Monday, December 8, 2008

Things to do in Japan, if you want to exploit the heap

Dear diary,
Sorry I have been sucking at blogging, but the truth is I didn't do anything interesting these days, technically at least. Unless, of course, you are part of some extinguished cult that worships Django.

Anyway, since last Friday I started updating my slides for the training I'm giving with the people of cyberdefense about heap exploitation in Tokyo (and I must say that if you are interested you should rush to reserve your ticket, since it's filling up quite quickly).
I updated the information about Windows 2003/XP SP2 exploitation, including theory and a bunch of exercises (students will end up exploiting Brett Moore's Citrix MetaFrame bug).
I'm also updating the Vista part, which was always the critical part of the class, since I gave it on the last day and people were really tired by then (and it was a lot of information about all the changes in the new implementation and ideas about how to exploit it).
And while doing some research I stumbled onto Ben Hawkes' "Attacking the Vista Heap" from the RUXCON conference.
When I think about heap exploitation, or even exploitation in general, I can't stop thinking at the remote level; it's probably my weakness but also my strength. And it is obviously a consequence of my background education in Linux exploitation when I was a kid.
Did I ever tell you, dear diary, that I did Linux exploitation like all good boy scouts? Same as Bas, same as Sinan... and I spent 8 good months doing that for CANVAS until Dave said "Windows time", and we all had to switch :>.
So when I heard about Ben Hawkes' technique of writing to the global heap structure (PHEAP from now on), I thought it was a good idea (I even thought about it before reading it), but I didn't see a real use for it in a remote exploit: possible, but not that simple to implement. (In remote heap exploitation you should always follow Sinan's law: if the technique has more steps than the strawberry pudding recipe, it isn't worth it.)
But BANG! I read Ben Hawkes' slides. And that was a jaw breaker!
Why? Because he follows Einstein's cliché phrase: "Everything should be made as simple as possible, but not simpler."
Basically he asks himself: what would you do if you could overwrite a pointer to a heap chunk with whatever you want? And he answers it quite simply: I point it to a different busy chunk.
And the math is simple: if you point the chunk pointer to a different busy chunk, then when that chunk gets freed it becomes available to the system. So the next allocation of the same size will return the chunk that wasn't supposed to be free, and you will be able to overwrite the data of that busy chunk.
Don't rush your rants; he's obviously not pointing his chunk pointer at a random busy chunk on the heap, that would be almost impossible to exploit reliably. Ben's magic goes much further.
And this is the nice trick: he basically makes the pointer land on the PHEAP, and since the PHEAP is actually a chunk, the first one of its own heap, he makes the PHEAP chunk available for someone else to use. And if you combine that with a strdup [alloc/memcpy(yourstring)], you get realistic Vista heap exploitation without really relying on any -real- implementation trick.
And you don't need to know the address of the PHEAP; you probably just need to zero out the last digits of the pointed chunk's address (0x00452880 into 0x00452000, it depends obviously).
So the steps you have to do are quite simple:
1) Play with the heap in order to get a chunk pointer next to your overwriting chunk
2) Overwrite the last digits of that pointer to make it point to the PHEAP
3) Find a strdup, send a string, and overwrite the PHEAP, including the heap cookie and the RtlCommitRoutine
4) Trigger some allocation extension and welcome your connectback!
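To see why those four steps work, and what a heap has to check to make them fail, here is an added toy model in C. It is constructed for this write-up: it is not Ben Hawkes' code and it is not the Windows heap, just a tiny arena allocator whose control block is its own first chunk, with one free that trusts the pointer it is given and one that refuses anything that isn't a busy user chunk of the arena. All names in it (`toy_alloc`, `toy_free_checked`, `HEAP_COOKIE`, `commit_routine`, the "redirect by masking the low bits" simulation) are my assumptions for the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy arena allocator constructed for this example. It is NOT the Windows
 * heap; it only reproduces the shape the post describes: the heap's own
 * control block (the "PHEAP") is the first chunk of its own arena. */

#define ARENA_SIZE  4096
#define USER_SIZE   48            /* one size class keeps the model small */
#define MAX_FREE    8
#define HEAP_COOKIE 0x5A          /* constructed "secret" byte */

struct chunk_hdr { uint8_t cookie; uint8_t busy; uint16_t size; uint32_t pad; };

struct heap_ctl {
    uint8_t   cookie;                 /* per-heap secret copied into each header */
    void    (*commit_routine)(void);  /* stand-in for the post's RtlCommitRoutine */
    uint8_t  *next_fresh;             /* bump pointer for never-used chunks */
    void     *free_stack[MAX_FREE];   /* LIFO free list of user pointers */
    int       free_top;
};

#define STRIDE    (sizeof(struct chunk_hdr) + USER_SIZE)
static union { uint8_t bytes[ARENA_SIZE]; uint64_t align; } arena_u;
#define ARENA     (arena_u.bytes)
#define CTL       ((struct heap_ctl *)(ARENA + sizeof(struct chunk_hdr)))
#define FIRST_HDR (ARENA + sizeof(struct chunk_hdr) + sizeof(struct heap_ctl))

static void default_commit(void) { /* what the heap would call to grow itself */ }

static void toy_heap_init(void) {
    memset(ARENA, 0, ARENA_SIZE);
    struct chunk_hdr *h = (struct chunk_hdr *)ARENA;   /* control block is chunk #0 */
    h->cookie = HEAP_COOKIE; h->busy = 1; h->size = sizeof(struct heap_ctl);
    CTL->cookie = HEAP_COOKIE;
    CTL->commit_routine = default_commit;
    CTL->next_fresh = FIRST_HDR;
    CTL->free_top = 0;
}

static void *toy_alloc(void) {
    if (CTL->free_top > 0)               /* LIFO reuse: the post's "next allocation of the same size" */
        return CTL->free_stack[--CTL->free_top];
    uint8_t *at = CTL->next_fresh;
    if (at + STRIDE > ARENA + ARENA_SIZE) return NULL;
    struct chunk_hdr *h = (struct chunk_hdr *)at;
    h->cookie = CTL->cookie; h->busy = 1; h->size = USER_SIZE;
    CTL->next_fresh = at + STRIDE;
    return at + sizeof(struct chunk_hdr);
}

/* Weak free: whatever pointer the application hands over goes on the free list. */
static void toy_free_unchecked(void *p) {
    if (CTL->free_top < MAX_FREE) CTL->free_stack[CTL->free_top++] = p;
}

/* Hardened free: refuse anything that is not a busy user chunk of this arena. */
static int toy_free_checked(void *p) {
    uint8_t *u = p, *first = FIRST_HDR + sizeof(struct chunk_hdr);
    if (u < first || u >= CTL->next_fresh) return -1;   /* outside the user chunks, e.g. the control block */
    if ((size_t)(u - first) % STRIDE != 0) return -1;   /* not on a chunk boundary */
    struct chunk_hdr *h = (struct chunk_hdr *)(u - sizeof(struct chunk_hdr));
    if (h->cookie != CTL->cookie || !h->busy) return -1; /* corrupted header or double free */
    h->busy = 0;
    toy_free_unchecked(p);
    return 0;
}

/* Returns 1 when the redirected free lets the control block be handed out and
 * overwritten by a strdup-style copy, 0 when the free is refused. */
static int demo(int hardened) {
    toy_heap_init();
    char *holder = toy_alloc();            /* application chunk that stores a heap pointer */
    char *victim = toy_alloc();            /* the chunk that stored pointer refers to */
    void **slot = (void **)holder;
    *slot = victim;

    /* Step 2 of the post, simulated: the overflow zeroes the low digits of the
     * stored pointer (relative to the arena base), so it now points at the heap base. */
    size_t off = (size_t)((uint8_t *)victim - ARENA);
    *slot = ARENA + (off & ~(size_t)0xFFF);

    int refused = 0;
    if (hardened) refused = toy_free_checked(*slot) != 0;
    else          toy_free_unchecked(*slot);

    /* Step 3: a strdup-like alloc+memcpy of a caller-supplied string. */
    static const char filler[] = "XXXXXXXXXXXXXXXXXXXXXXXX";   /* constructed, 24 bytes + NUL */
    char *copy = toy_alloc();
    memcpy(copy, filler, sizeof filler);

    int ctl_handed_out = (copy == (char *)ARENA);
    int ctl_corrupted  = CTL->cookie != HEAP_COOKIE || CTL->commit_routine != default_commit;
    return !refused && ctl_handed_out && ctl_corrupted;
}

int main(void) {
    printf("unchecked free -> control block reused and overwritten: %d\n", demo(0));
    printf("checked free   -> control block reused and overwritten: %d\n", demo(1));
    return 0;
}
```

With the unchecked free, `demo(0)` returns 1: the masked pointer lands on the arena base, the free pushes it onto the free list, the next same-size allocation hands the control block back to the caller, and the string copy runs over the cookie and the commit routine pointer exactly as step 3 describes. With the checked free, `demo(1)` returns 0, because the bounds and header checks reject a pointer that is not a busy user chunk before it ever reaches the free list. The practical point for a defender is that a heap whose control block lives inside the arena it manages must treat every freed pointer as untrusted input.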

Or you can do it in one big step, which is visiting me in Tokyo in February :>

Anyway, cheers to Ben for this great technique! I'm hoping to exchange some beers/wine some day!

2 comments:

Carina said...

Spectacular, but I don't understand anything!!

antoheri said...
This comment has been removed by the author.