Class 20

CSC 495/583 Topics of Software Security

Heap Exploitation (1)
Dr. Si Chen ([email protected])
Virtual Memory

Memory Management Unit(MMU)

Page  2
The Heap

Runtime Memory 0x00000000

Libraries (libc)

ELF Executable

.text segment

.data segment

Heap It’s just another segment

Stack
in runtime memory
0xFFFFFFFF

Page  3
Basics of Dynamic Memory

int main()
{
char * buffer = NULL;

/* allocate a 0x100 byte buffer */

buffer = malloc(0x100);

/* read input and print it */

fgets(stdin, buffer, 0x100);
printf(“Hello %s!\n”, buffer);

/* destroy our dynamically allocated buffer */

free(buffer);
return 0;
}

Page  4
Heap vs Stack

Heap Stack
• Dynamic memory • Fixed memory allocations
allocations at runtime known at compile time

• Objects, big buffers, structs, • Local variables, return

persistence, larger things addresses, function args

• Slower, Manual • Fast, Automatic

– Done by the programmer – Done by the compiler
– malloc/calloc/recalloc/free – Abstracts away any concept
– new/delete of allocating/de-allocating

Page  5
Heap in Linux (GNU C Library – glibc)

ptmalloc2

System call:
brk() mmap()

Page  6
The Heap

Page  7
Design your own Heap management system

 Linked List

Page  8
Design your own Heap management system

H: header --> 11
 bitmap B: Body --> 10
F: Free  00

Bitmap representation:
(HIGH) 11 00 00 10 10 10 11 00 00 00 00 00 00 00 10 11 (LOW)

128 byte per chunk

Page  9
1MB / 128 = 8k
glibc source code https://code.woboq.org/userspace/glibc/malloc/malloc.c.html

Page  10
Arena

 Arena: the top level memory management entity.

 There are two types of arenas.
– Main arena covers the traditional heap area: the space between start_brk and
brk for a process from kernel point of view, only one main arena exists for a
process.
– Non-main arena manages the memory fetched from kernel via mmap() system
call, there could be 0 to 2*(number of cpu cores) such arenas based on
process threads usage.

Page  11
Arena

Page  12
Bins and Chunks

 A bin is a list (doubly or singly linked list) of free (non-allocated) chunks.

Bins are differentiated based on the size of chunks they contain:
– Fast bin
– Unsorted bin
– Small bin
– Large bin

Page  13
Doug Lea‘s malloc Heap Chunks

• Heap chunks exist in two states

– in use (malloc’d)
– free’d

Page  14
malloc chunk

Page  15
Heap Chunks – Freed

unsigned int * buffer = NULL;

buffer = malloc(0x100);

free(buffer);
• Forward Pointer
– A pointer to the next freed chunk
• Backwards Pointer
– A pointer to the previous freed chunk

Heap Chunk (freed)

Previous Chunk Size Chunk Size FD BK
Flags

(4 bytes) (4 bytes) (4 bytes) (4 bytes)

*(buffer-2) *(buffer-1) *buffer *(buffer+1)

Page  16
Heap Chunks

unsigned int * buffer = NULL;

buffer = malloc(0x100);

//Out comes a heap chunk

Heap Chunk
Previous Chunk Size Chunk Size Data
Flags

(4 bytes) (4 bytes) (8 + (n / 8)*8 bytes)

*(buffer-2) *(buffer-1) *buffer

Page  17
Pseudo Memory Map

0x00000000 – Start of memory

Runtime Memory
Libraries (libc)

ELF Executable
0x08048000 – Start of .text Segment
.text segment

.data segment

0xb7ff0000 – Top of heap

Heap

0xbfff0000 – Top of stack

Stack

0xFFFFFFFF – End of memory

MBE -
Page  18 Heap Exploitation 1
8
04/07/201
Heap Allocations

0x00000000
Runtime Memory Heap Segment

--------------------------------->
Libraries (libc) Previous Chunk Size

Grows towards higher memory

Chunk Size
ELF Executable
Data
.text segment

.data segment

Heap

Stack
0xFFFFFFFF
Page  19
Heap Allocations

0x00000000
Runtime Memory Heap Segment

--------------------------------->
Libraries (libc) Previous Chunk Size

Grows towards higher memory

Chunk Size
ELF Executable
Data
.text segment
Previous Chunk Size
.data segment Chunk Size

Data

Heap

Stack
0xFFFFFFFF
Page  20
Heap Allocations

0x00000000
Runtime Memory Heap Segment

--------------------------------->
Libraries (libc) Previous Chunk Size

Grows towards higher memory

Chunk Size
ELF Executable
Data
.text segment
Previous Chunk Size
.data segment Chunk Size

Data

Heap Previous Chunk Size

Chunk Size
Stack Data
0xFFFFFFFF
Page  21
Heap Overflows

0x00000000
Runtime Memory Heap Segment

--------------------------------->
Libraries (libc) Previous Chunk Size

Grows towards higher memory

Chunk Size
ELF Executable
Data
.text segment
Previous Chunk Size
.data segment Chunk Size

Data

Heap Previous Chunk Size

Chunk Size
Stack Data
0xFFFFFFFF
Page  22
Heap Overflows
Buffer overflows are basically the same on
the heap as they are on the stack

0x00000000
Runtime Memory Heap Segment

--------------------------------->
Libraries (libc) Previous Chunk Size

Grows towards higher memory

Chunk Size
ELF Executable AAAAAAAAAAAAAA
.text segment AAAAAAAAAAAAAA
Previous Chunk Size
.data segment AAAAAAAAAAAAAA
Chunk Size
AAAAAAAAAAAAAA
Data

Heap AAAAAAAAAAAAAA
…
heap overflow
Stack
Previous Chunk Size
0xFFFFFFFF
Chunk Size
Page  23
Data
  heap0.c

Page  24
 First object on heap; name[64]

Second object on heap; fp  contains a pointer

Winner() – We want to execute this function

Page  25
 Second object on heap; fp  contains a pointer

Winner() – We want to execute this function

malloc() allocates storage on the heap

fp points to nowinner()

argv[1] copied into 64-byte arry on the heap,

Page  26
without checking its length... oops
Page  27
Page  28
Page  29
Page  30
Shellcode and Attack

Page  31
Heap Overflows

• In the real world, lots of cool and complex

things like objects/structs end up on the heap
– Anything that handles the data you just corrupted
is now viable attack surface in the application

• It’s common to put function pointers in structs

which generally are malloc’d on the heap
– Overwrite a function pointer on the heap, and
force a codepath to call that object’s
function!
Page  32
Educational Heap Exploitation

https://github.com/shellphish/how2heap

Page  33
 Q&A

Page  39