Sie sind auf Seite 1von 66

HEAPS ABOUT HEAPS

This Talk Covers

Windows 2003
: Windows 2003 SP2
: Still most widely used windows server OS
: Still not a lot of heap exploits released
: Still not a lot of heap research released
: Vista -> Ben Hawkes BHUS08
Heap Explotation
: How the heap works
: Freelists vs Lookaside
: Exploitation Techniques
Heap Exploit Walkthrough
: From start to finish

Windows Heap

Multiple Heaps
: Process has default heap
: Can create separate heaps for different uses
: Some loaded .dll create their own heap
: Some .dlls hold pointer to the heap they use
State Of The Heap
: Server restart
: Service restart
: First request
: Long time live, multiple previous requests
Things That Matter
: Everything, IP address, server name, day of
the week

Heap Exploit Difficulties

Safe Unlinking
: On unlink, coalesce, relink from freelist
: Causes the link/unlink to fail if addresses
readable
: Raises a handled exception, execution
proceeds
: Chunk address still returned to caller
Cookie Check
: Cookie checked on free
: Invalid cookie prevents relinking of chunk
HeapSetInformation()
: HeapEnableTerminateOnCorruption()
Need To
Get Creative
In Exploitation
Methods
: Windows
Vista
and Windows
Server
2008

A Heap In Motion

Initial Heap
Heap
Management
Last Free
Chunk Header
Last Free
Chunk Space

The heap object initially starts as an


empty contiguous block of memory.
Two structures are written into the
heap.
The Heap Management structure
contains information regarding the
heap object, and tracks the heap
chunks.
There is always one Free Chunk in the
heap object and it points to the free
space at the end of the heap.

The Heap In Motion

Initial Heap
Heap
Management
Last Free
Chunk Header
Last Free
Chunk Space

Allocated
A,B,C
Heap
Management
Chunk A
Header
Chunk A Space
Chunk B
Header
Chunk B Space
Chunk C
Header
Chunk C Space
Last Free

After the allocation of


three memory chunks, the
heap layout now looks like
this

The Heap In Motion

Initial Heap
Heap
Management
Last Free
Chunk Header
Last Free
Chunk Space

Allocated
A,B,C
Heap
Management

Free B
Heap
Management
Chunk A Header

Chunk A
Header

Chunk A Space

Chunk A Space

Free Chunk
Header

Chunk B
Header

Free Chunk
Space

Chunk B Space
Chunk C Header
Chunk C
Header

Chunk C Space

Chunk C Space

Last Free Chunk


Header

Last Free

Last Free Chunk

Freeing a
chunk in
between
two busy
chunks,
creates a
Free Chunk

The Heap In Motion

Initial Heap
Heap
Management
Last Free
Chunk Header
Last Free
Chunk Space

Allocated
A,B,C
Heap
Management

Free B

Free A

Heap
Management

Heap
Management

Chunk A Header

Free Chunk
Header

Chunk A
Header

Chunk A Space

Chunk A Space

Free Chunk
Header

Chunk B
Free Chunk
Header Free chunks
that sit
Space
Chunk B Space
next to each other are

joinedChunk
(Coalesced)
C Header
together.
Chunk C
Chunk C Space
Header

Chunk C Space

Last Free Chunk


Header

Last Free

Last Free Chunk

Free Chunk
Space
Chunk C
Header
Chunk C Space
Last Free
Chunk Header
Last Free
Chunk Space

Heap Management Structure


Heap Management
Address

These
Flags
All
offsets
arehold
from
as
thesettings
base ofsuch
the Heap
The
maximum
size
isDebug,
Exceptionof
Object
an allocation
before a
Raising, and
Virtual
Memory
A four
Linked
listDWORD
of Heap
blocks
Executable
allocation
is bit
bitmask
with
allocated
fromeach
Virtual
Pointer
to
the first
performed
set
if the
Memory
chunk
in FreeList[0]
corresponding
FreeList[0]
is used
Start
of double
linked
FreeList[n]
is to
Pointer
toFree>
store
Free
Chunks
lists
to
store
populated
Pointer to Function()
CriticalSection
that is
1016
bytes
Chunks
thatto
is lock
called
when
used
the
heap
Pointer
to
the
front
theduring
heap ischanges
expanded
endmore
allocator.
and
pages
Pointer
Flag
to the
stores
Last
This
iscommitted
a that
pointer
the
Start
of
the 48 to
byte
settings
FreeLookaside
Chunk
about
in the
the
Lookaside
list headers
front end
heap
allocator

