advanced heap manipulation in windows 8 · advanced heap manipulation in windows 8. who am i....
TRANSCRIPT
![Page 1: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/1.jpg)
ADVANCED HEAP MANIPULATION IN WINDOWS 8
![Page 2: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/2.jpg)
Who Am I
Zhenhua(Eric) LiuSenior Security Researcher
Fortinet, Inc.
Previous:Dissecting Adobe ReaderX’s Sandbox: Breeding Sandworms@BlackHat EU 2012
![Page 3: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/3.jpg)
Agenda
0x01:Why start this research
0x02:Quick View of The Idea
0x03:Implementations
( Kernel Poll / User heap )
![Page 4: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/4.jpg)
Intro
![Page 5: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/5.jpg)
Why start this research.(Motivation)
Exploiting Memory corruption vulnerability are more difficult today
Windows 8: Exploit mitigation improvements.
![Page 6: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/6.jpg)
Possible ways for Sandbox bypassing
• Kernel Vulnerability
• 3rd-party plug-ins Vulnerability
• Sandbox flaws
![Page 7: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/7.jpg)
Windows 8 Kernel -- The patched Win 7 Kernel
A: NULL Dereference protection
B: Kernel pool integrity checks
C: Non-paged pool NX
D: Enhanced ASLR
E: SMEP/PXN
![Page 8: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/8.jpg)
Windows 8 User Heap-- determinism is at a all time low
A: High entropy Randomized LFH allocator
B: Guard pages
![Page 9: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/9.jpg)
What’s left
Matt Millerhttp://media.blackhat.com/bh-us-12/Briefings/M_Miller/BH_US_12_Miller_Exploit_Mitigation_Slides.pdf
![Page 10: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/10.jpg)
Why Application Specific Data attacking?
Application Specific data attacking are the future.- Ben Hawkes
Compromising Application Specific data are facilitated by heap manipulation
![Page 11: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/11.jpg)
What is ..
Pool Header
Vulnerable bufferSpecific data structure
Overflow
Pool Header
Overflow the target application’s data stored on the heap. Adjacent is the key!
![Page 12: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/12.jpg)
风水 feng shui
吴成槐
![Page 13: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/13.jpg)
0x2000x200
0x200 0x200
0x200
0x200
Taken
Free
Noise
Vul bufferDefragment
0x200 0x200 0x200 0x200 0x200 0x200
0x200 0x200 0x200 0x200 0x200 0x200 0x200 0x200
0x200 0x200 0x200 0x200 0x200 0x200 0x200 0x200
0x200 0x200 0x200 0x200 0x200 0x200 0x200 0x200
![Page 14: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/14.jpg)
0x2000x200
0x200 0x200
0x200
0x200
Taken
Free
Noise
Vul bufferMake Holes
0x200 0x200 0x200 0x200 0x200 0x200
0x200 0x200 0x200 0x200 0x200 0x200 0x200 0x200
0x200 0x200 0x200 0x200 0x200 0x200 0x200 0x200
0x200 0x200 0x200 0x200 0x200 0x200 0x200 0x200
![Page 15: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/15.jpg)
0x2000x200
0x200 0x200
0x200
0x200
vulnerable buffer will fall into this place
Taken
Free
Noise
Vul bufferAllocate vulnerable buffer
0x200 0x200 0x200 0x200 0x200 0x200
0x200 0x200 0x200 0x200 0x200 0x200 0x200 0x200
0x200 0x200 0x200 0x200 0x200 0x200 0x200 0x200
0x200 0x200 0x200 0x200 0x200 0x200 0x200 0x200
![Page 16: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/16.jpg)
The limitations 1:
Arbitrary size of vulnerable buffer?
We can not always find kernel object which size is the same as the vulnerable buffer, and it also contains the data structure for exploitation.
![Page 17: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/17.jpg)
The limitations 2:
Randomized LFH makes it failDefragment will trigger Randomized LFH,
vulnerable buffer will not fall into the hole we made.
![Page 18: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/18.jpg)
Target of This Reasearch• let the arbitrary vulnerable buffer adjacent with arbitrary data structure.• without triggering the LFH in user heap.
Overflow
![Page 19: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/19.jpg)
0x01: Quick View of The Idea
![Page 20: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/20.jpg)
Windows Objects in Kernel Vulnerability Exploitation
• How to place a desired object just behind the vulnerable buffer?
• Can we place something else other than object?
