Abstract

The exploit can be achieved without the need of any call to the free() function.
The overflowed memory is given a value such that a previous call to free() is simulated, causing the next malloc() call to misinterpret the memory as having been free'd before. We call this technique Free Simulation. Though the Free Simulation technique demonstrated in this paper has been tried successfully on AIX, Solaris and Windows XP SP2, it may be applicable on all systems having in-band heap memory management.

Introduction

Almost all the papers referenced in the References section, [1] through [7], discuss heap overflows, and the discussion or sample code snippets they provide involve free() being called. What if free() is never called and the process takes in user input that can lead to a heap overflow? Is it still possible to exploit such a process that never calls free()? The answer is yes, and that is what this presentation is all about.

Core Ideas

The heap overflow technique used when free() is being called is usually referred to as the 4-byte overwrite. The core idea is to attack the memory management algorithm, first (publicly?) demonstrated by Solar Designer for a heap overflow found in the Netscape browser [3], [1]. This attack on the memory management algorithm always necessarily involves pointer assignment instructions.

Logical Constructs

Let's refer to the primitive logical constructs involving these pointer assignments that get executed on a call to free() [4, Section: Anatomy of a Heap Overflow Exploit] & [5].

What exactly is the Free Simulation?

Free Simulation is the allocation of address space on a simulated free region in memory with a length of our choice, which in certain cases may be located anywhere we choose in the process address space.
Free Simulation can be differentiated broadly into 2 cases:

- Arbitrary buffer allocation: the heap data structure pointers are manipulated such that the simulated free buffer space, when allocated, can exist arbitrarily anywhere in the process memory address space (Free Simulation on AIX, Free Simulation on Solaris (<40 bytes buffer)).
- Arbitrary address overwrite (4-byte, i.e. word-size, overwrite): the heap data structure pointers are manipulated such that the pointer assignments cause an address to be overwritten arbitrarily anywhere in the process memory address space (Free Simulation on Solaris (>=40 bytes buffer), Windows XP SP2).

What exactly is the Free Simulation? (contd.)

[Figure: an example of the usual state of the heap with a few allocated chunks.]

What exactly is the Free Simulation? (contd.)

[Figure: the heap state at the moment when a number of chunks have been malloc'ed and a few have been free'd.]

What exactly is the Free Simulation? (contd.)

[Figure: after the overflow and the Free Simulation.]

Conditional Triggers

The conditional triggers are instructions in the malloc call that check if there is some previous or last free'd memory available (of appropriate size) that can be used to allocate the new chunk.

    if ( previous free'd chunk available && requested size <= available free'd size ) then ...

This logical free conditional primitive lies at the heart of successful Free Simulation. It triggers the execution of further pointer assignment instructions.

Free Simulation on AIX

[Figure: AIX heap data structure.]

Free Simulation on AIX (contd.)

Usually, the PPF (Pointer to Previously Free'd chunk) is NULL and the NFP (Next Free Pointer) points to the last PPF (NULL), indicating availability of free memory. We will try to understand what happens if the PPF is not NULL, which is very important for the success of exploitation by Free Simulation. The PPF, which is usually NULL, is assigned the value of the address of the previously free'd chunk!
The core idea is to overflow the malloc() allocated chunk by 2 words, having the first word as an address so that it will now be interpreted as the PPF, and the second word as some arbitrary size.

Free Simulation on AIX (contd.)

How about pointing the PPF to the stack? Possible? Yes! In a way, we are smashing the heap, simulating free() and then smashing the stack! Thus the simulated free space can be located anywhere in the process's writable memory address space. The reason this is possible is that the malloc() function trusts the address retrieved as a valid heap address for memory allocation.

Free Simulation conditional trigger for AIX

    if ( Pointer to Previously Free'd chunk [PPF] != NULL && requested_size <= chunk_size ) ... [A]
    {
        consider the value of PPF as the address of a previously free'd chunk
        and try to allocate memory on this free'd chunk
    }

The above [A] is merely a logical summary of conditional instructions or statements. The "if" condition may actually have been implemented as a "while". The conditional statements make it very clear that triggering Free Simulation on AIX is quite easy.

Free Simulation on Solaris - I [size < 40 bytes]

Free Simulation on Solaris - I [size < 40 bytes] (contd.)

On Solaris, 2 types of data structures are involved in the heap management, based on the chunk size asked for. If the requested chunk size is less than 40 bytes then the linked lists are involved and a different section of code gets executed, while for sizes greater than 40 bytes a binary search tree structure is maintained. The decision to allocate or consider the previously free'd chunk of memory for allocation is based primarily on bit0 and bit1 of the size word on Solaris. The size is specified in bytes, so the last 2 bits are free for flags.

- bit0: 1 if the chunk is allocated, else 0.
- bit1: 1 if a previous block has been free'd in the local list of the bin, else 0.
Free Simulation on Solaris - I [size < 40 bytes] (contd.)

The freelists are structured like lists in bins of various chunk sizes. In case malloc finds that the bit1 state is 1, it considers that there is a previously free'd memory chunk. The word next to the immediate next word is considered as the address pointing to the previously free'd chunk. In the case of Solaris, we overflow the allocated chunk's boundary such that bit1 of the size in the header of the next chunk is set to 1, and the word next to the immediate-next word may be given the address where we would like to overwrite on the next memory write operation.

Free Simulation on Solaris - I [size < 40 bytes] (contd.)

As before in AIX, again, the simulated free space can be located anywhere in the process's writable memory address space. Again, the reason this is possible is that the malloc() function trusts the address retrieved as a valid heap address for memory allocation.

Free Simulation conditional trigger for Solaris - I

    if ( size.bit1 equals 1 ) .... [B]
    {
        After size checks, consider the address next to the immediate-next word as the
        previously free'd chunk and assign it to the Next Pointer of the Heap Data Structure.
        Again, after size checks, this simulated free space will be used to allocate memory
        on any call to malloc() in the future.
    }

As stated before in the case of AIX, the above [B] is merely a logical summary of conditional instructions for Solaris. The conditional "if" is logical and it may be a conditional "while" in the actual implementation.

Free Simulation on Solaris - II [size >= 40 bytes]

The "Once upon a free()" paper [8] published in Phrack magazine demonstrates a heap-overflow exploit by calls only to malloc(), which further calls realfree(). The focus is on creation of the fake chunk that leads to a 4-byte overwrite when the heap-management data is manipulated. The paper also clearly mentions that "Overflowed chunk must not be the last chunk".
As before, we will simulate free() by overflowing the last malloc'ed chunk. This is achieved using the 4-byte overwrite technique. We take advantage of delayed free calls and achieve the 4-byte overwrite in realfree()'s coalesce operation. This is similar to the exploit mentioned in [8], but differs by overflowing the last malloc'ed chunk.

Free Simulation on Solaris - II [size >= 40 bytes] (contd.)

We will refer to the OpenSolaris site [9] for source code to better understand the exploit.

Source: mallint.h

     80 /* the proto-word; size must be ALIGN bytes */
     81 typedef union _w_ {
     82         size_t  w_i;            /* an unsigned int */
     83         struct _t_ *w_p[2];     /* two pointers */
     84 } WORD;

     86 /* structure of a node in the free tree */
     87 typedef struct _t_ {
     88         WORD    t_s;            /* size of this element */
     89         WORD    t_p;            /* parent node */
     90         WORD    t_l;            /* left child */
     91         WORD    t_r;            /* right child */
     92         WORD    t_n;            /* next in link list */
     93         WORD    t_d;            /* dummy to reserve space for self-pointer */
     94 } TREE;

A few important macros. Source: mallint.h

     98 #define RSIZE(b)        (((b)->t_s).w_i & ~BITS01)

    112 /* set/test indicator if a block is in the tree or in a list */
    113 #define SETNOTREE(b)    (LEFT(b) = (TREE *)(-1))
    114 #define ISNOTREE(b)     (LEFT(b) == (TREE *)(-1))

    121 #define NEXT(b)         ((TREE *)(((char *)(b)) + RSIZE(b) + WORDSIZE))
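The point the slides keep returning to is that the allocator trusts whatever the in-band size word says: NEXT(b) is plain pointer arithmetic on RSIZE(b), so a size word corrupted by an overflow steers the walk wherever the overwrite says. The following is an added example, not code from the slides or from OpenSolaris: it models the bit0/bit1 size-word encoding and the unchecked NEXT() of the excerpt above, beside a range-checked variant of the kind a hardened allocator performs before trusting a header. The arena layout, the chunk_t type, next_checked() and the demo_ function are this example's own constructions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size-word encoding as described on the slides: size in bytes with the two
 * low bits free for flags (bit0 = allocated, bit1 = previous block free'd).
 * WORDSIZE/BITS01 mirror the mallint.h excerpt only as far as it shows them. */
#define WORDSIZE  ((size_t)sizeof(size_t))
#define BIT0      ((size_t)1)
#define BIT1      ((size_t)2)
#define BITS01    (BIT0 | BIT1)

typedef struct chunk {
    size_t size_word;   /* in-band header; user data follows it */
} chunk_t;

#define RSIZE(c)   ((c)->size_word & ~BITS01)
#define ISBIT0(c)  (((c)->size_word & BIT0) != 0)
#define ISBIT1(c)  (((c)->size_word & BIT1) != 0)

/* Real size with the flag bits masked off, exposed for the test. */
size_t rsize_of_word(size_t w) { return w & ~BITS01; }

/* Unchecked NEXT(), as in the excerpt: trusts the size word completely. */
static chunk_t *next_unchecked(chunk_t *c) {
    return (chunk_t *)((char *)c + RSIZE(c) + WORDSIZE);
}

/* Checked variant: same arithmetic, but returns NULL instead of a pointer that
 * leaves [arena_lo, arena_hi) or whose header would not fit. A corrupted size
 * word therefore stops the walk instead of yielding an attacker-chosen chunk. */
static chunk_t *next_checked(chunk_t *c, const char *arena_lo, const char *arena_hi) {
    const char *base = (const char *)c;
    if (base < arena_lo || base + WORDSIZE > arena_hi) return NULL; /* c itself is not in the arena */
    size_t rsz = RSIZE(c);
    if (rsz % WORDSIZE != 0) return NULL;                           /* misaligned size word */
    size_t avail = (size_t)(arena_hi - base);
    if (avail < 2 * WORDSIZE || rsz > avail - 2 * WORDSIZE) return NULL; /* next header out of range */
    return (chunk_t *)((char *)base + rsz + WORDSIZE);
}

/* Constructed arena: aligned storage for two allocated chunks. */
static union { size_t align; unsigned char bytes[256]; } arena_store;

enum { DEMO_OK = 0, DEMO_INTACT_PATH_FAILED = 1, DEMO_CORRUPT_PATH_FAILED = 2 };

/* Lays out two allocated chunks, checks that both walkers agree on an intact
 * header, then simulates an overflow into the second header's size word and
 * checks that only the checked walker refuses it. Returns DEMO_OK on success. */
int demo_size_word_check(void) {
    memset(&arena_store, 0, sizeof arena_store);
    const char *lo = (const char *)arena_store.bytes;
    const char *hi = lo + sizeof arena_store.bytes;

    chunk_t *a = (chunk_t *)arena_store.bytes;
    a->size_word = 40 | BIT0;          /* 40-byte allocated chunk */
    chunk_t *b = next_unchecked(a);    /* header directly after a's data */
    b->size_word = 24 | BIT0;          /* 24-byte allocated chunk */

    if (next_checked(a, lo, hi) != b) return DEMO_INTACT_PATH_FAILED;

    /* Simulated overflow from a's data into b's header: an oversized size word
     * would make NEXT(b) point far outside the arena. */
    b->size_word = 0x10000 | BIT0;
    if (next_unchecked(b) < (chunk_t *)hi) return DEMO_CORRUPT_PATH_FAILED; /* unchecked walks out */
    if (next_checked(b, lo, hi) != NULL) return DEMO_CORRUPT_PATH_FAILED;   /* checked refuses */
    return DEMO_OK;
}

int main(void) {
    printf("size-word check demo: %s\n", demo_size_word_check() == DEMO_OK ? "ok" : "FAILED");
    return 0;
}
```

The checked walker is deliberately conservative: it rejects any header whose next header would not fit inside the arena, which is exactly the condition a fake chunk placed by an overflow needs the allocator to ignore.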
Free Simulation on Solaris - II [size >= 40 bytes] (contd.)

Sections of functions relevant to our exploit.

Source: malloc.c - realfree()

    511         /* see if coalescing with next block is warranted */
    512         np = NEXT(tp);
    513         if (!ISBIT0(SIZE(np))) {
    514                 if (np != Bottom)
    515                         t_delete(np);
    516                 SIZE(tp) += SIZE(np) + WORDSIZE;
    517         }

Source: malloc.c - t_delete()

    756         /* if this is a non-tree node */
    757         if (ISNOTREE(op)) {
    758                 tp = LINKBAK(op);
    759                 if ((sp = LINKFOR(op)) != NULL)
    760                         LINKBAK(sp) = tp;
    761                 LINKFOR(tp) = sp;
    762                 return;
    763         }

Note: the two assignments highlighted in orange in the original slides (lines 760 and 761) are the two word assignments where user-controlled data (an 8-byte overwrite in this case, but we will still refer to it as 4-byte) can be injected. We can summarize the above operation in instructions as:

    0xff2c7808 <t_delete+52>:   st  %o0, [ %o1 + 8 ]
    0xff2c780c <t_delete+56>:   st  %o1, [ %o0 + 0x20 ]

Free Simulation on Solaris - II [size >= 40 bytes] (contd.)

[Figure: malloc'ed heap chunk and overflow.]

Free Simulation conditional trigger for Solaris - II

1. if ( size.bit0 equals 0 ) .... [C] { consider this as a free chunk; check if the next chunk is also free and if coalesce is possible. }
2. if ( next chunk size.bit0 equals 0 ) { the next chunk in the contiguous memory block is free; proceed with coalesce. }
3. The size should be such that the NEXT(p) calculation will return our fake chunk as the next chunk.
4. The returned fake chunk should bypass the is-bottom check [np != Bottom]. This would be automatically taken care of.
5. The value of the left-node pointer t_l of the fake chunk must be -1 for interpretation as a list node rather than a tree node.
6. if ( value of left-node equals -1 ) .... [D] { interpret it as a list node and proceed further with the coalesce operation involving pointer assignments. }

As stated before for AIX, the above [C] and [D] are merely logical summaries of conditional instructions for Solaris. Step [C] indicates Free Simulation. The remaining steps, including [D], indicate the trigger to coalesce, the fake-chunk creation, and the coalesce operation that involves pointer assignments for the linked list.

Free Simulation - Windows XP SP2

A 4-byte overwrite, or an arbitrary 4*n-byte overwrite, is still possible on older Windows (Windows < XP SP2). Since SP2, Microsoft has introduced Heap Protection. Is Free Simulation still possible on XP SP2?

Windows Heap Overflow Exploit Research (Time Progression)

- Halvar Flake - "Third Generation Exploitation"
  http://www.blackhat.com/presentations/win-usa-02/halvarflake-winsec02.ppt
- David Litchfield - "Windows Heap Overflows"
  http://www.blackhat.com/presentations/win-usa-04/bh-win-04-litchfield/bh-win-04-litchfield.ppt
- Matt Conover, Oded Horowitz - "Reliable Windows Exploits"
  http://cansecwest.com/csw04/csw04-Oded+Connover.ppt
- Alexander Anisimov - "Defeating Windows XP SP2 Heap protection and DEP bypass"
  http://www.maxpatrol.com/defeating-xpsp2-heap-protection.pdf
- Nicolas Falliere - "A new way to bypass Windows heap protections"
  http://www.securityfocus.com/infocus/1846
- Brett Moore - "Exploiting Freelist[0] on Windows XP Service Pack 2"
  http://www.securiteam.com/securityreviews/5MP020UHFI.html

Free Simulation - Windows XP SP2

The presenter's research did lead to the possibility of heap overflow exploitation on SP2 using Free Simulation. It turned out, though, to be very similar to something that has been discussed in Brett Moore's paper, with a few minor differences.
Similar to the examples shown in the previous slides, we will be overwriting a 4-byte word at a stack address holding a function return address with an address now pointing to the heap. The value overwritten is partially controlled, pointing back to the address containing [stack's address - 4].

Free Simulation - Windows XP SP2: Reaching Freelist[0]

The malloc() calls try to allocate a chunk of the requested size in a certain order, shown below for chunks < 512k:

1. Lookaside (for size < 1k)
2. Freelist[indices > 0] (for size < 1k)
3. Freelist[0] (for size > 1k, or if none is found in 1 or 2 for < 1k)

When not pointing to any free'd chunk, Freelist[0] points to the free region beyond the last chunk. In such a case, or when there is no free'd chunk in Freelist[0] big enough for the requested size, allocation takes place in the free region beyond the last chunk. Our focus would be to make malloc() reach Freelist[0] and re-apply the concepts of Free Simulation for successful exploitation.

Free Simulation - Windows XP SP2: Library function calls

Many library functions use malloc() internally. These functions usually need varying chunk sizes. Such functions form excellent candidates for this exploit technique, as they have a greater chance of hitting Freelist[0].

Free Simulation - Windows XP SP2: Library function calls

In our example we exploit the malloc() called by the printf() function. We will focus on exploitation and change of control flow using only one overflow. Brett Moore's paper aptly hints that such a technique, if used, needs the address to constitute a valid instruction. We will see that, in our example, one of the addresses of a low-level function on the stack called by malloc() itself does form a valid instruction that gets executed. Our shellcode starts right from the next word!

Free Simulation - Windows XP SP2

[Figure.]
Free Simulation - Windows XP SP2: Conditional Trigger

- The allocation code must somehow reach Freelist[0].
- Freelist[0] must point to the header of our simulated free chunk.
- The simulated free chunk's size must be greater than the size of the requested chunk + 8. This would trigger the re-link and our 4-byte overwrite.
- The stack address at the function return pointer is overwritten with an address pointing back to the heap, which should be interpretable as a valid instruction.

Free Simulation - Windows XP SP2: Demo!

Though exploiting a heap overflow using Free Simulation on SP2 is still a possibility, Heap Protection definitely puts forth many limitations.

Advantages of the Free Simulation

- Relatively easy to exploit.
- Provides a consistent and generic model to pursue heap overflow-based exploits.
- For processes / applications where free() is never called, Free Simulation may be the best technique to exploit.
- Usually a data write follows after a chunk from malloc has been obtained, favoring Free Simulation exploitation.
- Some heap algorithms do not actually free the memory at the free() call. This delayed/lazy free() is feasible due to certain supportive free structures like the free-list / flist (Solaris). Whenever malloc() is called it internally calls free(), or rather realfree() (especially on Solaris), which actually frees the memory. Hence focusing on malloc() calls might provide an easier approach and save time.
- Usually, malloc() and realloc() are called more frequently compared to free().
- Exploitation can be triggered at a considerably earlier stage in a process's life cycle, because malloc() (memory allocation) always precedes free().
- Enables arbitrary overwrites anywhere in the process memory regions, including the stack, the heap, function pointers and the Procedure Linkage Table.

Limitations of Free Simulation

- Usually works well and easily when the overflow occurs in the last malloc'ed chunk.
- For overflows in in-between malloc'ed chunks, it depends on the implementation of the memory allocation algorithm.
- On Windows XP SP2, it can be triggered only for allocation of chunks in the free space pointed to by Freelist[0].

Preventive Measures

- The best preventive measure is at the code-implementation level itself, by altogether avoiding, or by careful usage of, function calls that may potentially lead to memory overflows.
- Implementation of a heap algorithm with total removal of in-band memory management information from between the data can completely protect against any such manipulation. Many such implementations are already available for *nix platforms and can be linked with the system's library. Some have also integrated such protection schemes into default distros (OpenBSD).
- At the system level, NX [Non-Executable pages], a non-executable data region (that includes the heap along with the stack; on AIX, sedmgr), cookies, and write-protected guard bands between heap data segments and heap management structures can make heap overflow exploitation almost impossible. Implementation and integration of such preventive measures by various operating systems is already pushing (4*1) or (4*n) memory overwrites into history.

References

[1] http://md.hudora.de/presentations/summerschool/2005-09-21/vansprundel-ctt-heapoverflows.pdf - Generic Heap Overflow Exploitations.
[2] http://www.blackhat.com/presentations/win-usa-02/halvarflake-winsec02.ppt - Third Generation Exploitation.
[3] http://www.openwall.com/advisories/OW-002-netscape-jpeg/ - Solar Designer.
[4] https://www.usenix.org/publications/library/proceedings/lisa03/tech/full_papers/robertson/robertson_html/ - Run-time Detection of Heap-based Overflows (Anatomy of a Heap Overflow Exploit, Logical Constructs).
[5] http://doc.bughunter.net/buffer-overflow/heap-corruption.html
[6] http://www.w00w00.org/files/articles/heaptut.txt
[7] http://cansecwest.com/csw04/csw04-Oded+Connover.ppt
[8] http://www.phrack.org/phrack/57/p57-0x09 - Once Upon a free().
[9] http://cvs.opensolaris.org/source/ - Solaris source code on the OpenSolaris website.
[10] http://www.blackhat.com/presentations/win-usa-04/bh-win-04-litchfield/bh-win-04-litchfield.ppt - David Litchfield, "Windows Heap Overflows".
[11] http://www.maxpatrol.com/defeating-xpsp2-heap-protection.pdf - Alexander Anisimov, "Defeating Windows XP SP2 Heap protection and DEP Bypass".
[12] http://www.securityfocus.com/infocus/1846 - Nicolas Falliere, "A new way to bypass Windows heap protections".
[13] http://www.securiteam.com/securityreviews/5MP020UHFI.html - Brett Moore, "Exploiting Freelist[0] on Windows XP Service Pack 2".

Questions?

19-21 October 2006

Smashing Heap by Free Simulation!
Sandip Chaudhari
sandipchaudhari@gmail.com

Acknowledgements

Thanks to everyone in my Security Team for their support and encouragement, especially to Jonathan Leonard, Jeremy Jethro and Nick Seidenman.

Logical Constructs (contd.)

frontlink():

    #define frontlink(A, P, S, IDX, BK, FD) {
    [1]     FD = start_of_bin(IDX);
    [2]     while ( FD != BK && S < chunksize (FD) ) {
    [3]         FD = FD->fd;
            }
    [4]     BK = FD->bk;
    [5]     FD->bk = BK->fd = P;
    }

unlink():

    #define unlink(P, BK, FD) {
    [1]     FD = P->fd;
    [2]     BK = P->bk;
    [3]     FD->bk = BK;
    [4]     BK->fd = FD;
    }

Note: Both the above macros are a set of logical statements that explain pointer assignments. Either or both of these may be executed on a call to free(). P is the pointer that has been passed to be free'd.

[Figure: heap with allocated and unallocated chunks.]
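The unlink() macro above performs its two pointer writes (steps [3] and [4]) with no check that FD and BK are really the neighbours of P, which is what every 4-byte overwrite on these slides ultimately relies on; the Preventive Measures slide asks for allocators that stop trusting in-band metadata. The following is an added example, not code from the slides or from any real allocator: it writes the macro as a plain function beside a checked variant that refuses the writes unless both neighbours still point back at P, and shows the checked variant accepting a legitimate node and rejecting one whose links no longer agree. The node type, the unlink_checked/unlink_unchecked names, the demo_ functions and the lists they build are this example's own constructions.

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal free-list node: size word plus the two in-band links the macros use. */
typedef struct node {
    size_t size;
    struct node *fd;   /* forward link */
    struct node *bk;   /* backward link */
} node;

/* Mirrors the slide's unlink(): FD = P->fd; BK = P->bk; FD->bk = BK; BK->fd = FD;
 * Whatever fd and bk hold is written through without question. */
static void unlink_unchecked(node *p) {
    node *fd = p->fd, *bk = p->bk;
    fd->bk = bk;
    bk->fd = fd;
}

/* Checked variant (the same idea as glibc's "corrupted double-linked list"
 * check): both neighbours must still point back at p, otherwise the links have
 * been tampered with and no write is performed. Returns 1 if unlinked, 0 if refused. */
static int unlink_checked(node *p) {
    node *fd = p->fd, *bk = p->bk;
    if (fd == NULL || bk == NULL) return 0;
    if (fd->bk != p || bk->fd != p) return 0;
    fd->bk = bk;
    bk->fd = fd;
    return 1;
}

/* Number of nodes on a circular list starting at head (head counted). */
static int list_length(const node *head) {
    int n = 1;
    for (const node *c = head->fd; c != head; c = c->fd) n++;
    return n;
}

/* Builds the constructed circular list head <-> a <-> b and unlinks a with the
 * checked variant. Returns the remaining length (2: head and b), or -1 if the
 * check wrongly refused an intact node. */
int demo_checked_unlink(void) {
    node head = {0, NULL, NULL}, a = {16, NULL, NULL}, b = {16, NULL, NULL};
    head.fd = &a; a.bk = &head; a.fd = &b; b.bk = &a; b.fd = &head; head.bk = &b;
    if (!unlink_checked(&a)) return -1;
    return list_length(&head);
}

/* Same list; on intact links the unchecked macro behaves identically.
 * Unlinks a and then b, returning the remaining length (1: only head). */
int demo_unchecked_unlink(void) {
    node head = {0, NULL, NULL}, a = {16, NULL, NULL}, b = {16, NULL, NULL};
    head.fd = &a; a.bk = &head; a.fd = &b; b.bk = &a; b.fd = &head; head.bk = &b;
    unlink_unchecked(&a);
    unlink_unchecked(&b);
    return list_length(&head);
}

/* A node whose links no longer agree with its neighbours, as they would after
 * the kind of in-band header corruption the slides describe: fd points at a
 * word that was never part of this list and bk at a node that does not point
 * back. The checked variant must refuse, and the stray target must stay untouched.
 * Returns 1 if the check held, 0 otherwise. */
int demo_tampered_unlink_rejected(void) {
    node stray = {0xAAAA, NULL, NULL};           /* not on any list; bk must stay NULL */
    node decoy = {0, NULL, NULL};
    decoy.fd = &decoy; decoy.bk = &decoy;        /* self-linked, does not point at tampered */
    node tampered = {16, &stray, &decoy};
    int accepted = unlink_checked(&tampered);
    return !accepted && stray.bk == NULL && decoy.fd == &decoy;
}

int main(void) {
    printf("checked unlink leaves %d node(s)\n", demo_checked_unlink());
    printf("unchecked unlink leaves %d node(s)\n", demo_unchecked_unlink());
    printf("tampered node rejected: %s\n", demo_tampered_unlink_rejected() ? "yes" : "NO");
    return 0;
}
```

The check costs two loads and two compares per unlink and removes exactly the primitive the slides build on: with it in place, a forged fd/bk pair can no longer turn a coalesce or a list removal into a write to an address of the overflower's choosing.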
[Figure: heap with in-band headers, showing allocated, unallocated and free'd chunks and a pointer to a previously free'd chunk.]
[Figure: Target. Heap and stack shown side by side; an overflow of an allocated chunk creates a simulated free chunk whose header carries a pointer to a previously free'd chunk]

[Figure: Free Simulation on Solaris - I (size < 40 bytes). Heap Data Structure [HDS]: <__heaps+1040>: next free pointer; total number of heap chunks malloc'ed. <__heaps+1056>: total heap space allocated. <__heaps+1068>: pointer to current chunk [CP]. <__heaps+1076>: pointer to the address of pointer of previous free chunk [PPPF]. Heap malloc'ed chunks [MC]: each chunk header holds 0x00000000, else pointer to previously free'd chunk [PPF], and the user specified size of chunk, else real size of previously free'd chunk; the header is followed by the actual malloc'ed memory, or by unallocated memory]

[Figure: Free Simulation on Solaris - II (size >= 40 bytes). Heap malloc'ed chunks [MC]: size word (Available chunk size or ...; bit0 and bit1 of size determine the chunk state), alignment word (0x0 or junk), then Data if allocated, else Next Free Pointer [NFP] if unallocated, else Pointer to Previous Free'd chunk [PPF] if free'd; followed by actual malloc memory or unallocated memory. Heap Data Structure [HDS]: Next Free chunk Pointer or Previous Free'd chunk Pointer; index or count of free'd chunks in a bin's list; <&flist - flist+124>: list of free'd pointers; list of bins / nodes of flists]
We have 2 structures involved: t1.t_* and t2.t_*

- t_s: Size. We assign this to -2 so that np = NEXT(p) will return np pointing to t1.t_j and bit0 is '0' for both t1.t_s and t2.t_s.
- t_j: As every pointer in this structure occupies 2 words owing to alignment logic, we can consider all t_j as junk.
- t_p: Pointer to previous node; can be junk for t1.t_p, and t2.t_p can be the address with which the return address on the stack is to be replaced.
- t_l: can be junk for t1.t_l but must be -1 for t2.t_l, thus guaranteeing that malloc() would not interpret the node as a tree node but would interpret it as a list node.
- t_r: can be completely ignored and hence can be junk.
- t_n: t1.t_n can be junk but t2.t_n will be the address we would like to overwrite - 8.
- t_d: May be ignored and can be junk for both t1.t_d and t2.t_d.

[Figure: the t1 and t2 structures overlaid on allocated and unallocated memory. Fields in order: t1.t_s [ > -4 < 0 ], t1.t_j / t2.t_s, t1.t_p / t2.t_j, t1.t_j / t2.t_p, t1.t_l / t2.t_j, t1.t_j / t2.t_l, t1.t_r / t2.t_j, t1.t_j / t2.t_r, t1.t_n / t2.t_j, t1.t_j / t2.t_n, t1.t_d / t2.t_j, t2.t_d]
[Figure: Free Simulation on Windows XP SP2. Heap Data Structure [HDS]: HDS Header, Freelist[0], Freelist[1], Lookaside[0], Lookaside[1]. Heap: Chunk Header, Simulated Free Chunk, Chunk Data. Stack. Calls shown: _heap_alloc_dbg, malloc, printf, leading to Shell Code]

Smashing Heap by Free Simulation
Sandip Chaudhari, sandipchaudhari@gmail.com
October 2006

Slide titles:
- Slide 1
- Abstract
- Introduction
- Core Ideas
- Logical Constructs
- What exactly is the Free Simulation?
- What exactly is the Free Simulation? (contd.)
- What exactly is the Free Simulation? (contd.)
- What exactly is the Free Simulation? (contd.)
- Conditional Triggers
- Free Simulation on Aix
- Free Simulation on Aix (contd.)
- Free Simulation on Aix (contd.)
- Free Simulation conditional trigger for Aix
- Free Simulation on Solaris – I [size < 40 bytes]
- Free Simulation on Solaris – I [size < 40 bytes] (contd.)
- Free Simulation on Solaris – I [size < 40 bytes] (contd.)
- Free Simulation on Solaris – I [size < 40 bytes] (contd.)
- Free Simulation conditional trigger for Solaris - I
- Free Simulation on Solaris – II [size >= 40 bytes]
- Free simulation on Solaris – II [size >= 40 bytes] (contd.)
- Free simulation on Solaris – II [size >= 40 bytes] (contd.)
- Free simulation on Solaris – II [size >= 40 bytes] (contd.)
- Free Simulation conditional trigger for Solaris - II
- Free Simulation - Windows XP SP2
- Windows Heap Overflow Exploit Research (Time Progression)
- Free Simulation – Windows XP SP2
- Free Simulation – Windows XP SP2 Reaching Freelist[0]
- Free Simulation – Windows XP SP2 Library function calls
- Free Simulation – Windows XP SP2 Library function calls
- Free Simulation – Windows XP SP2
- Free Simulation – Windows XP SP2 Conditional Trigger
- Free Simulation – Windows XP SP2 Demo!
- Advantages of the Free Simulation
- Limitations of Free Simulation
- Preventive Measures
- References
- Questions