

HITB2012AMS Day 2 – Ghost in the Allocator

Ghost in the Allocator – Abusing the Windows 7 / 8 Low Fragmentation Heap


After introducing himself, Steven Seeley, Senior Penetration Tester and Security Researcher at Stratsec, starts his presentation by sharing the talk agenda:

  • Why target the heap manager
  • Heap terms
  • Some Windows 7 theory
  • Windows 7 exploitation
  • Changes introduced in Windows 8 Heap
  • Windows 8 possible exploitation technique
Steven explains that he wanted to do a talk on the heap manager because it’s often used in mature apps, and knowledge about it is not widespread (yet). People like Halvar, Ben, Nico, Brett, Chris (and many others) made it cool :)
There are a couple of heap exploits available (CVE 2012-0003, 2010-3972, 2008-0356, 2005-1009). What they all have in common is that they are quite complex. It’s a challenge to write heap exploits: you have to deal with safe unlinking, base randomization, removal of static pointers, and many more protection mechanisms that are part of the heap manager today.
The Windows 7 front end allocator (Low Fragmentation Heap) uses bins that contain all chunks of a specific size. A “NextOffset” is used to determine the next chunk to be allocated. Each _heap_subsegment_ has its own management structure for that particular bin size. The heap chunk header is an 8 byte structure (4 bytes of which are encoded). The LFH gets activated after 18 consecutive allocations for a particular bin size.
The back end allocator is different; Steven shows it on a slide.
Steven explains that the LFH heap data structure looks like a heap within a heap, and consists of a chain of arrays and structures, segments, subsegments, and so on.

Windows 7 Heap exploits

Ben Hawkes came up with a good idea to trigger an arbitrary free. Chris Valasek came up with the idea that you can cause an arbitrary allocation on top of an object or structure. Steven added a technique to cause consecutive static allocations. Before going into the details, he explains that the Windows 7 heap is still deterministic to a certain extent. You still need a variety of primitives to help with exploitation: a soft/hard leak of a controlled size, arbitrary writes, the ability to trigger a free of a particular size (to create a hole in the heap), the ability to trigger the heap cache, and so on.

To write an exploit, you’ll have to reverse parts of the application to understand how allocations and frees occur and how you can potentially trigger your own allocations/frees. It requires detecting object creation and what triggers the creation of these objects. Doing all of that work, Steven says, is by far the hardest part of the exploit writing process.

Steven continues by explaining how the technique discovered by Ben Hawkes works; the details are on his slides.

The next exploitation technique demonstrated is FreeEntryOffset (Chris Valasek).


Finally, he shares details about a technique he discovered himself while playing with a double free condition and trying to get the heap manager to return the same address for consecutive allocations. The advantage of his technique is that you don’t need to set up a hole in the heap or perform large seeding operations. It’s used when you can only allocate objects after a chunk has been overflowed. You still need the ability to trigger arbitrary allocations of an object/struct and multiple chunks, and you need to find a virtual function call that gets called later on (to gain control over EIP).

Changes in Windows 8

A first big change is that the UserBlocks data structure changed, and a bunch of fields were added (including GuardPagePresent etc.). The LFH still gets triggered on 0x12 consecutive allocations (or 0x11 if allocated and freed). The techniques discovered by Chris and Ben no longer work. He continues by explaining some routines related to the BusyBitmap and the bitmap index, and highlights some important routines related to allocations and frees. (All details can be found in his slides, don’t worry…)

Possible exploitation under Windows 8

Steven was playing with the concept of 3 null dword writes targeting the UserBlocks header to form an arbitrary allocation, when Chris Valasek mentioned that you can potentially overwrite the entire UserBlocks header. If an application allows you to trigger 17 or 18 allocations, you can probably do more allocations. This might help make things more predictable again. You have to avoid damaging certain parts (_lfh_block_zone), but you can overwrite starting from certain UserBlocks.

Chunks may not be deterministic, but subsegments and UserBlocks are. Only after the 2nd UserBlocks can we overwrite the UserBlocks header. Then you need to be able to trigger arbitrary allocations. To do that, you could target UserBlocks.FirstAllocationOffset, UserBlocks.BlockStride, or UserBlocks.BusyBitmap (overwriting the BusyBitmap.Buffer pointer and setting it to any pointer that points to a NULL/low value that is static and writable). To reliably reach the UserBlocks header, you need to know the offset/distance, which makes it difficult to achieve at this point (but maybe not impossible). An advantage, if you can pull this off, is that you may not need an info leak.



Great work Steven, keep things coming!



This was the last talk I attended at Hack In The Box Amsterdam 2012. I would like to take the opportunity to thank the HITB Crew for having me, everyone I met for being so kind, and YOU, for visiting and reading this page.


© 2012, Peter Van Eeckhoutte (corelanc0d3r). All rights reserved.