![Page 21: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/21.jpg)
FreeLists
B: For fast allocation and freeA: Doubly linked lists
C:LIFO manner
![Page 22: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/22.jpg)
Drawbacks
B: 0 allocation entropy
A: Metadata attacking
FreeLists are still been used in both kernel pool and user heap as of Windows 8.
![Page 23: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/23.jpg)
Control the FreeLists
http://sushibandit.com/wp-content/uploads/2010/04/belt.jpg
![Page 24: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/24.jpg)
3 ways to write into the FreeLists
2: Split big chunk when allocating. (Calculated FreeLists)
1: Direct free. (Fixed FreeLists)
3: Coalescence when freeing. (Calculated FreeLists)
![Page 25: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/25.jpg)
Splitting Pool Chunks process
![Page 26: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/26.jpg)
The Mandatory Search Technique
--To control the Freelists dynamically when allocating
• Force the FreeLists searching process to take place.• Force the searching result greater than requested.
![Page 27: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/27.jpg)
The Mandatory Search Technique
Evaluation
LookasideSearching
FreeListSearching
expand the pool usingMiAllocatePoolPages
and split
Success?
Success?
Return
ExallocatePoolWithTag Size?
Medium Pool
Large Pool
Y
Y Y
N
N
Small Pool
![Page 28: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/28.jpg)
The Mandatory Search Technique
Evaluation
LookasideSearching
FreeListSearchingSuccess?
Success?
Return
ExallocatePoolWithTag Size?
Medium Pool
Large Pool
Y
Y
N
Small Pool
RtlpFindEntry();RtlpHeapRemoveListEntry();// FreeListEntry is controlled
if (CommitSize < FreeListEntry ->Size){// Force the CommitSize smaller than// the FreeListEntry ‐>Size
RtlpCreateSplitBlock(); }return Chunk
![Page 29: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/29.jpg)
Taken
Free
Noise
Vul bufferThe target
The size 0x200 vulnerable buffer Directory Object (size 0xC0)
C00x200
![Page 30: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/30.jpg)
Taken
Free
Noise 0x01: Initial status
0x1000
0x1000
0x1000
0x1000
0x1000
![Page 31: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/31.jpg)
Taken
Free
Noise
0x808 0x7F8
0x808 0x7F8
0x02: Alloc 0x808 block
0x808 0x7F8
0x808 0x7F8
0x808 0x7F8
![Page 32: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/32.jpg)
Taken
Free
Noise
0x808
0x808
0x808
0x808
0x808
0x200 0x5F8
0x200 0x5F8
0x200 0x5F8
0x200 0x5F8
0x200 0x5F8
The same size as of vulnerable buffer
0x200
0x200
0x03: Alloc 0x5F8 block and make 0x200 hole
![Page 33: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/33.jpg)
Taken
Free
Noise
0x808
0x808
0x808
0x808
0x808
0x200 0x5F8
0x200 0x5F8
0x200 0x5F8
0x200 0x5F8
0x200 0x5F8
0x200
0x200
0x04: Alloc 0x200 block
![Page 34: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/34.jpg)
Taken
Free
Noise
0x808
0x808
0x808
0x808
0x808
0x200 0x5F8
0x200 0x5F8
0x200 0x5F8
0x200 0x5F8
0x200 0x5F8
0x200
0x200
0x05: Free 0x5F8 block
![Page 35: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/35.jpg)
Taken
Free
Noise
0x808
0x808
0x808
0x808
0x808
0x200
0x200
0x200
0x200
0x200
0xC0 0x538
0xC0 0x538
0xC0 0x538
0xC0 0x538
0xC0 0x538
0x200
0x200
0x06: Alloc 0x538 block and make 0xC0 hole
![Page 36: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/36.jpg)
Taken
Free
Noise
0x808
0x808
0x808
0x808
0x808
0x200
0x200
0x200
0x200
0x200
0xC0 0x538
0xC0 0x538
0xC0 0x538
0xC0 0x538
0xC0 0x538
Data structure we want corruption to
0x200
0x200
0x07: Alloc 0xC0 block
![Page 37: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/37.jpg)
Taken
Free
0x808 0x200 0xC0 0x538
0x808 0x200 0xC0 0x5380x808 0x200 0xC0 0x5380x808 0x200 0xC0 0x5380x808 0x200 0xC0 0x5380x808 0x200 0xC0 0x5380x808 0x200 0xC0 0x5380x808 0x200 0xC0 0x5380x808 0x200 0xC0 0x5380x808 0x200 0xC0 0x538
0x200
Noise
Vul buffer0x08: Make 0x200 Holes
0x200
![Page 38: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/38.jpg)
Taken
Free
0x808 0x200 0xC0 0x538
0x808 0x200 0xC0 0x5380x808 0x200 0xC0 0x5380x808 0x200 0xC0 0x5380x808 0x200 0xC0 0x5380x808 0x200 0xC0 0x5380x808 0x200 0xC0 0x5380x808 0x200 0xC0 0x5380x808 0x200 0xC0 0x5380x808 0x200 0xC0 0x538
0x200
Noise
Vul buffer
0x200
Trigger the vulnerability: vulnerable buffer will fall into one of the holes eventually
![Page 39: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/39.jpg)
Demo of this section
![Page 40: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/40.jpg)
0x02: Implementation in Kernel Pool
![Page 41: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/41.jpg)
Allocation Algorithm pre‐view
Evaluation
LookasideSearching
FreeListSearching
expand the pool usingMiAllocatePoolPages
and split
Success?