003600
00

Value

Description
Base Address

003600
0C

0000000 Flags
2

003600
10

0000000 ForceFlags
0

003600
14

0000FE0 VirtualMemoryThresh
0
old

003600
50

0036005 VirtualAllocatedBlock
0
s List

003601
58

0000000 FreeList Bitmap


0

003601
78

00361E9 FreeList[0]
0

003601
80

0036018 FreeList[n]
0

003605
78

0036060 HeapLockSection
8

Heap Management Structure - Virtual Memory Allocation


Heap Management

EBX is set to Base


Address
Check threshold

Address

Value

Description

003600
14

0000FE0 VirtualMemoryThresh
0
old

003600
50

0036005 VirtualAllocatedBlock
FLINK
0
s0036005
List
0

7C82AE14 CMP EDI,DWORD PTR DS:


0036005
BLINK
[EBX+14]
4
7C82AE17 JBE ntdll.7C82A2FC
...
Load BLINK
7C82AE8E LEA EAX,DWORD PTR DS:
[EBX+50]
...
ECX is @NewChunk
7C82AE97 MOV EDX,DWORD PTR DS:
[EAX+4]
...
Write @NewChunk to
7C82AEA0 MOV DWORD PTR DS:
@BLINK+4
[ECX],EAX
If the VirtualAllocatedBlocks->BLINK
can be overwritten then
7C82AEA2
MOV DWORD PTR DS:
the address of the NewChunk can be written to an arbitrary
[ECX+4],EDX
7C82AEA5 MOV DWORD PTR DS:location
[EDX],ECX

Heap Management Structure - FreeList Bitmap


Heap Management
Address

Bitmap is populated
when chunk added to
FreeList[n]
8
0

0
0

0-7

0
0

0
2

2431

0
0

0
0

8
0

4855

003601
58
0
0

0
0

0
0

Value

Description

0000000 FreeList Bitmap


0
0
0

7C82A291 LEA ESI,DWORD PTR DS:


[EBX+EDX*4+158]
...
7C82A2A8 AND EAX,DWORD PTR DS:[ESI]
...
7C82A2B8 JNZ ntdll.7C82CB46
7C82A2BE TEST EAX,EAX
7C82A2C0 JNZ ntdll.7C82C8C9
7C82A2C6 MOV EAX,DWORD PTR DS:[ESI]

0
0

0
0

0
0

0
0

00

Bitmap is checked
when looking for a
FreeList[n] that fits
the request

If a match is found
then the
corresponding
FreeList[n] is used for
the allocation.
If the Bitmap can be manipulated then a pointer to an empty
FreeList[n] can be returned, allowing the overwrite of
management structures. [nico]

Heap Management Structure - FreeList Bitmap


Heap Management
Address

FreeList[7] is
populated
8
0

0
0

0
0
1

0
2

0
0

003601
58
0
0

8
0

FreeList[16] is
Modify bitmap
empty

0
0

0
0

0
0

Value

0000000 FreeList Bitmap


0
0
0

0
0

0
0

0
0

0
0

00

FreeLists
Address
003601
B0

Request for block 16


Request for block 16
will create a new
will return 003601F8
block and return it

Description

...
003601
F8

Value

Description

00364D FreeList[7]
78
...

...

XXXXXX
003601 Overwrite
FreeList[16]
XX
F8
XXXXXX Overwrite
XX

If the Bitmap can be manipulated then a pointer


to an
empty
XXXXXX
Overwrite
FreeList[n] can be returned, allowing the overwrite
of
XX
management structures. [nico]
XXXXXX Overwrite
XX

Heap Management Structure - FreeList Bitmap


Part Of The Bitmap Loading Code
7C82C8AB MOVZX EAX,AH
7C82C8AE MOVSX EAX,BYTE PTR DS:
[EAX+7C82BAB8]
7C82C8B5 ADD EAX,8
7C82C8B8 JMP ntdll.7C82C830
[ 7C82BAB8 ]
7C82C8BD MOVSX EAX,BYTE PTR DS:
A Static Pointer To A
[ECX+7C82BAB8]
Bit Mask Table That
7C82C8C4 JMP ntdll.7C82C830
7C82C8C9 LEA EDX,DWORD PTR DS:
Can Be Modified To
[EBX+178]
Manipulate The
7C82C8CF JMP ntdll.7C82C808
Bitmap Result
7C82C8D4 SHR EAX,18
7C82C8D7 MOVSX EAX,BYTE PTR DS:
[EAX+7C82BAB8]
7C82C8DE ADD EAX,18
If the Bitmap
can be manipulated then a pointer to an empty
7C82C8E1
JMP ntdll.7C82C830

