The exploitation of heap corruption vulnerabilities on the Windows platform has become increasingly difficult since the introduction of XP SP2. Heap protection features such as safe unlinking and heap cookies have been successful in stopping most generic heap exploitation techniques. Methods for bypassing the heap protection exist, but they require a great degree of control over the allocation patterns of the vulnerable application.
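As an added illustration of the safe-unlinking check mentioned above (this is not code from the original post or from heapLib), the C model below builds a small doubly-linked free list, simulates a clobbered forward pointer, and shows the check refusing to unlink the corrupted entry; the `list_entry` layout and `demo_safe_unlink` are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal model of a doubly-linked free-list entry (the shape of the
 * Windows heap's LIST_ENTRY); constructed for this illustration. */
typedef struct list_entry {
    struct list_entry *flink;
    struct list_entry *blink;
} list_entry;

/* Safe unlinking, as introduced with XP SP2: before the neighbours are
 * modified, verify that both still point back at the entry being removed.
 * On a corrupted entry the function refuses and leaves memory untouched,
 * which is what stops the old generic unlink-based write. */
static bool unlink_safe(list_entry *e) {
    if (e->flink->blink != e || e->blink->flink != e)
        return false;
    e->blink->flink = e->flink;
    e->flink->blink = e->blink;
    return true;
}

/* Build the circular list head <-> a <-> b, optionally simulate an overflow
 * that clobbers a's forward pointer, then try to unlink a.
 * Returns 1 when a was unlinked and the list is still consistent,
 * 0 when safe unlinking rejected the entry. */
int demo_safe_unlink(bool corrupt) {
    static list_entry bogus = { NULL, NULL }; /* stand-in for an overwritten pointer */
    list_entry head, a, b;
    head.flink = &a; a.blink = &head;
    a.flink = &b;    b.blink = &a;
    b.flink = &head; head.blink = &b;
    if (corrupt)
        a.flink = &bogus; /* bogus.blink != &a, so the check must fail */
    if (!unlink_safe(&a))
        return 0;
    return (head.flink == &b && b.blink == &head) ? 1 : 0;
}

int main(void) {
    printf("intact list: %d (expect 1)\n", demo_safe_unlink(false));
    printf("corrupted list: %d (expect 0)\n", demo_safe_unlink(true));
    return 0;
}
```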
We will focus on Internet Explorer exploitation, but the general techniques presented here are potentially applicable to any other browser or scripting environment.
```javascript
// Create a heapLib object for Internet Explorer
var heap = new heapLib.ie();

heap.gc(); // Run the garbage collector before doing any allocations

// Allocate 512 bytes of memory and fill it with padding
heap.alloc(512);

// Allocate a new block of memory for the string "AAAAA" and tag the block with "foo"
heap.alloc("AAAAA", "foo");

// Free all blocks tagged with "foo"
heap.free("foo");
```
Posted by Dion Almaer at 9:47 am