SlideShare a Scribd company logo

CNIT 127 Ch 5: Introduction to heap overflows

Sam Bowne, profile picture
Sam Bowne

This document discusses heap overflows and exploit development. It explains that the heap is an area of memory used to dynamically allocate data at runtime using functions like malloc() and free(). While the stack stores return addresses that can be controlled in a buffer overflow, the heap does not directly store EIP. However, it contains pointers that are written to when freeing memory chunks, which can be exploited if a chunk overflow is used to control those writes and modify arbitrary memory locations. Potential targets include return addresses on the stack, the global offset table, destructors table, and function pointers.

Education
1 of 17
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
CNIT 127: Exploit Development 
 
 Ch 5: Introduction to Heap Overflows Updated 3-14-21
What is a Heap?
Memory Map • In gdb, the "info proc map" command shows how memory is used • Programs have a stack, one or more heaps, and other segments • malloc() allocates space on the heap • free() frees the space
Heap and Stack
Heap Structure Size of previous chunk Size of this chunk Pointer to next chunk Pointer to previous chunk Data Size of previous chunk Size of this chunk Pointer to next chunk Pointer to previous chunk Data Size of previous chunk Size of this chunk Pointer to next chunk Pointer to previous chunk Data
A Simple Example (Proj ED 205)
A Simple Example
Viewing the Heap in gdb
Exploit and Crash
Crash in gdb
Targeted Exploit
The Problem With the Heap
EIP is Hard to Control • The Stack contains stored EIP values • The Heap usually does not • However, it has addresses that are used for writes – To fill in heap data – To rearrange chunks when free() is called
Action of Free() • Must write to the forward and reverse pointers • If we can overflow a chunk, we can control those writes • Write to arbitrary RAM – Image from mathyvanhoef.com, link Ch 5b
Target RAM Options • Saved return address on the Stack – Like the Buffer Overflows we did previously • Global Offset Table – Used to find shared library functions • Destructors table (DTORS) – Called when a program exits • C Library Hooks
Target RAM Options • "atexit" structure (link Ch 4n) • Any function pointer • In Windows, the default unhandled exception handler is easy to find and exploit
CNIT 127 Ch 5: Introduction to heap overflows

More Related Content

PDF
Ch 5: Introduction to heap overflows
Sam Bowne
 
PPTX
06 how to write a map reduce version of k-means clustering
Subhas Kumar Ghosh
 
PDF
Building blocks for aggregate programming of self-organising applications
FoCAS Initiative
 
ODP
Deep Learning meetup
Ivan Goloskokovic
 
ODP
Hubba Deep Learning
Ivan Goloskokovic
 
PPTX
Ronalao termpresent
Elma Belitz
 
PDF
Q4 2016 GeoTrellis Presentation
Rob Emanuele
 
PPTX
Leveraging Intra-Node Parallelization in HPCC Systems
HPCC Systems
 
Ch 5: Introduction to heap overflows
Sam Bowne
 
06 how to write a map reduce version of k-means clustering
Subhas Kumar Ghosh
 
Building blocks for aggregate programming of self-organising applications
FoCAS Initiative
 
Deep Learning meetup
Ivan Goloskokovic
 
Hubba Deep Learning
Ivan Goloskokovic
 
Ronalao termpresent
Elma Belitz
 
Q4 2016 GeoTrellis Presentation
Rob Emanuele
 
Leveraging Intra-Node Parallelization in HPCC Systems
HPCC Systems
 

What's hot (20)

PDF
Hadoop combiner and partitioner
Subhas Kumar Ghosh
 
PPTX
First Flink Bay Area meetup
Kostas Tzoumas
 
PDF
Apache Storm Tutorial
Farzad Nozarian
 
PDF
Pain points with M3, some things to address them and how replication works
Rob Skillington
 
PPT
Heap
Himadri Sen Gupta
 
DOCX
14 lab-planing
Inyoung Cho
 
PPTX
WMTS Performance Tests
Roope Tervo
 
PPTX
Improved Reliable Streaming Processing: Apache Storm as example
DataWorks Summit/Hadoop Summit
 
PDF
Apache Flink internals
Kostas Tzoumas
 
PPTX
Build 2017 - B8037 - Explore the next generation of innovative UI in the Visu...
Windows Developer
 
PPTX
An introduction to G1 collector for busy developers
Sanjoy Kumar Roy
 
PDF
Accumulo Summit 2016: Introducing Accumulo Collections: A Practical Accumulo ...
Accumulo Summit
 
