[Dailydave] Usenix w00t (ddz)
Alexander Sotirov
alex at sotirov.net
Mon Oct 1 13:49:02 EDT 2007
On Mon, Oct 01, 2007 at 11:38:52AM -0400, Dave Aitel wrote:
> 2. "For example, the exploit may have corrupted the heap metadata and
> subsequent heap operations may cause the process to crash. In these
> cases, the Stage 2 payload has to repair the heap before attempting to
> execute more complex operations that require explicit or implicit heap
> allocation. Under Windows XP and later Windows operating systems, the
> default heap can be quickly switched to the low-fragmentation heap using
> HeapSetInformation(), thus abandoning the use of a potentially corrupted
> standard default heap."
The low fragmentation heap is a layer that sits on top of the standard heap. Small
chunks are allocated from larger LFH buckets, bypassing the standard allocator,
but the buckets themselves are allocated from the old heap. If it is corrupted,
switching to the LFH is not going to help.
If you let the program continue (or the program has multiple threads), you also
have to consider the case where the code has a pointer to a previously
allocated chunk and tries to free it. The LFH allocator will see that this
chunk was not allocated from an LFH bucket and it will pass it to the standard
allocator.
Alex
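The two points above, as an added example that is not part of the original post and is not Windows code: a small two-layer heap model constructed for this illustration, with a "standard" backend that keeps inline chunk headers and an LFH-like front end that carves fixed-size slots out of buckets it obtains from that backend. All names (backend_alloc, heap_alloc, switch_to_frontend, the header layout, the HDR_MAGIC check) are this example's assumptions, and the magic check stands in for the crash a real heap would take on smashed metadata. It shows that the first small allocation after the switch still walks the backend's (corrupted) chunk list to get a bucket, and that a pointer allocated before the switch is handed back to the backend on free.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of a two-layer heap (not the Windows LFH): a backend
 * with inline chunk headers, and a bucket front end layered on top of it. */
#define ARENA_BYTES 4096
#define HDR_MAGIC   0xC0DEC0DEu
#define SLOT_BYTES  32
#define SLOTS       8

struct hdr { uint32_t magic; uint32_t size; uint32_t in_use; uint32_t pad; };

static _Alignas(16) unsigned char arena[ARENA_BYTES];
static size_t arena_top;          /* bytes of the arena handed out so far */
static int    corrupt_detected;   /* models the crash a real heap would take */

enum free_result { FREED_IN_BUCKET = 1, FREED_IN_BACKEND = 0, BACKEND_CORRUPT = -1 };

static size_t round16(size_t n) { return (n + 15) & ~(size_t)15; }

/* Backend: first-fit walk over every chunk, trusting each inline header.
 * A header smashed by an overflow is noticed here (assumed consistency check). */
static void *backend_alloc(size_t n) {
    size_t off = 0;
    n = round16(n);
    while (off < arena_top) {
        struct hdr *h = (struct hdr *)(arena + off);
        if (h->magic != HDR_MAGIC) { corrupt_detected = 1; return NULL; }
        if (!h->in_use && h->size >= n) { h->in_use = 1; return h + 1; }
        off += sizeof *h + h->size;
    }
    if (arena_top + sizeof(struct hdr) + n > ARENA_BYTES) return NULL;
    struct hdr *h = (struct hdr *)(arena + arena_top);
    h->magic = HDR_MAGIC; h->size = (uint32_t)n; h->in_use = 1; h->pad = 0;
    arena_top += sizeof *h + n;
    return h + 1;
}

static enum free_result backend_free(void *p) {
    struct hdr *h = (struct hdr *)p - 1;
    if (h->magic != HDR_MAGIC) { corrupt_detected = 1; return BACKEND_CORRUPT; }
    h->in_use = 0;
    return FREED_IN_BACKEND;
}

/* Front end: each bucket is an ordinary backend chunk holding SLOTS slots. */
struct bucket { struct bucket *next; uint32_t free_mask; uint32_t pad;
                unsigned char slots[SLOTS * SLOT_BYTES]; };

static struct bucket *buckets;
static int frontend_enabled;
static int buckets_from_backend;  /* buckets the backend had to supply */

static void switch_to_frontend(void) { frontend_enabled = 1; } /* models HeapSetInformation() */

static void *heap_alloc(size_t n) {
    if (!frontend_enabled || n > SLOT_BYTES) return backend_alloc(n);
    for (struct bucket *b = buckets; b; b = b->next)
        for (unsigned i = 0; i < SLOTS; i++)
            if (b->free_mask & (1u << i)) { b->free_mask &= ~(1u << i); return b->slots + i * SLOT_BYTES; }
    struct bucket *b = backend_alloc(sizeof *b);   /* new bucket: must go through the backend */
    if (!b) return NULL;
    buckets_from_backend++;
    b->next = buckets; b->free_mask = ((1u << SLOTS) - 1) & ~1u; buckets = b;
    return b->slots;
}

static enum free_result heap_free(void *p) {
    unsigned char *q = p;
    if (frontend_enabled)
        for (struct bucket *b = buckets; b; b = b->next)
            if (q >= b->slots && q < b->slots + sizeof b->slots) {
                b->free_mask |= 1u << ((q - b->slots) / SLOT_BYTES);
                return FREED_IN_BUCKET;
            }
    return backend_free(p);   /* not from a bucket: handed to the standard allocator */
}

static void heap_reset(void) {
    memset(arena, 0, sizeof arena);
    arena_top = 0; corrupt_detected = 0; buckets = NULL;
    frontend_enabled = 0; buckets_from_backend = 0;
}

/* Scenario 1: an overflow out of chunk a smashes b's header. After the switch, the
 * first small allocation needs a bucket, and fetching it walks the damaged backend;
 * freeing b afterwards is routed to the backend as well, which trips on the header. */
static int alloc_after_switch_fails(void) {
    heap_reset();
    unsigned char *a = heap_alloc(64);
    unsigned char *b = heap_alloc(64);
    memset(a, 'A', 64 + sizeof(struct hdr));   /* constructed 16-byte overflow into b's header */
    switch_to_frontend();
    int alloc_failed = heap_alloc(16) == NULL;
    int free_hit_backend = heap_free(b) == BACKEND_CORRUPT;
    return alloc_failed && free_hit_backend && corrupt_detected;
}

/* Scenario 2: intact heap. Small allocations come from a bucket the backend supplied;
 * a chunk allocated before the switch is still freed by the backend afterwards. */
static int prior_chunk_free_goes_to_backend(void) {
    heap_reset();
    void *old = heap_alloc(16);               /* backend chunk, allocated before the switch */
    switch_to_frontend();
    void *s = heap_alloc(16);                 /* slot carved out of a backend-supplied bucket */
    int ok = s != NULL && buckets_from_backend == 1;
    ok = ok && heap_free(s) == FREED_IN_BUCKET;
    ok = ok && heap_free(old) == FREED_IN_BACKEND;
    return ok;
}

int main(void) {
    printf("alloc after switch, smashed backend header: fails=%d\n", alloc_after_switch_fails());
    printf("pre-switch chunk freed through the backend: ok=%d\n", prior_chunk_free_goes_to_backend());
    return 0;
}
```

The model deliberately makes the backend refuse and set a flag where a real heap would fault, so the routing is observable without a crash; the point it carries is only the layering, not any detail of the real Windows implementation.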