FreeList[n] can be returned, allowing the overwrite of


management structures. [nico]

Heap Management Structure FreeList[n]


Heap Management

FreeList[0] is similar
to FreeList[n] but
holds chunks > 1016
bytes

Address

Value

003601
78

00361e9 FreeList[0]
0

003601
80

0036018 FreeList[n]
0036018
0
0
0036018
4

Free Chunk Header


Header
Links

Self
Size

Prev
Size

CK

FLINK

FL

U
N

Links

Self
Size

Prev
Size

FLINK

FLINK
BLINK

SI

BLINK

Free Chunk Header


Header

Description

CK

FL

U
N

BLINK

SI

Double Linked
List connects
free chunks
together

Heap Management Structure - Commit Routine Pointer


Heap Management

Custom function()
called when
committing more
memory to the Heap

Address
003605
7C

Value

Description

0000000 Commit Routine Ptr


0

Initially set to nothing


7C833BF9 MOV ECX,DWORD PTR DS:
[EAX+57C]
7C833BFF TEST ECX,ECX
7C833C01 JNZ ntdll.7C852C9E
...
7C852C9E PUSH EBX
7C852C9F LEA EDX,DWORD PTR SS:
[EBP+14]
7C852CA2 PUSH EDX
7C852CA3 PUSH EAX
7C852CA4 CALL ECX

Loaded into ECX and


called

This is a static pointer that can be overwritten to gain


execution control

Heap Management Structure Lookaside[n]


Heap Management

Lookaside[0] and
Lookaside[1] are not
used
Lookaside List Header
Addres
s

+04

Depth

+06

Max Depth

+08

...

Description

0000000 Lookaside[n]
0

003606
48 byte
E8

Lookaside[2]

structure
Lookaside Chunk Header

Pointer To First
Chunk

+10

003606
88

Value

Description

+00

+0C

Address

Allocation
tracking for
automatic
Lookaside Fine
Tuning

Header
Links

Self
Size

Prev
Size

CK

FL UN

SI

FLINK
Lookaside Chunk Header

Header
Links

Self
Size

Prev
Size

FLINK

CK

FL UN

SI

Heap Chunks
A Used Chunk
Header

Self
Size

Prev
Size

CK

Chunk Flags
FL UN

SI

Data
Chunk On Lookaside
Header
Links

Self
Size

Prev
Size

CK

FL UN

SI

FLINK

Data
Chunk On FreeList
Header
Links
Data

Self
Size

Prev
Size

FLINK

CK

FL UN
BLINK

SI

00

Free

01

Busy

02

Extra Present

04

Fill Pattern

08

Virtual Alloc

10

Last Entry

20

FFU1

40

FFU2

80

No Coalesce

Lookaside Lists
Lookaside
Starts Empty
Chunk
Lookaside[n]Chunk
Removed
Added
From
>FLINK
To Top
Topis
Of
Of
Lookaside
corrupted
Lookaside

About To Allocate
Overwrite the FLINK of
From The
the top chunk
Lookaside[n]

Lookaside[n]
FLINK

0000000
0036210
003620E
XXXXXX
003620
D0
XX
0
8
Address
FLINK
003621 003620E
003620
0000000
XXXXXX
003620
D0
00
E8
D0
XX
0
8
Address
FLINK

This
Copied
Value
To
GetsHere
Copied

003620 0000000
003620
D0
E8
D0
0
Address
FLINK
003620
D0

0000000
0

There is no Safe Unlinking or Cookie check for Lookaside Lists


Well known attack is to overwrite the FLINK of a chunk on a
Lookaside. This will populate the Lookaside[n]->FLINK with an
arbitrary value to be returned at allocation.

