- 1. This document has 59 pages in total; all of it can be read.
Reliable Windows Heap Exploits.ppt
Reliable Windows Heap Exploits
Matt Conover, Oded Horovitz

Agenda
- Introduction to heap exploits
- Windows heap internals
- Arbitrary memory overwrite explained
- Applications for arbitrary memory overwrite + exploitation demos
- Special notes for heap shellcodes
- XP SP2
- Q&A

Introduction
- Heap vulnerabilities become mainstream
- DCOM, Messenger, MSMQ, Script Engine
- Need to be an expert to exploit them
- David Litchfield – “Windows Heap Overflows”
- LSD – “Microsoft windows RPC security vulnerabilities”
- Dave Aitel – “Exploiting the MSRPC heap overflow I,II”
- Halvar – “3rd Generation exploits”

Introduction
- Even experts use some voodoo magic as the main ingredient of exploits
- Making a 4-byte overwrite is guesswork
- Failures are not well understood
- Available exploits are service pack dependent
- Shellcode address is not known
- During exception handling, a pointer to the buffer can be found on the stack (in the exception record)
- The address of an instruction that accesses the stack is needed, which is SP dependent

Windows Heap Internals
What Is Covered
- Heap internals that can aid in exploitation
- Heap process relations
- The heap main data structures
- The algorithms for allocate & free
Not Covered
- Heap internals that will bore you to death
- Stuff that is not directly related to exploit reliability
- Algorithms for “slow” allocation or heap debugging

Windows Heap Internals
- Many heaps can coexist in one process

Windows Heap Internals
- Heap starts with one big segment
- Most segment memory is only reserved
- Heap management is allocated from the heap!

Windows Heap Internals
- Important heap structures

Windows Heap Internals
Segment management
- Segment limits (in pages)
- List of uncommitted blocks
- Free/Reserved pages count
- Pointer to “Last entry”

Windows Heap Internals
Free List management
- 128 doubly linked lists of free chunks
- Chunk size is table row index * 8 bytes
- Entry [0] is an exception, contains buffers of 1024 size “Virtual allocation threshold”, sorted from small to big

Windows Heap Internals
Free List Usa
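
The free-list table described in the slides above, as an added C model that is not code from the original presentation: 128 doubly linked lists, row index = chunk size / 8, and row 0 kept sorted from small to big. The struct and function names are assumptions of this example, as is the boundary that any chunk of 1024 bytes or more lands in row 0; real chunk headers carry more fields than shown.

```c
#include <stddef.h>
#include <stdio.h>
#define NUM_LISTS   128   /* 128 free lists, per the slide */
#define GRANULARITY 8     /* chunk size = table row index * 8 bytes */

/* Simplified free chunk; the field names are assumptions of this model. */
typedef struct chunk {
    size_t size;                  /* bytes, a multiple of 8 */
    struct chunk *flink, *blink;  /* doubly linked list pointers */
} chunk_t;

static chunk_t free_lists[NUM_LISTS];  /* one sentinel head per row */
void freelist_init(void) {
    for (int i = 0; i < NUM_LISTS; i++)
        free_lists[i].flink = free_lists[i].blink = &free_lists[i];
}

/* Rows 1..127 hold one size each; anything larger goes to row 0
   (assumed boundary: size >= 1024). */
size_t freelist_index(size_t size) {
    size_t idx = size / GRANULARITY;
    return idx < NUM_LISTS ? idx : 0;
}

void freelist_insert(chunk_t *c) {
    size_t idx = freelist_index(c->size);
    chunk_t *head = &free_lists[idx], *pos = head->flink;
    if (idx == 0)  /* row 0 stays sorted from small to big */
        while (pos != head && pos->size < c->size)
            pos = pos->flink;
    c->flink = pos;            /* link c in just before pos */
    c->blink = pos->blink;
    pos->blink->flink = c;
    pos->blink = c;
}

/* Constructed sample: five free chunks of these sizes. */
static chunk_t sample[] = {{16, NULL, NULL}, {2048, NULL, NULL},
                           {1024, NULL, NULL}, {4096, NULL, NULL},
                           {16, NULL, NULL}};
void demo_build(void) {
    freelist_init();
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++)
        freelist_insert(&sample[i]);
}

int main(void) {
    demo_build();
    for (chunk_t *p = free_lists[0].flink; p != &free_lists[0]; p = p->flink)
        printf("row 0: %zu bytes\n", p->size);
}
```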