exploits & mitigations - memory corruption techniques
Topics to cover
• Stack buffer overflow, DEP
• ROP attacks and mitigations
• Heap spray
• Abusing vptrs
• Use after free
• Flash exploitation
• Heap memory management
• Mitigations
ROP Attack
• Defeat DEP: reuse code that is already executable instead of injecting new code
• Shift the stack location: a stack pivot moves esp into an attacker-controlled area
• Chain of small gadgets: each gadget ends in ret, so every ret pulls the next gadget address off the attacker-controlled stack
[Figure: stack pivot. Left: the original stack. Right: esp moved by a stack pivot into the attacker-controlled area holding the gadget chain]
ROP Attack
CODE                                ACTION
0x02010000: pop eax ; ret           eax = 1
0x02010020: pop ebx ; ret           ebx = 2
0x02010030: add eax, ebx ; ret      eax = eax + ebx

Attacker-controlled stack, lowest address first: 0x02010000, 1, 0x02010020, 2, 0x02010030. Each ret consumes the next dword as the new eip; each pop consumes the dword after it as data.
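The chain above is short enough to trace by hand, but the mechanics (ret as the "next gadget" instruction, pop as the data-fetch, a pivot to move esp into attacker data) are easier to see in a running model. The following C program is an added example, not part of the slides: it simulates a 32-bit CPU with just enough state (eax, ebx, esp, eip) to execute the slide's three gadget addresses plus one assumed pivot gadget (`xchg eax, esp ; ret` at 0x02010040, an address the slides do not give). The memory layout (MEM_BASE, HEAP_BUF, STACK_TOP) is constructed for the demo; it assumes the hijacked function returns while eax points at the attacker's heap buffer, which is the common situation after a vtable-call hijack.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Gadget addresses from the slide; the pivot gadget is an assumption added for the demo */
#define G_POP_EAX_RET      0x02010000u  /* pop eax ; ret                                  */
#define G_POP_EBX_RET      0x02010020u  /* pop ebx ; ret                                  */
#define G_ADD_EAX_EBX_RET  0x02010030u  /* add eax, ebx ; ret                             */
#define G_XCHG_EAX_ESP_RET 0x02010040u  /* xchg eax, esp ; ret (assumed stack-pivot gadget) */
#define CHAIN_END          0u           /* simulator-only terminator: "chain finished"    */

/* Constructed flat 32-bit memory: 256 dwords mapped at MEM_BASE */
#define MEM_BASE   0x00100000u
#define MEM_WORDS  256u
#define HEAP_BUF   (MEM_BASE + 0x000u)  /* attacker-controlled heap buffer holding the chain */
#define STACK_TOP  (MEM_BASE + 0x300u)  /* where the victim's saved return address sits     */
static uint32_t mem[MEM_WORDS];

typedef struct { uint32_t eax, ebx, esp, eip; } cpu_t;

static int      in_mem(uint32_t a)           { return a >= MEM_BASE && a < MEM_BASE + MEM_WORDS * 4; }
static uint32_t ld32(uint32_t a)             { return mem[(a - MEM_BASE) / 4]; }
static void     st32(uint32_t a, uint32_t v) { mem[(a - MEM_BASE) / 4] = v; }

/* pop: read the dword at esp, then esp += 4 */
static uint32_t pop32(cpu_t *c) { uint32_t v = ld32(c->esp); c->esp += 4; return v; }

/* Execute the gadget at eip, then its trailing ret. 1 = continue, 0 = chain done, -1 = fault */
static int step(cpu_t *c) {
    if (!in_mem(c->esp)) return -1;
    switch (c->eip) {
    case G_POP_EAX_RET:      c->eax = pop32(c); break;
    case G_POP_EBX_RET:      c->ebx = pop32(c); break;
    case G_ADD_EAX_EBX_RET:  c->eax += c->ebx;  break;
    case G_XCHG_EAX_ESP_RET: { uint32_t t = c->eax; c->eax = c->esp; c->esp = t; break; }
    case CHAIN_END:          return 0;
    default:                 return -1;  /* eip is not a gadget: a real CPU would fault here */
    }
    if (!in_mem(c->esp)) return -1;
    c->eip = pop32(c);                   /* ret: next gadget address comes off the stack */
    return 1;
}

/* Lay out the attack: the chain lives in the heap buffer, the stack only holds the pivot */
static void setup_attack(void) {
    memset(mem, 0, sizeof mem);
    uint32_t a = HEAP_BUF;
    st32(a, G_POP_EAX_RET);     a += 4;  /* pop eax ; ret                  */
    st32(a, 1);                 a += 4;  /*   data consumed by pop: eax = 1 */
    st32(a, G_POP_EBX_RET);     a += 4;  /* pop ebx ; ret                  */
    st32(a, 2);                 a += 4;  /*   data consumed by pop: ebx = 2 */
    st32(a, G_ADD_EAX_EBX_RET); a += 4;  /* add eax, ebx ; ret -> eax = 3   */
    st32(a, CHAIN_END);                  /* end of chain                   */
    /* The overflow overwrote the saved return address with the pivot gadget */
    st32(STACK_TOP, G_XCHG_EAX_ESP_RET);
}

/* Simulate the hijacked function's ret with eax pointing at the heap buffer.
 * Returns the final eax (3 if the chain ran to completion). */
static uint32_t run_attack(void) {
    setup_attack();
    cpu_t c = { .eax = HEAP_BUF, .ebx = 0, .esp = STACK_TOP, .eip = 0 };
    c.eip = pop32(&c);                   /* victim's ret lands on the pivot gadget */
    int r;
    while ((r = step(&c)) == 1) ;
    return r == 0 ? c.eax : 0xdeadbeefu;
}

int main(void) {
    printf("eax after chain = %u\n", run_attack());
    return 0;
}
```

The pivot is what makes the "shifting the stack location" bullet concrete: after `xchg eax, esp`, every subsequent ret reads from the heap buffer, so the attacker needs to control only one dword on the real stack. The stack-limit check listed under the mitigations catches exactly this state, since esp no longer lies inside the thread's stack bounds when the chain reaches an API.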
ROP Mitigations
• ASLR: gadget addresses are not predictable without an information leak
• Stack limit check during API calls: esp must lie within the thread's stack bounds, which catches a pivoted stack
• Caller check: the API must be reached through a call instruction; arriving via a retn instruction marks a return-oriented call
• SimExecFlow: emulate the instructions after the API returns to detect further ret-terminated gadgets
Use after Free
• Dangling pointer: a reference that still points at an object after it has been freed
• AddRef() keeps a count of direct references; the object is freed only when the last holder releases it
• Vulnerability: after the free, the attacker replaces the object with another allocation of the same size, so any use through the dangling pointer operates on attacker-controlled data
Heap Memory Management
• Front-end allocators
  – Lookaside lists
  – Low Fragmentation Heap
• Back-end allocator
  – FreeLists
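The two slides above fit together: a use-after-free becomes exploitable because the allocator's front end hands the freed block straight back to the next same-size request. The C program below is an added example, not code from the slides: it implements a toy lookaside-style LIFO free list (a single block size, with the "next" link stored inside the freed block as real allocators do), then shows the dangling-pointer scenario from the use-after-free slide and the AddRef()/Release() fix. The pool, the `obj_t` layout and the `GOOD_VTABLE` value are constructed for the demo; nothing here is Windows heap code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy front-end allocator: one lookaside-style LIFO free list for a single block size.
 * A freed block stores the "next" link in its first bytes, as real allocators do. */
#define BLOCK_SIZE  32
#define POOL_BLOCKS 8
static union { uint8_t bytes[BLOCK_SIZE]; uintptr_t align; } pool[POOL_BLOCKS];
static void  *free_head;   /* most recently freed block */
static size_t pool_used;   /* blocks handed out from the untouched region */

static void pool_init(void) { free_head = NULL; pool_used = 0; }

static void *pool_alloc(void) {
    if (free_head) {                              /* lookaside hit: last freed block first */
        void *b = free_head;
        memcpy(&free_head, b, sizeof free_head);  /* follow the embedded link */
        return b;
    }
    if (pool_used < POOL_BLOCKS) return pool[pool_used++].bytes; /* back end: fresh block */
    return NULL;
}

static void pool_free(void *b) {
    memcpy(b, &free_head, sizeof free_head);      /* link stored inside the freed block */
    free_head = b;
}

/* A C++-like object: the first field plays the role of the vptr. */
typedef struct {
    uintptr_t vptr;
    int       refcount;
    char      name[16];
} obj_t;

#define GOOD_VTABLE ((uintptr_t)0x10002000u)      /* assumed legitimate vtable address */

static obj_t *obj_new(void) {
    obj_t *o = pool_alloc();
    if (!o) return NULL;
    o->vptr = GOOD_VTABLE;
    o->refcount = 1;
    strcpy(o->name, "victim");
    return o;
}
static void obj_addref(obj_t *o)  { o->refcount++; }
static void obj_release(obj_t *o) { if (--o->refcount == 0) pool_free(o); }

/* Lookaside reuse order: free x then y, and the next allocation returns y (LIFO). */
static int lifo_reuse_is_last_freed(void) {
    pool_init();
    void *x = pool_alloc(), *y = pool_alloc();
    pool_free(x);
    pool_free(y);
    return pool_alloc() == y;
}

/* Vulnerable: a second holder keeps a raw pointer without taking a reference. */
static uintptr_t uaf_vptr_seen(void) {
    pool_init();
    obj_t *a = obj_new();            /* owner A, refcount 1 */
    obj_t *b = a;                    /* B copies the pointer, no AddRef */
    obj_release(a);                  /* refcount 0 -> freed; b now dangles */
    uint8_t *spray = pool_alloc();   /* attacker's same-size allocation gets the same block */
    memset(spray, 0x41, BLOCK_SIZE); /* attacker-chosen contents overwrite the old vptr */
    return b->vptr;                  /* a virtual call through b would dereference this */
}

/* Fixed: B takes a reference, so the object outlives A's release. */
static uintptr_t refcounted_vptr_seen(void) {
    pool_init();
    obj_t *a = obj_new();
    obj_t *b = a;
    obj_addref(b);                   /* refcount 2 */
    obj_release(a);                  /* refcount 1, block stays allocated */
    uint8_t *spray = pool_alloc();   /* gets a different, fresh block */
    memset(spray, 0x41, BLOCK_SIZE);
    uintptr_t v = b->vptr;           /* still the legitimate vtable */
    obj_release(b);                  /* refcount 0 -> freed only now */
    return v;
}

int main(void) {
    printf("LIFO reuse: %d\n", lifo_reuse_is_last_freed());
    printf("dangling vptr: 0x%llx\n", (unsigned long long)uaf_vptr_seen());
    printf("refcounted vptr: 0x%llx\n", (unsigned long long)refcounted_vptr_seen());
    return 0;
}
```

In the vulnerable path the value read through the dangling pointer is the attacker's 0x41 fill, which is what a virtual call would then dereference as a vtable; in the reference-counted path it is still GOOD_VTABLE. Whether a real allocator returns the same block this readily depends on its front end (lookaside versus Low Fragmentation Heap) and on the state of its free lists, which is why heap-layout work such as Heap Feng Shui precedes the replacement step in practice.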
References
• Mechanism behind IE CVE-2014-1776
• Heap Feng Shui in JavaScript
• Ubiquitous Flash, Ubiquitous Exploits
• kBouncer: Efficient and Transparent ROP Mitigation
• Bypassing EMET 4.1