For the purpose of this article, we\u2019ll be analyzing an integer overflow that I had identified in the GOM Media Player software developed by GOM Labs. This bug affects GOM Media Player 2.1.43 and was reported to the GOM Labs development team on November 19, 2012. A patch was released to mitigate this issue on December 12, 2012.<\/p>\n
As with our previous bug, I had identified this vulnerability by fuzzing the MP4\/QT file formats using the Peach Framework (v2.3.9). In order to reproduce this issue, I have provided a bare bones fuzzing template (Peach PIT) which specifically targets the vulnerable portion of the MP4\/QT file format. You can find a copy of that Peach PIT here. The vulnerable version of GOM player can be found here.<\/p>\n
<\/p>\n
<\/p>\n
<\/a>Analyzing the Crash Data<\/h3>\nLet\u2019s begin by taking a look at the file, LocalAgent_StackTrace.txt, which was generated by Peach at crash time. I\u2019ve included the relevant portions below:<\/p>\n
<\/p>\n
(cdc.5f8): Access violation - code c0000005 (first chance)\nr\neax=00000028 ebx=0000004c ecx=0655bf60 edx=00004f44 esi=06557fb4 edi=06555fb8\neip=063b4989 esp=0012bdb4 ebp=06557f00 iopl=0 nv up ei pl nz na pe nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206\nGSFU!DllUnregisterServer+0x236a9:\n063b4989 891481 mov dword ptr [ecx+eax*4],edx ds:0023:0655c000=????????<\/span><\/strong>\n\nkb\nChildEBP RetAddr Args to Child \nWARNING: Stack unwind information not available. Following frames may be wrong.\n0012bdc0 063b65eb 064dcda8 06555fb8 0652afb8 GSFU!DllUnregisterServer+0x236a9\n0012bdd8 063b8605 064dcda8 06555fb8 0652afb8 GSFU!DllUnregisterServer+0x2530b\n0012be00 063b8a85 064dcda8 0652afb8 0652afb8 GSFU!DllUnregisterServer+0x27325\n0012be18 063b65eb 064dcda8 0652afb8 06510fb8 GSFU!DllUnregisterServer+0x277a5\n0012be30 063b8605 064dcda8 0652afb8 06510fb8 GSFU!DllUnregisterServer+0x2530b\n0012be58 063b8a85 064dcda8 06510fb8 06510fb8 GSFU!DllUnregisterServer+0x27325\n0012be70 063b65eb 064dcda8 06510fb8 06500fb8 GSFU!DllUnregisterServer+0x277a5\n<...truncated...>\n\nINSTRUCTION_ADDRESS:0x00000000063b4989\nINVOKING_STACK_FRAME:0\nDESCRIPTION:User Mode Write AV\nSHORT_DESCRIPTION:WriteAV\nCLASSIFICATION:EXPLOITABLE\nBUG_TITLE:Exploitable - User Mode Write AV starting at GSFU!DllUnregisterServer+0x00000000000236a9 (Hash=0x1f1d1443.0x00000000)<\/span><\/strong>\nEXPLANATION:User mode write access violations that are not near NULL are exploitable.<\/pre>\n(You can download the complete Peach crash data here)<\/p>\n
As we can see here, we\u2019ve triggered a write access violation by attempting to write the value of edx to the location pointed at by [ecx+eax*4]. This instruction fails of course because the location [ecx+eax*4] points to an inaccessible region of memory. (0655c000=????????)<\/p>\n
Since we do not have symbols for this application, the stack trace does not provide us with any immediately evident clues as to the cause of our exception.<\/p>\n
Furthermore, we can also see that !exploitable has made the assumption that this crash is exploitable due to the fact that the faulting instruction attempts to write data to an out of bounds location and that location is not near null. It makes this distinction because a location that is near null may be indicative of a null pointer dereference and these types of bugs are typically not exploitable (though not always<\/a>). Let\u2019s try and determine if !exploitable is in fact, correct in this assumption.<\/p>\n <\/p>\n
<\/p>\n
<\/a>Identifying the Cause of Exception<\/h3>\n<\/a>Page heap<\/h4>\nBefore we begin, there\u2019s something very important that we must discuss. Take a look at the bare bones Peach PIT I\u2019ve provided; particularly the Agent configuration beginning at line 55.<\/p>\n
<Agent name="LocalAgent">\n <Monitor class="debugger.WindowsDebugEngine">\n <Param name="CommandLine" value="C:\\Program Files\\GRETECH\\GomPlayer\\GOM.EXE "C:\\fuzzed.mov"" \/>\n <Param name="StartOnCall" value="GOM.EXE" \/>\n <\/Monitor>\n <Monitor class="process.PageHeap">\n <Param name="Executable" value="GOM.EXE"\/>\n <\/Monitor>\n<\/Agent><\/pre>\nUsing this configuration, I\u2019ve defined the primary monitor as the \u201cWindowsDebugEngine\u201d which uses PyDbgEng, a wrapper for the WinDbg engine dbgeng.dll, in order to monitor the process. This is typical of most Peach fuzzer configurations under windows. However, what\u2019s important to note here is the second monitor, \u201cprocess.PageHeap\u201d. This monitor enables full page heap verification by using the Microsoft Debugging tool, GFlags (Global Flags Editor). In short, GFlags is a utility that is packaged with the Windows SDK, and enables users to more easily troubleshoot potential memory corruption issues. There are a number of configuration options available with GFlags. For the purpose of this article, we\u2019ll only be discussing 2: standard and full page heap verification.<\/p>\n
When using page heap verification, a special page header prefixes each heap chunk. The image below displays the structure of a standard (allocated) heap chunk and the structure of an (allocated) heap chunk with page heap enabled.<\/p>\n
![\"RCA-Integer-Overflow-6\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2013\/05\/RCAIntegerOverflow6_thumb.png\" "\\"RCA-Integer-Overflow-6\\"")
<\/a> <\/strong><\/p>\n\nThis information can also be extracted by using the following display types variables:<\/p>\n
<\/p>\n
# Displays the standard heap metadata. Replace 0xADDRESS with the heap chunk start address<\/p>\n
dt _HEAP_ENTRY 0xADDRESS<\/strong><\/p>\n <\/p>\n
# Displays the page heap metadata. Replace 0xADDRESS with the start stamp address.<\/p>\n
dt _DPH_BLOCK_INFORMATION 0xADDRESS<\/strong><\/p>\n<\/blockquote>\nOne of the most important additions to the page heap header is the "user stack traces" (+ust) field. This field contains a pointer to the stack trace of our allocated chunk. This means that we\u2019re now able to enumerate which functions eventually lead to the allocation or free of a heap chunk in question. This is incredibly useful when trying to track down the root cause of our exception.<\/p>\n
Both standard and full heap verification prefix each chunk with this header. The primary difference between standard and full page heap verification is that under standard heap verification, fill patterns are placed at the end of each heap chunk (0xa0a0a0a0). If for instance a buffer overflow were to occur and data was written beyond the boundary of the heap chunk, the fill pattern located at the end of the chunk would be overwritten and therefore, corrupted. When our now corrupt block is accessed by the heap manager, the heap manager will detect that the fill pattern has been modified\/corrupted and cause an access violation to occur.<\/p>\n
With full page heap verification enabled, rather than appending a fill pattern, each heap chunk is placed at the end of a (small) page. This page is followed by another (small) page that has the PAGE_NOACCESS access level set. Therefore, as soon as we attempt to write past the end of the heap chunk, an access violation will be triggered directly (in comparison with having to wait for a call to the heap manager). Of course, the use of full page heap will drastically change the heap layout, because a heap allocation will trigger the creation of a new page. In fact, the application may even run out of heap memory space if your application is performing a lot of allocations.<\/p>\n
For a full explanation of GFlags, please take a look at the MSDN documentation here<\/a>.<\/p>\nNow the reason I\u2019ve brought this up, is that in order to replicate the exact crash generated by Peach, we\u2019ll need to enable GFlags for the GOM.exe process. GFlags is part of the Windows Debugging Tools package which is now included in the Windows SDK. The Windows 7 SDK, which is recommended for both Windows XP and 7 can be found here<\/a>.<\/p>\nIn order to enable full page heap verification for the GOM.exe process, we\u2019ll need to execute the following command.<\/p>\n
C:\\Program Files\\Debugging Tools for Windows (x86)>gflags \/p \/enable GOM.exe \/full<\/pre>\n <\/p>\n
<\/a>Initial analysis<\/h4>\nWith that said, let\u2019s begin by comparing our original seed file and mutated file using the 010 Binary Editor.<\/p>\n
Please note that in the screenshot below, \u201cAddress A\u201d and \u201cAddress B\u201d correlate with OriginalSeed.mov and MutatedSeed.mov respectively.<\/p>\n
![\"RCA-Integer-Overflow-1\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2013\/03\/RCAIntegerOverflow1_thumb.png\" "\\"RCA-Integer-Overflow-1\\"")
<\/a><\/p>\nHere we can see that our fuzzer applied 8 different mutations and removed 1 block element entirely (as identified by our change located at offset 0x12BE).<\/p>\n
As documented in the previous article, you should begin by reverting each change, 1 element at a time, from their mutated values to those found in the original seed file. After each change, save the updated sample and open it up in GOM Media Player while monitoring the application using WinDbg.<\/p>\n
windbg.exe "C:\\Program Files\\GRETECH\\GomPlayer\\GOM.EXE" "C:\\Path-To\\MutatedSeed.mov"<\/pre>\nThe purpose here is to identify the minimum number of mutated bytes required to trigger our exception. Rather than documenting each step of the process which we had already outlined in the previous article, we\u2019ll simply jump forward to the end result. Your minimized sample file should now look like the following:<\/p>\n
![\"RCA-Integer-Overflow-8\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2013\/06\/RCAIntegerOverflow8_thumb.png\" "\\"RCA-Integer-Overflow-8\\"")
<\/a><\/p>\nHere we can see that a single, 4 byte change located at file offset 0x131F was responsible for triggering our crash. In order to identify the purpose of these bytes, we must identify what atom or container they belong to.<\/p>\n
Just prior to our mutated bytes, we can see the ASCII string \u201cstsz\u201d. This is known as a FourCC<\/a>. The QuickTime and MPEG-4 file formats rely on these FourCC strings in order to identify various atoms or containers used within the file format. Knowing that, we can lookup the structure of the \u201cstsz\u201d atom in the QuickTime File Format Specification found here<\/a>.<\/p>\nSize: 0x00000100 \nType: 0x7374737A (ASCII stsz) \nVersion: 0x00 \nFlags: 0x000000 \nSample Size: 0x00000000\nNumber of Entries: 0x8000000027<\/span><\/strong>\nSample Size Table(1): 0x000094B5\nSample Size Table(2): 0x000052D4<\/pre>\nLooking at the layout of the \u201cstsz\u201d atom, we can see that the value for the \u201cNumber of Entries\u201d element has been replaced with a significantly larger value (0x80000027 compared with the original value of 0x3B). Now that we\u2019ve identified the minimum change required to trigger our exception, let\u2019s take a look at the faulting block (GSFU!DllUnregisterServer+0x236a9) in IDA Pro.<\/p>\n
<\/p>\n
<\/p>\n
<\/a>Reversing the Faulty Function<\/h3>\n![\"RCA-Integer-Overflow-3\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2013\/03\/RCAIntegerOverflow3_thumb.png\" "\\"RCA-Integer-Overflow-3\\"")
<\/a><\/p>\nWithout any state information, such as register values or memory locations used during run time, we can only make minor assumptions based on the instructions contained within this block. However, armed with only this information, let\u2019s see what we can come up with.<\/p>\n
\n- Let\u2019s assume that eax and edx are set to 0x00000000 and that esi points to 0xAABBCCDD<\/li>\n
- A single byte is moved from the location pointed at by esi to edx resulting in edx == 0x000000AA<\/li>\n
- A single byte is moved from the location pointed at by [esi+1] to ecx<\/li>\n
- edx is shifted left by 8 bytes resulting in 0x0000AA00<\/li>\n
- ecx is added to @edx resulting in 0x0000AABB<\/li>\n
- A single byte is moved from the location pointed at by [esi+2] to ecx<\/li>\n
- edx is again shifted left by 8 bytes resulting in 0x00AABB00<\/li>\n
- ecx is again added to edx resulting in 0x00AABBCC<\/li>\n
- A single byte is moved from the location pointed at by [esi+3] to ecx<\/li>\n
- edx is again shifted left by 8 bytes resulting in 0xAABBCC00<\/li>\n
- And finally, ecx is added to edx resulting in 0xAABBCCDD<\/li>\n<\/ul>\n
So what does this all mean? Well, our first 10 instructions appear to be an overly complex version of the following instruction:<\/p>\n
movzx edx, dword ptr [esi]<\/pre>\nHowever, upon closer inspection what we actually see is that due to the way bytes are stored in memory, this function is actually responsible for reversing the byte order of the input string. So our initial read value of 0x41424344 (ABCD) will be written as 0x44434241 (DCBA).<\/p>\n
With that said, let\u2019s reduce our block down to:<\/p>\n
loc_3B04960:\ncmp ebx, 4\njl short loc_3B0499D\t; Jump outside of our block\n\nmovzx edx, dword ptr [esi]\t; Writes reverse byte order ([::-1])\nmov ecx, [edi+28h]\nmov ecx, [ecx+10h]\nmov [ecx+eax*4], edx \t; Exception occurs here.\n\t\t\t\t; Write @edx to [ecx+eax*4]\nmov edx, [edi+28h]\nmov ecx, [edx+0Ch]\nadd esi, 4\nsub ebx, 4\ninc eax\ncmp eax, ecx\njb short loc_3B04960<\/pre>\nNow before we actually observe our block in the debugger, there are still a few more characteristics we can enumerate.<\/p>\n
\n- The value pointed to by esi is moved to edx<\/li>\n
- edx is then written to [ecx+eax*4]<\/li>\n
- The value of esi is increased by 4<\/li>\n
- The value of ebx is decreased by 4<\/li>\n
- eax is incremented by 1<\/li>\n
- The value of eax is compared against ecx. If eax is equal to ecx, exit the block. Otherwise, jump to our first instruction.<\/li>\n
- Once at the beginning of our block, ebx is then compared against 0x4. If ebx is less than 4, exit the block. Otherwise, perform our loop again.<\/li>\n<\/ul>\n
To summarize, our first instruction attempts to determine if ebx is less than or equal to 4. If it is not, we begin our loop by moving a 32 bit value at memory location \u201cA\u201d and write it to memory location \u201cB\u201d. Then we check to make sure eax is not equal to ecx. If it isn\u2019t, then we return to the beginning of our loop. This process will continue, performing a block move of our data until one of our 2 conditions are met.<\/p>\n
With a rough understanding of the instruction set, let\u2019s observe its behavior in our debugger. We\u2019ll set the following breakpoints which will halt execution if either of our conditions cause our block iteration to exit and inform us of what data is being written and to where.<\/p>\n
