Dailydave mailing list archives
Re: Usenix w00t (ddz)
From: Alexander Sotirov <alex () sotirov net>
Date: Mon, 1 Oct 2007 10:49:02 -0700
On Mon, Oct 01, 2007 at 11:38:52AM -0400, Dave Aitel wrote:
2. "For example, the exploit may have corrupted the heap metadata and subsequent heap operations may cause the process to crash. In these cases, the Stage 2 payload has to repair the heap before attempting to execute more complex operations that require explicit or implicit heap allocation. Under Windows XP and later Windows operating systems, the default heap can be quickly switched to the low-fragmentation heap using HeapSetInformation(), thus abandoning the use of a potentially corrupted standard default heap."
The low fragmentation heap is a layer that sits on top of the standard heap. Small chunks are allocated from larger LFH buckets, bypassing the standard allocator, but the buckets themselves are allocated from the old heap. If it is corrupted, switching to the LFH is not going to help. If you let the program continue (or the program has multiple threads), you also have to consider the case where the code has a pointer to a previously allocated chunk and tries to free it. The LFH allocator will see that this chunk was not allocated from an LFH bucket and it will pass it to the standard allocator.

Alex
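The two points above (frontend buckets are backend chunks, and frees of non-bucket pointers fall through to the backend) as an added example, not code from the thread or from Windows: a constructed two-layer allocator model in which `be_alloc`/`be_free` stand in for the standard heap and `heap_alloc`/`heap_free` for an LFH-style frontend; all names, the header layout and the arena size are assumptions of the model.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model, not the Windows heap: a backend heap with inline chunk headers
 * and a free list, plus an LFH-style frontend that carves fixed-size slots out of
 * buckets it obtains from that same backend. */
enum { ARENA = 4096, SLOT = 32, SLOTS = 8, MAGIC = 0xC0FFEE };
typedef struct hdr { uint32_t magic, size; struct hdr *next; } hdr;
static _Alignas(16) unsigned char arena[ARENA];
static uint32_t brk_off; static hdr *free_list;
static unsigned char *bucket; static int bucket_used, lfh_enabled;
static void *be_alloc(uint32_t size) {
    for (hdr **pp = &free_list; *pp; pp = &(*pp)->next) {   /* reuse a free chunk first */
        if ((*pp)->magic != MAGIC) return NULL; /* corrupt metadata: the real heap would crash */
        if ((*pp)->size >= size) { hdr *h = *pp; *pp = h->next; return h + 1; }
    }
    if (brk_off + sizeof(hdr) + size > ARENA) return NULL;
    hdr *h = (hdr *)(arena + brk_off);                       /* otherwise bump-allocate */
    h->magic = MAGIC; h->size = size; h->next = NULL; brk_off += sizeof(hdr) + size;
    return h + 1;
}
static int be_free(void *p) {
    hdr *h = (hdr *)p - 1; if (h->magic != MAGIC) return -1;
    h->next = free_list; free_list = h; return 0;
}
/* Frontend: small requests come from a bucket, and the bucket is itself a backend chunk. */
static void *heap_alloc(uint32_t size) {
    if (!lfh_enabled || size > SLOT) return be_alloc(size);
    if (!bucket || bucket_used == SLOTS) { if (!(bucket = be_alloc(SLOT * SLOTS))) return NULL; bucket_used = 0; }
    return bucket + SLOT * bucket_used++;
}
/* Pointers inside a bucket stay in the frontend (slot reuse omitted); others go to the backend. */
static int heap_free(void *p) {
    unsigned char *c = p; if (bucket && c >= bucket && c < bucket + SLOT * SLOTS) return 1;
    return be_free(p);
}
void reset_heap(void) { brk_off = 0; free_list = NULL; bucket = NULL; bucket_used = lfh_enabled = 0; }
/* Returns 1 if a backend overflow still breaks allocation after the LFH-style switch. */
int corruption_survives_switch(void) {
    reset_heap();
    unsigned char *a = heap_alloc(64); void *b = heap_alloc(64);
    heap_free(b);                      /* b now sits on the backend free list */
    memset(a, 'A', 64 + sizeof(hdr));  /* overflow from a clobbers b's header */
    lfh_enabled = 1;                   /* HeapSetInformation-style switch after the corruption */
    return heap_alloc(16) == NULL;     /* the first bucket must come from the corrupted backend */
}
/* Returns 1 if a chunk allocated before the switch is released by the backend, not the frontend. */
int old_chunk_freed_by_backend(void) {
    reset_heap(); void *d = heap_alloc(64); lfh_enabled = 1;
    return heap_free(d) == 0 && free_list == (hdr *)d - 1;
}
```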