Freelist[n] Lists
Freelist
Freelist
Starts
Is
Empty
Chunk Added
To Bottom
Chunk
Chunk Added
Removed
To Bottom
From Bottom

Freelist[n]
Lookaside[n]
Address
FLINK
BLINK
FLINK
0000000
0036210
003620E
003620
D0
0
8
003601 003621
003601
003601
003621
90
90
30
90
60
30
Address
FLINK
BLINK
003621
30
Address

003601
003621
60
90
FLINK

003601
90
BLINK

003621
60

003601
90

003621
30

Safe Unlinking and Cookie checks will prevent Unlinking


Overwriting the Freelist[n]->BLINK will cause the address of
the Freed Chunk to be written to an arbitrary location

Freelist[n] Lists

Freelist Searching
: If a freelist[n] of requested size not available
bitmap is used to find larger populated
freelist[n]
Chunk Size
: Size field of the chunk header used as offset to
bitmap
: Bitmap is updated on allocate/free if needed
: Size field is used to calculate freelist[n] to free
to
Manipulating Size Field
: Allocation can control bitmap flipping
Header
Self
Prev
CK FL UN SI
: Free can have chunk
freed
to
different
Size
Size
lookaside/freelist

Flipping Bitmap On Allocate


Size Is Overwritten
FLINK / BLINK Can Be
Overwritten

Chunk On FreeList
Header

####

Links

Prev
Size

FLINK

CK

FL UN

SI

BLINK

Data
7C82C8E6 MOVZX ECX,WORD PTR DS:[ESI]
; Load
Self Size
7C82C8E9 MOV EDX,ECX
..
7C82C902 8DBC1A 58010000 LEA EDI,DWORD PTR DS:
If Last Chunk[EDX+EBX+158]
On Freelist Then Bitmap

Updated

If FLINK and BLINK Overwritten with


Valid For Read and
FLINK == BLINK
Then Bitmap Updated
Bitmap Attack Explained Earlier

Calculate
Bitmap

Free To Arbitrary Lookaside[n]/FreeList[n]


Chunk To Be Freed

Size Is Overwritten
Cookie Is Left Intact

Header

####

Prev
Size

CK

FL UN

SI

Data

Freeing To
Freeing To
Lookaside[n
Freelist[n]
]

7C82A84C MOVZX
7C829F1B
MOVZX EAX,WORD
EAX,WORD PTR
PTR DS:[ESI]
SS:[EBP-20] ; Load
self size
selfsize
7C829F1E MOV
7C82A850
LEA EBX,DWORD
DWORD PTR PTR
SS:[EBP-20],EAX
DS:[EDI+EAX*8+178] ;
7C829F217C82A857
Calculate
CMP EAX,80
MOV DWORD PTR SS:[EBP-88],EBX
7C829F26 JNB
7C82A85D
CMPntdll.7C82A7BC
DWORD PTR DS:[EBX],EBX
; Check
7C829F2C PUSH DWORD PTR SS:[EBP+10]
Freelist
7C829F2F
LEA Is
EAX,DWORD
DS:[EAX+EAX*2]
Coalescing
A ProblemPTR
That
Needs To Be Dealt ;
Calculate Lookaside
With
7C829F32 SHL EAX,4
7C829F35 ADD EAX,ECX
7C829F37 PUSH EAX
7C829F38 CALL ntdll.7C829F8F
; Push to
Lookaside

Could This Be Useful When Filling In Gaps?

FreeList[0] - Free
Freelist[0]

Populate
d
Freelist[
0]

Address

FLINK

BLINK

003601
78
Address

00361E
90
FLINK

00362B
60
BLINK

00361E
90
Address

003622
D0
FLINK

003601
78
BLINK

003622
D0
Address

00362B
60
FLINK

00361E
90
BLINK

00362B
60

003601
78

003622
D0

Load Freelist[0]>FLINK
Check Size Is Larger
Not
Load
ThanGreater,
Chunk Been
Chunk->FLINK
Freed
Check Size Is Great
Chunk Been
IfThan
It Is Greater
Then
Freed
Insert
Chunk

Exploitable Condition On Freelist[0] Insert

Exploiting FreeList[0] - Free


An Overwritten Chunk In Freelist[0] Can Be Exploited To
Write The Address Of The Chunk Being Freed To An Arbitrary
Location
7C82A982 CMP DX,WORD PTR DS:[EAX]
7C82A985 JA ntdll.7C82FDC4
next

; Compare chunk size


; To large move to

7C82A98B LEA EAX,DWORD PTR DS:[ESI+8]