Success?
Return
ExallocatePoolWithTag Size?
Medium Pool
Large Pool
Y
Y Y
N
N
Small Pool
![Page 42: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/42.jpg)
Prerequisites
• Allocate Buffer of Arbitrary Size
• Free Buffer of Arbitrary Size
• Control Allocations and Frees using user code.
![Page 43: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/43.jpg)
Example Alloc ProxyAlloc (paged)
HANDLE UserAlloc(int size){HANDLE LinkHandle;std::wstring s((size - 2) / 2, 'a');UNICODE_STRING TargetName;MyRtlInitUnicodeString (&TargetName, s.c_str());OBJECT_ATTRIBUTES Test1;InitializeObjectAttributes(&Test1, NULL,0, NULL, NULL);
int Status = MyCreateSymbolicLinkObject(&LinkHandle,1,&Test1,&TargetName);
return LinkHandle;
}
![Page 44: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/44.jpg)
Example Free Proxy
Free
void UserFree(HANDLE Handle){if (Handle){
CloseHandle(Handle);}
}
![Page 45: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/45.jpg)
Massage the Kernel Pool
ExAllocatePoolWithTag()When FreeList search failed, allocation will come from a new page.
82928443 bf00100000 mov edi,1000h82928448 57 push edi82928449 ff742424 push dword ptr [esp+24h]8292844d e8b3ebffff call nt!MiAllocatePoolPages (82927005)
As 1000h is hard coded which leads to allocation aligned by 0x1000(Paged , NonPaged, NonPagedNX,)
![Page 46: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/46.jpg)
nt!MiAllocatePoolPages-- RtlFindClearBitsAndSet-- MiObtainSystemVa
• kd> dt ntkrpamp!_RTL_BITMAP 827a1194+0x000 SizeOfBitMap : 0x7fc00+0x004 Buffer : 0x80731000 -> 0xffffffff
Kernel Virtual Address Space Allocation
![Page 47: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/47.jpg)
Kernel Pool Layout and Bitmap0
1
1
1
Current Index
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1
1 1
1 1 1 1
1 1 1 1
1 1
1
1 1
10 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0
0
0
0 0
0
0 0 0 0 00
: Free
: Used
0
0 0
![Page 48: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/48.jpg)
Request For 1 block0
1
1
1
Current Index
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1
1 1
1 1 1 1
1 1 1 1
1 1
1
1 1
10 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0
0
0
0 0
0
1 0 0 0 00
: Free
: Used
nt!RtlFindClearBitsAndSet
0
0 0
![Page 49: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/49.jpg)
Request For 2 blocks0
1
1
1
Current Index
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1
1 1
1 1 1 1
1 1 1 1
1 1
1
1 1
10 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0
0
1
0 0
0
1
nt!RtlFindClearBitsAndSet
0 0 0 01
: Free
: Used
0
0 0
![Page 50: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/50.jpg)
Request For 3 blocks0
1
1
1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1
1 1
1 1 1 1
1 1 1 1
1 1
1
1 1
10 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0
0
1
0 0
0
1 1 1 1 01
nt!RtlFindClearBitsAndSet
Current Index
: Free
: Used
0
0 0
![Page 51: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/51.jpg)
If all searches failed0
1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 11 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 11 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 11 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 11 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 11 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 11 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 11 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 11 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 11 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
: Free
: Used
![Page 52: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/52.jpg)
Kernel VA dynamic allocate will taken (32bit)
0
1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 11 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 11 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 11 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 11 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 01 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
MiObtainSystemVa is used to dynamically allocate VA range
: Free
: Used
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 00 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
![Page 53: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/53.jpg)
Interesting picking sequence
An empty page:
0x1000
![Page 54: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/54.jpg)
Interesting picking sequence
1st allocation picked from front:
0x1000
0x808 0x7F8
![Page 55: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/55.jpg)
Interesting picking sequence2nd allocation picked from end:
0x1000
0x808 0x7F8
0x808 0x200 0x5F8
![Page 56: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/56.jpg)
Our controlled way (small)
Evaluation
LookasideSearching
FreeListSearching
expand the pool usingMiAllocatePoolPages
and split
Success?
