Heap Overflows - PowerPoint PPT Presentation

1 / 13

About This Presentation

Title:

Heap Overflows

Description:

none – PowerPoint PPT presentation

Number of Views:43

Avg rating:3.0/5.0

Slides: 14

Provided by: acmU5

Category:

Tags: heap | overflows

Transcript and Presenter's Notes

Title: Heap Overflows

1
Heap Overflows
2
What is a Heap?

malloc(), free(), realloc()
Stores global variables
Automatic memory allocation/deallocation
Allocated at runtime
Implemented in glibc

3
What is a Heap?
4
What is a Heap?
5
Basic Heap Overflows

/notvuln.c/
int main( int argc, char argv)
char buf
buf (char)malloc(1024)
printf(bufp, buf)
strcpy(buf, argv1)
free(buf)

6
Basic Heap Overflows

/basicheap.c/
int main( int argc, char argv)
char buf
char buf2
buf (char)malloc(1024)
buf2 (char)malloc(1024)
printf(bufp buf2p\n, buf, buf2)
strcpy(buf, argv1)
free(buf2)

7
Basic Heap Overflows

pegleg_at_localhost lstrace ./basicheap perl e
print A x 5000
malloc(1024) 0x080495b0
malloc(1024) 0x080499b8
strcpy(0x080495b0, AAAAAAAAAAAAAAAAAAAA)
0x080495b0
free(0x080499b8) ltvoidgt
--- SIGSEGV (Segmentation fault) ---
killed by SIGSEGV
Heap Overflow!

8
Heap Overflows

Overwrite the next chunk header

9
Heap Overflows

Trace the behavior of free() using gdb
buf0x80495b0
bu20x80499b8
buf2s boundary tags are overwritten

10
Heap Overflows

(gdb) run python c print A1024\xff\xff\xff
\xff\xf0\xff\xff\xff
Set a breakpoint on _int_free() (called by free)
Right before free is called, we see
(gdb) print/x edi
10 0xfffffff0
(gdb) print/x esi
11 0x80499b0

11
Heap Overflows

free() arithmatic
Address of the previous chunk
(Current chunk address) - (sizeof(previous
buffer))
Since we overwrote the (sizeof(previous buffer)),
we can control the address of the previous chunk
free() writes to the address of what it thinks is
the previous chunk
After some more free() sillyness, we can
eventually control where free() writes, and
redirect program execution to the stack

12
Advanced Heap Overflows

Can also overflow malloc()
trickier once again corrupt chunk headers to
redirect flow of execution
malloc() uses similar arithmatic to
Not as easy because of differences in each
version of glibc

13
Sources

The Shellcoders Handbook (Jack Koziol)
http//gee.cs.oswego.edu/dl/html/malloc.html
http//www.cs.ucsb.edu/jzhou/security/overflow.ht
ml

Write a Comment

User Comments (0)

About PowerShow.com

Recommended Relevance Latest Highest Rated Most Viewed

Sort by:

Related More from user

CrystalGraphics Presentations

Introducing-PowerShowcom PowerPoint PPT Presentation

Introducing-PowerShowcom - Introducing-PowerShowcom (Without Music)

CrystalGraphics 3D Character Slides for PowerPoint PowerPoint PPT Presentation

CrystalGraphics 3D Character Slides for PowerPoint - CrystalGraphics 3D Character Slides for PowerPoint

Chart and Diagram Slides for PowerPoint PowerPoint PPT Presentation

Chart and Diagram Slides for PowerPoint - Beautifully designed chart and diagram s for PowerPoint with visually stunning graphics and animation effects. Our new CrystalGraphics Chart and Diagram Slides for PowerPoint is a collection of over 1000 impressively designed data-driven chart and editable diagram s guaranteed to impress any audience. They are all artistically enhanced with visually stunning color, shadow and lighting effects. Many of them are also animated. And they’re ready for you to use in your PowerPoint presentations the moment you need them. – PowerPoint PPT presentation