PPT
Improving Efficiency of Machine Learning Algorithms using HPCC Systems
HPCC Systems
 
PPTX
Debunking Common Myths in Stream Processing
Kostas Tzoumas
 
PPT
pMatlab on BlueGene
vsachde
 
PPTX
IEEE CLOUD \'11
David Ribeiro Alves
 
PDF
KDB+/R Integration
Rory Winston
 
PDF
running Tensorflow in Production
Matthias Feys
 
PDF
Finding OOMS in Legacy Systems with the Syslog Telegraf Plugin
InfluxData
 
PDF
FTM tree
Charles Gueunet
 
Hadoop combiner and partitioner
Subhas Kumar Ghosh
 
First Flink Bay Area meetup
Kostas Tzoumas
 
Apache Storm Tutorial
Farzad Nozarian
 
Pain points with M3, some things to address them and how replication works
Rob Skillington
 
Heap
Himadri Sen Gupta
 
14 lab-planing
Inyoung Cho
 
WMTS Performance Tests
Roope Tervo
 
Improved Reliable Streaming Processing: Apache Storm as example
DataWorks Summit/Hadoop Summit
 
Apache Flink internals
Kostas Tzoumas
 
Build 2017 - B8037 - Explore the next generation of innovative UI in the Visu...
Windows Developer
 
An introduction to G1 collector for busy developers
Sanjoy Kumar Roy
 
Accumulo Summit 2016: Introducing Accumulo Collections: A Practical Accumulo ...
Accumulo Summit
 
Improving Efficiency of Machine Learning Algorithms using HPCC Systems
HPCC Systems
 
Debunking Common Myths in Stream Processing
Kostas Tzoumas
 
pMatlab on BlueGene
vsachde
 
IEEE CLOUD \'11
David Ribeiro Alves
 
KDB+/R Integration
Rory Winston
 
running Tensorflow in Production
Matthias Feys
 
Finding OOMS in Legacy Systems with the Syslog Telegraf Plugin
InfluxData
 
FTM tree
Charles Gueunet
 
Ad

Similar to CNIT 127 Ch 5: Introduction to heap overflows (20)

PDF
CNIT 127 Ch 5: Introduction to heap overflows
Sam Bowne
 
PDF
127 Ch 2: Stack overflows on Linux
Sam Bowne
 
PDF
CNIT 127: Ch 2: Stack overflows on Linux
Sam Bowne
 
PDF
(Berkeley CS186 guest lecture) Big Data Analytics Systems: What Goes Around C...
Reynold Xin
 
PDF
Move from C to Go
Yu-Shuan Hsieh
 
PDF
CNIT 127 Ch 2: Stack overflows on Linux
Sam Bowne
 
PDF
127 Ch 2: Stack overflows on Linux
Sam Bowne
 
PDF
CNIT 127 Ch 2: Stack overflows on Linux
Sam Bowne
 
PPTX
This gives a brief detail about big data
chinky1118
 
PDF
sysprog2 Part2
Ahmed Mekkawy
 
PDF
CNIT 127: Ch 2: Stack Overflows in Linux
Sam Bowne
 
PDF
PraveenBOUT++
Praveen Narayanan
 
PPTX
introduction to Complete Map and Reduce Framework
harikumar288574
 
PPTX
COMPLETE MAP AND REDUCE FRAMEWORK INTRODUCTION
harikumar288574
 
PDF
Accelerate Reed-Solomon coding for Fault-Tolerance in RAID-like system
Shuai Yuan
 
PDF
Partitioning SKA Dataflows for Optimal Graph Execution
Chen Wu
 
PPTX
Hadoop performance optimization tips
Subhas Kumar Ghosh
 
PDF
Perl at SkyCon'12
Tim Bunce
 
PPTX
Lecture2-MapReduce - An introductory lecture to Map Reduce
ssuserb91a20
 
PPTX
19-7960-07-notes.pptx
MuhammadFahmiPamungk
 
CNIT 127 Ch 5: Introduction to heap overflows
Sam Bowne
 
127 Ch 2: Stack overflows on Linux
Sam Bowne
 
CNIT 127: Ch 2: Stack overflows on Linux
Sam Bowne
 
(Berkeley CS186 guest lecture) Big Data Analytics Systems: What Goes Around C...
Reynold Xin
 