; Header of freed
chunk
7C82A98E MOV DWORD PTR SS:[EBP-7C],EAX
7C82A991 MOV EDX,DWORD PTR DS:[ECX+4] ; Load BLINK of
current chunk
7C82A994 MOV DWORD PTR SS:[EBP-84],EDX
7C82A99A MOV DWORD PTR DS:[EAX],ECX
; Set freed->FLINK
== current
7C82A99C MOV DWORD PTR DS:[EAX+4],EDX ; Set freed->BLINK
==current->BLINK
7C82A99F MOV DWORD PTR DS:[EDX],EAX
; Write @freed to
Exploitable Condition On Freelist[0]
Insert
[current->BLINK]
7C82A9A1 MOV DWORD PTR DS:[ECX+4],EAX ; Set current->BLINK

Exploiting FreeList[0] - Free


Chunk To Be Freed @003622D0
8400

Prev
Prev
Size
Size

00361E90

CK

FL
FL UN
UN

SI

Chunk Is Inserted Before The


Overwritting Chunk.
FLINK and BLINK updated
Overwritten Chunk
@00361E90

00360718
FFFF

????

??

FFFFFFFF

02

??

003622D0
00360718

Place Where We Want To Write


003622D0
Could Be A Function Table, This Is A
Overwritten Lookaside Now
Lookaside
Populated
Three Requests And We Get Our Set
Location
Exploitable Condition On Freelist[0] Insert

??

FreeList[0] - Allocate
Freelist[0]

Populate
d
Freelist[
0]

Address

FLINK

BLINK

003601
78
Address

00361E
90
FLINK

00362B
60
BLINK

00361E
90
Address

003622
D0
FLINK

003601
78
BLINK

003622
D0
Address

00362B
60
FLINK

00361E
90
BLINK

00362B
60

003601
78

003622
D0

Load Freelist[0]>BLINK
>FLINK
Check Size Is Large
Too For
Small,
Enough
Request
Load Chunk->FLINK
Check Size Is Large
LargeFor
Enough,
Enough
Request
Return Chunk
Check Size Is Large
Enough For Request

Exploitable Condition On Freelist[0] Allocate

Exploiting FreeList[0] - Searching

Request Made For Size


0x0BF8

Chunk Returned To
Caller
This Address Is In
The Freelists

Overwritten Chunk
@003622C8
0100

????

00360188

??

??

??

????????

FLINK Points To
Fake
FakeChunk+8
Chunk
Fake Chunk @00360180
8001

3600

00360188

= Requested Size
(+1 block)

??

80

01

36

00

00360188

Must Be Readable

Exploitable Condition On Freelist[0] Allocate - Searching

Allocation Relinking
If Chunk Is Larger
Than Request It Will
Get Split

Chunk Header Chunk Header


Chunk Space Chunk Space

New Chunk New Chunk


Header
Header

Chunk Returned To
Caller

New Chunk New Chunk


Space
Space

New Header Is
Written Into The
Existing Chunk
Space
Chunk Inserted
Into FreeLists

Exploiting FreeList[0] - Relinking


Request Made For Size
Smaller Than Our
Overwrite
Relink Chunk
Address Written To
00360580
This Is The
FrontEndHeap
(Lookaside Base)
> Relink Chunk
Size

Overwritten Chunk
@003622C8
0202

????

??

0036057C

??

??

??

READ

XXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXX
FLINK Points To
XXXXX.....

Fake
FakeChunk+8
Chunk

Fake Chunk @00360574


7005

3600

????????

08

06

36

00360688

Must Be
Read/Write

Exploitable Condition On Freelist[0] Allocate - Relinking

00

Splitting / Resizing

When Allocated Chunk Is To Large


: Checked when allocation from other list
: Chunk is cut to size, New header is written
: Chunk is inserted to freelist[n] or freelist[0]
: Size manipulated to put new chunk into
arbitrary
Freelist
7C82A3DB
CMP EBX,1
; Larger than one block
difference
7C82A3DE JE ntdll.7C82E5A4
7C82A3E4 MOV EAX,DWORD PTR SS:[EBP-48] ; Load requested size
7C82A3E7 LEA EDI,DWORD PTR DS:[ESI+EAX*8]
; Move to
create the new chunk
Can Skip By
..
7C82A3F3 MOV BYTE PTR DS:[EDI+5],CL
; Store new
Setting
flag As Last
7C82A3F6 MOV WORD PTR DS:[EDI+2],AX
; Store Prev Size
Chunk
..
7C82A400 MOV WORD PTR DS:[EDI],BX
; Store new size
7C82A403 TEST CL,10
; Is chunk new LAST CHUNK
7C82A406 JNZ ntdll.7C82A65E
; Jump if chunk is last chunk
7C82A40C LEA EAX,DWORD PTR DS:[EDI+EBX*8]
; Move to
NEXT chunk based on size

