Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How does heap-spray attack work?

Tags:

c++

c

security

exploit

I've read two articles about heap-spraying: Wikiepdia and this blog post. I understand how the shell code is introduced in to the program's memory. But how the program is made to jump/call to the address memory located on heap?

What kind of crash makes a call to heap?

Does such attack needs to be conducted with a kind of buffer overflow attack?

Is there any golden rule like the one with buffer overflow ie use the n version of functions (strncpy instead strcpy)?

like image 978
Piotr Czapla Avatar asked Nov 05 '10 23:11

Piotr Czapla

People also ask

How does a heap spray work?

There is a variety of heap spraying techniques, but basically, an attacker writes to the heap in memory for a running program, then exploits a different vulnerability to cause the exploit to call the commands in the heap memory. This basically makes it easier to exploit a vulnerability.

How can memory overflow attacks use heap spraying to their benefit?

Heap spraying attacks fill large portions of the victim's heap memory with malicious code (e.g., NOP sleds), thus increasing the chance of hitting malicious code for hijacking the control flow [14, 15].

Which of the language is more vulnerable to heap spray attack?

Explanation. While these are all susceptible, C programming languages are of the worst offenders.

What is anti heap spraying enforcement?

Anti-HeapSpraying Enforcement: Reserves portions of memory to prevent abuse by heap spraying attack techniques. Dynamic Anti-HeapSpraying Enforcement: Analyzes the memory heap of a protected process to look for malicious shellcode.

1 Answers

If I understand correctly,

They commonly take advantage from the fact that these heap blocks will roughly be in the same location every time the heap spray is run. Execution flow can be redirected to the heap sprays via buffer overflow or heap overflow flaws.

They're talking about a situation like this:

char buffer[10];
FuncPtr p;

And when you read into buffer there's no overflow protection, and you can write directly into the memory location for p. Later on when your code tries to call p, it will jump to where the attacker wants it to jump, presumably where they injected executable code into your app.

Simple fix: Don't use static buffers (prefer the std:: collection classes) and always check for overflows.

like image 86
Blindy Avatar answered Sep 19 '22 11:09

Blindy
Sign in to Comment

Related questions

OpenCV's clustering function cvKMeans2() - what is a type of cluster center in array?
Sparse voxel representation of point cloud data
Correct way to distribute VC++ runtime files
Policy-based template design: How to access certain policies of the class?
"Reading" a POD preincrement result does not yield undefined behavior. Why exactly?
How can I declare constant strings for use in both an unmanaged C++ dll and in a C# application?
How to extract 48*48 icon image from resource of an executable file?
templated method on T inside a templated class on TT : Is that possible/correct
HeapCreate, HeapAlloc in Linux, private allocator for Linux
Porting a project to OpenGL3
Invoking C++ code from Java (GCJ)
Is there a program to convert assembly to C++? [duplicate]
Recommended practices for re-entrant code in C, C++
Blink LED using Visual C++
Using C++ lambda functions during variable initialisation
What are the c++ compiler optimization techniques in Visual studio [closed]
how to use Savitzky-Golay smooth coefficient to calculate derivatives
template parameters, #define and code duplication
Register Game Object Components in Game Subsystems? (Component-based Game Object design)
A std::map like container that maps types to values

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!