r @$t0 = 1\nbp GSFU!DllUnregisterServer+0x23680 ".printf \\"Block iteration #%p\\\\n\\", @$t0; r @$t0 = @$t0 + 1; .if (@ebx <= 0x4) {.printf \\"1st condition is true. Exiting block iteration\\\\n\\"; } .else {.printf \\"1st condition is false (@ebx == 0x%p). Performing iteration\\\\n\\", @ebx; gc}"\nbp GSFU!DllUnregisterServer+0x236a9 ".printf \\"The value, 0x%p, is taken from 0x%p and written to 0x%p\\\\n\\", @edx, @esi, (@ecx+@eax*4); gc"\nbp GSFU!DllUnregisterServer+0x236b9 ".if (@eax == @ecx) {.printf \\"2nd is false. Exiting block iteration.\\\\n\\\\n\\"; } .else {.printf \\"2nd condition is true. ((@eax == 0x%p) <= (@ecx == 0x%p)). Performing iteration\\\\n\\\\n\\", @eax, @ecx; gc}"<\/pre>\nWith our breakpoints set, you should see something similar to the following:<\/p>\n
Block iteration #00000001\n1st condition is false (@ebx == 0x000000ec). Performing iteration\nThe value, 0x000094b5, is taken from 0x07009f14 and written to 0x0700df60\n2nd condition is true. ((@eax == 0x00000001) <= (@ecx == 0x80000027)). Performing iteration\n\nBlock iteration #00000002\n1st condition is false (@ebx == 0x000000e8). Performing iteration\nThe value, 0x000052d4, is taken from 0x07009f18 and written to 0x0700df64\n2nd condition is true. ((@eax == 0x00000002) <= (@ecx == 0x80000027)). Performing iteration\n\n...truncated...\n\nBlock iteration #00000028\n1st condition is false (@ebx == 0x00000050). Performing iteration\nThe value, 0x00004fac, is taken from 0x07009fb0 and written to 0x0700dffc\n2nd condition is true. ((@eax == 0x00000028) <= (@ecx == 0x80000027)). Performing iteration\n\nBlock iteration #00000029\n1st condition is false (@ebx == 0x0000004c). Performing iteration\nThe value, 0x00004f44, is taken from 0x07009fb4 and written to 0x0700e000\n(1974.1908): Access violation - code c0000005 (first chance)\nFirst chance exceptions are reported before any exception handling.\nThis exception may be expected and handled.\neax=00000028 ebx=0000004c ecx=0700df60 edx=00004f44 esi=07009fb4 edi=07007fb8\neip=06e64989 esp=0012bdb4 ebp=07009f00 iopl=0 nv up ei pl nz na pe nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206\nGSFU!DllUnregisterServer+0x236a9:\n06e64989 891481 mov dword ptr [ecx+eax*4],edx ds:0023:0700e000=????????<\/pre>\nHere we can see that neither of our conditions caused our block iteration to exit. Our instruction block performed 0x29 writes until a memory boundary was reached (likely caused by our full page heap verification) which triggers an access violation. Using the \u2018db\u2019 command, we let\u2019s take a look at the data we've written.<\/p>\n
0:000> db 0x0700df60\n0700df60 b5 94 00 00 d4 52 00 00-a8 52 00 00 2c 52 00 00 .....R...R..,R..\n0700df70 7c 52 00 00 80 52 00 00-a4 52 00 00 28 53 00 00 |R...R...R..(S..\n0700df80 18 53 00 00 94 52 00 00-20 53 00 00 ac 52 00 00 .S...R.. S...R..\n0700df90 28 53 00 00 e0 51 00 00-d0 52 00 00 88 52 00 00 (S...Q...R...R..\n0700dfa0 e0 52 00 00 94 52 00 00-18 53 00 00 14 52 00 00 .R...R...S...R..\n0700dfb0 14 52 00 00 5c 52 00 00-34 52 00 00 08 52 00 00 .R..\\R..4R...R..\n0700dfc0 d4 51 00 00 84 51 00 00-d8 51 00 00 d8 50 00 00 .Q...Q...Q...P..\n0700dfd0 3c 51 00 00 04 52 00 00-a4 51 00 00 bc 50 00 00 <q...r...q...p..<\/pre>\nNow let\u2019s break down the information returned by our breakpoints:<\/p>\n
\n- First, taking a look at our write instructions we can see that the data being written appears to be the contents of our \u201cSample Size Table\u201d. Our vulnerable block is responsible for reading 32 bits during each iteration from a region of memory beginning at 0x07009F14 and writing it to a region beginning at 0x0700DF60 (these addresses may be different for you and will likely change after each execution). This is good a good sign as it means that we can control what data is being written<\/span>.<\/li>\n
- Furthermore, we can see that during our second condition, eax is being compared against the same value being provided as the \u201cNumber of Entries\u201d element within our \u201cstsz\u201d atom. This means that we can control at least 1 of the 2 conditions<\/span> which will determine how many times our write instruction occurs. This is good. As with our previous example (KMPlayer), we demonstrated that if we can write beyond the intended boundary of our function, we may be able to overwrite sensitive data.<\/li>\n
- As for our first condition, it\u2019s not yet apparent where the value stored in ebx is derived. More on this in a bit.<\/li>\n<\/ul>\n
At this point, things are looking pretty good. So far we\u2019ve determined that we can control the data we write and at least one of our conditions. However, we still haven\u2019t figured out yet why we\u2019re writing beyond our boundary and into the guard page. In order to determine this, we\u2019ll need to enumerate some information regarding the region where our data is being written, such as the size and type (whether it be stack, heap, or virtually allocated memory). To do so, we can use corelan0cd3r\u2019s mona extension for WinDbg. Before we do however, we\u2019ll need to modify Gflags to only enable standard page heap verification. The reason for this is that when using full page heap verification, Gflags will modify our memory layout in such a way that will not accurately reflect our memory state when run without GFlags. To enable standard page heap verification, we\u2019ll execute the following command:<\/p>\n
gflags.exe \/p \/enable gom.exe<\/pre>\nNext, let's go ahead and start our process under WinDbg. This time, we'll only apply 1 breakpoint in order to halt execution upon execution of our first write instruction.<\/p>\n
0:000> bp GSFU!DllUnregisterServer+0x236a9 ".printf \\"The value, 0x%p, is taken from 0x%p and written to 0x%p\\\\n\\", @edx, @esi, (@ecx+@eax*4)"<\/span>\n<\/strong>Bp expression 'GSFU!DllUnregisterServer+0x236a9' could not be resolved, adding deferred bp\n0:000> g<\/span><\/strong>\n\nThe value, 0x000094b5, is taken from 0x06209c4c and written to 0x06209dc0<\/span><\/strong>\neax=00000000 ebx=000000ec ecx=06209dc0 edx=000094b5 esi=06209c4c edi=06209bb8\neip=06034989 esp=0012bdb4 ebp=06209c38 iopl=0 nv up ei pl nz na po nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202\nGSFU!DllUnregisterServer+0x236a9:\n06034989 891481 mov dword ptr [ecx+eax*4],edx ds:0023:06209dc0=00000000\n0:000> !py mona info -a 0x06209dc0<\/span><\/strong>\nHold on...\n[+] Generating module info table, hang on...\n - Processing modules\n - Done. Let's rock 'n roll.\n[+] NtGlobalFlag: 0x02000000\n 0x02000000 : +hpa - Enable Page Heap\n\n[+] Information about address 0x06209dc0\n {PAGE_READWRITE}\n Address is part of page 0x06200000 - 0x0620a000\n This address resides in the heap\n\nAddress 0x06209dc0 found in \n _HEAP @ 06200000, Segment @ 06200680\n ( bytes ) (bytes)\n HEAP_ENTRY Size PrevSize Unused Flags UserPtr UserSize Remaining - state\n 06209d98 000000d8 00000050 00000014 [03] 06209dc0 000000a4 0000000c Extra present,Busy (hex)\n 00000216 00000080 00000020 00000164 00000012 Extra present,Busy (dec)\n\n Chunk header size: 0x8 (8)\n Extra header due to GFlags: 0x20 (32) bytes\n DPH_BLOCK_INFORMATION Header size: 0x20 (32)\n StartStamp : 0xabcdaaaa\n Heap : 0x86101000\n RequestedSize : 0x0000009c<\/span><\/strong>\n ActualSize : 0x000000c4\n TraceIndex : 0x0000193e\n StackTrace : 0x04e32364<\/span><\/strong>\n EndStamp : 0xdcbaaaaa\n Size initial allocation request: 0xa4 (164)\n Total space for data: 0xb0 (176)\n Delta between initial size and total space for data: 0xc (12)\n Data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...\n\n[+] Disassembly:\n Instruction at 06209dc0 : ADD BYTE PTR [EAX],AL\n\nOutput of !address 0x06209dc0:\n\nUsage: <unclassified>\nAllocation Base: 06200000\nBase Address: 06200000\nEnd Address: 0620a000\nRegion Size: 0000a000\nType: 00020000.MEM_PRIVATE\nState: 00001000.MEM_COMMIT\nProtect: 00000004.PAGE_READWRITE<\/pre>\nGood. So here we can see that we\u2019re writing to an allocated heap chunk. The requested size of our block is 0x9C. Based on our access violation, we can already determine that the current state of our mutated file will attempt to write more than 0x9C bytes of data. After 0x9C bytes, our boundary is reached and an access violation is triggered. Considering the structure in which we\u2019re writing our data, it appears as if we\u2019ve identified a very simple example of a heap overflow. If we are able to control the length of the data being written and another heap chunk sits in a location following our written data, we may be able to write beyond the bounds of our chunk and corrupt the metadata (chunk header) of the following chunk, or application data stored in that adjacent chunk (that is of course with GFlags disabled). More on this later.<\/p>\n
However, before we attempt to do so, we still have not determined the actual cause of our exception. Why is it that we are allocating a region that is only 0x9C bytes, yet attempting to write significantly more? Our next step in the process will be to determine where our allocated size of 0x9C comes from. Is this some value specified in the file?<\/p>\n
There are in in fact several methods we could use to determine this. We could set a breakpoint on all heap allocations of size 0x9C. Once we\u2019ve identified the appropriate allocation, we can then look into the calling function in order to determine where the size is derived.<\/p>\n
Fortunately for us, with GFlags enabled, that is unnecessary. As I mentioned earlier, when page heap verification is enabled, a field within the page heap header contains a pointer to the stack trace of our allocated block. A pointer to this stack trace is listed in !mona\u2019s output under DPH_BLOCK_INFORMATION*** table (highlighted above). This allows us to see which functions were called just prior to our allocation.<\/p>\n
\nThis information can also be obtained without !mona by using the !heap command while supplying an address within the heap chunk:<\/p>\n
!heap \u2013p \u2013a 0x06209dc0<\/strong><\/p>\n <\/p>\n
You can also retrieve this information using the \u2018dt\u2019 command and the address of the chunk\u2019s \u201cStartStamp\u201d.<\/p>\n
dt _DPH_BLOCK_INFORMATION 0x06209da0.<\/strong><\/p>\n<\/blockquote>\nWith that said, let\u2019s use the \u2018dds\u2019 command to display the stack trace of the allocated chunk.<\/p>\n
0:000> dds 0x04e32364\n\n04e32364 abcdaaaa\n04e32368 00000001\n04e3236c 00000004\n04e32370 00000001\n04e32374 0000009c\n04e32378 06101000\n04e3237c 04fbeef8\n04e32380 04e32384\n04e32384 7c94b244 ntdll!RtlAllocateHeapSlowly+0x44\n04e32388 7c919c0c ntdll!RtlAllocateHeap+0xe64\n04e3238c 0609c2af GSFU!DllGetClassObject+0x29f8f\n04e32390 06034941 GSFU!DllUnregisterServer+0x23661<\/span><\/strong><\/pre>\nHere we can see two GOM functions (GSFU!DLLUnregisterServer and GSFU!DLLGetClassObject) are called prior to the allocation. First, let\u2019s take a quick glance at the function just prior to our call to ntdll!RtlAllocateHeap using IDA Pro.<\/p>\n
![\"RCA-Integer-Overflow-4\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2013\/03\/RCAIntegerOverflow4_thumb.png\" "\\"RCA-Integer-Overflow-4\\"")
<\/a><\/p>\nSo as we would expect, here we can see a call to HeapAlloc. The value being provided as dwBytes would be 0x9C (our requested size).<\/p>\n
It\u2019s important to note here that IDA Pro, unlike WinDbg, has the ability to enumerate functions such as this. When it identifies a call to a known function, it will automatically apply comments in order to identify known variables supplied to that function. In the case of HeapAlloc (ntdll!RtlAllocateHeap), it will accept 3 arguments; dwBytes (size of the allocation), dwFlags, and hHeap (a pointer to the owning heap). More information on this function can be found at the MSDN page here<\/a>.<\/p>\nNow in order to identify where the value of dwBytes is introduced, let\u2019s go ahead and take a quick look at the previous function (GSFU!DllUnregisterServer+0x23661) in our stack trace.![\"RCA-Integer-Overflow-5\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2013\/03\/RCAIntegerOverflow5_thumb.png\" "\\"RCA-Integer-Overflow-5\\"")
<\/a><\/p>\nInteresting. Here we can see that a call to the Calloc function is made, which in turn calls HeapAlloc. Before we continue, we need to have a short discussion about Calloc.<\/p>\n
Calloc<\/a> is a function used to allocate a contiguous block of memory when parsing an array. It accepts two arguments:<\/p>\nsize_t num ; Number of Objects\nsize_t size ; Size of Objects<\/pre>\nIt will allocate a region of memory using a size derived by multiplying both arguments (Number of Objects * Size of Objects). Then, by calling memset<\/a> it will zero initialize the array (not really important for the purpose of this article). What is important to note however, is that rather than using the CRT version of Calloc (msvcrt!calloc), an internal implementation is used. We can see this by following the call (the code is included in the GSFU module rather than making an external call to msvcrt)***. The importance of this will become clear very soon.<\/p>\n\nYou can easily follow any call in IDA Pro by simply clicking on the called function. In this case, clicking on \u201c_calloc\u201d will bring us to our inlined function. We can determine that the function has been inlined as GSFU.ax is our only loaded module. A jump to the msvcrt!calloc function would be displayed by an \u201cextrn\u201d, or external, data reference (DREF).<\/p>\n<\/blockquote>\n
Now, with a quick look at our two calling functions, let\u2019s go ahead and set a one time breakpoint on the first value being supplied to Calloc so that once it is hit, another breakpoint is applied to ntdll!RtlAllocateHeap. Then, we\u2019ll trace until ntdll!RtlAllocateHeap is hit.<\/p>\n
Let\u2019s go ahead and apply the following breakpoint, and then tell the process to continue running (g)<\/p>\n