Coalesced Chunks

When Chunk Is Freed To Freelist


: Size field is used to locate previous and next
chunk
Test Flag
: Requires valid FLINK/BLINK on chunks to
Of
colaesce
Previous

7C82A6F6 JE SHORT ntdll.7C82A702


; If prev size is 0 jump
Chunk
7C82A6F8 TEST BYTE PTR DS:[ESI+5],1
; Is prev chunk BUSY?
7C82A6FC JE ntdll.7C82CA7A
; If not then coalesce
7C82A702 TEST BYTE PTR DS:[EDI+5],10
; Is our chunk
the last chunk?
Test Flag
7C82A706 JNZ ntdll.7C82A7B3
; If so can't coalesce
7C82A70C MOV EAX,DWORD PTR SS:[EBP+10]
Of Next
7C82A70F MOV EAX,DWORD PTR DS:[EAX]
; Load our block size
Chunk
7C82A711 LEA ESI,DWORD PTR DS:[EDI+EAX*8]
; Move to
next chunk
7C82A714 TEST BYTE PTR DS:[ESI+5],1
; Is next chunk BUSY?
7C82A718 JNZ ntdll.7C82A7B3
; Yup, so don't colaesce

: An overflow can control all of this to prevent


Self
Prev
CK FL UN SI
coalesce Header Size
Size

Preventing Coalesce

How To Prevent A Coalesce


: Set the chunk being freed prev size to ZERO
: Set the chunk being freed FLAG to last
chunk
: Set the chunk being freed self size > 0xFE00
: Set the prev/next chunks flag to PASS the
BUSY check
: Control the size to fake the prev/next
chunks location
Why Prevent A Coalesce()
: Coalescing an overwritten chunk normally
blows up
: Linking, resizing, and relinking is very
complex

Coalesced Chunks
????

????

??

??

??

??

Chunk A
Data Stored In

DATA

BUSY
Chunk
FFFF

BUSY
Chunk

Chunk A Will Be
Freed And We
Want To Prevent
Coalescing

FFFF

FF

DATA

01
FF

FF

FF

Chunk B
We
Overflowing

Keep The Flag


Set To BUSY

Coalesced Chunks
????

????

??

??

??

??

Chunk A
Data Stored In

DATA

BUSY
Chunk

FFFF

FFFF

FF

01

FF

FF

FF

FF

FF

01

FF

FF

DATA
0200
FFFF

BUSY
Chunk

0200
FFFF

FF

DATA
FFFF

Chunk B Will Be
Freed And We
Want To Prevent
Coalescing

FFFF

FF

DATA

Create Two Fake Chunks


And Set Size In Header
Of Chunk B To Point To
The Fake Chunks
Flag Set To Busy

Chunk B
We
Overflowing

Coalesced Chunks
????

????

??

??

??

??

Chunk A
Data Stored In

DATA

BUSY
Chunk
FFFF

BUSY
Chunk

Chunk B Will Be
Freed And We
Want To Prevent
Coalescing

0000
FFFF

FF

DATA

10
FF

FF

FF

Chunk B
We
Overflowing

Set The Flag To


Contain The
Last Chunk
Flag

Preventing A Free

How To Prevent A Free


: Set the chunks flag to FAIL the BUSY check
Move To
Chunk Header
Load Flag and
Test If Busy

Why Prevent A Free()


: Remove chunk from Lookaside
Can be overwritten before allocation
: Remove chunk from Freelist[]
Flag gets reset on allocation
Bypass Cookie Check
: Will cause a heap exception, doesnt stop
execution

Example Removing Chunk From Lookaside


Before
Allocation
Overwrite Flag
Self
Size

Prev
Size

CK

FL UN

SI

Self
Size

Prev
Size

CK

FL UN

SI

0300

0300

06

01

00

0101

0101

01

02

01

After
Allocation

After Free()

