Third Generation Exploits On Nt/Win2K Platforms presented at Blackhat Europe 2001

by Thomas "Halvar Flake" Dullien (zynamics)

Tags: Security Exploitation Development Testing

Summary: Because standard stack-smashing overflows are becoming rare in well-audited code, new ways of executing arbitrary code on attacked machines are badly needed. With the appearance of format string bugs and malloc()/free() manipulations, the attacking side has two powerful techniques for writing more or less arbitrary data to more or less arbitrary locations.
Assuming we classify the different overrun exploitation techniques into generations it could look like this:
Generation 1: Standard return address overwrites
Generation 2: Frame pointer overwrites, off-by-ones etc.
Generation 3: malloc()/free() overwrites, format bugs etc.
While third generation exploits have been documented on *NIX platforms, documentation concerning their exploitation under NT/Win2k is rare. Yet this class of vulnerabilities is especially interesting from the reverse engineer's perspective on closed-source platforms, as traditional means of vulnerability research (e.g. stress testing with tools like Retina(tm) or Hailstorm(tm)) fail to detect these problems.
This speech will consist of two halves. The first half will cover format string vulnerabilities, covering all aspects ranging from detection (both in source and binary) to reliable exploitation in multithreaded environments without killing the exploited service. The second half will focus on malloc()/free() overwrites, explaining their general principle, documenting the different implementations of heap management under NT/Win2k (Borland C++, Visual C++, native operating system support in various versions, etc.) and explaining how to exploit them in various situations.
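The abstract mentions detecting format string bugs in source. The defining pattern is a printf-family call whose format argument is not a string literal, so that attacker-controlled data is interpreted as a format. The following is an added example, not material from the talk: a small lexical checker that scans C source for such calls. The function table (FORMAT_ARG_INDEX), the sample source and the function names in it are constructed for this illustration; the check is line-oriented and does not parse C, so it is an audit aid rather than a proof of absence.

```python
import re

# Hypothetical, deliberately small table: function name -> index of the
# format argument. Real C runtimes (including the Windows CRT) have many more.
FORMAT_ARG_INDEX = {
    "printf": 0, "vprintf": 0,
    "fprintf": 1, "sprintf": 1, "vsprintf": 1, "wsprintfA": 1,
    "snprintf": 2, "_snprintf": 2,
    "syslog": 1,
}

CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")


def split_args(text, start):
    """Split the argument list that begins at text[start] (just after '(').
    Returns the top-level arguments, or None if the call is not closed on
    this line. Nested parentheses and string literals are respected."""
    args, depth, in_str, cur = [], 0, False, []
    i = start
    while i < len(text):
        c = text[i]
        if in_str:
            cur.append(c)
            if c == "\\" and i + 1 < len(text):   # keep escaped char as-is
                cur.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            cur.append(c)
        elif c == "(":
            depth += 1
            cur.append(c)
        elif c == ")":
            if depth == 0:
                args.append("".join(cur).strip())
                return args
            depth -= 1
            cur.append(c)
        elif c == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    return None


def is_literal_format(arg):
    """True if the format consists only of (adjacent) string literals."""
    return bool(arg) and re.fullmatch(r'(\s*"(?:[^"\\]|\\.)*"\s*)+', arg) is not None


def strip_comments(line):
    """Remove single-line /* */ and // comments so they cannot confuse the scan."""
    line = re.sub(r"/\*.*?\*/", "", line)
    return re.sub(r"//.*", "", line)


def find_nonliteral_formats(source):
    """Return (line number, function, format argument) for every call in the
    table whose format argument is not a string literal."""
    findings = []
    for lineno, raw in enumerate(source.splitlines(), 1):
        line = strip_comments(raw)
        for m in CALL_RE.finditer(line):
            name = m.group(1)
            if name not in FORMAT_ARG_INDEX:
                continue
            args = split_args(line, m.end())
            idx = FORMAT_ARG_INDEX[name]
            if args is None or idx >= len(args):
                continue
            if not is_literal_format(args[idx]):
                findings.append((lineno, name, args[idx]))
    return findings


# Constructed sample: four of the six calls pass caller data as the format.
SAMPLE_SOURCE = r'''void log_error(const char *msg, int code) {
    char buf[256];
    fprintf(stderr, msg);                    /* format comes from the caller */
    printf("%s\n", msg);                     /* literal format, data as argument */
    sprintf(buf, msg);                       /* same problem, into a stack buffer */
    snprintf(buf, sizeof buf, "%d: %s", code, msg);
    syslog(LOG_ERR, msg);
    printf(buf);
    printf("reason: " "%s\n", msg);          /* adjacent literals are fine */
}'''

if __name__ == "__main__":
    for lineno, func, arg in find_nonliteral_formats(SAMPLE_SOURCE):
        print(f"line {lineno}: {func}() format argument is not a literal: {arg}")
```

On the constructed sample the scanner reports the fprintf, sprintf, syslog and printf(buf) calls and accepts the two calls whose format is a literal. A call split over several lines is skipped rather than guessed at, which is the kind of gap a binary-level check of the sort the talk describes would still have to cover.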
Halvar Flake is Black Hat's new resident reverse engineer. Originating in the fields of copy protection and digital rights management, he gravitated more and more towards network security over time as he realized that constructive copy protection is more or less fighting windmills. After writing his first few exploits he was hooked and realized that reverse engineering experience is a very handy asset when dealing with COTS software. With extensive experience in reverse engineering, network security, penetration testing and exploit development, he recently joined Black Hat as their main reverse engineer.