ph-neutral header
welcome talks guest_info party history imprint darklab phenoelit twist4

Modern Heap Exploitation using the Low Fragmentation Heap


Exploit mitigation technologies have made reliable heap exploitation increasingly difficult since the inception of the 4-byte over write, over ten years ago. At the same time, applications needed to become more stable without using absurd amounts of memory (Who doesn't keep their web browser with multiple tabs open for days?). Heap memory management has matured over time, but with complex new code comes new opportunity for exploitation. This presentation will focus on understanding the Low Fragmentation heap on Windows 7 (32-bit). After a foundation of integral concepts is laid, new exploitation techniques will be thoroughly discussed. Finally, we will use this new found knowledge to leverage *supposed* non-exploitable vulnerabilities. Specifically we will cover a case study showing how to craft an exploit for the IIS FTP 7.5 *denial of service* ( unauthenticated-denial-of-service-vulnerability.aspx), resulting in full control of EIP.


Chris Valasek is the Senior Research Scientist for Accuvant LABS. His focus on original research in areas such as vulnerability discovery, exploitation techniques and reverse engineering has allowed him to contribute massive results to the community in these niche areas. While Chris is best known for his publications regarding the Microsoft Windows Heap, his research has broken new ground in areas such as vulnerability discovery, exploitation techniques, reverse engineering, source code and binary auditing, and protocol analysis. Chris' most recent major speaking engagements include "Understanding the Low Fragmentation Heap" (Black Hat USA 2010 / EkoParty 2010), "Defenseless in Depth" (BayThreat 2011) and "Exploitation in the Modern Era (aka. The Blueprint)" (Blackhat Europe 2011).