Related Presentations

Buffer Overflows PowerPoint PPT Presentation

Buffer Overflows - Dump of assembler code for function main: 0x0040107f main 0 : push ëp ... Dump all the bytes to the screen as hex: (gdb) x/61bx main 3 ... | PowerPoint PPT presentation | free to view

HEAP Overflows Desmitificados PowerPoint PPT Presentation

HEAP Overflows Desmitificados - ... dificulta el trabajo del exploiter y le obliga a realizar an lisis superfluos ... Los exploiters son vagos por naturaleza. ... | PowerPoint PPT presentation | free to view

Exploiting Buffer Overflows on PowerPoint PPT Presentation

Exploiting Buffer Overflows on - Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC Buffer Overflow Buffer overflow is a famous/infamous hacking technique in computer security. | PowerPoint PPT presentation | free to view

Parallel garbage collection with a block-structured heap PowerPoint PPT Presentation

Parallel garbage collection with a block-structured heap - Parallel garbage collection with a block-structured heap Simon Marlow (Microsoft Research) Simon Peyton Jones (Microsoft Research) Roshan James (U. Indiana) | PowerPoint PPT presentation | free to view

Windows Heap Exploitation (Win2KSP0 through WinXPSP2) PowerPoint PPT Presentation

Windows Heap Exploitation (Win2KSP0 through WinXPSP2) - Title: Reliable Windows Heap Exploits Author: Ohorovitz Last modified by: blah Created Date: 3/25/2004 6:59:27 AM Document presentation format: On-screen Show | PowerPoint PPT presentation | free to view

Buffer Overflows: Attack and Defense PowerPoint PPT Presentation

Buffer Overflows: Attack and Defense - Buffer overflow vulnerabilities are the most common way to gain control of a remote host Most common security vulnerability | PowerPoint PPT presentation | free to view

Priority Queue (Heap) PowerPoint PPT Presentation

Priority Queue (Heap) - G. F. B. E. J. D. H. I. 2110211 Intro. ... public static void main( String [ ] args ) int numItems = 10000; ... Find the kth smallest element in a list. Algorithm A ... | PowerPoint PPT presentation | free to view

Sploit 101 Buffer Overflows, Format Strings, Heap Overflows PowerPoint PPT Presentation

Sploit 101 Buffer Overflows, Format Strings, Heap Overflows - GCC, NASM (if you roll your own shellcode, not covered in this presentation) ... Turn off exec-shield (e.g. Fedora Core 3) # echo '0' /proc/sys/kernel/exec-shield ... | PowerPoint PPT presentation | free to view

Windows Heap Exploitation Win2KSP0 through WinXPSP2 PowerPoint PPT Presentation

Windows Heap Exploitation Win2KSP0 through WinXPSP2 - If size = 512K, virtual memory is used (not on heap) If 1K, ... Requested size is 1K (to fit the table) ... We must be the first one to allocate that size ... | PowerPoint PPT presentation | free to view

Trust PowerPoint PPT Presentation

Trust - Buffer Overflows. Technique: writes more data to a buffer than the buffer can hold. Stack vs. Heap overflows. Mitigation. Validate and filter user input ... | PowerPoint PPT presentation | free to view

Reliable Windows Heap Exploits PowerPoint PPT Presentation

Reliable Windows Heap Exploits - First copy all our shell code to a known location ... Zero area will serve as good empty Lookaside space. If Lookaside is remapped over non zero area, we need ... | PowerPoint PPT presentation | free to view

Samurai : Protecting Critical Heap Data in Unsafe Languages PowerPoint PPT Presentation

Samurai : Protecting Critical Heap Data in Unsafe Languages - Samurai keeps 3 copies of every object at random locations in heap (to minimize ... Samurai required a heap size of 4MB but recovered from all faults successfully ... | PowerPoint PPT presentation | free to view

Heaps and the Heapsort PowerPoint PPT Presentation

Heaps and the Heapsort - A heap is a data structure used to implement an efficient priority queue. ... remove items from the top, localised rearrangements along single branches will ... | PowerPoint PPT presentation | free to view