0E

01

Clearing The Lookaside

Top Chunk On A Lookaside Is Overwritten


: Flags set to not BUSY, Flink set to
0x00000000
Before
Allocation

Overwrite Flag And FLINK


Self
Size

Prev
Size

CK

FL UN

SI

Self
Size

Prev
Size

CK

FL UN

SI

0300

0300

06

01

00

0101

0101

01

02

01

00362100

0E

00000000

After
Overwrite
Allocation And Free Will Clear The Lookaside List

01

The Exploitation Process

The Steps
: Exploit the heap
: Overwrite a function pointer or other to gain
execution
: Flip the heap onto the stack to get ret-tolibc style control
: Turn off Data Execution Protection (DEP)
: Return to shellcode
Exploit The Heap
: Application dependant
Overwrite A Function Pointer
: Application dependant?

Heap / Stack Flipping

What Is Heap/Stack Flipping


: Exploit data is on the heap
: For fine grained control, it needs to be on
the stack
Requirements
: Pointer to exploit data; on stack, in a
register, in [reg +/- n]
: Locate instructions to manipulate pointer
and pop esp, ret
EBX ->
EBP ->
ECX ->
EAX->
: Overwrite
function
pointer
to
return
DATA
DATA
DATA
DATAto
instructions
PUSH
EBX
LEAVE
MOV
XCHG
POP ESP
RET
ESP,ECX
EAX,ESP
Populate
ESP
With
The
Pointer
To
Exploit Data
POP EBP
RET 8
RET
RET

Heap / Stack Flipping

Exploit Data

Stack

Registers

Code Gets
Executed
Flipping Code

Heap / Stack Flipping

Exploit Data

New Registers

New Stack
Code That We Returned
Into

Bypassing DEP

Entirely Ret-to-Libc
: Entire shellcode in borrowed instructions
: Inject into process that is not DEP enabled
: Very difficult
HeapCreate()
: Create new heap with
HEAP_CREATE_ENABLE_EXECUTE
: Allocate new chunk, memcpy shellcode across
: Doable, but sounds like a lot of work
Registry
: 'Image File Execution Options
: Would turn it off on a restart
: Not really very helpful

Bypassing DEP

SetProcessDEPPolicy()
: Not available on 2003
Copy Shellcode To RWE Memory Page
: Copy shellcode and then return to address

VirtualProtect()
: Use the PAGE_EXECUTE_READWRITE flag to
reset heap
: Return to shellcode

Bypassing DEP

VirtualAlloc()
: Allocate new memory with
PAGE_EXECUTE_READWRITE
: Address is returned in EAX
: Copy shellcode and return to it
NtSetInformationProcess()
: Skape and Skywing ret-to-libc to deactivate
DEP
: Easier on windows 2003
NtSetInformationProcess(
NtCurrentProcess(), //
(HANDLE)-1
ProcessExecuteFlags, //
0x22
&ExecuteFlags, // ptr to 0x2
sizeof(ExecuteFlags)); // 0x4

Bypassing DEP
Perfect
Instruction
Set

BUT!

Requires [ESI+37] To Be
Writable
Correctly Set Stack

NtSetInformationProcess(
NtCurrentProcess(), //
(HANDLE)-1
ProcessExecuteFlags, //
0x22
&ExecuteFlags, // ptr to 0x2
sizeof(ExecuteFlags)); // 0x4

Heap Exploitation

Step By Step
: The vulnerability
: Reproduction
: Understanding the bug
: Finding an overwrite
: Find a pointer
: Flipping the heap to stack
: Bypassing DEP
: The working

The Vulnerability

Citrix

Citrix
ImaSrv.exe
TCP Port 2512 or 2513
User-supplied -> Memory
Allocation
Undersized Allocation
Overflow The Heap Buffer

TCP Port 2512 or


2513
Overflow The Heap
Buffer

ImaSrv.e
User-suppliedxe
-> Memory
Allocation

Reproducing The Vulnerability

Usual Integer Overflow


: Usual packet size bug
Length Of
Data

DATA

Usual Basic Fuzz Test


while !crashed
{
inc buffer length
fill buffer with 0xFF
send to TCP 2512
}
\
xFF\xFF\xFF\x
FF

\
xFF\xFF\xFF\xFF\xFF\xF
F

I Am
Listening
On TCP
2512

Reproducing The Vulnerability


ntdll!A RtlAllocateHeap
Crash

In the good ol days, it would now be as easy as overwriting


the UEF.
But those days are over.

