```c
char fbsd_execve[] = "\x99\x52\x68\x6e\x2f" "\x73\x68\x68\x2f\x2f" "\x62\x69\x89\xe3\x51" "\x52\x53\x53\x6a\x3b" "\x58\xcd\x80";
```
Copyright (c) 2005 Arbro, Taiwan Explorer Club. 2005-01-22
chrO.ot

Heap and BSS Overflow I
Arbro, 2005, [email protected]
Agenda
- Popular overflow: Stack-based Overflows
- Introduction of Heap and Data/BSS
- Verify exploitation
- Sensitive heap data of functions
- Reference
Popular overflow: Stack-based Overflows

Stack frame layout (figure on the slide), from high addresses down to low addresses:
- b
- a
- Return address (RET)
- Stack frame pointer (SFP), where the frame pointer (EBP) points
- Flag
- Buffer
- ...
Introduction of Heap and Data/BSS
- Memory location
- Heap and BSS
- Idea of evil
Memory location of Heap and BSS

Process memory layout (figure on the slide), from low address to high address:
- text (code) segment
- data segment
- bss segment
- heap segment
- stack segment

The heap grows down toward higher memory addresses.
The stack grows up toward lower memory addresses.
Heap and BSS
- Less noticed
- Not discrete but seriate
- Most are system and architecture independent, including those with non-executable heaps
- "Memory that is dynamically allocated by the application is known as the heap."
- "Heap-based overflow" refers to both heap and data/bss sections
Heap and BSS (cont.)
- Heap
  - Dynamically allocated by the application.
  - Initialized at compile-time.
- BSS
  - Uninitialized data.
  - Allocated at run-time.
  - Until it is written to, it remains zeroed (or at least from the application's point-of-view).
Idea of evil
- File stealing
  - Overwrite a file: password, user, ...etc.
  - Overwrite a configuration file: for a SUID executable program
- Function pointer stealing
  - Execute a shellcode
  - Execute something else, limited only by personal creativity.
Verify exploitation
Verify exploitation (cont.)

```c
#include <stdio.h>

#define BUFSIZE 16   /* buffer size is not given on the slide; 16 is assumed */

int goodfunc(const char *str); /* funcptr starts out pointing here */

int main(int argc, char **argv)
{
    static char buf[BUFSIZE];                 /* static: lives in the BSS ...   */
    static int (*funcptr)(const char *str);   /* ... directly after buf         */
    /* ... body elided on the slide ... */
    return 0;
}

/* This is what funcptr would point to if we didn't overflow it */
int goodfunc(const char *str)
{
    /* blahblah; -- placeholder body on the slide */
    (void)str;
    return 0;
}
```
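As an added example (not code from the slides or from w00w00), the situation the skeleton above illustrates, modelled so the outcome can be checked: a static buffer with a function pointer placed right after it, filled once by an unbounded copy and once by a bounded one, followed by a check before the indirect call. `goodfunc`, `bss_model`, `fill_unbounded`, `fill_bounded` and `call_checked` are hypothetical names, and the flat byte array standing in for two adjacent static variables is a modelling assumption.

```c
#include <string.h>

#define BUFSIZE 16
typedef int (*handler_t)(const char *);

/* Hypothetical target standing in for the slide's goodfunc(). */
static int goodfunc(const char *str) { return (int)strlen(str); }
/* Model of the slide's BSS layout: buf[BUFSIZE] followed directly by the
 * function pointer. A flat static byte array is used so the overwrite is
 * observable regardless of how a compiler orders two static variables
 * (modelling assumption); the slack keeps the demo write inside the array. */
static unsigned char bss_model[BUFSIZE + sizeof(handler_t) + 32];

static void set_funcptr(handler_t h) { memcpy(bss_model + BUFSIZE, &h, sizeof h); }
static handler_t get_funcptr(void)
{
    handler_t h;
    memcpy(&h, bss_model + BUFSIZE, sizeof h);
    return h;
}

/* Vulnerable pattern: copy length taken from the input, not from buf.
 * Returns 1 if funcptr still points at goodfunc afterwards, 0 if not. */
int fill_unbounded(const char *in)
{
    set_funcptr(goodfunc);
    memcpy(bss_model, in, strlen(in));   /* runs past buf into funcptr */
    return get_funcptr() == goodfunc;
}

/* Hardened form: bounded by the destination and always NUL-terminated. */
int fill_bounded(const char *in)
{
    size_t n = strlen(in);
    set_funcptr(goodfunc);
    if (n > BUFSIZE - 1)
        n = BUFSIZE - 1;                 /* truncate instead of spilling over */
    memcpy(bss_model, in, n);
    bss_model[n] = '\0';
    return get_funcptr() == goodfunc;
}

/* Defensive indirect call: refuse to dispatch through a pointer that no
 * longer matches the one target this program expects (-1 = tampered). */
int call_checked(const char *arg)
{
    handler_t h = get_funcptr();
    if (h != goodfunc)
        return -1;
    return h(arg);
}
```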
Sensitive heap data of functions I (from w00w00)

| Functions | Examples include |
|---|---|
| `*gets()/*printf(), *scanf()` | `__iob` (FILE) structure in heap |
| `popen()` | `__iob` (FILE) structure in heap |
| `*dir()` (`readdir`, `seekdir`, ...) | DIR entries (dir/heap buffers) |
| `atexit()` | static/global function pointers |
| `strdup()` | Allocates dynamic data in the heap |
| `getenv()` | Stored data on heap |
Sensitive heap data of functions II (from w00w00)

| Functions | Examples include |
|---|---|
| `tmpnam()` | Stored data on heap |
| `malloc()` | Chain pointers |
| rpc callback function | Function pointers |
| windows callback functions | Function pointers kept on heap |
| signal handler pointer in cygnus (gcc for win) | Function pointers (note: unix tracks these in the kernel, not in the heap) |
Reference
- http://www.w00w00.org/files/heaptut/ (Chinese version, English version)
- Hacking – The Art of Exploitation, by Jon Erickson, ISBN 1-59327-007-0