0:000> bp GSFU!DllUnregisterServer+0x23653 \/1 "bp ntdll!RtlAllocateHeap; ta"<\/span><\/strong>\nBp expression 'GSFU!DllUnregisterServer+0x23653 \/1' could not be resolved, adding deferred bp\n0:000> g<\/span><\/strong>\n\neax=050d9d70 ebx=000000f8 ecx=050d9d70 edx=80000027<\/span><\/strong> esi=050d9c48 edi=050d9bb8\neip=06034934 esp=0012bdb0 ebp=050d9c38 iopl=0 nv up ei ng nz na pe nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200286\nGSFU!DllUnregisterServer+0x23653\n06034933 52 push edx ; Number of Elements<\/span><\/strong>\neax=050d9d70 ebx=000000f8 ecx=050d9d70 edx=80000027 esi=050d9c48 edi=050d9bb8\neip=06034934 esp=0012bdb0 ebp=050d9c38 iopl=0 nv up ei ng nz na pe nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200286\nGSFU!DllUnregisterServer+0x23654:\n06034934 6a04 push 4 ; Size of Elements<\/span><\/strong>\neax=050d9d70 ebx=000000f8 ecx=050d9d70 edx=80000027 esi=050d9c48 edi=050d9bb8\neip=06034936 esp=0012bdac ebp=050d9c38 iopl=0 nv up ei ng nz na pe nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200286\nGSFU!DllUnregisterServer+0x23656:\n06034936 83c604 add esi,4\neax=050d9d70 ebx=000000f8 ecx=050d9d70 edx=80000027 esi=050d9c4c edi=050d9bb8\neip=06034939 esp=0012bdac ebp=050d9c38 iopl=0 nv up ei pl nz na po nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202\nGSFU!DllUnregisterServer+0x23659:\n06034939 83eb0c sub ebx,0Ch\neax=050d9d70 ebx=000000ec ecx=050d9d70 edx=80000027 esi=050d9c4c edi=050d9bb8\neip=0603493c esp=0012bdac ebp=050d9c38 iopl=0 nv up ei pl nz ac po nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200212\nGSFU!DllUnregisterServer+0x2365c:\n0603493c e8e6780600 call GSFU!DllGetClassObject+0x29f07 (0609c227) ; Calloc<\/span><\/strong>\n\n...truncated...\n\neax=0012bd94 ebx=000000ec ecx=050d9d70 edx=80000027 esi=00000004<\/span><\/strong> edi=050d9bb8\neip=05d5c236 esp=0012bd78 ebp=0012bda4 iopl=0 nv up ei pl nz na pe nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200206\nGSFU!DllGetClassObject+0x29f16:\n05d5c236 0faf750c imul esi,dword ptr [ebp+0Ch] ss:0023:0012bdb0=80000027<\/span><\/strong>\neax=0012bd94 ebx=000000ec ecx=050d9d70 edx=80000027 esi=0000009c<\/span><\/strong> edi=050d9bb8\neip=05d5c23a esp=0012bd78 ebp=0012bda4 iopl=0 ov up ei pl nz na pe cy\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200a07\nGSFU!DllGetClassObject+0x29f1a:\n05d5c23a 8975e0 mov dword ptr [ebp-20h],esi ss:0023:0012bd84=0012d690\n\n...truncated...\n\neax=0012bd94 ebx=000000ec ecx=050d9d70 edx=80000027 esi=0000009c<\/span><\/strong> edi=00000000\neip=05d5c2a0 esp=0012bd78 ebp=0012bda4 iopl=0 nv up ei pl zr na pe nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246\nGSFU!DllGetClassObject+0x29f80:\n05d5c2a0 56 push esi ; Allocation Size<\/span><\/strong>\neax=0012bd94 ebx=000000ec ecx=050d9d70 edx=80000027 esi=0000009c edi=00000000\neip=05d5c2a1 esp=0012bd74 ebp=0012bda4 iopl=0 nv up ei pl zr na pe nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246\nGSFU!DllGetClassObject+0x29f81:\n05d5c2a1 6a08 push 8 ; Flags<\/span><\/strong>\neax=0012bd94 ebx=000000ec ecx=050d9d70 edx=80000027 esi=0000009c edi=00000000\neip=05d5c2a3 esp=0012bd70 ebp=0012bda4 iopl=0 nv up ei pl zr na pe nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246\nGSFU!DllGetClassObject+0x29f83:\n05d5c2a3 ff35a0cada05 push dword ptr [GSFU!DllGetClassObject+0x7a780 (05dacaa0)] ds:0023:05dacaa0=05dc0000 ; HeapHandle<\/span><\/strong>\neax=0012bd94 ebx=000000ec ecx=050d9d70 edx=80000027 esi=0000009c edi=00000000\neip=05d5c2a9 esp=0012bd6c ebp=0012bda4 iopl=0 nv up ei pl zr na pe nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246\nGSFU!DllGetClassObject+0x29f89:\n05d5c2a9 ff15ece0d605 call dword ptr [GSFU!DllGetClassObject+0x3bdcc (05d6e0ec)] ds:0023:05d6e0ec={ntdll!RtlAllocateHeap (7c9100c4)}<\/span><\/strong>\nBreakpoint 1 hit\neax=0012bd94 ebx=000000ec ecx=050d9d70 edx=80000027 esi=0000009c edi=00000000\neip=7c9100c4 esp=0012bd68 ebp=0012bda4 iopl=0 nv up ei pl zr na pe nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246\nntdll!RtlAllocateHeap:\n7c9100c4 6804020000 push 204h<\/pre>\nWhen analyzing operations like this, I typically find it best to start from the bottom up. Since we already know that our requested allocation size is 0x9C, we can begin at the point where the value 0x9C is provided as the dwBytes argument for ntdll!RtlAllocateHeap (GSFU!DllGetClassObject+0x29f80).<\/p>\n
The next thing we need to do is look for the instruction, prior to our push instruction, that either introduces the value 0x9C to esi or modifies it. Looking back a few lines, we see this instruction:<\/p>\n
eax=0012bd94 ebx=000000ec ecx=050d9d70 edx=80000027 esi=00000004<\/span><\/strong> edi=050d9bb8\neip=05d5c236 esp=0012bd78 ebp=0012bda4 iopl=0 nv up ei pl nz na pe nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200206\nGSFU!DllGetClassObject+0x29f16:\n05d5c236 0faf750c imul esi,dword ptr [ebp+0Ch] ss:0023:0012bdb0=80000027<\/span><\/strong><\/pre>\nInteresting. It appears that we\u2019re performing signed multiplication of the value contained in esi (0x4) and our \u201cNumber of Entries\u201d element within the \u201cstsz\u201d atom (as pointed to by our stack entry located at 0x0012bdb0). This makes sense since Calloc, as we had previously discussed, will perform an allocation of data with a size of (Number of Elements * Size of Elements). However, there seems to be a problem with our math. When multiplying 0x80000027 * 0x4, our result should be 0x20000009C rather than 0x0000009C. The reason for this is that we\u2019re attempting to store a value larger than what our 32 bit register can hold. When doing so, an integer overflow occurs and our result is \u201cwrapped,\u201d causing only the 32 least significant bits to be stored in our register.<\/p>\n
With this, we can control the size of our allocations by manipulating the value contained within our \u201cNumber of Entries\u201d element. By allocating a chunk smaller than the data we intend to write, we can trigger a heap overflow.<\/p>\n
However, the root cause of our issue is not exactly as clear as it may seem. When we looked at our function in IDA Pro earlier, we determined that rather than using the CRT version of calloc (msvcrt!calloc), GOM used a wrapped version instead. Had the actual Calloc function been used, this vulnerability would not exist. To explain this, let\u2019s take a look at the code snippet below:<\/p>\n
<\/p>\n
#include <stdio.h>\n#include <malloc.h>\n\nint main( void )\n{\n\n int size = 0x4; \/\/ Size of Element\n int num = 0x80000027;\t\/\/ Number of Elements\n int *buffer;\n printf( "Attempting to allocate a buffer with size: 0x20000009C" );\n buffer = (int *)calloc( size, num ); \/\/ Size of Element * Number of Elements\n if( buffer != NULL )\n printf( "Allocated buffer with size (0x%X)\\n", _msize(buffer) );\n else\n printf( "Failed to allocate buffer.\\n" );\n free( buffer );\n}<\/pre>\nThe example above demonstrates a valid (albeit it, not the best) use of the Calloc. Here we\u2019re trying to allocate an array with a size of 0x200000009C (0x4 * 0x80000027). Let\u2019s see what would happen if we were to compile and run this code:<\/p>\n
Attempting to allocate a buffer with size: 0x200000009C\nFailed to allocate buffer.<\/pre>\nInteresting. Calloc will fail to allocate a buffer due to checks intended in detect wrapped values. Under Windows XP SP3, this functionality can be seen in the following 2 instructions.<\/p>\n
eax=ffffffe0 ebx=00000000 ecx=00000004 edx=00000000 esi=016ef79c edi=016ef6ee\neip=77c2c0dd esp=0022ff1c ebp=0022ff48 iopl=0 nv up ei pl zr na pe nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246\nmsvcrt!calloc+0x1a:\n77c2c0dd f7f1 div eax,ecx\neax=3ffffff8 ebx=00000000 ecx=00000004 edx=00000000 esi=016ef79c edi=016ef6ee\neip=77c2c0df esp=0022ff1c ebp=0022ff48 iopl=0 nv up ei pl zr na pe nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246\nmsvcrt!calloc+0x1c:\n77c2c0df 3b450c cmp eax,dword ptr [ebp+0Ch] ss:0023:0022ff54=80000027<\/pre>\nHere we can see that the (near) maximum value for a 32 bit register (0xFFFFFFE0) is divided by our first argument supplied to Calloc. The result is then compared against the second value supplied to calloc. If the second value is larger, Calloc is able to determine that an integer overflow will occur and exit.<\/p>\n
However, the _Calloc function found in the GSFU module, unlike msvcrt!calloc, does not contain this check. Take a look at the following example:<\/p>\n
#include <stdio.h>\n#include <malloc.h>\n\nint _calloc( size_t num, size_t size )\n{\n size_t total = num * size; \/\/ Integer overflow occurs here\n return (total);\n}\n\nint main( void )\n{\n int size = 4; \/\/ Size of Element\n int num = 0x80000017; \/\/ Number of Elements\n int *buffer;\n int chunk_size = _calloc( size, num );\n printf ("Attempting to allocate a buffer with size: 0x%X\\n", chunk_size);\n buffer = (int *)malloc(chunk_size);\n if( buffer != NULL )\n printf( "Allocated buffer with size (0x%X)\\n", _msize(buffer) );\n else\n printf( "Failed to allocate buffer.\\n" );\n free( buffer );\n}<\/pre>\nHere we can see that instead of using the actual calloc function, we\u2019re multiplying our two values (\u201cElement Size\u201d and \u201cNumber of Elements\u201d) and storing the result in a variable called \u201cchunk_size\u201d. That value is then supplied as the size argument to malloc.<\/p>\n
Using the values from our mutated seed, let\u2019s take a look at our sample program\u2019s output:<\/p>\n
Attempting to allocate a buffer with size: 0x9C\nAllocated buffer with size (0x9C)<\/pre>\nAs we expected, the application readily accepts our wrapped value (0x9C) and provides this as the size argument being supplied to malloc. This in turn will cause our buffer to be undersized allowing our heap overflow to occur.<\/p>\n
<\/p>\n
<\/p>\n
<\/a>Determining Exploitability<\/h3>\nExcellent. So with that, we\u2019ve successfully identified the root cause of our exception. Let\u2019s summarize what we\u2019ve already discovered:<\/p>\n
\n- We\u2019ve determined that by manipulating the \u201cNumber of Elements\u201d entry within the \u201cstsz\u201d atom, we can trigger an integer overflow.<\/li>\n
- The result of this integer overflow (wrapped value) is then supplied to ntdll!RtlAllocateHeap causing an undersized buffer to be created.<\/li>\n
- The contents of our \u201cSample Size Table\u201d is then written to our buffer. However, since the \u201cSample Size Table\u201d is larger, we\u2019re able to write beyond the boundary of our chunk (heap overflow).<\/li>\n<\/ul>\n
As with our previous vulnerability (KMPlayer), this level of control actually provides us with a number of ways to exploit this issue.<\/p>\n
<\/p>\n
<\/a>Challenges<\/h4>\nBefore we continue I\u2019d like to outline some of the challenges we will face when attempting to exploit this issue (if for no other reason than to garner some sympathy for my likely \u201cunreliable\u201d techniques).<\/p>\n
\n- First, when dealing with heap issues, it is incredibly helpful to have some level of control over the heap layout. Allocations from the heap are dynamic and as such, the locations of these allocations will likely not be predictable. This is one reason why exploit writers will often leverage heap spraying in order to massage the heap into a deterministic state, allowing them to create predictable or semi-predictable locations in memory. Historically, this has been accomplished by calling the vulnerable application via it\u2019s web browser plug-in (ActiveX) when available, and then leveraging a scripting language (typically JavaScript) in order to perform a series of allocations of user controlled data. Recently, our very own corelanc0d3r developed DEPS<\/a>, which is a new method for performing a precise heap spray, allowing the exploit writer to point to an exact, reliable location in memory in order to access user supplied data. Unfortunately, GOM Media Player does not ship with a working version of it\u2019s ActiveX control allowing us to call it via a web browser (an ActiveX object is included in the release, however it appears to have been built for a significantly older version and is functionally broken for this release). With that said, we either need to find another way to create a deterministic heap state or be incredibly lucky.<\/li>\n
- Next, most of the modules included with GOM Media Player are rebased. This means that we cannot reference any data from these modules directly as the addresses will likely change. The importance of this will be demonstrated in a bit.<\/li>\n
- And finally, anyone who has attempted to develop exploits based on the QuickTime (MPEG) file format can tell you that the working with the file format is not pleasant. Allocations are typically done on a per atom (and sub-atom) basis. Attempts to manipulate allocations and frees in order to control the heap layout are either incredibly difficult, or at times, impossible.<\/li>\n<\/ul>\n
<\/span><\/p>\n<\/a>Prerequisites<\/h4>\nIn this article we will cover a number of basic concepts of the Windows XP SP3 heap manager. Rather than attempting to poorly reiterate the incredible work done by actual researchers<\/span> in the past, I highly recommend that you read the following two documents as prerequisites prior to beginning this section.<\/p>\n\n- Practical Windows XP\/2003 Heap Exploitation by Chris Valasek and John McDonald<\/a><\/li>\n
- Exploiting Freelist[0] on XPSP2 by Brett Moore<\/li>\n<\/ul>\n
I cannot stress enough the importance of the documents listed above. The intention of this article is to apply heap exploitation techniques discovered in the past to our GOM specific vulnerability. In order to do so, I must first reiterate a great deal of information that has already been explained (with greater depth and clarity) in the 2 documents listed above. This document is not intended to be a definitive guide and should not be used as one.<\/p>\n
<\/p>\n
<\/a>Heap Basics<\/h4>\nEach application by default is provided with a singular heap, known as the default or process heap, to perform memory management functions. As application complexity increases and more requests are handled by the heap manager, an application can greatly improve performance by creating additional, private heaps. This is done by calling the HeapCreate<\/a> function. Under WinDbg, you can enumerate a list of all active heaps by using the !heap extension.<\/p>\n0:000> !heap\nIndex Address Name Debugging options enabled\n 1: 00250000 \n 2: 00360000 \n 3: 00370000<\/pre>\nEach heap contains a very important structure known as the heap base. This structure maintains information about the heap and it\u2019s capabilities, as well as data regarding additional, referenced structures. Under WinDbg, you can enumerate the heap base structure by using the _HEAP variable name.<\/p>\n