Exploiting Buffer Overflows on PowerPoint PPT Presentation

Exploiting Buffer Overflows on - Buffer overflow conditions are caused by missed boundary checks of user-supplied ... Buffer overflow exploitations on non-intel platforms are nearly as trivial as on ... | PowerPoint PPT presentation | free to view

Control Hijacking Attacks PowerPoint PPT Presentation

Control Hijacking Attacks - Control Hijacking Attacks Buffer overflows and format string bugs | PowerPoint PPT presentation | free to view

Address Space Layout Permutation PowerPoint PPT Presentation

Address Space Layout Permutation - Low entropy: heap 13 bit, mmap 16 bit, stack 24 bit ... of stack, heap, and mmap()-ed regions. Mitigates attacks on the stack , heap, and shared library ... | PowerPoint PPT presentation | free to view

Buffer Overflows: A Technical Discussion PowerPoint PPT Presentation

Buffer Overflows: A Technical Discussion - ... buffer overflow protection. Both specific and generic protection against buffer overflow ... Protect against all 3 major buffer overflow techniques. Feedback ... | PowerPoint PPT presentation | free to view

Smashing the Stack Buffer Overflows for Fun and Profit PowerPoint PPT Presentation

Smashing the Stack Buffer Overflows for Fun and Profit - Places a 'canary' (32 bit number) on the stack between local variables and ... Before using the return address, it checks the canary with the initial value. ... | PowerPoint PPT presentation | free to view

Reliable Windows Heap Exploits PowerPoint PPT Presentation

Reliable Windows Heap Exploits - Applications for arbitrary memory overwrite exploitation demos ... DCOM (seems to be the inflection point), Messenger, MSMQ, Script Engine ... | PowerPoint PPT presentation | free to view

Buffer Overflows, Race Conditions, and Privilege Escalations PowerPoint PPT Presentation

Buffer Overflows, Race Conditions, and Privilege Escalations - Assignment 1 due this Wednesday (Jan. 13th) ... C idiom of allocating a small buffer to get user or parameter input is so common ... | PowerPoint PPT presentation | free to view

Windows Heap Exploitation Win2KSP0 through WinXPSP2 PowerPoint PPT Presentation

Windows Heap Exploitation Win2KSP0 through WinXPSP2 - ... still can't find any free entry, extend heap as ... If the chunk 1K and the lookaside is full, put it on the free list ... Heap header cookie calculation ... | PowerPoint PPT presentation | free to view

CMSC 341 PowerPoint PPT Presentation

CMSC 341 - Heap efficiency results, in part, from the implementation ... put in heap order in O ... Binary heaps support insert, findMin, deleteMin, and ... | PowerPoint PPT presentation | free to view

Parallel garbage collection with a block-structured heap PowerPoint PPT Presentation

Parallel garbage collection with a block-structured heap - Parallel garbage collection with a block-structured heap Simon Marlow (Microsoft Research) Simon Peyton Jones (Microsoft Research) Roshan James (U. Indiana) | PowerPoint PPT presentation | free to view

Smashing the Stack for Fun and Profit PowerPoint PPT Presentation

Smashing the Stack for Fun and Profit - Smashing the Stack for Fun and Profit Review: Process memory organization The problem: Buffer overflows How to exploit the problem Implementing the Exploit | PowerPoint PPT presentation | free to view

Exterminator: Automatically Correcting Memory Errors with High Probability PowerPoint PPT Presentation

Exterminator: Automatically Correcting Memory Errors with High Probability - dead canary = corruption # = object id (allocation time) Isolating Buffer Overflows ... Canaries in freed space detect corruption. Run multiple times with ' ... | PowerPoint PPT presentation | free to view

Database Systems (?????) PowerPoint PPT Presentation

Database Systems (?????) - Slow update in comparison to heap file. ... Heap file with unclustered hash index on search key age, salary 27. Operations to Compare ... | PowerPoint PPT presentation | free to view

Reversing For Vulnerabilities PowerPoint PPT Presentation

Reversing For Vulnerabilities - Define Buffer Overflows. Discuss Bad calls and their ... Buffer Overflows ... Unchecked user input buffer = Glass too full. What to Look for ... | PowerPoint PPT presentation | free to view