Success?
Return
ExallocatePoolWithTag Size?
Small Pool
Medium Pool
Large Pool
Y
Y Y
N
N
![Page 57: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/57.jpg)
Our controlled way (small)
Evaluation
LookasideSearching
FreeListSearching
expand the pool usingMiAllocatePoolPages
and split
Success?
Success?
Return
ExallocatePoolWithTag Size?
Medium Pool
Large Pool
Y
Y Y
N
N
Small Pool
![Page 58: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/58.jpg)
Our controlled way (small)
Evaluation
LookasideSearching
FreeListSearching
expand the pool usingMiAllocatePoolPages
and split
Success?
Success?
Return
ExallocatePoolWithTag Size?
Medium Pool
Large Pool
Y
Y Y
N
N
Small Pool
![Page 59: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/59.jpg)
Our controlled way (small)
Evaluation
LookasideSearching
FreeListSearchingSuccess?
Success?
Return
ExallocatePoolWithTag Size?
Medium Pool
Large Pool
Y
Y
N
Small Pool
RtlpFindEntry();RtlpHeapRemoveListEntry();// FreeListEntry is controlled
if (CommitSize < FreeListEntry ->Size){// Force the CommitSize smaller than// the FreeListEntry ‐>Size
RtlpCreateSplitBlock(); }return Chunk
![Page 60: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/60.jpg)
Our controlled way (small)
Evaluation
LookasideSearching
FreeListSearching
expand the pool usingMiAllocatePoolPages
and split
Success?
Success?
Return
ExallocatePoolWithTag Size?
Medium Pool
Large Pool
Y
Y Y
N
N
Small Pool
Split Chunks
![Page 61: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/61.jpg)
Or this way (Medium)
Evaluation
LookasideSearching
FreeListSearching
expand the pool usingMiAllocatePoolPages
and split
Success?
Success?
Return
ExallocatePoolWithTag Size?
Small Pool
Medium Pool
Large Pool
Y
Y Y
N
N
Split Chunks
![Page 62: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/62.jpg)
A: if ( size_t < 0x400 )B: if (( size_t >= 0x400 ) & ( size_t < 0x800 ))C: if (( size_t >= 0x800 ) & ( size_t < 0xFF0 ))D: if ( size_t >= 0xFF0)
What about size > 0xFF0?Daniel: Yes it will. There's always a way out...
-Quotes from Stargate SG-1 "Abyss"
![Page 63: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/63.jpg)
0x808 0x200 0xC0 0x538
A: if ( size_t < 0x400 )Make holes on size 0x1000 chopping board
0x1000
![Page 64: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/64.jpg)
B: if (( size_t < 0x400 ) & ( size_t < 0x800 ))Make holes on size 0x2000 chopping board
0x1000
0x1010
0x1000
0x9F8 0xC0 0x538
![Page 65: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/65.jpg)
C: if (( size_t > 0x800 ) & ( size_t < 0xFF0 ))Make holes on size 0x3000 chopping board
0x1000
0x1020
0x1000
0x1000
0xFE0
X0xC0 0xC0 0xC0 0xC0 0xC0 0xC0 0xC0 0xC0
![Page 66: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/66.jpg)
D: if ( size_t > 0xFF0)Vulnerable buf will be allocated by MiAllocatePoolPages directly
0x1000
0x1010
0x1000
0xC0 0xF30
![Page 67: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/67.jpg)
Demo of this section
![Page 68: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/68.jpg)
2.01:Windows Objects in
Kernel Vulnerability Exploitation
![Page 69: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/69.jpg)
• kd> dt nt!_OBJECT_HEADER+0x000 PointerCount : Int4B+0x004 HandleCount : Int4B+0x004 NextToFree : Ptr32 Void+0x008 Lock : _EX_PUSH_LOCK+0x00c TypeIndex : Uchar // used to be a Ptr in XP+0x00d TraceFlags : UChar+0x00e InfoMask : UChar+0x00f Flags : UChar+0x010 ObjectCreateInfo : Ptr32 _OBJECT_CREATE_INFORMATION+0x010 QuotaBlockCharged : Ptr32 Void+0x014 SecurityDescriptor : Ptr32 Void+0x018 Body : _QUAD
Exploitation in Windows 7(Bonus)
![Page 70: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/70.jpg)
0x01: InitTrampoline:Mapping VA 0x0 through NtAllocateVirtualMemory
Then..
