
Win32 Reliable Heap Exploitation

  • secwest.net Vancouver Canada

Description

Simple stack overflows are mostly dead. Other low-hanging fruit, such as straightforward heap overflows, is becoming less common too.

The game these days is not only to find the more obscure heap overflows, but also to exploit them reliably. There is a big difference between a run-of-the-mill proof-of-concept exploit posted to Full Disclosure and a reliable exploit that is fit for commercial use.

This three-and-a-half-hour course takes you on a tour of Win32 heap internals: how to inspect them, how to manipulate them, and how to turn them to your advantage in real-life exploit scenarios.

Topics covered:

  • Win32 heap basics

    • Internal structure: Chunks, FreeList, Lookaside, VAList

    • RtlAllocateHeap

    • RtlFreeHeap

  • Win32 heap exploitation basics

    • Unlinking

    • Write4

    • Coalescing

    • Write8

    • Blind Write4

  • Playing with the layout

    • WinDbg basics

    • Tools for manipulating the layout

    • Memleaks & Infoleaks

    • Memleaks:

      • Hard memleaks

      • Soft memleaks

  • Shellcode

    • Fixing vs Injecting

  • A walk on the wild side

    • Exchange X-LINK2STATE overview

    • SPOOLER overview

    • Verde overview

  • Do we still have time?

    • What/Where hints

    • FreeList trick
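The Unlinking/Write4 item under "Win32 heap exploitation basics" and the What/Where hints at the end of the outline refer to the same primitive, so here is an added example that is not part of the course material. It is a small C simulation of the FreeList unlink a Windows 2000 heap performs when RtlAllocateHeap hands out a free chunk: the chunk carries a LIST_ENTRY (Flink, Blink), and removing it does `Blink->Flink = Flink; Flink->Blink = Blink` with no sanity check. An overflow that rewrites those two pointers therefore gets a pointer-sized write of WHAT (Blink) to WHERE (Flink plus the offset of Blink), plus an unavoidable side write of WHERE's address into the first pointer-sized bytes at WHAT, which is why shellcode placed there has to survive or repair that write. The memory image, the victim slot and the payload are constructed for the example; the struct and function names are the example's own, not Windows internals. On the 32-bit targets the course uses the write is four bytes; on a 64-bit host the simulation writes eight. The safe-unlink variant shows the check that XP SP2 added, which refuses the corrupted links.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The FreeList links a Win32 heap keeps in the user area of every free
 * chunk: a LIST_ENTRY of two pointers (Flink, Blink). */
struct list_entry {
    struct list_entry *Flink;
    struct list_entry *Blink;
};

/* Windows 2000 era list removal, as done when RtlAllocateHeap takes a
 * chunk off a FreeList: no check that the links are consistent. */
static void unlink_unsafe(struct list_entry *e)
{
    struct list_entry *f = e->Flink;
    struct list_entry *b = e->Blink;
    b->Flink = f;   /* store 1: value f at address b           */
    f->Blink = b;   /* store 2: value b at address f + ptrsize */
}

/* Safe unlinking, the check XP SP2 added: refuse unless both neighbours
 * point back at the entry being removed. Returns 1 if the unlink ran. */
static int unlink_safe(struct list_entry *e)
{
    if (e->Flink->Blink != e || e->Blink->Flink != e)
        return 0;
    unlink_unsafe(e);
    return 1;
}

struct unlink_result {
    int performed;            /* 1 if the unlink ran, 0 if refused     */
    uintptr_t what;           /* value the attacker wants written      */
    uintptr_t victim_after;   /* what the victim slot holds afterwards */
    int payload_clobbered;    /* store 1 hit the head of the payload   */
};

/* Constructed memory image (not a dump of a real process): an overflow has
 * already rewritten a free chunk's links; now the allocator unlinks it.
 * With safe_checks == 0 this is the Write4 primitive. Everything lives in
 * malloc'd memory so the type-punned stores are well defined. */
static struct unlink_result simulate_unlink_write(int safe_checks)
{
    struct unlink_result r = {0};
    unsigned char *mem = calloc(1, 256);
    if (!mem)
        return r;

    unsigned char *victim  = mem + 16;   /* WHERE: slot to hijack, e.g. a function pointer */
    unsigned char *payload = mem + 64;   /* WHAT: stand-in for shellcode                   */
    struct list_entry *chunk = (struct list_entry *)(mem + 192);
    unsigned char nops[sizeof(void *)];

    memset(payload, 0x90, 32);           /* NOP sled stand-in */
    memset(nops, 0x90, sizeof nops);

    /* Attacker-controlled links left behind by the overflow. */
    chunk->Blink = (struct list_entry *)payload;
    chunk->Flink = (struct list_entry *)(victim - offsetof(struct list_entry, Blink));
    r.what = (uintptr_t)payload;

    if (safe_checks) {
        r.performed = unlink_safe(chunk);
    } else {
        unlink_unsafe(chunk);
        r.performed = 1;
    }

    memcpy(&r.victim_after, victim, sizeof r.victim_after);
    r.payload_clobbered = memcmp(payload, nops, sizeof nops) != 0;
    free(mem);
    return r;
}

/* Unsafe unlink: slot now holds WHAT, and the payload head was overwritten. */
static int unsafe_unlink_writes_what_to_where(void)
{
    struct unlink_result r = simulate_unlink_write(0);
    return r.performed && r.victim_after == r.what && r.payload_clobbered;
}

/* Safe unlink: corrupted links are refused and nothing is written. */
static int safe_unlink_refuses_corrupted_links(void)
{
    struct unlink_result r = simulate_unlink_write(1);
    return !r.performed && r.victim_after == 0 && !r.payload_clobbered;
}

int main(void)
{
    printf("unsafe unlink gives WHAT->WHERE write: %s\n",
           unsafe_unlink_writes_what_to_where() ? "yes" : "no");
    printf("safe unlink refuses corrupted links:   %s\n",
           safe_unlink_refuses_corrupted_links() ? "yes" : "no");
    return 0;
}
```

The two constraints the simulation makes visible are the ones the "What/Where" discussion turns on: WHERE must be readable and writable at the offset of Blink, and WHAT must itself be writable memory, because store 1 lands there before store 2 delivers the value.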


Prerequisites

  • some knowledge of i386 assembly

  • a basic understanding of the Python language

Prerequisite material

  • a laptop with VMware (the host OS can be Linux or Windows)

  • a VMware image of an out-of-the-box Windows 2000 Server

  • IDA

  • WinDbg (or it will be installed in class)

  • Python

Instructor: Sinan "noir" Eren

Sinan Eren is a reverse engineer and a casual exploit developer. At Immunity Inc. he performs code and binary audits and exploit development for the CANVAS platform. Architectures and platforms of interest include x86/Win32, Unix on any CPU flavor, and popular third-party applications (MTAs, HIPS, AV, VPN, Remote Desktop, etc.). He recently gave auditing courses on the RPC layer of the Windows OS to several audiences around the USA.

Instructor: Nicolas Waisman

Nicolas Waisman is a Senior Security Researcher at Immunity, Inc. Nico is one of the driving forces behind the CANVAS exploit framework. The majority of his recent work has focused on Win32 vulnerability development, specifically reliable heap exploitation. He also likes to sneak in the odd reverse engineering project from time to time. His current passion is implementing MOSDEF for the PPC architecture.