Move from C to Go
Yu-Shuan Hsieh
 
CNIT 127 Ch 2: Stack overflows on Linux
Sam Bowne
 
127 Ch 2: Stack overflows on Linux
Sam Bowne
 
CNIT 127 Ch 2: Stack overflows on Linux
Sam Bowne
 
This gives a brief detail about big data
chinky1118
 
sysprog2 Part2
Ahmed Mekkawy
 
CNIT 127: Ch 2: Stack Overflows in Linux
Sam Bowne
 
PraveenBOUT++
Praveen Narayanan
 
introduction to Complete Map and Reduce Framework
harikumar288574
 
COMPLETE MAP AND REDUCE FRAMEWORK INTRODUCTION
harikumar288574
 
Accelerate Reed-Solomon coding for Fault-Tolerance in RAID-like system
Shuai Yuan
 
Partitioning SKA Dataflows for Optimal Graph Execution
Chen Wu
 
Hadoop performance optimization tips
Subhas Kumar Ghosh
 
Perl at SkyCon'12
Tim Bunce
 
Lecture2-MapReduce - An introductory lecture to Map Reduce
ssuserb91a20
 
19-7960-07-notes.pptx
MuhammadFahmiPamungk
 
Ad

More from Sam Bowne (20)

PDF
Introduction to the Class & CISSP Certification
Sam Bowne
 
PDF
Cyberwar
Sam Bowne
 
PDF
3: DNS vulnerabilities
Sam Bowne
 
PDF
8. Software Development Security
Sam Bowne
 
PDF
4 Mapping the Application
Sam Bowne
 
PDF
3. Attacking iOS Applications (Part 2)
Sam Bowne
 
PDF
12 Elliptic Curves
Sam Bowne
 
PDF
11. Diffie-Hellman
Sam Bowne
 
PDF
2a Analyzing iOS Apps Part 1
Sam Bowne
 
PDF
9 Writing Secure Android Applications
Sam Bowne
 
PDF
12 Investigating Windows Systems (Part 2 of 3)
Sam Bowne
 
PDF
10 RSA
Sam Bowne
 
PDF
12 Investigating Windows Systems (Part 1 of 3
Sam Bowne
 
PDF
9. Hard Problems
Sam Bowne
 
PDF
8 Android Implementation Issues (Part 1)
Sam Bowne
 
PDF
11 Analysis Methodology
Sam Bowne
 
PDF
8. Authenticated Encryption
Sam Bowne
 
PDF
7. Attacking Android Applications (Part 2)
Sam Bowne
 
PDF
7. Attacking Android Applications (Part 1)
Sam Bowne
 
PDF
5. Stream Ciphers
Sam Bowne
 
Introduction to the Class & CISSP Certification
Sam Bowne
 
Cyberwar
Sam Bowne
 
3: DNS vulnerabilities
Sam Bowne
 
8. Software Development Security
Sam Bowne
 
4 Mapping the Application
Sam Bowne
 
3. Attacking iOS Applications (Part 2)
Sam Bowne
 
12 Elliptic Curves
Sam Bowne
 
11. Diffie-Hellman
Sam Bowne
 
2a Analyzing iOS Apps Part 1
Sam Bowne
 
9 Writing Secure Android Applications
Sam Bowne
 
12 Investigating Windows Systems (Part 2 of 3)
Sam Bowne
 
10 RSA
Sam Bowne
 
12 Investigating Windows Systems (Part 1 of 3
Sam Bowne
 
9. Hard Problems
Sam Bowne
 
8 Android Implementation Issues (Part 1)
Sam Bowne
 
11 Analysis Methodology
Sam Bowne
 
8. Authenticated Encryption
Sam Bowne
 
7. Attacking Android Applications (Part 2)
Sam Bowne
 
7. Attacking Android Applications (Part 1)
Sam Bowne
 
5. Stream Ciphers
Sam Bowne
 

Recently uploaded (20)

PPTX
Renaissance Architecture: A Journey from Faith to Humanism
DrMonicaSharma
 
PPTX
BOWEL ELIMINATION FACTORS AFFECTING AND TYPES
PreetiSawant10
 
PDF
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
MarjorieLopezTiu
 
PDF
Computing-Curriculum for Schools in Ghana
abigailanane203
 
PPTX
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
KMDee
 
PPTX
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
shilpa939953
 
PDF
Pre independence Education in Inndia.pdf
goofy5603
 
PDF
TR - Agricultural Crops Production NC III.pdf
avgilmegino3
 
PPTX
Final Presentation General Medicine 03-08-2024.pptx
ZaheerAhmad228692
 
PDF
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH 9 GLOBAL SUCCESS - CẢ NĂM - BÁM SÁT FORM Đ...
Nguyen Thanh Tu Collection
 