0x02: Modify TypeIndex
Exploitation in Windows 7(Bonus)
![Page 71: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/71.jpg)
0x03:Jump into shellcode when CloseHandle()
mov ebx, _ObTypeIndexTable[ecx*4]// ecx is TypeIndex
…call dword ptr [ebx+74h]
![Page 72: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/72.jpg)
• kd> dt nt!_KTIMER 84247538+0x000 Header : _DISPATCHER_HEADER+0x010 DueTime : _ULARGE_INTEGER 0x4`9b8e6360+0x018 TimerListEntry : _LIST_ENTRY [ 0x85360160 - 0x82765ce4 ]+0x020 Dpc : 0x84247590 _KDPC+0x024 Period : 0x7d0
Exploitation in Windows 8(Mateusz ‘j00ru’ Jurczyk way)
![Page 73: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/73.jpg)
• kd> dt nt!_KDPC+0x000 Type : UChar+0x001 Importance : UChar+0x002 Number : Uint2B+0x004 DpcListEntry : _LIST_ENTRY+0x00c DeferredRoutine : Ptr32 void +0x010 DeferredContext : Ptr32 Void+0x014 SystemArgument1 : Ptr32 Void+0x018 SystemArgument2 : Ptr32 Void+0x01c DpcData : Ptr32 Void
Exploitation in Windows 8(Mateusz ‘j00ru’ Jurczyk way)
![Page 74: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/74.jpg)
2.02:Practical exploiting
kernel pool Overflow / Corruption
![Page 75: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/75.jpg)
Exploiting Kernel Pool Overflow / Corruption
As we know the sizes of current trunk and previous trunk, we could build a fake header without modify origin one.
Vulnerable bufferImportant data structure
Overflow into App-Specific data ^ ^
Pool Header
![Page 76: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/76.jpg)
2.03:Practical Exploiting
write-what-where vulnerability
![Page 77: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/77.jpg)
Place object at a predictable address
0x9e51e000(a relative high address, supposed be reached only through heap spray)
0x1000
![Page 78: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/78.jpg)
Place object at a predictable address
0x900 0x700
0x9e51e000
0x9e51e900
0x1000
![Page 79: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/79.jpg)
Place object at a predictable address
0x900 0x700
0x9e51e000
0x1000
0x900 0x48 0x6B8
0x9e51e900 + 0x1c: TypeIndex
![Page 80: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/80.jpg)
Demo
![Page 81: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/81.jpg)
0x03:Implementation in User Heap
![Page 82: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/82.jpg)
Allocation Algorithm pre‐view
Evaluation
FrontEnd(LFH)
Backend
VirtualAlloc
Activated?
Success?
Return
HeapAlloc( x, x, size) Size?
0x4000 – 0x7FFFF
size > 0x7FFFF
Y
Y Y
N
N
size < 0x4000
![Page 83: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/83.jpg)
3.01:Practical Attacking
_HEAP_USERDATA_HEADER
![Page 84: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/84.jpg)
_HEAP_USERDATA_HEADER
• Idea brought by Chris Valasek
• Chunk = UserBlocks + RandIndex * BlockStride + FirstAllocationOffset
![Page 85: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/85.jpg)
Two Challenges
• 18 times of allocations will trigger LFH
• 400 times of allocations will trigger guard pages.