0:000> dt _HEAP 00250000 \nntdll!_HEAP\n +0x000 Entry : _HEAP_ENTRY\n +0x008 Signature : 0xeeffeeff\n +0x00c Flags : 2\n +0x010 ForceFlags : 0\n +0x014 VirtualMemoryThreshold : 0xfe00\n +0x018 SegmentReserve : 0x100000\n +0x01c SegmentCommit : 0x2000\n +0x020 DeCommitFreeBlockThreshold : 0x200\n +0x024 DeCommitTotalFreeThreshold : 0x2000\n +0x028 TotalFreeSize : 0x86\n +0x02c MaximumAllocationSize : 0x7ffdefff\n +0x030 ProcessHeapsListIndex : 1\n +0x032 HeaderValidateLength : 0x608\n +0x034 HeaderValidateCopy : (null) \n +0x038 NextAvailableTagIndex : 0\n +0x03a MaximumTagIndex : 0\n +0x03c TagEntries : (null) \n +0x040 UCRSegments : (null) \n +0x044 UnusedUnCommittedRanges : 0x00250598 _HEAP_UNCOMMMTTED_RANGE\n +0x048 AlignRound : 0xf\n +0x04c AlignMask : 0xfffffff8\n +0x050 VirtualAllocdBlocks : _LIST_ENTRY [ 0x250050 - 0x250050 ]\n +0x058 Segments : [64] 0x00250640 _HEAP_SEGMENT\n +0x158 u : __unnamed\n +0x168 u2 : __unnamed\n +0x16a AllocatorBackTraceIndex : 0\n +0x16c NonDedicatedListLength : 1\n +0x170 LargeBlocksIndex : (null) \n +0x174 PseudoTagEntries : (null) \n +0x178 FreeLists : [128] _LIST_ENTRY [ 0x259bd8 - 0x259bd8 ]\n +0x578 LockVariable : 0x00250608 _HEAP_LOCK\n +0x57c CommitRoutine : (null) \n +0x580 FrontEndHeap : 0x00250688 Void\n +0x584 FrontHeapLockCount : 0\n +0x586 FrontEndHeapType : 0x1 ''\n +0x587 LastSegmentIndex : 0 ''<\/pre>\nUsing either the default heap or private heaps, an application can then request (allocate) a region of memory to be used by the application. This can be performed by using several commands including but not limited to HeapAlloc<\/a>, malloc<\/a>, and new<\/a>. Although the syntax of each command differs, the result is generally the same with a call being made to the ntdll!RtlAllocateHeap<\/a> function in order to directly reserve our requested region of memory.<\/p>\nNow as the heap manager receives these requests, it will need to identify a suitable block to return back to the user. In order to identify which block to return, the heap manager will first check the front-end heap manager. If the front end heap manager can not service this request, the back end heap manager will be checked. In most cases, the back-end heap manager will be able to service the request*.<\/p>\n
\nIn rare cases where both the front-end and back-end managers are unable to service application requests, the heap will reserve the memory directly from an associated UCR segment. More information can be found on this structure in Practical Windows XP\/2003 Exploitation by McDonald and Valasek.<\/p>\n<\/blockquote>\n
Now in it\u2019s most basic form, the front-end and back-end heap managers can simply be thought of as structures which maintain a list of pointers to free blocks (free blocks are simply regions of memory assigned to a particular heap that are ready for allocation). Under Windows XP, the front-end heap manager can exist (or not exist) in 3 forms: none, Lookaside Lists (LAL), or under rare cases the Low Fragmentation Heap (LFH)*. For the purpose of this article, we will only be discussing the Lookaside Lists (LAL).<\/p>\n
\nBeginning with Windows Vista and beyond, the Low Fragmentation Heap (LFH) is the default front-end heap manager.<\/p>\n<\/blockquote>\n
<\/p>\n
Lookaside Lists<\/h5>\n
Now as I mentioned, when an allocation request is issued, the heap manager will first check the front-end heap manager. Under Windows XP, this will (in nearly all cases) be the structure known as the Lookaside List (LAL). The LAL is used to service memory requests of 1016 bytes or less (plus 8 bytes for the heap entry header). Requests for memory regions larger than 1016 bytes will be forwarded to the back-end heap manager.<\/p>\n
A pointer to this structure is located at offset +0x580 from the _HEAP base.<\/p>\n
+0x580 FrontEndHeap : 0x00250688 Void<\/pre>\nNow the top level hierarchy of the LAL structure contains 127 lists. Each list is associated with a LAL entry for that particular size. This creates a logical layout similar to the following:<\/p>\n
Lookaside[0] # Unused \nLookaside[1] # Unused \nLookaside[2] # Size: 16 (0x10) \u2013 0x8 (Header) Usable Size: 8 (0x8)\nLookaside[3] # Size: 24 (0x18) - 0x8 (Header) Usable Size: 16 (0x10)\n<\u2026truncated\u2026>\nLookaside[127] # Size: 1016 (0x3F8) - 0x8 (Header) Usable Size: 1008 (0x3F0)<\/pre>\nEach list head is 0x30 bytes in length and has the following structure:<\/p>\n
Flink: Ptr32\nDepth: Uint2B\nSequence: Uint2B\nDepth2: Uint2B\nMaximumDepth: Uint2B\nTotalAllocates: Uint4B\nAllocateMisses\/AllocateHits: Uint4B\nTotalFrees: Uint4B\nFreeMisses\/FreeHits: Uint4B\nType: Uint4B\nTag: Uint4B\nSize: Uint4B\nAllocate: Uint4B\nFree: Uint4B<\/pre>\nPlease note, that the Flink, or forward link pointer, points to the first chunk in the list. If this value is NULL, this means that this list head is empty and does not reference any LAL chunks. A chunk on the LAL will have the following structure:<\/p>\n
Self Size: Uint2B - Size of current chunk\nPrevious Size: Uint2B - Size of previous Chunk\nChunk Cookie: Uint1B - Security Cookie\nChunk Flag: Uint1B\nUnused: Uint1B\nSegment Index: Uint1B\nFlink: Ptr32 - Pointer to next chunk in current list<\/pre>\nPlease note that the Flink in this case will point to the next chunk in the list. If this value is NULL, this means this is the last chunk in our list.<\/p>\n
This all may seem quite confusing at first. However, let\u2019s see if we can put it all together by analyzing the following scenario. Consider for a moment, that we have an active Lookaside list associated with our default heap (0x00160000), with multiple entries on LAL nodes 2 and 3 (sizes 16 and 24 bytes respectively). This would create a logical structure similar to the following:<\/p>\n
\nPlease note: This information was generated using the \u201c!py mona heap -h 0x00160000 \u2013t fea\u201d command. Please see mona\u2019s help output for further information.<\/p>\n<\/blockquote>\n
LAL [2] @0x0016006e8, Expected Chunksize 0x10 (16), Flink : 0x00163730\n 3 chunks:\n ChunkPtr: 0x00163728, UserPtr: 0x00163730, Flink: 0x00164498, ChunkSize: 0x10, UserSize: 0x4, Userspace: 0x8 (Busy) \n ChunkPtr: 0x00164490, UserPtr: 0x00164498, Flink: 0x00164228, ChunkSize: 0x10, UserSize: 0x8, Userspace: 0x8 (Busy) \n ChunkPtr: 0x00164220, UserPtr: 0x00164228, Flink: 0x00000000, ChunkSize: 0x10, UserSize: 0x8, Userspace: 0x8 (Busy) \n\nLAL [3] @0x00160718, Expected Chunksize 0x18 (24), Flink : 0x00164238\n 2 chunks:\n ChunkPtr: 0x00164230, UserPtr: 0x00164238, Flink: 0x00164210, ChunkSize: 0x18, UserSize: 0xc, Userspace: 0x10 (Busy) \n ChunkPtr: 0x00164208, UserPtr: 0x00164210, Flink: 0x00000000, ChunkSize: 0x18, UserSize: 0x10, Userspace: 0x10 (Busy)<\/pre>\nNow let\u2019s break it down. Here we can see that there are 3 entries associated with LAL [2]. The chunk size for these entries are 0x10 bytes with 0x8 bytes of usable space (as 0x8 bytes are reserved for the chunk header). The Flink of our list head points to the first chunk in this LAL at address 0x00163730. Looking at our list, we can see our chunk as designated by the ChunkPtr with an address of 0x00163728. This chunk has a Flink of 0x00164498 which points to the next chunk in or list. Continuing along the chain, we see that our final chunk has a Flink of 0x00000000. This means that this is the final chunk in the list.<\/p>\n
This method of pointing to, or identifying the next chunk in the list, creates what is known as a "singly-linked" list. Meaning that we have 1 variable which will always point to the next chunk in the list until we\u2019ve reached the end.<\/p>\n
Looking at our second list head (LAL [3]), we see much of the same. There are 2 chunks associated with this list. The Flink on the list head points to a chunk at 0x00164230 and this chunk has a Flink pointing to the final chunk on the list with an address of 0x00164210. These entries are of course 0x18 bytes in size with 0x10 bytes of usable space.<\/p>\n
Now if the application were to request 0x10 bytes of space, the heap manager would begin looking at the Lookaside List. It would traverse the list until it landed upon LAL [3]. You may be wondering however, why the heap manager wouldn\u2019t select LAL[2] to service this allocation? Well, remember that although the list size is 0x10 bytes, 0x8 bytes are reserved for the chunk header. So instead, LAL [3] would be chosen as it would be able to provide the 0x10 bytes of usable space needed by the application. Now when attempting to allocate data from the LAL, chunks are handled in a last in, first out (LIFO) order. Since freed chunks are placed at the beginning of the list, the first chunk in the list will be the one that is returned to the application when an allocation request of the same size is received.<\/p>\n
So back to our list. If an allocation request is received for 0x10 bytes, the application would identify LAL [3], follow the Flink of the list head which points to 0x00164498 and return this chunk. This process is called \u201cunlinking\u201d as the free chunk is unlinked from the Lookaside List and returned. This would leave the list looking like this:<\/p>\n
LAL [3] @0x00160718, Expected Chunksize 0x18 (24), Flink : 0x00164210\n 1 chunk:\n ChunkPtr: 0x00164208, UserPtr: 0x00164210, Flink: 0x00000000, ChunkSize: 0x18, UserSize: 0x10, Userspace: 0x10 (Busy)<\/pre>\nSo here we can see that our chunk has been removed and that the Flink of the list head has been updated to point to the next Chunk in the list. This means that the next request with a size of 0x10 bytes will be return 0x00164210 (assuming no new chunks have been freed, or \u201clinked\u201d to LAL[3]).<\/p>\n
Excellent. Now that we\u2019ve covered that, we can move on to the back end allocator also known as the Freelists. However, as many of these principals will also apply to the Freelists, it is very important that you understand the LAL structure before moving on.<\/p>\n
<\/p>\n
<\/a>Freelists<\/h5>\nAs I mentioned earlier, if a request cannot be serviced by the front end allocator, in this case the Lookaside Lists, it is then forwarded on to the backend allocator. Under Windows XP (and later versions), this is known as the Freelists. It\u2019s important to understand that allocation requests may be forwarded to the Freelists for one of two reasons. First, if the allocation request is for a size greater than 1016 bytes (the maximum size handled by the LAL), the request will be forwarded on to the Freelists. Also, if an allocation request is issued for a size not present on the LAL, meaning that no chunks are available for that size, it\u2019ll be forwarded on to the Freelists.<\/p>\n
As with the LAL, a pointer to the Freelists structure can be found at offset +0x178 from the heap base. Furthermore, like the LAL, each list head entry on the Freelists is organized based upon size. This size equates to the list head position * 0x8 (just like the LAL). The only exception to this rule is Freelist[0], which is responsible for managing all requests greater than 1024 bytes. Consider the following layout.<\/p>\n
Freelist[0] # Manages all sizes > 1024 \nFreelist[1] # Unused \nFreelist[2] # Size: 16 (0x10)\nFreelist[3] # Size: 24 (0x18)\n<\u2026truncated\u2026>\nFreelist[127] # Size: 1016<\/pre>\nEach Freelist list head has the following structure:<\/p>\n
ntdll!_LIST_ENTRY\n +0x000 Flink : Ptr32 _LIST_ENTRY\n +0x004 Blink : Ptr32 _LIST_ENTRY<\/pre>\nThe Flink, or forward link pointer in the list head will point to the first free chunk in the list entry. The Blink, or backward link pointer, will point to the UserPtr of the last chunk in the list. If however, the list is empty, both the Flink and Blink will point to themselves.<\/p>\n
Using the _LIST_ENTRY variable, we can enumerate a bit about the Freelist structure. In this example, we\u2019ll be looking at Freelist[0] belonging to the heap at 0x00160000.<\/p>\n
\nPlease note, the addresses of the list heads will always have a static offset from the heap base. For instance, Freelist[0] will always exist at offset +0x178 from the heap base.<\/p>\n<\/blockquote>\n
0:012> dt _LIST_ENTRY 00160178\nntdll!_LIST_ENTRY\n [ 0x51b4468 - 0x51b6010 ]\n +0x000 Flink : 0x051b4468 _LIST_ENTRY [ 0x51b6010 - 0x160178 ]\n +0x004 Blink : 0x051b6010 _LIST_ENTRY [ 0x160178 - 0x51b4468 ]<\/pre>\nHere we can see that Freelist[0] is not in fact, empty. If it were, both the Flink and Blink would have pointers to 0x00160178. On the contrary however, following the Flink we can see that the UserPtr of the first chunk in the list is located at 0x051B4468. We can also see that the UserPtr of the last chunk in the list is located at 0x051B6010. This however, leaves quite a bit unanswered as we don\u2019t currently know how many chunks belong to Freelist[0]. Before we determine that, we first must discuss the structure of the chunks belonging to the Freelists.<\/p>\n
Self Size: Uint2B - Size of current chunk\nPrevious Size: Uint2B - Size of previous Chunk\nChunk Cookie: Uint1B - Security Cookie\nChunk Flag: Uint1B\nUnused: Uint1B\nSegment Index: Uint1B\nFlink: Ptr32 - Pointer to next chunk in current list\nBlink: Ptr32 - Pointer to previous chunk in current list<\/pre>\nAs with the Freelist list head, we can see that the Freelists chunks themselves also contain Flink and Blink pointers. In this case, the Flink in Blink pointers are used to point to the chunk prior to and after the current chunk, depending on the location in the list. In the case of the first chunk in the list, the Blink would point back to the list head. In the case of the last chunk in the list, the Flink would also point back to the list head. This creates what is known as a doubly-linked list as every element in the structure contains a pointer to identify the elements which precede and follow the current element.<\/p>\n
Once again, let\u2019s evaluate the following Freelist in order to better understand its structure. Again, using the example of our default heap (0x00160000):<\/p>\n
\nThis information can be derived using the following !mona command:<\/p>\n
!py mona heap -h 0x00160000 -t bea<\/strong><\/p>\n<\/blockquote>\n <\/p>\n
[+] FreeList[00] at 0x00160178, Expected size: >1016 (>0x3f8)\n ChunkPtr: 0x0018f8c8, Header: 0x8 bytes, UserPtr: 0x0018f8d0, Flink: 0x00191e40, Blink: 0x00160178, ChunkSize: 0x1da8 (7592), Usersize: 0x1d9e (7582) \n ChunkPtr: 0x00191e38, Header: 0x8 bytes, UserPtr: 0x00191e40, Flink: 0x00181218, Blink: 0x0018f8d0, ChunkSize: 0x21c8 (8648), Usersize: 0x21c0 (8640) \n ChunkPtr: 0x00181210, Header: 0x8 bytes, UserPtr: 0x00181218, Flink: 0x00160178, Blink: 0x00191e40, ChunkSize: 0x9600 (38400), Usersize: 0x95f8 (38392) \n[+] FreeList[02] at 0x00160188, Expected size: 0x10 (16)\n ChunkPtr: 0x0017cdc0, Header: 0x8 bytes, UserPtr: 0x0017cdc8, Flink: 0x00169280, Blink: 0x00160188, ChunkSize: 0x10 (16), Usersize: 0x8 (8) \n ChunkPtr: 0x00169278, Header: 0x8 bytes, UserPtr: 0x00169280, Flink: 0x00160188, Blink: 0x0017cdc8, ChunkSize: 0x10 (16), Usersize: 0x8 (8) \n[+] FreeList[03] at 0x00160190, Expected size: 0x18 (24)\n ChunkPtr: 0x0018dac0, Header: 0x8 bytes, UserPtr: 0x0018dac8, Flink: 0x00160190, Blink: 0x00160190, ChunkSize: 0x18 (24), Usersize: 0x10 (16)<\/pre>\nLooking at Freelist[0], we can see that there are 3 chunks, each of which is greater than 1024 bytes. Looking at the first chunk, we can see that the Flink points to the UserPtr of the next chunk. The Blink however in this case, points back to the list head. The second chunk in the list again has a Flink pointing to the next chunk and a Blink pointing back to the first chunk. This behavior continues with the remaining chunks in the list with the exception of our final chunk. In order to complete our doubly-linked list, we can see that the final chunk contains a Flink which points back to the list head.<\/p>\n
