Dailydave mailing list archives

Re: Usenix w00t (ddz)


From: Alexander Sotirov <alex () sotirov net>
Date: Mon, 1 Oct 2007 10:49:02 -0700

On Mon, Oct 01, 2007 at 11:38:52AM -0400, Dave Aitel wrote:
> 2. "For example, the exploit may have corrupted the heap metadata and
> subsequent heap operations may cause the process to crash. In these
> cases, the Stage 2 payload has to repair the heap before attempting to
> execute more complex operations that require explicit or implicit heap
> allocation. Under Windows XP and later Windows operating systems, the
> default heap can be quickly switched to the low-fragmentation heap using
> HeapSetInformation(), thus abandoning the use of a potentially corrupted
> standard default heap."

The low fragmentation heap is a layer that sits on top of the standard heap. Small
chunks are allocated from larger LFH buckets, bypassing the standard allocator,
but the buckets themselves are allocated from the old heap. If it is corrupted,
switching to the LFH is not going to help.

If you let the program continue (or the program has multiple threads), you also
have to consider the case where the code has a pointer to a previously
allocated chunk and tries to free it. The LFH allocator will see that this
chunk was not allocated from a LFH bucket and it will pass it to the standard
allocator.

Alex
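The two points above (the LFH's buckets come from the standard heap, and a chunk that was not carved from a bucket is handed back to the standard allocator on free) as an added, constructed illustration that is not part of the original post and not the NT heap or LFH source. It is a toy model: a first-fit free-list "back end" over a static arena, plus a "front end" that carves small chunks out of one bucket it obtains from the back end. The function and variable names are all assumptions made for the example; the real heap routes frees by a chunk-header flag rather than by address range, and faults on a bad link rather than returning NULL.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Toy model (constructed for this example, not the Windows heap).
 * Back end: first-fit free list with in-band headers over a static arena.
 * Front end: one bucket obtained from the back end, carved into small chunks. */

#define ARENA_SIZE  4096
#define BUCKET_SIZE 512
#define SMALL_MAX   64

struct be_hdr { size_t size; struct be_hdr *next_free; }; /* metadata an overflow can smash */

static _Alignas(16) unsigned char arena[ARENA_SIZE];
static size_t         arena_top;
static struct be_hdr *free_list;
static int            be_fault;   /* set when the back end follows corrupted metadata */

static int in_arena(const void *p) {
    return (const unsigned char *)p >= arena && (const unsigned char *)p < arena + ARENA_SIZE;
}

static void *be_alloc(size_t n) {
    for (struct be_hdr **pp = &free_list; *pp; pp = &(*pp)->next_free) {
        /* A pointer outside the arena or an absurd size means the list was corrupted;
         * the real heap would take an access violation or report a critical failure. */
        if (!in_arena(*pp) || (*pp)->size > ARENA_SIZE) { be_fault = 1; return NULL; }
        if ((*pp)->size >= n) { struct be_hdr *h = *pp; *pp = h->next_free; return h + 1; }
    }
    if (arena_top + sizeof(struct be_hdr) + n > ARENA_SIZE) return NULL;
    struct be_hdr *h = (struct be_hdr *)(arena + arena_top);
    h->size = n; h->next_free = NULL;
    arena_top += sizeof(struct be_hdr) + n;
    return h + 1;
}

static void be_free(void *p) {          /* LIFO free list, header immediately before data */
    struct be_hdr *h = (struct be_hdr *)p - 1;
    h->next_free = free_list;
    free_list = h;
}

static unsigned char *bucket;           /* the "LFH subsegment"; allocated from the back end */
static size_t         bucket_used;
static int            lfh_enabled;      /* models HeapSetInformation(HeapCompatibilityInformation) */

static int in_bucket(const void *p) {
    return bucket && (const unsigned char *)p >= bucket && (const unsigned char *)p < bucket + BUCKET_SIZE;
}

static void *fe_alloc(size_t n) {
    if (!bucket) {
        bucket = be_alloc(BUCKET_SIZE); /* the bucket itself lives in the old heap */
        if (!bucket) return NULL;
    }
    if (bucket_used + n > BUCKET_SIZE) return NULL;
    void *p = bucket + bucket_used;
    bucket_used += n;
    return p;
}

static void *heap_alloc(size_t n) {
    return (lfh_enabled && n <= SMALL_MAX) ? fe_alloc(n) : be_alloc(n);
}

static void heap_free(void *p) {
    if (in_bucket(p)) return;           /* ours; the toy bucket never reuses slots */
    be_free(p);                         /* not from a bucket: hand it to the standard allocator */
}

static void heap_reset(void) {
    memset(arena, 0, sizeof arena);
    arena_top = 0; free_list = NULL; be_fault = 0;
    bucket = NULL; bucket_used = 0; lfh_enabled = 0;
}

/* Point 1: switching to the front end after back-end metadata was smashed.
 * Returns 1 if the first front-end allocation still tripped over the corruption. */
int demo_switch_after_corruption(void) {
    heap_reset();
    unsigned char *x = heap_alloc(32);
    unsigned char *a = heap_alloc(32);  /* a's header sits right after x's data */
    unsigned char *b = heap_alloc(32);
    heap_free(a);
    heap_free(b);                       /* free list is now b -> a */
    memset(x, 'A', 32 + sizeof(struct be_hdr)); /* constructed overflow: x overruns into a's header */
    lfh_enabled = 1;                    /* "switch to the LFH" */
    void *p = heap_alloc(16);           /* needs a bucket, so the back end walks b -> a (smashed) */
    return p == NULL && be_fault == 1;
}

/* Point 2: a chunk allocated before the switch is still routed to the back end on free.
 * Returns 1 if the old chunk lands on the back-end free list while the new one is in the bucket. */
int demo_old_chunk_routes_to_back_end(void) {
    heap_reset();
    void *old = heap_alloc(32);         /* before the switch: back-end chunk */
    lfh_enabled = 1;
    void *fresh = heap_alloc(32);       /* after the switch: carved from the bucket */
    heap_free(old);
    return in_arena(bucket) && !in_bucket(old) && in_bucket(fresh)
        && free_list == (struct be_hdr *)old - 1;
}

int main(void) {
    printf("switch after corruption still faults: %d\n", demo_switch_after_corruption());
    printf("pre-switch chunk freed via back end:  %d\n", demo_old_chunk_routes_to_back_end());
    return 0;
}
```

Both demos are what the reply predicts: enabling the front end does not avoid the walk over the corrupted free list because the bucket is itself a back-end allocation, and a free of a pre-switch chunk goes straight back into the damaged allocator.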


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
