Exploits and Mitigations Memory Corruption Techniques Sameer Patil CysInfo
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Exploits and MitigationsMemory Corruption Techniques
Sameer PatilCysInfo
Topics to cover
• Stack bof, DEP• ROP attacks and Mitigations• Heap Spray• Abusing vptrs• Use After Free• Flash exploitations• Heap Memory Management• Mitigations
Virtual Memory Mapping
Stack BOF
• EIP overwrite• Mitigation-> DEP
ROP Attack
• Defeat DEP• Shifting the stack location• Chain of small gadgets
Original
Stack
Attacker
Controlled
area
Stack Pivot
ROP Attack
CODE
0x02010000:pop eaxret...
0x02010020:pop ebxret...
0x02010030:add eax, ebxret...
ACTION
eax = 1
ebx = 2
eax = eax + ebx
ROP Mitigations
• ASLR• Stack limit check during API call (caller check)• API call using retn instruction• SimExecFlow
Heap Spray
• Introduced by skylined• Overwrite EIP• Payload-> NOP + shellcode
Virtual Functions and vptrs
Abusing vptrs
Use after Free
• Dangling pointer• Addref() to keep count of direct references• Vulnerability- Replace object with another
object
Flash Exploitation (CVE-2014-1776)
ROP chain
Heap Memory Management
• Front-End Allocators– LookAside Lists– Low Fragmentation Heap
• Back End Allocator– FreeLists
Mitigations
• Isolated Heap• MemoryProtect• Vector and bytearray objects hardening• ROP mitigations
References
• Mechanism behind IE CVE-2014-1776• Heap Feng Shui in JavaScript• UBIQUITOUS FLASH, UBIQUITOUS EXPLOITS• kBouncer: Efficient and Transparent ROP
Mitigation• Bypassing EMET 4.1
Thank You!
Related Documents
![Fermín J. Serna - Exploits & Mitigations: EMET [RootedCON 2010]](https://static.cupdf.com/doc/110x72/555c4312d8b42a0b038b4f96/fermin-j-serna-exploits-mitigations-emet-rootedcon-2010.jpg)