With Freelist[2], we again see much of the same. Here we have 2 chunks, our first of which contains a Flink to the next chunk and a Blink pointing back to the list head. Our second chunk contains a Blink pointing back to the first chunk and a Flink pointing to the list head.<\/p>\n
Freelist[3] however, we can see that as there is only a single chunk in the list, both the Flink and Blink point back to the list head.<\/p>\n
Now consider the following scenario. If the application were to issue an allocation request for 8000 (0x1F40) bytes, the heap manager would first evaluate the size and determine that it is too large to be serviced by the LAL. With this, the request would then be forwarded on to the Freelists. As the requested size is greater than 1024 bytes, the heap manager would then begin traversing Freelist[0] as this is the only list which tracks chunks greater than 1024 bytes. Moving along the list, the heap manager would select the 2nd chunk in Freelist[0] as it is the first chunk in the list larger than 8000 bytes. However, we run into a slight issue as the chunk we\u2019ve selected is actually larger than the chunk size requested (8648 > 8000). What ends up happening is that the heap manager will \u201cunlink\u201d the 8000 bytes requested by the application. Then, a new chunk will be created using the 648 bytes remaining (640 bytes actually as we must account for 8 bytes for the heap header). As this chunk is no longer greater than 1024 bytes, it will be moved to a Freelist[80]*** (which manages chunks 640 (0x280) bytes in length). The chunks in Freelist[0] will then have their Flink and Blink pointers updated to account for the now missing chunk.<\/p>\n
\n***Please note: When a chunk is resized, a new independent chunk is not always created. If the remaining space is adjacent to other free heap chunks, this space may then be coalesced, or combined, with the adjacent heap chunks to create a singular, larger heap chunk. Again, a significantly better and more thorough explanation can be found in Practical Windows XP\/2003 Exploitation<\/a> by McDonald and Valasek.<\/p>\n<\/blockquote>\n <\/p>\n
The result of this allocation request would then modify our Freelist structure as follows:<\/p>\n
[+] FreeList[00] at 0x00160178, Expected size: >1016 (>0x3f8)\n ChunkPtr: 0x0018f8c8, Header: 0x8 bytes, UserPtr: 0x0018f8d0, Flink: 0x00181218, Blink: 0x00160178, ChunkSize: 0x1da8 (7592), Usersize: 0x1d9e (7582) \n ChunkPtr: 0x00181210, Header: 0x8 bytes, UserPtr: 0x00181218, Flink: 0x00160178, Blink: 0x0018f8d0, ChunkSize: 0x9600 (38400), Usersize: 0x95f8 (38392) \n[+] FreeList[02] at 0x00160188, Expected size: 0x10 (16)\n ChunkPtr: 0x0017cdc0, Header: 0x8 bytes, UserPtr: 0x0017cdc8, Flink: 0x00169280, Blink: 0x00160188, ChunkSize: 0x10 (16), Usersize: 0x8 (8) \n ChunkPtr: 0x00169278, Header: 0x8 bytes, UserPtr: 0x00169280, Flink: 0x00160188, Blink: 0x0017cdc8, ChunkSize: 0x10 (16), Usersize: 0x8 (8) \n[+] FreeList[03] at 0x00160190, Expected size: 0x18 (24)\n ChunkPtr: 0x0018dac0, Header: 0x8 bytes, UserPtr: 0x0018dac8, Flink: 0x00160190, Blink: 0x00160190, ChunkSize: 0x18 (24), Usersize: 0x10 (16) \n[+] FreeList[80] at 0x001603f8, Expected size: 0x280 (640)\n ChunkPtr: 0x00193d80, Header: 0x8 bytes, UserPtr: 0x00193d88, Flink: 0x001603f8, Blink: 0x001603f8, ChunkSize: 0x280 (640), Usersize: 0x280 (640)<\/pre>\nHere we can see that Freelist[0] now contains only 2 chunks. Boh of which have had their Flink and Blink pointers updated so that they point at each other. Furthermore, we can see the addition of our chunk at Freelist[80].<\/p>\n
<\/p>\n
Preventative Security Measures<\/h4>\nSafe-Unlinking<\/h5>\n
Now before we attempt to exploit this bug there\u2019s a few minor details that we must cover. Prior to Windows XP SP2, gaining an 4 byte arbitrary write was a fairly straightforward process. Although at the time, not many people were exploiting heap based bugs as the amount of documentation regarding the subject was very limited. One method available targeted the unlink process of chunks belonging to a doubly-linked list.<\/p>\n
\n
(You can download the complete Peach crash data here)<\/p>\n
As we can see here, we\u2019ve triggered a write access violation by attempting to write the value of edx to the location pointed at by [ecx+eax*4]. This instruction fails of course because the location [ecx+eax*4] points to an inaccessible region of memory. (0655c000=????????)<\/p>\n
Since we do not have symbols for this application, the stack trace does not provide us with any immediately evident clues as to the cause of our exception.<\/p>\n
Furthermore, we can also see that !exploitable has made the assumption that this crash is exploitable due to the fact that the faulting instruction attempts to write data to an out of bounds location and that location is not near null. It makes this distinction because a location that is near null may be indicative of a null pointer dereference and these types of bugs are typically not exploitable (though not always<\/a>). Let\u2019s try and determine if !exploitable is in fact, correct in this assumption.<\/p>\n <\/p>\n <\/p>\n Before we begin, there\u2019s something very important that we must discuss. Take a look at the bare bones Peach PIT I\u2019ve provided; particularly the Agent configuration beginning at line 55.<\/p>\n Using this configuration, I\u2019ve defined the primary monitor as the \u201cWindowsDebugEngine\u201d which uses PyDbgEng, a wrapper for the WinDbg engine dbgeng.dll, in order to monitor the process. This is typical of most Peach fuzzer configurations under windows. However, what\u2019s important to note here is the second monitor, \u201cprocess.PageHeap\u201d. This monitor enables full page heap verification by using the Microsoft Debugging tool, GFlags (Global Flags Editor). In short, GFlags is a utility that is packaged with the Windows SDK, and enables users to more easily troubleshoot potential memory corruption issues. There are a number of configuration options available with GFlags. For the purpose of this article, we\u2019ll only be discussing 2: standard and full page heap verification.<\/p>\n When using page heap verification, a special page header prefixes each heap chunk. The image below displays the structure of a standard (allocated) heap chunk and the structure of an (allocated) heap chunk with page heap enabled.<\/p>\n This information can also be extracted by using the following display types variables:<\/p>\n <\/p>\n # Displays the standard heap metadata. Replace 0xADDRESS with the heap chunk start address<\/p>\n dt _HEAP_ENTRY 0xADDRESS<\/strong><\/p>\n <\/p>\n # Displays the page heap metadata. Replace 0xADDRESS with the start stamp address.<\/p>\n dt _DPH_BLOCK_INFORMATION 0xADDRESS<\/strong><\/p>\n<\/blockquote>\n One of the most important additions to the page heap header is the "user stack traces" (+ust) field. This field contains a pointer to the stack trace of our allocated chunk. This means that we\u2019re now able to enumerate which functions eventually lead to the allocation or free of a heap chunk in question. This is incredibly useful when trying to track down the root cause of our exception.<\/p>\n Both standard and full heap verification prefix each chunk with this header. The primary difference between standard and full page heap verification is that under standard heap verification, fill patterns are placed at the end of each heap chunk (0xa0a0a0a0). If for instance a buffer overflow were to occur and data was written beyond the boundary of the heap chunk, the fill pattern located at the end of the chunk would be overwritten and therefore, corrupted. When our now corrupt block is accessed by the heap manager, the heap manager will detect that the fill pattern has been modified\/corrupted and cause an access violation to occur.<\/p>\n With full page heap verification enabled, rather than appending a fill pattern, each heap chunk is placed at the end of a (small) page. This page is followed by another (small) page that has the PAGE_NOACCESS access level set. Therefore, as soon as we attempt to write past the end of the heap chunk, an access violation will be triggered directly (in comparison with having to wait for a call to the heap manager). Of course, the use of full page heap will drastically change the heap layout, because a heap allocation will trigger the creation of a new page. In fact, the application may even run out of heap memory space if your application is performing a lot of allocations.<\/p>\n For a full explanation of GFlags, please take a look at the MSDN documentation here<\/a>.<\/p>\n Now the reason I\u2019ve brought this up, is that in order to replicate the exact crash generated by Peach, we\u2019ll need to enable GFlags for the GOM.exe process. GFlags is part of the Windows Debugging Tools package which is now included in the Windows SDK. The Windows 7 SDK, which is recommended for both Windows XP and 7 can be found here<\/a>.<\/p>\n In order to enable full page heap verification for the GOM.exe process, we\u2019ll need to execute the following command.<\/p>\n <\/p>\n With that said, let\u2019s begin by comparing our original seed file and mutated file using the 010 Binary Editor.<\/p>\n Please note that in the screenshot below, \u201cAddress A\u201d and \u201cAddress B\u201d correlate with OriginalSeed.mov and MutatedSeed.mov respectively.<\/p>\n Here we can see that our fuzzer applied 8 different mutations and removed 1 block element entirely (as identified by our change located at offset 0x12BE).<\/p>\n As documented in the previous article, you should begin by reverting each change, 1 element at a time, from their mutated values to those found in the original seed file. After each change, save the updated sample and open it up in GOM Media Player while monitoring the application using WinDbg.<\/p>\n The purpose here is to identify the minimum number of mutated bytes required to trigger our exception. Rather than documenting each step of the process which we had already outlined in the previous article, we\u2019ll simply jump forward to the end result. Your minimized sample file should now look like the following:<\/p>\n Here we can see that a single, 4 byte change located at file offset 0x131F was responsible for triggering our crash. In order to identify the purpose of these bytes, we must identify what atom or container they belong to.<\/p>\n Just prior to our mutated bytes, we can see the ASCII string \u201cstsz\u201d. This is known as a FourCC<\/a>. The QuickTime and MPEG-4 file formats rely on these FourCC strings in order to identify various atoms or containers used within the file format. Knowing that, we can lookup the structure of the \u201cstsz\u201d atom in the QuickTime File Format Specification found here<\/a>.<\/p>\n Looking at the layout of the \u201cstsz\u201d atom, we can see that the value for the \u201cNumber of Entries\u201d element has been replaced with a significantly larger value (0x80000027 compared with the original value of 0x3B). Now that we\u2019ve identified the minimum change required to trigger our exception, let\u2019s take a look at the faulting block (GSFU!DllUnregisterServer+0x236a9) in IDA Pro.<\/p>\n <\/p>\n <\/p>\n Without any state information, such as register values or memory locations used during run time, we can only make minor assumptions based on the instructions contained within this block. However, armed with only this information, let\u2019s see what we can come up with.<\/p>\n So what does this all mean? Well, our first 10 instructions appear to be an overly complex version of the following instruction:<\/p>\n However, upon closer inspection what we actually see is that due to the way bytes are stored in memory, this function is actually responsible for reversing the byte order of the input string. So our initial read value of 0x41424344 (ABCD) will be written as 0x44434241 (DCBA).<\/p>\n With that said, let\u2019s reduce our block down to:<\/p>\n Now before we actually observe our block in the debugger, there are still a few more characteristics we can enumerate.<\/p>\n To summarize, our first instruction attempts to determine if ebx is less than or equal to 4. If it is not, we begin our loop by moving a 32 bit value at memory location \u201cA\u201d and write it to memory location \u201cB\u201d. Then we check to make sure eax is not equal to ecx. If it isn\u2019t, then we return to the beginning of our loop. This process will continue, performing a block move of our data until one of our 2 conditions are met.<\/p>\n With a rough understanding of the instruction set, let\u2019s observe its behavior in our debugger. We\u2019ll set the following breakpoints which will halt execution if either of our conditions cause our block iteration to exit and inform us of what data is being written and to where.<\/p>\n With our breakpoints set, you should see something similar to the following:<\/p>\n Here we can see that neither of our conditions caused our block iteration to exit. Our instruction block performed 0x29 writes until a memory boundary was reached (likely caused by our full page heap verification) which triggers an access violation. Using the \u2018db\u2019 command, we let\u2019s take a look at the data we've written.<\/p>\n Now let\u2019s break down the information returned by our breakpoints:<\/p>\n At this point, things are looking pretty good. So far we\u2019ve determined that we can control the data we write and at least one of our conditions. However, we still haven\u2019t figured out yet why we\u2019re writing beyond our boundary and into the guard page. In order to determine this, we\u2019ll need to enumerate some information regarding the region where our data is being written, such as the size and type (whether it be stack, heap, or virtually allocated memory). To do so, we can use corelan0cd3r\u2019s mona extension for WinDbg. Before we do however, we\u2019ll need to modify Gflags to only enable standard page heap verification. The reason for this is that when using full page heap verification, Gflags will modify our memory layout in such a way that will not accurately reflect our memory state when run without GFlags. To enable standard page heap verification, we\u2019ll execute the following command:<\/p>\n Next, let's go ahead and start our process under WinDbg. This time, we'll only apply 1 breakpoint in order to halt execution upon execution of our first write instruction.