How does heap-spray attack work?

I've read two articles about heap-spraying: Wikipedia and this blog post. I understand how the shell code is introduced into the program's memory. But how is the program made to jump/call to the memory address located on the heap?

What kind of crash makes a call to heap?

Does such an attack need to be conducted with a kind of buffer overflow attack?

Is there any golden rule like the one with buffer overflows, i.e. use the n version of functions (strncpy instead of strcpy)?

Piotr Czapla asked Nov 05 '10 23:11

1 Answer

If I understand correctly,

They commonly take advantage from the fact that these heap blocks will roughly be in the same location every time the heap spray is run. Execution flow can be redirected to the heap sprays via buffer overflow or heap overflow flaws.

They're talking about a situation like this:

typedef void (*FuncPtr)(void);   /* the function pointer type used below */

char buffer[10];   /* fixed-size buffer, written to without a bounds check */
FuncPtr p;         /* function pointer laid out right after the buffer */

And when you read into buffer there's no overflow protection, and you can write directly into the memory location for p. Later on when your code tries to call p, it will jump to where the attacker wants it to jump, presumably where they injected executable code into your app.

Simple fix: Don't use static buffers (prefer the std:: collection classes) and always check for overflows.

Blindy answered Sep 19 '22 11:09
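An added illustration of the answer's "simple fix", written for this edit and not part of the original answer. The struct layout is the one the answer sketches (a ten-byte buffer immediately followed by a function pointer); the FuncPtr typedef, the handler names and the allowlist are assumptions of the example. The checked fill refuses any input that would not fit, so nothing is ever written past buffer into p, and the call site dispatches through p only when it matches one of the registered handlers, a hand-rolled version of the forward-edge check that compiler CFI features provide. It goes a little beyond the answer by also checking the pointer at the point of use, which is what limits the damage when a bounds check elsewhere is missed.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Layout from the answer: a fixed buffer followed directly by a function pointer. */
typedef void (*FuncPtr)(void);

struct Record {
    char buffer[10];
    FuncPtr p;
};

/* Assumed handlers; the allowlist is the only set of targets we will ever call. */
static void handler_a(void) { }
static void handler_b(void) { }
static void not_registered(void) { }   /* a valid function, but not an allowed target */
static const FuncPtr allowed_targets[] = { handler_a, handler_b };

/* Bounds-checked fill. Returns 1 when input (plus NUL) fits in buffer and was copied,
 * 0 when it was rejected. Never writes past buffer, so p cannot be clobbered here. */
int fill_record_checked(struct Record *r, const char *input, FuncPtr handler) {
    size_t len = strnlen(input, sizeof r->buffer);   /* never scans past the space we have */
    if (len >= sizeof r->buffer) {
        return 0;                                    /* would not fit with its terminator */
    }
    memcpy(r->buffer, input, len + 1);
    r->p = handler;
    return 1;
}

/* Forward-edge check at the call site: dispatch only to a known handler.
 * Returns 1 if the handler was called, 0 if the pointer was rejected. */
int call_record_handler(const struct Record *r) {
    for (size_t i = 0; i < sizeof allowed_targets / sizeof allowed_targets[0]; i++) {
        if (r->p == allowed_targets[i]) {
            r->p();
            return 1;
        }
    }
    return 0;
}

/* Walks through the cases once; returns 1 if every expectation holds. */
int run_demo(void) {
    struct Record r;
    memset(&r, 0, sizeof r);

    int ok = 1;
    ok &= fill_record_checked(&r, "short", handler_a) == 1;        /* 5 chars: fits */
    ok &= strcmp(r.buffer, "short") == 0;
    ok &= call_record_handler(&r) == 1;                             /* registered target */
    ok &= fill_record_checked(&r, "exactly9!", handler_b) == 1;     /* 9 chars + NUL: fits */
    ok &= fill_record_checked(&r, "tenletters", handler_b) == 0;    /* 10 chars: rejected */
    ok &= strcmp(r.buffer, "exactly9!") == 0;                       /* rejected input left no trace */
    ok &= r.p == handler_b;                                         /* pointer untouched */

    r.p = not_registered;                                           /* simulate a corrupted pointer */
    ok &= call_record_handler(&r) == 0;                             /* refused at the call site */
    r.p = NULL;
    ok &= call_record_handler(&r) == 0;
    return ok;
}

int main(void) {
    printf("all checks passed: %s\n", run_demo() ? "yes" : "no");
    return run_demo() ? 0 : 1;
}
```

The two checks are independent layers: the fill rejects input instead of truncating it silently, and the call site treats p as untrusted data until it has been compared against the registered handlers, so a pointer that somehow came to hold a sprayed heap address is never called.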