Dailydave
mailing list archives
Re: Usenix w00t (ddz)
From: Alexander Sotirov <alex () sotirov net>
Date: Mon, 1 Oct 2007 10:49:02 -0700
On Mon, Oct 01, 2007 at 11:38:52AM -0400, Dave Aitel wrote:
> 2. "For example, the exploit may have corrupted the heap metadata and
> subsequent heap operations may cause the process to crash. In these
> cases, the Stage 2 payload have to repair the heap before attempting to
> execute more complex operations that require explicit or implicit heap
> allocation. Under Windows XP and later Windows operating systems, the
> default heap can be quickly switched to the low-fragmentation heap using
> HeapSetInformation(), thus abandoning the use of a potentially corrupted
> standard default heap."
The low fragmentation heap is a layer that sits on top of the standard heap. Small
chunks are allocated from larger LFH buckets, bypassing the standard allocator,
but the buckets themselves are allocated from the old heap. If it is corrupted,
switching to the LFH is not going to help.
If you let the program continue (or the program has multiple threads), you also
have to consider the case where the code has a pointer to a previously
allocated chunk and tries to free it. The LFH allocator will see that this
chunk was not allocated from an LFH bucket and it will pass it to the standard
allocator.
Alex
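As an added illustration of the layering described in this reply (a simplified Python model written for this page, not Windows code and not anything from the original thread): the LFH front end obtains its buckets from the back-end heap, and a chunk it did not hand out is passed down to the back end on free, so after corruption both paths still touch the damaged metadata. The class names, the bucket size and the starting address are constructed for the model.

```python
class HeapCorruption(Exception): pass

class BackEndHeap:
    # Standard allocator: owns all memory, including the LFH's buckets.
    def __init__(self):
        self.next_addr = 0x10000          # constructed start address
        self.metadata_corrupted = False   # set once an overflow trashes it
    def alloc(self, size):
        if self.metadata_corrupted:       # free-list walk follows bad links
            raise HeapCorruption("back-end alloc")
        addr, self.next_addr = self.next_addr, self.next_addr + size
        return addr
    def free(self, addr):
        if self.metadata_corrupted:       # coalescing uses the same links
            raise HeapCorruption("back-end free")

class LowFragmentationHeap:
    # Front end: carves small chunks from buckets obtained from the back end.
    BUCKET_BYTES = 4096
    def __init__(self, backend):
        self.backend = backend
        self.buckets = {}   # granularity -> free chunk addresses
        self.owned = {}     # chunk address -> granularity it came from
    def alloc(self, size):
        gran = (size + 7) // 8 * 8
        free = self.buckets.setdefault(gran, [])
        if not free:        # a fresh bucket must come from the back end
            base = self.backend.alloc(self.BUCKET_BYTES)
            free.extend(range(base, base + self.BUCKET_BYTES, gran))
        addr = free.pop()
        self.owned[addr] = gran
        return addr
    def free(self, addr):
        gran = self.owned.pop(addr, None)
        if gran is None:    # not an LFH chunk: hand it to the back end
            return self.backend.free(addr)
        self.buckets[gran].append(addr)
def attempt(op, *args):
    try:
        op(*args)
        return "ok"
    except HeapCorruption:
        return "crash"

def switch_after_corruption():
    backend = BackEndHeap()
    old_chunk = backend.alloc(64)          # allocated before the overflow
    backend.metadata_corrupted = True      # the exploit trashed the metadata
    lfh = LowFragmentationHeap(backend)    # stands in for HeapSetInformation()
    return {"lfh_alloc": attempt(lfh.alloc, 32),
            "free_old_chunk": attempt(lfh.free, old_chunk)}
```

With a healthy back end the same model serves small allocations from a bucket and returns them to it; only the bucket refill and the pass-through free reach the back end.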
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave