Modern Heap Exploitation using the Low Fragmentation Heap
Abstract
Exploit mitigation technologies have made reliable heap
exploitation increasingly difficult since the inception of the 4-byte
overwrite, over ten years ago. At the same time, applications needed to become
more stable without using absurd amounts of memory (Who doesn't keep their
web browser with multiple tabs open for days?). Heap memory management has
matured over time, but with complex new code comes new opportunity for
exploitation.
This presentation will focus on understanding the Low Fragmentation Heap on
Windows 7 (32-bit). After a foundation of integral concepts is laid, new
exploitation techniques will be thoroughly discussed. Finally, we will use
this newfound knowledge to leverage *supposed* non-exploitable
vulnerabilities. Specifically, we will cover a case study showing how to
craft an exploit for the IIS FTP 7.5 *denial of service*
(http://blogs.technet.com/b/srd/archive/2010/12/22/assessing-an-iis-ftp-7-5-unauthenticated-denial-of-service-vulnerability.aspx),
resulting in full control of EIP.
Speaker
Chris Valasek is the Senior Research Scientist for Accuvant LABS. His focus
on original research in areas such as vulnerability discovery, exploitation
techniques and reverse engineering has allowed him to contribute massive
results to the community in these niche areas. While Chris is best known
for his publications regarding the Microsoft Windows Heap, his research has
broken new ground in areas such as vulnerability discovery, exploitation
techniques, reverse engineering, source code and binary auditing, and
protocol analysis. Chris' most recent major speaking engagements include
"Understanding the Low Fragmentation Heap" (Black Hat USA 2010 / EkoParty
2010), "Defenseless in Depth" (BayThreat 2011) and "Exploitation in the
Modern Era (aka. The Blueprint)" (Blackhat Europe 2011).