Thursday, April 05, 2007

Heap Feng Shui

With all of the hubbub over the ANI vulnerability over the last week, we neglected to mention a recent paper and preso that Alex gave at BlackHat Europe last week. There are three parts to any memory-based exploit:

1. the software vulnerability that allows memory to be overwritten
2. setting up the processes memory to contain information that you want it to contain.
3. the structure of the actual shellcode.

For recent browser-based vulnerabilities, it has been known how to use heap-spraying to put the shellcode into the process for awhile. However, it has become more difficult to actually overwrite a location that causes one to branch into that shellcode. Alex's paper describes how to use Javascript to force the heap into a particular configuration that the hacker desires to take advantage of a vulnerability. To get there, you have to take a reverse engineering trip through several layers of abstraction in the software. Very elegant!

Enjoy the read pointer.


Post a Comment

<< back