Full Disclosure mailing list archives

Tetris heap spraying: spraying the heap on a budget


From: Berend-Jan Wever <berendj () nwever nl>
Date: Fri, 18 Nov 2016 11:32:28 +0100

L.S.

Over the past decade, heap sprays have become almost synonymous with
exploits in web-browsers. After having developed my first practical
implementation of a heap spray about ten years ago, I found that the
amount of memory needed in some cases was too much for a realistic
attack scenario. I needed a new kind of heap spray that did not allocate
as much RAM as traditional heap sprays do. So, I developed a heap spray
that uses significantly less RAM than a traditional heap spray does. In
practice it uses about 33% less in most cases, but theoretically it
could be much, much less in ideal situations. This
technique requires only the ability to free some of the blocks of memory
used to spray the heap during spraying and should otherwise be
applicable to every existing implementation.

I wrote an article on my blog that describes the technical details of
this technique, you can find it here:

http://blog.skylined.nl/20161118001.html

I recently used this technique in a Proof-of-Concept for a vulnerability
in Microsoft Edge. You can find details about that vulnerability and the
PoC here:

http://blog.skylined.nl/20161118002.html

Cheers,

SkyLined


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/