Stack based exploitation has gotten all the fame, but many platform and compiler mitigations have made it very hard to exploit stack vulnerabilities. Heap based exploits are still very relevant, and since this is black magic for most developers I will here give an introduction to the field.

1. TurtleSec
@pati_gallardo 1
Turtle
Sec
@pati_gallardo

2. TurtleSec
@pati_gallardo 2
“Basically, an attacker can grab 64K of memory from a server.
The attack leaves no trace, and can be done multiple times
to grab a different random 64K of memory.
This means that anything in memory
-- SSL private keys, user keys, anything -- is vulnerable.
And you have to assume that it is all compromised. All of it.
"Catastrophic" is the right word.
On the scale of 1 to 10, this is an 11.”
https://www.schneier.com/blog/archives/2014/04/heartbleed.html

3. TurtleSec
@pati_gallardo 3
Heartbleed
@pati_gallardo 3
TurtleSec

4. TurtleSec
@pati_gallardo 4
What was the bug?
- Buffer over-read
- Attacker controlled buffer size

5. TurtleSec
@pati_gallardo 5
What made it bad?
- Remote attack
- High value memory
- Wide deploy

6. TurtleSec
@pati_gallardo 6
Introduction to
Memory Exploitation
Meeting C++ 2021
Patricia Aas
Turtle
Sec

7. TurtleSec
@pati_gallardo 7
“The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1
before 1.0.1g do not properly handle Heartbeat Extension
packets,
which allows remote attackers to obtain sensitive
information from process memory via crafted packets that
trigger a buffer over-read”
CVE-2014-0160 Description

8. TurtleSec
@pati_gallardo 8
Heartbleed is a prime example of an
Information Leak

9. TurtleSec
@pati_gallardo 9
Heartbleed is famous for how devastating it was
But it also became
the poster child for fuzzing

10. TurtleSec
@pati_gallardo 10
Patricia Aas - Trainer & Consultant
C++ Programmer, Application Security
Currently : TurtleSec
Previously : Vivaldi, Cisco Systems, Knowit, Opera Software
Master in Computer Science
Pronouns: she/they Turtle
Sec

11. TurtleSec
@pati_gallardo 11
Fuzzing
@pati_gallardo 11
TurtleSec

12. TurtleSec
@pati_gallardo 12
Corpus
Fuzzer
Instrumented
Target
Valid Inputs
Crash
Crashing Inputs
Coverage Feedback

13. TurtleSec
@pati_gallardo 13
Now that’s is all nice and good
But most memory errors don’t cause us to crash
At least not right away

14. TurtleSec
@pati_gallardo 14
Sanitizers
@pati_gallardo 14
TurtleSec

15. TurtleSec
@pati_gallardo 15
compiler instrumentation
run-time library
Address Sanitizer
terminal
$ clang++ -fsanitize=address overflow.cpp
$ ./a.out
ERROR: AddressSanitizer: stack-buffer-overflow
@pati_gallardo
Clang
GCC
VS

16. TurtleSec
@pati_gallardo 16
Address Sanitizer provokes crash-like behavior
for many memory bugs
Supercharges fuzzing
Makes it possible to find “hidden” bugs

17. TurtleSec
@pati_gallardo 17
Debugger
Fuzzer
Sanitizers
Make application
crashy
Provoke weird
behavior
Analyze

18. TurtleSec
@pati_gallardo 18
So you found a bug.
What now?
@pati_gallardo 18
TurtleSec

19. TurtleSec
@pati_gallardo 19
Exploitation
@pati_gallardo 19
TurtleSec

20. TurtleSec
@pati_gallardo 20
Secret:
Access
Granted
Operation
complete
Launching
missiles
Access
Denied
The Programmers Mental State Machine
“David”
“Joshua”
Weird
State
“globalthermonuclearwar” Terminate

21. TurtleSec
@pati_gallardo 21
The Target The Shellcode
@halvarflake
Weird
State
Weird
State
Programming the Weird Machine
Vulnerability
@sergeybratus

22. TurtleSec
@pati_gallardo 22
Shellcode
Piece of code, typically in machine code,
that is delivered and executed as a part of an exploit.
Called “shellcode” because a traditional use was
to start a shell, for example sh.
In real exploits it will deliver some kind of mechanism for
further (remote) compromise of the system.

