Full Disclosure mailing list archives
Tetris heap spraying: spraying the heap on a budget
From: Berend-Jan Wever <berendj () nwever nl>
Date: Fri, 18 Nov 2016 11:32:28 +0100
L.S.

Over the past decade, heap sprays have become almost synonymous with exploits in web-browsers. After having developed my first practical implementation of a heap spray about ten years ago, I found that the amount of memory needed in some cases was too much for a realistic attack scenario. I needed a new kind of heap spray that did not allocate as much RAM as traditional heap sprays do. So, I developed a heap spray that uses significantly less RAM than a traditional heap spray does. In practice it uses about 33% less in most cases, but theoretically it could be much, much less in ideal situations.

This technique requires only the ability to free some of the blocks of memory used to spray the heap during spraying and should otherwise be applicable to every existing implementation. I wrote an article on my blog that describes the technical details of this technique; you can find it here: http://blog.skylined.nl/20161118001.html

I recently used this technique in a Proof-of-Concept for a vulnerability in Microsoft Edge. You can find details about that vulnerability and the PoC here: http://blog.skylined.nl/20161118002.html

Cheers,
SkyLined
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/