<\/p>\n Good. So here we can see that we\u2019re writing to an allocated heap chunk. The requested size of our block is 0x9C. Based on our access violation, we can already determine that the current state of our mutated file will attempt to write more than 0x9C bytes of data. After 0x9C bytes, our boundary is reached and an access violation is triggered. Considering the structure in which we\u2019re writing our data, it appears as if we\u2019ve identified a very simple example of a heap overflow. If we are able to control the length of the data being written and another heap chunk sits in a location following our written data, we may be able to write beyond the bounds of our chunk and corrupt the metadata (chunk header) of the following chunk, or application data stored in that adjacent chunk (that is of course with GFlags disabled). More on this later.<\/p>\n However, before we attempt to do so, we still have not determined the actual cause of our exception. Why is it that we are allocating a region that is only 0x9C bytes, yet attempting to write significantly more? Our next step in the process will be to determine where our allocated size of 0x9C comes from. Is this some value specified in the file?<\/p>\n There are in in fact several methods we could use to determine this. We could set a breakpoint on all heap allocations of size 0x9C. Once we\u2019ve identified the appropriate allocation, we can then look into the calling function in order to determine where the size is derived.<\/p>\n Fortunately for us, with GFlags enabled, that is unnecessary. As I mentioned earlier, when page heap verification is enabled, a field within the page heap header contains a pointer to the stack trace of our allocated block. A pointer to this stack trace is listed in !mona\u2019s output under DPH_BLOCK_INFORMATION*** table (highlighted above). This allows us to see which functions were called just prior to our allocation.<\/p>\n This information can also be obtained without !mona by using the !heap command while supplying an address within the heap chunk:<\/p>\n !heap \u2013p \u2013a 0x06209dc0<\/strong><\/p>\n <\/p>\n You can also retrieve this information using the \u2018dt\u2019 command and the address of the chunk\u2019s \u201cStartStamp\u201d.<\/p>\n dt _DPH_BLOCK_INFORMATION 0x06209da0.<\/strong><\/p>\n<\/blockquote>\n With that said, let\u2019s use the \u2018dds\u2019 command to display the stack trace of the allocated chunk.<\/p>\n Here we can see two GOM functions (GSFU!DLLUnregisterServer and GSFU!DLLGetClassObject) are called prior to the allocation. First, let\u2019s take a quick glance at the function just prior to our call to ntdll!RtlAllocateHeap using IDA Pro.<\/p>\n So as we would expect, here we can see a call to HeapAlloc. The value being provided as dwBytes would be 0x9C (our requested size).<\/p>\n It\u2019s important to note here that IDA Pro, unlike WinDbg, has the ability to enumerate functions such as this. When it identifies a call to a known function, it will automatically apply comments in order to identify known variables supplied to that function. In the case of HeapAlloc (ntdll!RtlAllocateHeap), it will accept 3 arguments; dwBytes (size of the allocation), dwFlags, and hHeap (a pointer to the owning heap). More information on this function can be found at the MSDN page here<\/a>.<\/p>\n Now in order to identify where the value of dwBytes is introduced, let\u2019s go ahead and take a quick look at the previous function (GSFU!DllUnregisterServer+0x23661) in our stack trace. Interesting. Here we can see that a call to the Calloc function is made, which in turn calls HeapAlloc. Before we continue, we need to have a short discussion about Calloc.<\/p>\n Calloc<\/a> is a function used to allocate a contiguous block of memory when parsing an array. It accepts two arguments:<\/p>\n It will allocate a region of memory using a size derived by multiplying both arguments (Number of Objects * Size of Objects). Then, by calling memset<\/a> it will zero initialize the array (not really important for the purpose of this article). What is important to note however, is that rather than using the CRT version of Calloc (msvcrt!calloc), an internal implementation is used. We can see this by following the call (the code is included in the GSFU module rather than making an external call to msvcrt)***. The importance of this will become clear very soon.<\/p>\n You can easily follow any call in IDA Pro by simply clicking on the called function. In this case, clicking on \u201c_calloc\u201d will bring us to our inlined function. We can determine that the function has been inlined as GSFU.ax is our only loaded module. A jump to the msvcrt!calloc function would be displayed by an \u201cextrn\u201d, or external, data reference (DREF).<\/p>\n<\/blockquote>\n Now, with a quick look at our two calling functions, let\u2019s go ahead and set a one time breakpoint on the first value being supplied to Calloc so that once it is hit, another breakpoint is applied to ntdll!RtlAllocateHeap. Then, we\u2019ll trace until ntdll!RtlAllocateHeap is hit.<\/p>\n Let\u2019s go ahead and apply the following breakpoint, and then tell the process to continue running (g)<\/p>\n When analyzing operations like this, I typically find it best to start from the bottom up. Since we already know that our requested allocation size is 0x9C, we can begin at the point where the value 0x9C is provided as the dwBytes argument for ntdll!RtlAllocateHeap (GSFU!DllGetClassObject+0x29f80).<\/p>\n The next thing we need to do is look for the instruction, prior to our push instruction, that either introduces the value 0x9C to esi or modifies it. Looking back a few lines, we see this instruction:<\/p>\n Interesting. It appears that we\u2019re performing signed multiplication of the value contained in esi (0x4) and our \u201cNumber of Entries\u201d element within the \u201cstsz\u201d atom (as pointed to by our stack entry located at 0x0012bdb0). This makes sense since Calloc, as we had previously discussed, will perform an allocation of data with a size of (Number of Elements * Size of Elements). However, there seems to be a problem with our math. When multiplying 0x80000027 * 0x4, our result should be 0x20000009C rather than 0x0000009C. The reason for this is that we\u2019re attempting to store a value larger than what our 32 bit register can hold. When doing so, an integer overflow occurs and our result is \u201cwrapped,\u201d causing only the 32 least significant bits to be stored in our register.<\/p>\n With this, we can control the size of our allocations by manipulating the value contained within our \u201cNumber of Entries\u201d element. By allocating a chunk smaller than the data we intend to write, we can trigger a heap overflow.<\/p>\n However, the root cause of our issue is not exactly as clear as it may seem. When we looked at our function in IDA Pro earlier, we determined that rather than using the CRT version of calloc (msvcrt!calloc), GOM used a wrapped version instead. Had the actual Calloc function been used, this vulnerability would not exist. To explain this, let\u2019s take a look at the code snippet below:<\/p>\n <\/p>\n The example above demonstrates a valid (albeit it, not the best) use of the Calloc. Here we\u2019re trying to allocate an array with a size of 0x200000009C (0x4 * 0x80000027). Let\u2019s see what would happen if we were to compile and run this code:<\/p>\n Interesting. Calloc will fail to allocate a buffer due to checks intended in detect wrapped values. Under Windows XP SP3, this functionality can be seen in the following 2 instructions.<\/p>\n Here we can see that the (near) maximum value for a 32 bit register (0xFFFFFFE0) is divided by our first argument supplied to Calloc. The result is then compared against the second value supplied to calloc. If the second value is larger, Calloc is able to determine that an integer overflow will occur and exit.<\/p>\n However, the _Calloc function found in the GSFU module, unlike msvcrt!calloc, does not contain this check. Take a look at the following example:<\/p>\n Here we can see that instead of using the actual calloc function, we\u2019re multiplying our two values (\u201cElement Size\u201d and \u201cNumber of Elements\u201d) and storing the result in a variable called \u201cchunk_size\u201d. That value is then supplied as the size argument to malloc.<\/p>\n Using the values from our mutated seed, let\u2019s take a look at our sample program\u2019s output:<\/p>\n As we expected, the application readily accepts our wrapped value (0x9C) and provides this as the size argument being supplied to malloc. This in turn will cause our buffer to be undersized allowing our heap overflow to occur.<\/p>\n <\/p>\n <\/p>\n Excellent. So with that, we\u2019ve successfully identified the root cause of our exception. Let\u2019s summarize what we\u2019ve already discovered:<\/p>\n As with our previous vulnerability (KMPlayer), this level of control actually provides us with a number of ways to exploit this issue.<\/p>\n <\/p>\n Before we continue I\u2019d like to outline some of the challenges we will face when attempting to exploit this issue (if for no other reason than to garner some sympathy for my likely \u201cunreliable\u201d techniques).<\/p>\n <\/span><\/p>\n In this article we will cover a number of basic concepts of the Windows XP SP3 heap manager. Rather than attempting to poorly reiterate the incredible work done by actual researchers<\/span> in the past, I highly recommend that you read the following two documents as prerequisites prior to beginning this section.<\/p>\n I cannot stress enough the importance of the documents listed above. The intention of this article is to apply heap exploitation techniques discovered in the past to our GOM specific vulnerability. In order to do so, I must first reiterate a great deal of information that has already been explained (with greater depth and clarity) in the 2 documents listed above. This document is not intended to be a definitive guide and should not be used as one.<\/p>\n <\/p>\n Each application by default is provided with a singular heap, known as the default or process heap, to perform memory management functions. As application complexity increases and more requests are handled by the heap manager, an application can greatly improve performance by creating additional, private heaps. This is done by calling the HeapCreate<\/a> function. Under WinDbg, you can enumerate a list of all active heaps by using the !heap extension.<\/p>\n Each heap contains a very important structure known as the heap base. This structure maintains information about the heap and it\u2019s capabilities, as well as data regarding additional, referenced structures. Under WinDbg, you can enumerate the heap base structure by using the _HEAP variable name.<\/p>\n Using either the default heap or private heaps, an application can then request (allocate) a region of memory to be used by the application. This can be performed by using several commands including but not limited to HeapAlloc<\/a>, malloc<\/a>, and new<\/a>. Although the syntax of each command differs, the result is generally the same with a call being made to the ntdll!RtlAllocateHeap<\/a> function in order to directly reserve our requested region of memory.<\/p>\n Now as the heap manager receives these requests, it will need to identify a suitable block to return back to the user. In order to identify which block to return, the heap manager will first check the front-end heap manager. If the front end heap manager can not service this request, the back end heap manager will be checked. In most cases, the back-end heap manager will be able to service the request*.<\/p>\n In rare cases where both the front-end and back-end managers are unable to service application requests, the heap will reserve the memory directly from an associated UCR segment. More information can be found on this structure in Practical Windows XP\/2003 Exploitation by McDonald and Valasek.<\/p>\n<\/blockquote>\n Now in it\u2019s most basic form, the front-end and back-end heap managers can simply be thought of as structures which maintain a list of pointers to free blocks (free blocks are simply regions of memory assigned to a particular heap that are ready for allocation). Under Windows XP, the front-end heap manager can exist (or not exist) in 3 forms: none, Lookaside Lists (LAL), or under rare cases the Low Fragmentation Heap (LFH)*. For the purpose of this article, we will only be discussing the Lookaside Lists (LAL).<\/p>\n Beginning with Windows Vista and beyond, the Low Fragmentation Heap (LFH) is the default front-end heap manager.<\/p>\n<\/blockquote>\n <\/p>\n Now as I mentioned, when an allocation request is issued, the heap manager will first check the front-end heap manager. Under Windows XP, this will (in nearly all cases) be the structure known as the Lookaside List (LAL). The LAL is used to service memory requests of 1016 bytes or less (plus 8 bytes for the heap entry header). Requests for memory regions larger than 1016 bytes will be forwarded to the back-end heap manager.<\/p>\n A pointer to this structure is located at offset +0x580 from the _HEAP base.<\/p>\n Now the top level hierarchy of the LAL structure contains 127 lists. Each list is associated with a LAL entry for that particular size. This creates a logical layout similar to the following:<\/p>\n Each list head is 0x30 bytes in length and has the following structure:<\/p>\n Please note, that the Flink, or forward link pointer, points to the first chunk in the list. If this value is NULL, this means that this list head is empty and does not reference any LAL chunks. A chunk on the LAL will have the following structure:<\/p>\n Please note that the Flink in this case will point to the next chunk in the list. If this value is NULL, this means this is the last chunk in our list.<\/p>\n This all may seem quite confusing at first. However, let\u2019s see if we can put it all together by analyzing the following scenario. Consider for a moment, that we have an active Lookaside list associated with our default heap (0x00160000), with multiple entries on LAL nodes 2 and 3 (sizes 16 and 24 bytes respectively). This would create a logical structure similar to the following:<\/p>\n Please note: This information was generated using the \u201c!py mona heap -h 0x00160000 \u2013t fea\u201d command. Please see mona\u2019s help output for further information.<\/p>\n<\/blockquote>\n Now let\u2019s break it down. Here we can see that there are 3 entries associated with LAL [2]. The chunk size for these entries are 0x10 bytes with 0x8 bytes of usable space (as 0x8 bytes are reserved for the chunk header). The Flink of our list head points to the first chunk in this LAL at address 0x00163730. Looking at our list, we can see our chunk as designated by the ChunkPtr with an address of 0x00163728. This chunk has a Flink of 0x00164498 which points to the next chunk in or list. Continuing along the chain, we see that our final chunk has a Flink of 0x00000000. This means that this is the final chunk in the list.