Windows Heap Protection: Bypassing requires understanding presented at DeepSec 2007

by Dave Aitel

Summary

Introduction

"Heap exploits are dead. Heap exploits remain dead. And we have killed them."

Sending a crafted string and getting reliable shellcode execution back in one easy step is now history (in fact it always was). The future of heap exploitation lies not in hoping some magical technique will get us the unlink trick back, but in understanding the heap allocation algorithm itself, crafting a suitable heap layout during the different phases of exploitation, and taking advantage of structures supplied by the server itself. There is no generic way to do this, but tools will be presented to relieve the pain of manual analysis and help exploit developers understand and exploit the wildness of the heap.

Abstract

The presentation discusses heap overflow protection mechanisms on the Windows operating system, and the weaknesses of existing techniques that try to bypass these protections. A methodology for understanding and manipulating heap layouts during the different phases of exploitation will be shown, supported by a series of tools written specifically for this task. The presentation will explore the various techniques and tools available to the researcher, including heap fuzzing, fingerprinting, data recognition and memory leaks, enabling the researcher to craft a reliable heap layout and overflow his way to shellcode execution.