in the memory space and waste resources. When all the space in the memory is exhausted, the program and the system itself will encounter exceptions or even system crashes. However, if the program is disabled, the system will automatically release all memory related to the process.
Stack Overflow and stack overflow a memory space of the specified size applied for. Both heap and stack are collectively referred to as "buffer" (Buf fer ). Because the system requires that the space must be larger than the actual data size, that is, it is often impossible to fill up 100 pieces of potato chips with a "maximum size of 100 pieces. But what if someone intentionally adds 100 potato chips to the package labeled "a maximum of 200 pieces can be loaded? There is no doubt that the extra 100 pieces will be scattered on the assembly line, and even fall into other potato chips. This phenomenon is "overflow ".
 

Overflow in the memory space often complicate the situation, because the address of each instruction and data in the memory is quite compact, there is not much idle memory to accept the excess data. Where will the data go? It may overwrite the stack data of another API and become a parameter of another user, or overwrite its next command, causing the CPU to execute an unexecutable command, memory exceptions eventually occur. In the early Win98 system, this problem will directly lead to a blue screen. In a well-developed and rigorous NT architecture system with a memory management mechanism, such memory exceptions can trigger the Exception Handling Mechanism of the system as long as they do not occur in the kernel field, this forces the system to stop abnormal programs, so we can see program crashes caused by overflow. This mechanism leads to the Heap Spray technology, the main character of today.
Heap Spray. However, we can use the following simple experiment to reproduce overflow. In Windows XP, select "Start | run", enter "cmd", Press enter to open the command line Input window, and enter "dir? AAAAA ......" (For A with more than four lines), stack overflow occurs because the API used to copy strings in the command line Input window ignores the length check, overflow string data is encoded as "00 41" (Unicode encoding of A) in the memory, because "41" does not correspond to any assembly instructions, therefore, after the overflow occurs, the memory space of many processes is affected. The most direct impact is to overwrite the commands executed by the CPU in the Next Step into the "41 00" that cannot be parsed and executed ". This triggers the program Exception Handling mechanism SEH (Structured Exception Handling, Structured Exception Handling), and the memory space required for the SHE operation has been overwritten by the same "41 00, in the end, the preset exception processor cannot be executed and crashes and exits.
If "A" is used as "q" for overflow, the process will be different again, because the Unicode encoding of "q" is "00 71". After overflow, the CPU executes the command "7 1", which corresponds to the Assembly command "JNO" (No overflow jump ). After the overflow content is executed, the "00" that follows "71" will be regarded as the jump address, so this command eventually means "NOP" (empty command, do not jump to any place ). At this time, because the remaining commands are all "empty", the CPU will not exit when the command cannot be executed, so it is difficult for users to find exceptions. However, if the overflow is run by a hacker, it may be an attack command.
The difficulty of overflow lies in finding its overflow source, overflow type, and related addresses. It is effective not to enter some characters randomly on a program interface. The existence of the "program exception handling mechanism" (SEH) makes overflow more difficult. Sometimes, although the malicious code executed by the attacker has successfully triggered the overflow, however, if it is triggered, the program will jump to the exception handling process specified by SEH. This will enable the attacker to construct the command to trigger only one error prompt or program crash.
Therefore, attackers must find a way to overwrite the SHE jump when overflow occurs with another address, so as to control the flow of code executed after the program encounters an exception, once the CPU is successfully taken to the location where the attacker places the attack code, the attacker's intention is reached.
For effective overflow attacks, attackers repeatedly apply for a heap using the Shellcode content of a specific size and fill in Shellcode data, this data block must be large enough to ensure its real functions can be implemented after overflow. Currently, Shellcode has many opportunities to be used in Webpage Trojans, and must be executed in JavaScript, if a user opens a large number of webpages, the memory requested by JavaScript may not be within the expected range, therefore, attackers can increase the hit rate by repeatedly filling in one piece of memory space. Generally, the heap application steps are completed before triggering overflow. As long as the overflow is successfully triggered, the SHE can usually be invalidated and malicious code execution can be realized. This method is collectively referred to as "Heap Spray ".
If you are interested in network security and learn some overflow tutorials, you will find that most of these tutorials will tell you how to write malicious commands to the memory location "0x0C0C0C0C, this is determined by the JavaScript features. When requesting the heap, The JavaScript interpreter requests the memory block from the "0x00000000" position. If the attacker requests only one heap, in this case, the overflow program cannot jump to the memory location where the specified command is located. Therefore, attackers need to construct at least several hundred heaps. The content in each heap is the same. Eventually, a heap is allocated to the memory location of "0x0c0c0c, this process is "Heap Spraying ".
Attack: visit the web page is recruited below we take the latest 0-day vulnerability outbreak in July this year "MPEG-2 ActiveX Remote Buf fer Over f low Exploi t" as an example, this section describes how Head Spray successfully executes malicious code.
The root cause of this vulnerability is that the system function ReadFile in the msvidctl. dll module of the MPEG2 Video component has passed an incorrect parameter type. This hidden danger will not be exposed when everyone is a "good baby". However, some people do not play cards as expected.
First, attackers write a piece of Shellcode (malicious command), which is less than the space that can be constructed to effectively overflow the code. Then, use the empty command NOP that occupies a total of 0x30000 bytes and the Shellcode code at the end to construct a data block of 0x040404 size. By repeatedly applying for 300 heap data blocks, you can ensure that at least the last memory block is 0x0c0c0c.
If someone has observed a variety of vulnerability overflow examples using code, they will find that almost all of them start with a large number of empty commands. Why not simply use Shel lcode itself?