Understanding The Bug

Need To Trace From Start To FinishWSARecv


: bp WSARecv and send overflow again
Stack

Buffer Size

Buffer Address

Understanding The Bug

Need To Trace From Start To Finish


: After WSARecv our buffer is loaded

Understanding The Bug

Trace Through Code To Determine Paths


: This code checks buffer sizes
Load First DWORD
Of Packet Into EAX

Jump If Our Packet


Specified A Size
Larger Than 0x408

Compare Against
Size Of Current
Buffer 0x408

Understanding The Bug

Trace Through Code To Determine Paths


ESI == First
: Eventually get to here

DWORD From
Packet

EAX == ESI
+ 3C

Is Going To
Allocate A
Buffer Of Size
EAX

Understanding The Bug

But its not over yet


: Trace down to ntdll!RTLAllocateHeap

Allocate From Heap


00320000

Allocate 3B Bytes

Understanding The Bug

Still Thats Just An Undersized Buffer


: Keep tracing the code

EAX Points To The


Newly Allocated
Buffer

Bunch Of Stuff Is
Written Into The New
Buffer
This Is A Custom
Header And Is 0x3C
Bytes Long

Understanding The Bug

Finally....
: A memmove instruction overflows the buffer

New
Buffer+3C
Packet Data

KABOOM!

This Is The Size Of


The Packet That We
Sent

Understanding The Bug

The Result
: We can cause the allocation of a size 0x01
0x03B
: We can overflow the chunk with 0x408 bytes
The Limitations
: Can only allocate chunk 2 through to 9
That range is
FFFFFFC5 == 0x01 ==
Chunk 2
To
FFFFFFFF == 0x3b ==
Chunk 9
: The first 0x3C bytes are not controlled by us
due to the custom header

The Request LifeCycle

RTLAllocateHea
p()

WSARecv()

memmove()

RTLFreeHeap()

So Now What?
: We know we can cause an allocation of a lower
chunk
: Lets look at the Lookaside lists at the time of the
allocation

The Lookaside Lists

0x0a871c38
0x0a871bd0
= 0x68

Lookaside[8] Has A Top Chunk


That Sits After Lookaside[7] Top
Chunk On All Runs
AND
The Difference Is Greater Than
0x3C

0x0a871cc8
0x0a871c60
= 0x68

0x0a871d00
0x0a871c98
= 0x68

Lets Try It

First Request
: Request Lookaside[7]
: Overwrite Lookaside[8]
: Free Request
Problem
: If we now had two allocations of Lookaside[8]
: But we only have one
Solution
: Set flag of top chunk of Lookaside[8] to be
FREE
: Then when free() is called it will be skipped

Lets Try It

First Request
: Request Lookaside[7]
: Overwrite Lookaside[8]
: Free Request
Second Request
: Request Lookaside[8]
: Top Chunk Is Popped
: Free Request
Third Request
: Request Lookaside[8], Our Address Is
Returned

What Address To Overwrite

Function Pointer
: Trace code looking for pointer
: None found before WSARecv()
Lucky For Us That
Winsock Uses Static
Pointers

EAX Points To
Stack

0x71C14044 Is A Static
Pointer That Can Be
Overwritten

Winsock Structure

Winsock
: Holds a structure

Static
Pointer To
Handle

: Structure holds pointer to function pointer


table on the default heap
Load Address Of
Pointer Table
Static Within
Heap

Call Function

Exploiting The Bug

Pointer Table Address


: 0x142360
Set Lookaside Address
: Need to account for header
: Set lookaside to 0x01431D0
Heap/Stack Flip Local
Overwrite The Pointer Table
To Citrix DLLS
: We now control execution
Set The Stack
: EAX points to the pointer table
: EAX points to our data
: Search for a heap/stack flip
Return Down The Stack
: Return to Anti-DEP
: Return to shellcode on pointer table

Da Greetz
Acknowledgement to those who shared
current information, some of which was used
in this presentation

Nico
Caddis
mxatone

Acknowledgement to those who have


published past heap research

0ded
Shok
Sotirov
Sandip Chaudhari
A. Anisimov
N. Falliere
Halvar
Litchfield
+ All Others