23. TurtleSec
@pati_gallardo 23
Exploit
Write
Memory
Read Memory Execute Code
Information Leaks Running of Shellcode
Planting of Shellcode
The Anatomy of an Exploit

24. TurtleSec
@pati_gallardo 24
To run your shellcode you need the instruction pointer
to jump to your shellcode.
The instruction pointer jumps in many different scenarios
- goal here is to control where it jumps to, examples:
return from a function
virtual function call
function pointer
Code Execution

25. TurtleSec
@pati_gallardo 25
A vulnerability or a capability in the application
that can be used as a part of a wider exploit
is often referred to as a “primitive”- examples:
Arbitrary Read Primitive
Write-What-Where Primitive
Read-Where Primitive
“Primitives”

26. TurtleSec
@pati_gallardo 26
Mitigations
@pati_gallardo 26
TurtleSec

27. TurtleSec
@pati_gallardo 27
Exploit
Write
Memory
Read Memory Execute Code
ASLR
Limit interesting info?
Non executable memory
Stack Canaries
Address Space Layout
Randomization (ASLR)
Platform and Compiler Mitigations

28. TurtleSec
@pati_gallardo 28
Cleaning Memory?
@pati_gallardo 28
TurtleSec

29. TurtleSec
@pati_gallardo 29
The Case Of The Disappearing Memset
Dead Store Elimination
The compiler is allowed to optimize away
stores that cannot be detected
Meaning memset’ing of memory that is
never read can be removed
@pati_gallardo 29

30. TurtleSec
@pati_gallardo 30
The Heap
@pati_gallardo 30
TurtleSec

31. TurtleSec
@pati_gallardo 31
Allocators
@pati_gallardo 31
TurtleSec

32. TurtleSec
@pati_gallardo 32
Simple Pool Allocator

33. TurtleSec
@pati_gallardo 33
Empty Pool

34. TurtleSec
@pati_gallardo 34
Initial allocations

35. TurtleSec
@pati_gallardo 35
Free
An allocation is freed - what now?

36. TurtleSec
@pati_gallardo 36
Free
Another allocation is freed - what now?

37. TurtleSec
@pati_gallardo 37
Free
Another allocation is freed - what now?

38. TurtleSec
@pati_gallardo 38
Free
link?
coalesce?

39. TurtleSec
@pati_gallardo 39
So… how can we exploit this behavior?
We can allocate!

40. TurtleSec
@pati_gallardo 40
Heap Spraying
@pati_gallardo 40
TurtleSec

41. TurtleSec
@pati_gallardo 41
Fill memory with a certain byte sequence
possibly shellcode
so that a “random” jump might hit it
Heap Spraying

42. TurtleSec
@pati_gallardo 42
Typical Heap Spray Shellcode
No-ops Payload
Noop-sled
Shellcode string

43. TurtleSec
@pati_gallardo 43
Normal Allocation
Heap Spraying
Initial state

44. TurtleSec
@pati_gallardo 44
Normal Allocation
Shellcode
Heap Spraying
Fill memory with shellcode

45. TurtleSec
@pati_gallardo 45
This is a bit scattershot
Can we have more control?

46. TurtleSec
@pati_gallardo 46
(Heap Feng Shui)
Heap Grooming
@pati_gallardo 46
TurtleSec

47. TurtleSec
@pati_gallardo 47
Create predictable memory patterns
Trick the allocator to allocate a specific chunk
A chunk you can control
Let’s see it in action

48. TurtleSec
@pati_gallardo 48
Putting it all together
@pati_gallardo 48
TurtleSec

49. TurtleSec
@pati_gallardo 49
“The Shadow Brokers”
Hacking group behind a leak in 2016-17
The leaked exploits and tools are believed to be NSAs
The Shadow Brokers are suspected to be Russian
The leak was done in several batches
Most famous is the Eternal Blue exploit

