1

Jonathan Afek, 1/8/07, BlackHat USA

Dangling PointerDangling Pointer

� What is a Dangling Pointer?

� Code Injection

� Object Overwriting

Demonstration

Table of Contents

2

� Demonstration

� Remediation

� Summary

� Q&A

Pointer3

What is a Dangling Pointer?

Invalid Pointer:

� Real Life Example

� Dangerous

Exploitable

Pointer1 Pointer2Dangling

Pointer

3

Deleted

ObjectNew DataObject

3

� Exploitable

� Common

ObjectObject

Pointer3 = new Object();…delete Pointer3;…Pointer3->func();

Application Code:

Overwritethe object

Pointer

What is a Dangling Pointer?

� Assembly

– Memory Layout

4

– Registers

– Assembly code

� What is a Dangling Pointer?

� Code Injection

� Object Overwriting

Demonstration

Where are We

5

� Demonstration

� Remediation

� Summary

� Q&A

Code Injection – The Layout of an Object

� Class_A:

class Class_A

{

int member_of_A;

vfunc_A1 CodeClass_A VFTableInstance_A memory

vfunc_A1 address

vfunc_A2 address

VFTABLE Pointer

member_of_AAssembly code

vfunc_A3 address

6

};

int member_of_A;

public:

virtual long vfunc_A1();

virtual long vfunc_A2();

virtual long vfunc_A3();

static void sfunc_A();

void funcA();

};

{

...

this.vfunc_A3();

...

}

……MOV EAX, [ECX]

CALL [EAX + 8]

……

vfunc_A2 Code

Assembly code

vfunc_A3 address

vfunc_A3 Code

Assembly code

Code Injection – The Double Reference Exploit

Exploit Overview:

– Free the Object

– Overwrite the Object

– Execute a Virtual Function

77

Shellcode

Finding a “VFTable”

Code Injection – The Double Reference Exploit

� Object Allocated

� Object De-allocated

� Overwriting Object

� VFunc3 Executed

Application Code:

8

Original ObjectFreed Space

delete a;a->v_func3();a = new A();

Pointer

“VFTABLE”

8

Memory Junk

Memory Junk

Pointer

Memory Junk

Memory Junk

“VFTABLE” Pointer

CALL/JMP ECX

ECX – Original Object

Application Code:

……MOV EAX, [ECX]

CALL [EAX + 8]

……

EAX – “VFTABLE”

SHELLCODE

� What is a Dangling Pointer?

� Code Injection

� Object Overwriting

Demonstration

Where are We

9

� Demonstration

� Remediation

� Summary

� Q&A

Object Overriding

� Allocation Implementation

– C-Runtime heap

– C-Runtime functions

• Malloc

• Free

1010

• Free

• New

• Delete

• Etc.

Object Overriding

� Allocation implementation details

– Lookaside List: Cache De-allcated Memory

• A list for each size (8-1024) (8)

• First Allocation Priority

11

Another De-Allocated

Buffer

NULL

40

Bytes

A De-Allocated Buffer

Next Buffer Pointer

40

Bytes

11

40 bytes

Lookaside list

base pointer

Object Overriding

� Exploit Review

� Overwriting

– Search for Allocations

• DisassemblyPointer3Dangling

Pointer

1212

• Same Size

• Controllable Content

Deleted

ObjectNew DataObject

Pointer3 = new Object();…delete Pointer3;…Pointer3->func();

Application Code:

Overwritethe object

Pointer

Object Overriding – The VFTABLE Exploit

� Empty the Lookaside List

� Allocate a Buffer

� Insert Content

……MOV EAX, [ECX]

� Free the Buffer

� Free the Object

� Execute a VFunc

13

Pointer

New Buffer

SHELLCODE

SHELLCODE

Rest of

SHELLCODE

Pointer

“VFTABLE”

“VFTABLE” Pointer

CALL/JMP EAX

Original Object

NULL

MOV EAX, [ECX]

CALL [EAX + 8]

……

ECX – Original Object EAX – “VFTABLE”

Object Overriding – The Lookaside Exploit

� Empty the Lookaside

� Allocate Two Buffers

� Insert Shellcode

� Free One Buffer

� Free the Other

� Free the Object

� Trigger the Bug

1414

The De-Allocated

Buffer

Pointer

A Function

Pointer

…

The De-Allocated

Object

Pointer

A VFTABLE

Pointer

…

The Shellcode

Buffer

NULL

ShellcodeGAME OVER!!!GAME OVER!!!

Object Overriding – The Lookaside Exploit

� Executing NULL – NO Problem

1515

Summary

� Double Reference Exploit

– Controllable First DWORD

– Static Address

� VFTABLE Exploit

– Controllable Allocations

16

– Controllable Allocations

– No First DWORD

– Static Address

� Lookaside Exploit

– Controllable Allocations

– No First DWORD

– No Static Address

– Destructor Execution

� What is a Dangling Pointer?

� Code Injection

� Object Overwriting

Demonstration

Where are We

17

� Demonstration

� Remediation

� Summary

� Q&A

Demonstration

� Putting it Together

– De-Allocate

– Inject

– Trigger

18

� What is a Dangling Pointer

� Code Injection

� Object Overwriting

Demonstration

Where are We

19

� Demonstration

� Remediation

� Summary

� Q&A

Remediation

� Known Protection Mechanisms

– NX Bit

– ASLR

� VFTABLE Sanitation

20

� Safe Programming

Summary

� Technical Background

– Memory Allocations

– Objects Implementation

� Exploits

21

– Double Reference Exploit

– VFTABLE Exploit

– Lookaside Exploit

� Demonstration

– Microsoft IIS 5.1

� Dangling Pointer

– Only Object Oriented Objects

More Information

� www.Watchfire.com

22

Questions

� Ask Away…

23