<\/p>\n This method of pointing to, or identifying the next chunk in the list, creates what is known as a "singly-linked" list. Meaning that we have 1 variable which will always point to the next chunk in the list until we\u2019ve reached the end.<\/p>\n Looking at our second list head (LAL [3]), we see much of the same. There are 2 chunks associated with this list. The Flink on the list head points to a chunk at 0x00164230 and this chunk has a Flink pointing to the final chunk on the list with an address of 0x00164210. These entries are of course 0x18 bytes in size with 0x10 bytes of usable space.<\/p>\n Now if the application were to request 0x10 bytes of space, the heap manager would begin looking at the Lookaside List. It would traverse the list until it landed upon LAL [3]. You may be wondering however, why the heap manager wouldn\u2019t select LAL[2] to service this allocation? Well, remember that although the list size is 0x10 bytes, 0x8 bytes are reserved for the chunk header. So instead, LAL [3] would be chosen as it would be able to provide the 0x10 bytes of usable space needed by the application. Now when attempting to allocate data from the LAL, chunks are handled in a last in, first out (LIFO) order. Since freed chunks are placed at the beginning of the list, the first chunk in the list will be the one that is returned to the application when an allocation request of the same size is received.<\/p>\n So back to our list. If an allocation request is received for 0x10 bytes, the application would identify LAL [3], follow the Flink of the list head which points to 0x00164498 and return this chunk. This process is called \u201cunlinking\u201d as the free chunk is unlinked from the Lookaside List and returned. This would leave the list looking like this:<\/p>\n So here we can see that our chunk has been removed and that the Flink of the list head has been updated to point to the next Chunk in the list. This means that the next request with a size of 0x10 bytes will be return 0x00164210 (assuming no new chunks have been freed, or \u201clinked\u201d to LAL[3]).<\/p>\n Excellent. Now that we\u2019ve covered that, we can move on to the back end allocator also known as the Freelists. However, as many of these principals will also apply to the Freelists, it is very important that you understand the LAL structure before moving on.<\/p>\n <\/p>\n As I mentioned earlier, if a request cannot be serviced by the front end allocator, in this case the Lookaside Lists, it is then forwarded on to the backend allocator. Under Windows XP (and later versions), this is known as the Freelists. It\u2019s important to understand that allocation requests may be forwarded to the Freelists for one of two reasons. First, if the allocation request is for a size greater than 1016 bytes (the maximum size handled by the LAL), the request will be forwarded on to the Freelists. Also, if an allocation request is issued for a size not present on the LAL, meaning that no chunks are available for that size, it\u2019ll be forwarded on to the Freelists.<\/p>\n As with the LAL, a pointer to the Freelists structure can be found at offset +0x178 from the heap base. Furthermore, like the LAL, each list head entry on the Freelists is organized based upon size. This size equates to the list head position * 0x8 (just like the LAL). The only exception to this rule is Freelist[0], which is responsible for managing all requests greater than 1024 bytes. Consider the following layout.<\/p>\n Each Freelist list head has the following structure:<\/p>\n The Flink, or forward link pointer in the list head will point to the first free chunk in the list entry. The Blink, or backward link pointer, will point to the UserPtr of the last chunk in the list. If however, the list is empty, both the Flink and Blink will point to themselves.<\/p>\n Using the _LIST_ENTRY variable, we can enumerate a bit about the Freelist structure. In this example, we\u2019ll be looking at Freelist[0] belonging to the heap at 0x00160000.<\/p>\n Please note, the addresses of the list heads will always have a static offset from the heap base. For instance, Freelist[0] will always exist at offset +0x178 from the heap base.<\/p>\n<\/blockquote>\n Here we can see that Freelist[0] is not in fact, empty. If it were, both the Flink and Blink would have pointers to 0x00160178. On the contrary however, following the Flink we can see that the UserPtr of the first chunk in the list is located at 0x051B4468. We can also see that the UserPtr of the last chunk in the list is located at 0x051B6010. This however, leaves quite a bit unanswered as we don\u2019t currently know how many chunks belong to Freelist[0]. Before we determine that, we first must discuss the structure of the chunks belonging to the Freelists.<\/p>\n As with the Freelist list head, we can see that the Freelists chunks themselves also contain Flink and Blink pointers. In this case, the Flink in Blink pointers are used to point to the chunk prior to and after the current chunk, depending on the location in the list. In the case of the first chunk in the list, the Blink would point back to the list head. In the case of the last chunk in the list, the Flink would also point back to the list head. This creates what is known as a doubly-linked list as every element in the structure contains a pointer to identify the elements which precede and follow the current element.<\/p>\n Once again, let\u2019s evaluate the following Freelist in order to better understand its structure. Again, using the example of our default heap (0x00160000):<\/p>\n This information can be derived using the following !mona command:<\/p>\n !py mona heap -h 0x00160000 -t bea<\/strong><\/p>\n<\/blockquote>\n <\/p>\n Looking at Freelist[0], we can see that there are 3 chunks, each of which is greater than 1024 bytes. Looking at the first chunk, we can see that the Flink points to the UserPtr of the next chunk. The Blink however in this case, points back to the list head. The second chunk in the list again has a Flink pointing to the next chunk and a Blink pointing back to the first chunk. This behavior continues with the remaining chunks in the list with the exception of our final chunk. In order to complete our doubly-linked list, we can see that the final chunk contains a Flink which points back to the list head.<\/p>\n With Freelist[2], we again see much of the same. Here we have 2 chunks, our first of which contains a Flink to the next chunk and a Blink pointing back to the list head. Our second chunk contains a Blink pointing back to the first chunk and a Flink pointing to the list head.<\/p>\n Freelist[3] however, we can see that as there is only a single chunk in the list, both the Flink and Blink point back to the list head.<\/p>\n Now consider the following scenario. If the application were to issue an allocation request for 8000 (0x1F40) bytes, the heap manager would first evaluate the size and determine that it is too large to be serviced by the LAL. With this, the request would then be forwarded on to the Freelists. As the requested size is greater than 1024 bytes, the heap manager would then begin traversing Freelist[0] as this is the only list which tracks chunks greater than 1024 bytes. Moving along the list, the heap manager would select the 2nd chunk in Freelist[0] as it is the first chunk in the list larger than 8000 bytes. However, we run into a slight issue as the chunk we\u2019ve selected is actually larger than the chunk size requested (8648 > 8000). What ends up happening is that the heap manager will \u201cunlink\u201d the 8000 bytes requested by the application. Then, a new chunk will be created using the 648 bytes remaining (640 bytes actually as we must account for 8 bytes for the heap header). As this chunk is no longer greater than 1024 bytes, it will be moved to a Freelist[80]*** (which manages chunks 640 (0x280) bytes in length). The chunks in Freelist[0] will then have their Flink and Blink pointers updated to account for the now missing chunk.<\/p>\n ***Please note: When a chunk is resized, a new independent chunk is not always created. If the remaining space is adjacent to other free heap chunks, this space may then be coalesced, or combined, with the adjacent heap chunks to create a singular, larger heap chunk. Again, a significantly better and more thorough explanation can be found in Practical Windows XP\/2003 Exploitation<\/a> by McDonald and Valasek.<\/p>\n<\/blockquote>\n <\/p>\n The result of this allocation request would then modify our Freelist structure as follows:<\/p>\n Here we can see that Freelist[0] now contains only 2 chunks. Boh of which have had their Flink and Blink pointers updated so that they point at each other. Furthermore, we can see the addition of our chunk at Freelist[80].<\/p>\n <\/p>\n Now before we attempt to exploit this bug there\u2019s a few minor details that we must cover. Prior to Windows XP SP2, gaining an 4 byte arbitrary write was a fairly straightforward process. Although at the time, not many people were exploiting heap based bugs as the amount of documentation regarding the subject was very limited. One method available targeted the unlink process of chunks belonging to a doubly-linked list.<\/p>\n<\/a>Identifying the Cause of Exception<\/h3>\n
<\/a>Page heap<\/h4>\n
<Agent name="LocalAgent">\n <Monitor class="debugger.WindowsDebugEngine">\n <Param name="CommandLine" value="C:\\Program Files\\GRETECH\\GomPlayer\\GOM.EXE "C:\\fuzzed.mov"" \/>\n <Param name="StartOnCall" value="GOM.EXE" \/>\n <\/Monitor>\n <Monitor class="process.PageHeap">\n <Param name="Executable" value="GOM.EXE"\/>\n <\/Monitor>\n<\/Agent><\/pre>\n
<\/a> <\/strong><\/p>\n\n
C:\\Program Files\\Debugging Tools for Windows (x86)>gflags \/p \/enable GOM.exe \/full<\/pre>\n
<\/a>Initial analysis<\/h4>\n
<\/a><\/p>\nwindbg.exe "C:\\Program Files\\GRETECH\\GomPlayer\\GOM.EXE" "C:\\Path-To\\MutatedSeed.mov"<\/pre>\n
<\/a><\/p>\nSize: 0x00000100 \nType: 0x7374737A (ASCII stsz) \nVersion: 0x00 \nFlags: 0x000000 \nSample Size: 0x00000000\nNumber of Entries: 0x8000000027<\/span><\/strong>\nSample Size Table(1): 0x000094B5\nSample Size Table(2): 0x000052D4<\/pre>\n<\/a>Reversing the Faulty Function<\/h3>\n
<\/a><\/p>\n\n
movzx edx, dword ptr [esi]<\/pre>\n
loc_3B04960:\ncmp ebx, 4\njl short loc_3B0499D\t; Jump outside of our block\n\nmovzx edx, dword ptr [esi]\t; Writes reverse byte order ([::-1])\nmov ecx, [edi+28h]\nmov ecx, [ecx+10h]\nmov [ecx+eax*4], edx \t; Exception occurs here.\n\t\t\t\t; Write @edx to [ecx+eax*4]\nmov edx, [edi+28h]\nmov ecx, [edx+0Ch]\nadd esi, 4\nsub ebx, 4\ninc eax\ncmp eax, ecx\njb short loc_3B04960<\/pre>\n
\n
r @$t0 = 1\nbp GSFU!DllUnregisterServer+0x23680 ".printf \\"Block iteration #%p\\\\n\\", @$t0; r @$t0 = @$t0 + 1; .if (@ebx <= 0x4) {.printf \\"1st condition is true. Exiting block iteration\\\\n\\"; } .else {.printf \\"1st condition is false (@ebx == 0x%p). Performing iteration\\\\n\\", @ebx; gc}"\nbp GSFU!DllUnregisterServer+0x236a9 ".printf \\"The value, 0x%p, is taken from 0x%p and written to 0x%p\\\\n\\", @edx, @esi, (@ecx+@eax*4); gc"\nbp GSFU!DllUnregisterServer+0x236b9 ".if (@eax == @ecx) {.printf \\"2nd is false. Exiting block iteration.\\\\n\\\\n\\"; } .else {.printf \\"2nd condition is true. ((@eax == 0x%p) <= (@ecx == 0x%p)). Performing iteration\\\\n\\\\n\\", @eax, @ecx; gc}"<\/pre>\nBlock iteration #00000001\n1st condition is false (@ebx == 0x000000ec). Performing iteration\nThe value, 0x000094b5, is taken from 0x07009f14 and written to 0x0700df60\n2nd condition is true. ((@eax == 0x00000001) <= (@ecx == 0x80000027)). Performing iteration\n\nBlock iteration #00000002\n1st condition is false (@ebx == 0x000000e8). Performing iteration\nThe value, 0x000052d4, is taken from 0x07009f18 and written to 0x0700df64\n2nd condition is true. ((@eax == 0x00000002) <= (@ecx == 0x80000027)). Performing iteration\n\n...truncated...\n\nBlock iteration #00000028\n1st condition is false (@ebx == 0x00000050). Performing iteration\nThe value, 0x00004fac, is taken from 0x07009fb0 and written to 0x0700dffc\n2nd condition is true. ((@eax == 0x00000028) <= (@ecx == 0x80000027)). Performing iteration\n\nBlock iteration #00000029\n1st condition is false (@ebx == 0x0000004c). Performing iteration\nThe value, 0x00004f44, is taken from 0x07009fb4 and written to 0x0700e000\n(1974.1908): Access violation - code c0000005 (first chance)\nFirst chance exceptions are reported before any exception handling.\nThis exception may be expected and handled.\neax=00000028 ebx=0000004c ecx=0700df60 edx=00004f44 esi=07009fb4 edi=07007fb8\neip=06e64989 esp=0012bdb4 ebp=07009f00 iopl=0 nv up ei pl nz na pe nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206\nGSFU!DllUnregisterServer+0x236a9:\n06e64989 891481 mov dword ptr [ecx+eax*4],edx ds:0023:0700e000=????????<\/pre>\n
0:000> db 0x0700df60\n0700df60 b5 94 00 00 d4 52 00 00-a8 52 00 00 2c 52 00 00 .....R...R..,R..\n0700df70 7c 52 00 00 80 52 00 00-a4 52 00 00 28 53 00 00 |R...R...R..(S..\n0700df80 18 53 00 00 94 52 00 00-20 53 00 00 ac 52 00 00 .S...R.. S...R..\n0700df90 28 53 00 00 e0 51 00 00-d0 52 00 00 88 52 00 00 (S...Q...R...R..\n0700dfa0 e0 52 00 00 94 52 00 00-18 53 00 00 14 52 00 00 .R...R...S...R..\n0700dfb0 14 52 00 00 5c 52 00 00-34 52 00 00 08 52 00 00 .R..\\R..4R...R..\n0700dfc0 d4 51 00 00 84 51 00 00-d8 51 00 00 d8 50 00 00 .Q...Q...Q...P..\n0700dfd0 3c 51 00 00 04 52 00 00-a4 51 00 00 bc 50 00 00 <q...r...q...p..<\/pre>\n
\n
gflags.exe \/p \/enable gom.exe<\/pre>\n