50. TurtleSec
@pati_gallardo 50
Very Light Background: Windows SMBv1
Request
Response
Client Server
SMB messages
Aside: This is the diagram of all things computer

51. TurtleSec
@pati_gallardo 51
EternalBlue
Eternal Exploits
@pati_gallardo 51
TurtleSec

52. TurtleSec
@pati_gallardo 52
DoublePulsar
EternalBlue
EternalRomance
EternalChampion
EternalSynergy

53. TurtleSec
@pati_gallardo 53
EternalBlue
Write-What-Where Primitive and Remote Code Execution
Linear Buffer Overrun, Heap Spray / Heap Grooming

54. TurtleSec
@pati_gallardo 54
“When updating the length of the list,
the size is written to as if it were a 16-bit ushort,
when it is actually a 32-bit ulong.
This means that the upper 16-bits are not updated
when the list gets truncated.”
Microsoft Defender Security Research Team
Main bug

55. TurtleSec
@pati_gallardo 55
55
@pati_gallardo
Main bug and the fix
ULONG FEALIST.cbList;
#define SmbPutUshort(DestAddress, Value)
{
((PUCHAR)(DestAddress))[0] = BYTE_0(Value);
((PUCHAR)(DestAddress))[1] = BYTE_1(Value);
}
SmbPutUshort(&FeaList->cbList,
PTR_DIFF_SHORT(fea, FeaList));
ULONG FEALIST.cbList;
#define SmbPutUlong(DestAddress, Value)
{
((PUCHAR)(DestAddress))[0] = BYTE_0(Value);
((PUCHAR)(DestAddress))[1] = BYTE_1(Value);
((PUCHAR)(DestAddress))[2] = BYTE_2(Value);
((PUCHAR)(DestAddress))[3] = BYTE_3(Value);
}
SmbPutUlong(&FeaList->cbList,
PTR_DIFF_LONG(fea, FeaList));
Before After
[0] [1] [2] [3]
[0] [1] [2] [3]
LODWORD HIDWORD

56. TurtleSec
@pati_gallardo 56
- Primes the heap
- Fills with blocks ready for shellcode
- Makes room for buffer that will overrun
- Overrun will prepare code execution
- Hopes to overrun into one of the prepared blocks
Heap Grooming and Spray

57. TurtleSec
@pati_gallardo 57
Heap Grooming
Initial state

58. TurtleSec
@pati_gallardo 58
Heap Grooming
Grooming Packet
Filling gaps to make allocations predictable

59. TurtleSec
@pati_gallardo 59
Heap Grooming
Grooming Packet Grooming Packet
Prefill before making pattern

60. TurtleSec
@pati_gallardo 60
Make room for your objects
Heap Grooming
Free up holes
Grooming Packet Grooming Packet

61. TurtleSec
@pati_gallardo 61
Heap Grooming
Overflow Packet
Grooming Packet Grooming Packet

62. TurtleSec
@pati_gallardo 62
Heap Grooming
Grooming Packet Ready for Execution
Grooming Packet
Overflow Packet

63. TurtleSec
@pati_gallardo 63
Heap Grooming
Grooming Packet Grooming Packet
shellcode
Ready for Execution

64. TurtleSec
@pati_gallardo 64
When connection is closed
the shellcode is executed
in the block(s) that have been overrun
Installs the DoublePulsar backdoor implant
Code Execution

65. TurtleSec
@pati_gallardo 65
How does that affect me?
@pati_gallardo 65
TurtleSec

66. TurtleSec
@pati_gallardo 66
There is no magic here
These are bugs you can find
The tools they use are tools you can use
Basically:
Fix Bugs

67. TurtleSec
@pati_gallardo 67
Turtle
Sec
@pati_gallardo

68. TurtleSec
@pati_gallardo 68
Questions?
Photos from pixabay.com
Patricia Aas, TurtleSec
Turtle
Sec