![Page 86: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/86.jpg)
LFH & Guard PagesGP LFH
_HEAP_USERDATA_HEADER _HEAP_ENTRY _HEAP_ENTRY Vul buf _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY
Vul buffer
GP – PAGE_NOACCESS
_HEAP_USERDATA_HEADER _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY
GP – PAGE_NOACCESS
_HEAP_USERDATA_HEADER _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY
![Page 87: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/87.jpg)
The target
UserBlocks for _HEAP_BUCKET[eg: 0x200]
Vulnerable buffer eg: 0x300
_HEAP_USERDATA_HEADER
Overflow direction
to position the vulnerable buffer just BEFORE an important structure.
Like: _HEAP_USERDATA_HEADER structure
![Page 88: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/88.jpg)
Mandatory Search in Action
• Defragment using chunk 0x4000 - 0x7FFFF.
• Freeing (0x70100) --> Allocating (0x70000)Could make 0x100 hole.Hey, get out of my way -- LFH
• The size of UserBlocks (total size) is fixed.
![Page 89: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/89.jpg)
0x8000
0x8000
0x8000
Taken
Free
Noise 0x01: Defragment
0x8000
0x8000
![Page 90: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/90.jpg)
0x8000
0x8000
0x8000
Taken
Free
Noise 0x02: Freeing
0x8000
0x8000
![Page 91: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/91.jpg)
0x8000
0x8000
Taken
Free
Noise 0x03: Alloc 0x6000 block and make 0x2000 hole
0x8000
0x6000 0x2000
0x8000
![Page 92: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/92.jpg)
0x8000
0x8000
Taken
Free
Noise
0x8000
0x04: Trigger LFH (0x200)
0x20000x6000
UserBlocks for _HEAP_BUCKET[0x200]
0x8000
![Page 93: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/93.jpg)
0x6000
_HEAP_USERDATA_HEADER _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY
_HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY_HEAP_ENTRY _HEAP_ENTRY
_HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY_HEAP_ENTRY _HEAP_ENTRY
Take a closer look atTaken
Free
LFH
UserBlocks for _HEAP_BUCKET[0x200]
![Page 94: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/94.jpg)
0x6000
_HEAP_USERDATA_HEADER _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY
_HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY_HEAP_ENTRY _HEAP_ENTRY
_HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY_HEAP_ENTRY _HEAP_ENTRY
Free 0x6000 blockTaken
Free
LFH
![Page 95: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/95.jpg)
0x6000 – 0x300
_HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY_HEAP_ENTRY _HEAP_ENTRY
_HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY_HEAP_ENTRY _HEAP_ENTRY
Alloc 0x5D00 block and make 0x300 hole
0x300
Taken
Free
_HEAP_USERDATA_HEADER _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY
![Page 96: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/96.jpg)
0x6000 – 0x300
_HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY_HEAP_ENTRY _HEAP_ENTRY
_HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY_HEAP_ENTRY _HEAP_ENTRY
Alloc vulnerable buffer
0x300
Vul bufferTaken
Free
_HEAP_USERDATA_HEADER _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY _HEAP_ENTRY
![Page 97: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/97.jpg)
Future allocation will get controlled after overflow
0x8000
Future allocation s will fall into this controlled area.
Vul buffer
Controlled
0x8000
0x8000
UserBlocks
0x8000
![Page 98: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/98.jpg)
Applicable circumstance(Prerequisites)
- The LFH of the certain bin size has not been activated by the time of allocation.( no 16 consecutive allocations of the vulnerable buffer’s size)
- Allocate Buffer of Arbitrary Size w/ Arbitrary Content
- Free Buffer of Arbitrary Size
- Programmatic Control of Allocations and Frees
![Page 99: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/99.jpg)
The exploitation process:
Step 0: Figure out the vulnerabilityStep 1: Heap Feng Shui.Step 2: Trigger the overflow, modify "FirstAllocationOffset”Step 3: Allocate new objects with proper size.Step 4: Modify new object’s content.Step 5: Control the EIP.
![Page 100: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/100.jpg)
3.02:Practical Heap Determining in IE 10
![Page 101: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/101.jpg)
Conclusion
![Page 102: ADVANCED HEAP MANIPULATION IN WINDOWS 8 · ADVANCED HEAP MANIPULATION IN WINDOWS 8. Who Am I. Zhenhua(Eric) Liu Senior Security Researcher. Fortinet, Inc. Previous: Dissecting Adobe](https://reader035.vdocuments.net/reader035/viewer/2022071213/6028833b28c8163ccb1d4a31/html5/thumbnails/102.jpg)
Questions?