Windows Heap Exploitation 101 presented at BSidesColumbus 2014

by Nathan Voss

Summary: So you probably have a decent idea of how to exploit this code:
char buffer[50]; strcpy(buffer, user_data);
But what about this:
char* buffer = malloc(50); strcpy(buffer, user_data); free(buffer);
Heap-based buffer overflows are much more challenging to exploit than typical stack-based ones. Successful exploitation is possible in many cases, though, and the first step is to have a thorough knowledge of the basic heap structures and behavior. In this talk I’ll be covering the absolute basics of the heap, including its main components, how it manages memory at run-time, and several relatively simple exploitation methods. I’ll also be giving a demonstration of a Heap Sandbox test app that will let you play with the heap from a command prompt, allowing you to easily explore what happens when you allocate, free, and write to heap buffers.
The heap is a basic, core component of every modern operating system. Even if you don’t have any interest in the exploitation side of things, you’ll come away from this talk with a much better feel for how the heap works, and have a better understanding of how to use the heap effectively and safely in your own code.
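The second snippet in the abstract (malloc, strcpy, free) beside a bounded version of the same routine, as an added example that is not part of the talk or its sandbox app. The function name process_user_data and the 50-byte size are assumptions taken from the abstract's snippet; the inputs in main() are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 50

/* Pattern from the abstract, kept here only as a comment:
 *   char *buffer = malloc(50); strcpy(buffer, user_data); free(buffer);
 * strcpy() does not know the destination is 50 bytes, so user_data of
 * 50 or more characters runs past the allocation into whatever the
 * heap placed next (the neighbouring chunk's header or data). */

/* Hardened equivalent: the copy is bounded by the allocation size and
 * over-long input is rejected instead of silently truncated.
 * Returns 0 on success, -1 if the input does not fit, -2 on OOM. */
int process_user_data(const char *user_data)
{
    /* Look for the terminator only inside the first BUF_SIZE bytes, so
     * neither the scan nor the copy ever exceeds the destination size. */
    const char *nul = memchr(user_data, '\0', BUF_SIZE);
    if (nul == NULL) {              /* no room for string + terminator */
        return -1;
    }
    size_t len = (size_t)(nul - user_data);

    char *buffer = malloc(BUF_SIZE);
    if (buffer == NULL) {
        return -2;
    }
    memcpy(buffer, user_data, len + 1);   /* len < BUF_SIZE, includes NUL */

    /* ... use buffer ... */

    free(buffer);
    buffer = NULL;                  /* no dangling pointer after free */
    return 0;
}

int main(void)
{
    /* Constructed inputs: one that fits, one that would have overflowed
     * the strcpy() version above. */
    char long_input[200];
    memset(long_input, 'A', sizeof long_input - 1);
    long_input[sizeof long_input - 1] = '\0';

    printf("short: %d\n", process_user_data("hello"));    /* 0  */
    printf("long:  %d\n", process_user_data(long_input)); /* -1 */
    return 0;
}
```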