Nytro

Blackhat Eu 2013 - Advanced Heap Manipulation In Windows 8

Description: With the introduction of Windows 8, previously publicly known heap/kernel pool overflow exploitation techniques are dead because of exploit mitigation improvements. There are indications that compromising application-specific data, which is facilitated by heap manipulation, is getting more popular for future exploitation.

How can the heap state be predicted deterministically to the greatest possible extent?

The traditional manipulation technique (for both the kernel pool and the user heap) is to consistently defragment the heap so that future allocations become adjacent, and then make holes in these allocations to let the vulnerable buffer, which has a similar size, fall into one of them.

In the user heap a new LFH allocator was introduced; the randomized alloc/free and guard pages make this technique hard to get working.

Beyond that, the traditional technique has some limitations, such as the size of the vulnerable buffer and the type of data structure that can be chosen as the attacking target (especially in the kernel pool), which together mean it can no longer be considered a generic solution.

This talk aims to provide an advanced method for precisely manipulating heap layout (kernel pool and user heap) by standing on the shoulders of a giant: "Heap Feng Shui". Arbitrarily sized vulnerable buffers can be covered with our more generic method, which paves the way toward further interesting discoveries for security researchers. A reliable demo will be explained at the end of this section.

By setting up the heap in a controlled state, some specific vulnerability scenarios can be exploited easily and reliably.

In the following practical sections, the talk is divided into two parts:

1: Kernel pool:

I will show how to plant a desired kernel object at a fixed, known address, and then demo exploits against write-what-where vulnerability scenarios.

Furthermore, some attacks which need sufficient control of the kernel pool and precise size information (e.g. the "block size attack" presented by Tarjei in his BH USA 2012 talk) may make use of this research.

I will also show how a carefully crafted kernel pool layout combined with application data corruption can lead to a reliable exploit in kernel pool overflow scenarios.

2: User heap:

I will discuss the possibility of heap determinism in the Windows 8 user heap, and use a demo to prove that reliable heap exploitation is still achievable in some circumstances with proper heap layout crafting.

Presented By:

Zhenhua 'Eric' Liu

For more information please visit: Black Hat | Europe 2013 - Briefings

Source: Blackhat Eu 2013 - Advanced Heap Manipulation In Windows 8