PPTX
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
NihumathunnisaH
 
PDF
Physiotherapy_for_Respiratory_and_Cardiac_Problems WEBBER.pdf
DrMONISHAphysio
 
PDF
Basic Mud Logging Guide for educational purpose
wdandworks
 
PDF
STATICS OF THE RIGID BODIES Hibbelers.pdf
pascualasturiaskaye4
 
PDF
Module 4: Burden of Disease Tutorial Slides S2 2025
Jonathan Hallett
 
PPTX
human mycosis Human fungal infections are called human mycosis..pptx
shilpa939953
 
PDF
FourierSeries-QuestionsWithAnswers(Part-A).pdf
Raji Murugan
 
PDF
VCE English Exam - Section C Student Revision Booklet
jpinnuck
 
PDF
ANTIBIOTICS.pptx.pdf………………… xxxxxxxxxxxxx
HakHe
 
PDF
Black Hat USA 2025 - Micro ICS Summit - ICS/OT Threat Landscape
Chris Sistrunk
 
Renaissance Architecture: A Journey from Faith to Humanism
DrMonicaSharma
 
BOWEL ELIMINATION FACTORS AFFECTING AND TYPES
PreetiSawant10
 
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
MarjorieLopezTiu
 
Computing-Curriculum for Schools in Ghana
abigailanane203
 
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
KMDee
 
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
shilpa939953
 
Pre independence Education in Inndia.pdf
goofy5603
 
TR - Agricultural Crops Production NC III.pdf
avgilmegino3
 
Final Presentation General Medicine 03-08-2024.pptx
ZaheerAhmad228692
 
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH 9 GLOBAL SUCCESS - CẢ NĂM - BÁM SÁT FORM Đ...
Nguyen Thanh Tu Collection
 
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
NihumathunnisaH
 
Physiotherapy_for_Respiratory_and_Cardiac_Problems WEBBER.pdf
DrMONISHAphysio
 
Basic Mud Logging Guide for educational purpose
wdandworks
 
STATICS OF THE RIGID BODIES Hibbelers.pdf
pascualasturiaskaye4
 
Module 4: Burden of Disease Tutorial Slides S2 2025
Jonathan Hallett
 
human mycosis Human fungal infections are called human mycosis..pptx
shilpa939953
 
FourierSeries-QuestionsWithAnswers(Part-A).pdf
Raji Murugan
 
VCE English Exam - Section C Student Revision Booklet
jpinnuck
 
ANTIBIOTICS.pptx.pdf………………… xxxxxxxxxxxxx
HakHe
 
Black Hat USA 2025 - Micro ICS Summit - ICS/OT Threat Landscape
Chris Sistrunk
 

CNIT 127 Ch 5: Introduction to heap overflows

  • 1. CNIT 127: Exploit Development 
 
 Ch 5: Introduction to Heap Overflows Updated 3-14-21
  • 2. What is a Heap?
  • 3. Memory Map • In gdb, the "info proc map" command shows how memory is used • Programs have a stack, one or more heaps, and other segments • malloc() allocates space on the heap • free() frees the space
  • 5. Heap Structure Size of previous chunk Size of this chunk Pointer to next chunk Pointer to previous chunk Data Size of previous chunk Size of this chunk Pointer to next chunk Pointer to previous chunk Data Size of previous chunk Size of this chunk Pointer to next chunk Pointer to previous chunk Data
  • 6. A Simple Example (Proj ED 205)
  • 12. The Problem With the Heap
  • 13. EIP is Hard to Control • The Stack contains stored EIP values • The Heap usually does not • However, it has addresses that are used for writes – To fill in heap data – To rearrange chunks when free() is called
  • 14. Action of Free() • Must write to the forward and reverse pointers • If we can overflow a chunk, we can control those writes • Write to arbitrary RAM – Image from mathyvanhoef.com, link Ch 5b
  • 15. Target RAM Options • Saved return address on the Stack – Like the Buffer Overflows we did previously • Global Offset Table – Used to find shared library functions • Destructors table (DTORS) – Called when a program exits • C Library Hooks
  • 16. Target RAM Options • "atexit" structure (link Ch 4n) • Any function pointer • In Windows, the default unhandled exception handler is easy to find and exploit