Understanding and Exploiting Windows Vista Heap Overflows
Simple stack overflows are mostly dead. Other low-hanging fruit, such as straightforward heap overflows, is becoming less common too.
The game these days is not only to find the more obscure heap overflows, but also to exploit them reliably. There is a big difference between a run-of-the-mill Full Disclosure PoC exploit and a reliable exploit fit for commercial use.
This is a 2- to 4-day class of intensive theory and hands-on training on understanding and exploiting heap overflows on the Windows platform. Basic knowledge of assembly and stack overflow exploitation is required before taking this class.
Course Outline:
Day 1 - The Classic Windows Heap
Theory:
Win32 Heap Basics
* Internal structure
* RtlAllocateHeap & RtlFreeHeap
Win32 Heap Exploitation Basics
* Unlinking
* Write4
* Coalescing
* Write8
Playing with the Heap Layout
* Immunity Debugger Basics
* Memleaks & Infoleaks
Memleaks
* Hard memleaks
* Soft memleaks
Exercise:
* Controlled server
Day 2
Theory:
Shellcode
* Types of Shellcode
* Heap Fixing vs Injecting
Crashes
* Where?
* What?
* Why?
* Analysing
Exploitation
* Lookaside trick
* Multiple Write4
Exercise:
* MS Spooler
Day 3: The Vista Heap
Theory:
Introduction
* Introduction to the Vista Heap
* Layout prediction as a methodology
Basics
* The New FreeList
* Low Fragmentation Heap
* Other Structures
* A renewed review of RtlAllocateHeap and RtlFreeHeap
Exercise:
* Controlled Server
Day 4
Theory:
* Vista hands-on work
Immunity Debugger
* Advanced Usage
* Scripting the heap: Improving your Debugging experience
Exercise:
* Controlled Server
Prerequisite Knowledge
* Stack overflow exploitation
* i386 assembly
* Python language familiarity
Prerequisite Materials
* A laptop with VMware (the native OS can be Linux or Windows)
* A VMware image of an out-of-the-box Windows 2000 Server
* IDA
* Python