0:000> bp GSFU!DllUnregisterServer+0x236a9 ".printf \\"The value, 0x%p, is taken from 0x%p and written to 0x%p\\\\n\\", @edx, @esi, (@ecx+@eax*4)"<\/span>\n<\/strong>Bp expression 'GSFU!DllUnregisterServer+0x236a9' could not be resolved, adding deferred bp\n0:000> g<\/span><\/strong>\n\nThe value, 0x000094b5, is taken from 0x06209c4c and written to 0x06209dc0<\/span><\/strong>\neax=00000000 ebx=000000ec ecx=06209dc0 edx=000094b5 esi=06209c4c edi=06209bb8\neip=06034989 esp=0012bdb4 ebp=06209c38 iopl=0 nv up ei pl nz na po nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202\nGSFU!DllUnregisterServer+0x236a9:\n06034989 891481 mov dword ptr [ecx+eax*4],edx ds:0023:06209dc0=00000000\n0:000> !py mona info -a 0x06209dc0<\/span><\/strong>\nHold on...\n[+] Generating module info table, hang on...\n - Processing modules\n - Done. Let's rock 'n roll.\n[+] NtGlobalFlag: 0x02000000\n 0x02000000 : +hpa - Enable Page Heap\n\n[+] Information about address 0x06209dc0\n {PAGE_READWRITE}\n Address is part of page 0x06200000 - 0x0620a000\n This address resides in the heap\n\nAddress 0x06209dc0 found in \n _HEAP @ 06200000, Segment @ 06200680\n ( bytes ) (bytes)\n HEAP_ENTRY Size PrevSize Unused Flags UserPtr UserSize Remaining - state\n 06209d98 000000d8 00000050 00000014 [03] 06209dc0 000000a4 0000000c Extra present,Busy (hex)\n 00000216 00000080 00000020 00000164 00000012 Extra present,Busy (dec)\n\n Chunk header size: 0x8 (8)\n Extra header due to GFlags: 0x20 (32) bytes\n DPH_BLOCK_INFORMATION Header size: 0x20 (32)\n StartStamp : 0xabcdaaaa\n Heap : 0x86101000\n RequestedSize : 0x0000009c<\/span><\/strong>\n ActualSize : 0x000000c4\n TraceIndex : 0x0000193e\n StackTrace : 0x04e32364<\/span><\/strong>\n EndStamp : 0xdcbaaaaa\n Size initial allocation request: 0xa4 (164)\n Total space for data: 0xb0 (176)\n Delta between initial size and total space for data: 0xc (12)\n Data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...\n\n[+] Disassembly:\n Instruction at 06209dc0 : ADD BYTE PTR [EAX],AL\n\nOutput of !address 0x06209dc0:\n\nUsage: <unclassified>\nAllocation Base: 06200000\nBase Address: 06200000\nEnd Address: 0620a000\nRegion Size: 0000a000\nType: 00020000.MEM_PRIVATE\nState: 00001000.MEM_COMMIT\nProtect: 00000004.PAGE_READWRITE<\/pre>\n\n
0:000> dds 0x04e32364\n\n04e32364 abcdaaaa\n04e32368 00000001\n04e3236c 00000004\n04e32370 00000001\n04e32374 0000009c\n04e32378 06101000\n04e3237c 04fbeef8\n04e32380 04e32384\n04e32384 7c94b244 ntdll!RtlAllocateHeapSlowly+0x44\n04e32388 7c919c0c ntdll!RtlAllocateHeap+0xe64\n04e3238c 0609c2af GSFU!DllGetClassObject+0x29f8f\n04e32390 06034941 GSFU!DllUnregisterServer+0x23661<\/span><\/strong><\/pre>\n<\/a><\/p>\n<\/a><\/p>\nsize_t num ; Number of Objects\nsize_t size ; Size of Objects<\/pre>\n
\n
0:000> bp GSFU!DllUnregisterServer+0x23653 \/1 "bp ntdll!RtlAllocateHeap; ta"<\/span><\/strong>\nBp expression 'GSFU!DllUnregisterServer+0x23653 \/1' could not be resolved, adding deferred bp\n0:000> g<\/span><\/strong>\n\neax=050d9d70 ebx=000000f8 ecx=050d9d70 edx=80000027<\/span><\/strong> esi=050d9c48 edi=050d9bb8\neip=06034934 esp=0012bdb0 ebp=050d9c38 iopl=0 nv up ei ng nz na pe nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200286\nGSFU!DllUnregisterServer+0x23653\n06034933 52 push edx ; Number of Elements<\/span><\/strong>\neax=050d9d70 ebx=000000f8 ecx=050d9d70 edx=80000027 esi=050d9c48 edi=050d9bb8\neip=06034934 esp=0012bdb0 ebp=050d9c38 iopl=0 nv up ei ng nz na pe nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200286\nGSFU!DllUnregisterServer+0x23654:\n06034934 6a04 push 4 ; Size of Elements<\/span><\/strong>\neax=050d9d70 ebx=000000f8 ecx=050d9d70 edx=80000027 esi=050d9c48 edi=050d9bb8\neip=06034936 esp=0012bdac ebp=050d9c38 iopl=0 nv up ei ng nz na pe nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200286\nGSFU!DllUnregisterServer+0x23656:\n06034936 83c604 add esi,4\neax=050d9d70 ebx=000000f8 ecx=050d9d70 edx=80000027 esi=050d9c4c edi=050d9bb8\neip=06034939 esp=0012bdac ebp=050d9c38 iopl=0 nv up ei pl nz na po nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202\nGSFU!DllUnregisterServer+0x23659:\n06034939 83eb0c sub ebx,0Ch\neax=050d9d70 ebx=000000ec ecx=050d9d70 edx=80000027 esi=050d9c4c edi=050d9bb8\neip=0603493c esp=0012bdac ebp=050d9c38 iopl=0 nv up ei pl nz ac po nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200212\nGSFU!DllUnregisterServer+0x2365c:\n0603493c e8e6780600 call GSFU!DllGetClassObject+0x29f07 (0609c227) ; Calloc<\/span><\/strong>\n\n...truncated...\n\neax=0012bd94 ebx=000000ec ecx=050d9d70 edx=80000027 esi=00000004<\/span><\/strong> edi=050d9bb8\neip=05d5c236 esp=0012bd78 ebp=0012bda4 iopl=0 nv up ei pl nz na pe nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200206\nGSFU!DllGetClassObject+0x29f16:\n05d5c236 0faf750c imul esi,dword ptr [ebp+0Ch] ss:0023:0012bdb0=80000027<\/span><\/strong>\neax=0012bd94 ebx=000000ec ecx=050d9d70 edx=80000027 esi=0000009c<\/span><\/strong> edi=050d9bb8\neip=05d5c23a esp=0012bd78 ebp=0012bda4 iopl=0 ov up ei pl nz na pe cy\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200a07\nGSFU!DllGetClassObject+0x29f1a:\n05d5c23a 8975e0 mov dword ptr [ebp-20h],esi ss:0023:0012bd84=0012d690\n\n...truncated...\n\neax=0012bd94 ebx=000000ec ecx=050d9d70 edx=80000027 esi=0000009c<\/span><\/strong> edi=00000000\neip=05d5c2a0 esp=0012bd78 ebp=0012bda4 iopl=0 nv up ei pl zr na pe nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246\nGSFU!DllGetClassObject+0x29f80:\n05d5c2a0 56 push esi ; Allocation Size<\/span><\/strong>\neax=0012bd94 ebx=000000ec ecx=050d9d70 edx=80000027 esi=0000009c edi=00000000\neip=05d5c2a1 esp=0012bd74 ebp=0012bda4 iopl=0 nv up ei pl zr na pe nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246\nGSFU!DllGetClassObject+0x29f81:\n05d5c2a1 6a08 push 8 ; Flags<\/span><\/strong>\neax=0012bd94 ebx=000000ec ecx=050d9d70 edx=80000027 esi=0000009c edi=00000000\neip=05d5c2a3 esp=0012bd70 ebp=0012bda4 iopl=0 nv up ei pl zr na pe nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246\nGSFU!DllGetClassObject+0x29f83:\n05d5c2a3 ff35a0cada05 push dword ptr [GSFU!DllGetClassObject+0x7a780 (05dacaa0)] ds:0023:05dacaa0=05dc0000 ; HeapHandle<\/span><\/strong>\neax=0012bd94 ebx=000000ec ecx=050d9d70 edx=80000027 esi=0000009c edi=00000000\neip=05d5c2a9 esp=0012bd6c ebp=0012bda4 iopl=0 nv up ei pl zr na pe nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246\nGSFU!DllGetClassObject+0x29f89:\n05d5c2a9 ff15ece0d605 call dword ptr [GSFU!DllGetClassObject+0x3bdcc (05d6e0ec)] ds:0023:05d6e0ec={ntdll!RtlAllocateHeap (7c9100c4)}<\/span><\/strong>\nBreakpoint 1 hit\neax=0012bd94 ebx=000000ec ecx=050d9d70 edx=80000027 esi=0000009c edi=00000000\neip=7c9100c4 esp=0012bd68 ebp=0012bda4 iopl=0 nv up ei pl zr na pe nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246\nntdll!RtlAllocateHeap:\n7c9100c4 6804020000 push 204h<\/pre>\neax=0012bd94 ebx=000000ec ecx=050d9d70 edx=80000027 esi=00000004<\/span><\/strong> edi=050d9bb8\neip=05d5c236 esp=0012bd78 ebp=0012bda4 iopl=0 nv up ei pl nz na pe nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200206\nGSFU!DllGetClassObject+0x29f16:\n05d5c236 0faf750c imul esi,dword ptr [ebp+0Ch] ss:0023:0012bdb0=80000027<\/span><\/strong><\/pre>\n#include <stdio.h>\n#include <malloc.h>\n\nint main( void )\n{\n\n int size = 0x4; \/\/ Size of Element\n int num = 0x80000027;\t\/\/ Number of Elements\n int *buffer;\n printf( "Attempting to allocate a buffer with size: 0x20000009C" );\n buffer = (int *)calloc( size, num ); \/\/ Size of Element * Number of Elements\n if( buffer != NULL )\n printf( "Allocated buffer with size (0x%X)\\n", _msize(buffer) );\n else\n printf( "Failed to allocate buffer.\\n" );\n free( buffer );\n}<\/pre>\nAttempting to allocate a buffer with size: 0x200000009C\nFailed to allocate buffer.<\/pre>\n
eax=ffffffe0 ebx=00000000 ecx=00000004 edx=00000000 esi=016ef79c edi=016ef6ee\neip=77c2c0dd esp=0022ff1c ebp=0022ff48 iopl=0 nv up ei pl zr na pe nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246\nmsvcrt!calloc+0x1a:\n77c2c0dd f7f1 div eax,ecx\neax=3ffffff8 ebx=00000000 ecx=00000004 edx=00000000 esi=016ef79c edi=016ef6ee\neip=77c2c0df esp=0022ff1c ebp=0022ff48 iopl=0 nv up ei pl zr na pe nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246\nmsvcrt!calloc+0x1c:\n77c2c0df 3b450c cmp eax,dword ptr [ebp+0Ch] ss:0023:0022ff54=80000027<\/pre>\n
#include <stdio.h>\n#include <malloc.h>\n\nint _calloc( size_t num, size_t size )\n{\n size_t total = num * size; \/\/ Integer overflow occurs here\n return (total);\n}\n\nint main( void )\n{\n int size = 4; \/\/ Size of Element\n int num = 0x80000017; \/\/ Number of Elements\n int *buffer;\n int chunk_size = _calloc( size, num );\n printf ("Attempting to allocate a buffer with size: 0x%X\\n", chunk_size);\n buffer = (int *)malloc(chunk_size);\n if( buffer != NULL )\n printf( "Allocated buffer with size (0x%X)\\n", _msize(buffer) );\n else\n printf( "Failed to allocate buffer.\\n" );\n free( buffer );\n}<\/pre>\nAttempting to allocate a buffer with size: 0x9C\nAllocated buffer with size (0x9C)<\/pre>\n
<\/a>Determining Exploitability<\/h3>\n
\n
<\/a>Challenges<\/h4>\n
\n
<\/a>Prerequisites<\/h4>\n
\n
<\/a>Heap Basics<\/h4>\n
0:000> !heap\nIndex Address Name Debugging options enabled\n 1: 00250000 \n 2: 00360000 \n 3: 00370000<\/pre>\n
0:000> dt _HEAP 00250000 \nntdll!_HEAP\n +0x000 Entry : _HEAP_ENTRY\n +0x008 Signature : 0xeeffeeff\n +0x00c Flags : 2\n +0x010 ForceFlags : 0\n +0x014 VirtualMemoryThreshold : 0xfe00\n +0x018 SegmentReserve : 0x100000\n +0x01c SegmentCommit : 0x2000\n +0x020 DeCommitFreeBlockThreshold : 0x200\n +0x024 DeCommitTotalFreeThreshold : 0x2000\n +0x028 TotalFreeSize : 0x86\n +0x02c MaximumAllocationSize : 0x7ffdefff\n +0x030 ProcessHeapsListIndex : 1\n +0x032 HeaderValidateLength : 0x608\n +0x034 HeaderValidateCopy : (null) \n +0x038 NextAvailableTagIndex : 0\n +0x03a MaximumTagIndex : 0\n +0x03c TagEntries : (null) \n +0x040 UCRSegments : (null) \n +0x044 UnusedUnCommittedRanges : 0x00250598 _HEAP_UNCOMMMTTED_RANGE\n +0x048 AlignRound : 0xf\n +0x04c AlignMask : 0xfffffff8\n +0x050 VirtualAllocdBlocks : _LIST_ENTRY [ 0x250050 - 0x250050 ]\n +0x058 Segments : [64] 0x00250640 _HEAP_SEGMENT\n +0x158 u : __unnamed\n +0x168 u2 : __unnamed\n +0x16a AllocatorBackTraceIndex : 0\n +0x16c NonDedicatedListLength : 1\n +0x170 LargeBlocksIndex : (null) \n +0x174 PseudoTagEntries : (null) \n +0x178 FreeLists : [128] _LIST_ENTRY [ 0x259bd8 - 0x259bd8 ]\n +0x578 LockVariable : 0x00250608 _HEAP_LOCK\n +0x57c CommitRoutine : (null) \n +0x580 FrontEndHeap : 0x00250688 Void\n +0x584 FrontHeapLockCount : 0\n +0x586 FrontEndHeapType : 0x1 ''\n +0x587 LastSegmentIndex : 0 ''<\/pre>\n
\n
\n
Lookaside Lists<\/h5>\n
+0x580 FrontEndHeap : 0x00250688 Void<\/pre>\n
Lookaside[0] # Unused \nLookaside[1] # Unused \nLookaside[2] # Size: 16 (0x10) \u2013 0x8 (Header) Usable Size: 8 (0x8)\nLookaside[3] # Size: 24 (0x18) - 0x8 (Header) Usable Size: 16 (0x10)\n<\u2026truncated\u2026>\nLookaside[127] # Size: 1016 (0x3F8) - 0x8 (Header) Usable Size: 1008 (0x3F0)<\/pre>\n
Flink: Ptr32\nDepth: Uint2B\nSequence: Uint2B\nDepth2: Uint2B\nMaximumDepth: Uint2B\nTotalAllocates: Uint4B\nAllocateMisses\/AllocateHits: Uint4B\nTotalFrees: Uint4B\nFreeMisses\/FreeHits: Uint4B\nType: Uint4B\nTag: Uint4B\nSize: Uint4B\nAllocate: Uint4B\nFree: Uint4B<\/pre>\n
Self Size: Uint2B - Size of current chunk\nPrevious Size: Uint2B - Size of previous Chunk\nChunk Cookie: Uint1B - Security Cookie\nChunk Flag: Uint1B\nUnused: Uint1B\nSegment Index: Uint1B\nFlink: Ptr32 - Pointer to next chunk in current list<\/pre>\n
\n
LAL [2] @0x0016006e8, Expected Chunksize 0x10 (16), Flink : 0x00163730\n 3 chunks:\n ChunkPtr: 0x00163728, UserPtr: 0x00163730, Flink: 0x00164498, ChunkSize: 0x10, UserSize: 0x4, Userspace: 0x8 (Busy) \n ChunkPtr: 0x00164490, UserPtr: 0x00164498, Flink: 0x00164228, ChunkSize: 0x10, UserSize: 0x8, Userspace: 0x8 (Busy) \n ChunkPtr: 0x00164220, UserPtr: 0x00164228, Flink: 0x00000000, ChunkSize: 0x10, UserSize: 0x8, Userspace: 0x8 (Busy) \n\nLAL [3] @0x00160718, Expected Chunksize 0x18 (24), Flink : 0x00164238\n 2 chunks:\n ChunkPtr: 0x00164230, UserPtr: 0x00164238, Flink: 0x00164210, ChunkSize: 0x18, UserSize: 0xc, Userspace: 0x10 (Busy) \n ChunkPtr: 0x00164208, UserPtr: 0x00164210, Flink: 0x00000000, ChunkSize: 0x18, UserSize: 0x10, Userspace: 0x10 (Busy)<\/pre>\n
LAL [3] @0x00160718, Expected Chunksize 0x18 (24), Flink : 0x00164210\n 1 chunk:\n ChunkPtr: 0x00164208, UserPtr: 0x00164210, Flink: 0x00000000, ChunkSize: 0x18, UserSize: 0x10, Userspace: 0x10 (Busy)<\/pre>\n
<\/a>Freelists<\/h5>\n
Freelist[0] # Manages all sizes > 1024 \nFreelist[1] # Unused \nFreelist[2] # Size: 16 (0x10)\nFreelist[3] # Size: 24 (0x18)\n<\u2026truncated\u2026>\nFreelist[127] # Size: 1016<\/pre>\n
ntdll!_LIST_ENTRY\n +0x000 Flink : Ptr32 _LIST_ENTRY\n +0x004 Blink : Ptr32 _LIST_ENTRY<\/pre>\n
\n
0:012> dt _LIST_ENTRY 00160178\nntdll!_LIST_ENTRY\n [ 0x51b4468 - 0x51b6010 ]\n +0x000 Flink : 0x051b4468 _LIST_ENTRY [ 0x51b6010 - 0x160178 ]\n +0x004 Blink : 0x051b6010 _LIST_ENTRY [ 0x160178 - 0x51b4468 ]<\/pre>\n
Self Size: Uint2B - Size of current chunk\nPrevious Size: Uint2B - Size of previous Chunk\nChunk Cookie: Uint1B - Security Cookie\nChunk Flag: Uint1B\nUnused: Uint1B\nSegment Index: Uint1B\nFlink: Ptr32 - Pointer to next chunk in current list\nBlink: Ptr32 - Pointer to previous chunk in current list<\/pre>\n
\n
[+] FreeList[00] at 0x00160178, Expected size: >1016 (>0x3f8)\n ChunkPtr: 0x0018f8c8, Header: 0x8 bytes, UserPtr: 0x0018f8d0, Flink: 0x00191e40, Blink: 0x00160178, ChunkSize: 0x1da8 (7592), Usersize: 0x1d9e (7582) \n ChunkPtr: 0x00191e38, Header: 0x8 bytes, UserPtr: 0x00191e40, Flink: 0x00181218, Blink: 0x0018f8d0, ChunkSize: 0x21c8 (8648), Usersize: 0x21c0 (8640) \n ChunkPtr: 0x00181210, Header: 0x8 bytes, UserPtr: 0x00181218, Flink: 0x00160178, Blink: 0x00191e40, ChunkSize: 0x9600 (38400), Usersize: 0x95f8 (38392) \n[+] FreeList[02] at 0x00160188, Expected size: 0x10 (16)\n ChunkPtr: 0x0017cdc0, Header: 0x8 bytes, UserPtr: 0x0017cdc8, Flink: 0x00169280, Blink: 0x00160188, ChunkSize: 0x10 (16), Usersize: 0x8 (8) \n ChunkPtr: 0x00169278, Header: 0x8 bytes, UserPtr: 0x00169280, Flink: 0x00160188, Blink: 0x0017cdc8, ChunkSize: 0x10 (16), Usersize: 0x8 (8) \n[+] FreeList[03] at 0x00160190, Expected size: 0x18 (24)\n ChunkPtr: 0x0018dac0, Header: 0x8 bytes, UserPtr: 0x0018dac8, Flink: 0x00160190, Blink: 0x00160190, ChunkSize: 0x18 (24), Usersize: 0x10 (16)<\/pre>\n
\n
[+] FreeList[00] at 0x00160178, Expected size: >1016 (>0x3f8)\n ChunkPtr: 0x0018f8c8, Header: 0x8 bytes, UserPtr: 0x0018f8d0, Flink: 0x00181218, Blink: 0x00160178, ChunkSize: 0x1da8 (7592), Usersize: 0x1d9e (7582) \n ChunkPtr: 0x00181210, Header: 0x8 bytes, UserPtr: 0x00181218, Flink: 0x00160178, Blink: 0x0018f8d0, ChunkSize: 0x9600 (38400), Usersize: 0x95f8 (38392) \n[+] FreeList[02] at 0x00160188, Expected size: 0x10 (16)\n ChunkPtr: 0x0017cdc0, Header: 0x8 bytes, UserPtr: 0x0017cdc8, Flink: 0x00169280, Blink: 0x00160188, ChunkSize: 0x10 (16), Usersize: 0x8 (8) \n ChunkPtr: 0x00169278, Header: 0x8 bytes, UserPtr: 0x00169280, Flink: 0x00160188, Blink: 0x0017cdc8, ChunkSize: 0x10 (16), Usersize: 0x8 (8) \n[+] FreeList[03] at 0x00160190, Expected size: 0x18 (24)\n ChunkPtr: 0x0018dac0, Header: 0x8 bytes, UserPtr: 0x0018dac8, Flink: 0x00160190, Blink: 0x00160190, ChunkSize: 0x18 (24), Usersize: 0x10 (16) \n[+] FreeList[80] at 0x001603f8, Expected size: 0x280 (640)\n ChunkPtr: 0x00193d80, Header: 0x8 bytes, UserPtr: 0x00193d88, Flink: 0x001603f8, Blink: 0x001603f8, ChunkSize: 0x280 (640), Usersize: 0x280 (640)<\/pre>\n
Preventative Security Measures<\/h4>\n
Safe-Unlinking<\/h5>\n
\n