Before we get started, I must state clearly that this information is based on the guidance provided on the corelan.be website, as shown in the references section.
For some folks, reading my material may be easier; for others, reading the material from Corelan.be will be easier. Whichever you choose, please note that this is all based on the guidance provided by those folks, and thus nothing here is my original work.
Now that the attribution is out of the way, let's get going.
Some key points:
- Heap spraying, heap overflow and heap exploitation are not the same thing
- Heap spraying is a payload delivery technique
- The heap is deterministic
- Chunks of heap memory must be filled (sprayed) before gaining control of EIP
- Browsers are good candidates for heap spraying because they support scripting languages such as VBScript or JavaScript
- The concept is not limited to browsers; it can also be used against Adobe Reader, etc.
- For heap spraying to work, you must be able to deliver the shellcode to the correct location in memory before taking control of EIP
- The following order must be observed: Spray the heap -> Trigger the vulnerability -> Control EIP and point EIP to the heap
The lab I have is the same as Corelan's, so see his documentation in the references section for the lab requirements.
First up some code to help me to understand the heap:
```html
<!--
HeapSpray_Basic_Allocation.html
Author: Nik Alleyne
Blog: securitynik.blogspot.com
-->
<html>
<title> SecurityNik - Learning about the heap </title>
<body>
<script language='javascript'>
// Two separate variables so both strings stay referenced once allocated
var myvar = 'SecurityNik';
var myvar2 = new String('securitynik.blogspot.com');
alert('We\'re done allocating memory!');
</script>
</body>
</html>
```
The file was then opened with IE 7. Next up was to attach WinDbg to the "IEXPLORE.EXE" process.
Searching memory in WinDbg for the ASCII string "securitynik.blogspot.com" we get:
```text
0:005> s -a 0x00000000 L?0x7fffffff "securitynik.blogspot.com"
001a751c  73 65 63 75 72 69 74 79-6e 69 6b 2e 62 6c 6f 67  securitynik.blog
001a75e2  73 65 63 75 72 69 74 79-6e 69 6b 2e 62 6c 6f 67  securitynik.blog
001a8880  73 65 63 75 72 69 74 79-6e 69 6b 2e 62 6c 6f 67  securitynik.blog
001a8946  73 65 63 75 72 69 74 79-6e 69 6b 2e 62 6c 6f 67  securitynik.blog
```
When we look for the Unicode string "securitynik.blogspot.com" we get:
```text
0:005> s -u 0x00000000 L?0x7fffffff "securitynik.blogspot.com"
00183b04  0073 0065 0063 0075 0072 0069 0074 0079  s.e.c.u.r.i.t.y.
001a8574  0073 0065 0063 0075 0072 0069 0074 0079  s.e.c.u.r.i.t.y.
001a8700  0073 0065 0063 0075 0072 0069 0074 0079  s.e.c.u.r.i.t.y.
01472034  0073 0065 0063 0075 0072 0069 0074 0079  s.e.c.u.r.i.t.y.
014721b0  0073 0065 0063 0075 0072 0069 0074 0079  s.e.c.u.r.i.t.y.
01a42eec  0073 0065 0063 0075 0072 0069 0074 0079  s.e.c.u.r.i.t.y.
01a43618  0073 0065 0063 0075 0072 0069 0074 0079  s.e.c.u.r.i.t.y.
01a4381c  0073 0065 0063 0075 0072 0069 0074 0079  s.e.c.u.r.i.t.y.
```
From the above we can see the "00" in front of each character, showing that each character is 16 bits (2 bytes) wide: a plain JavaScript string is stored as UTF-16, so every ASCII character carries a zero high byte.
Rewriting the code:
```html
<!--
HeapSpray_Basic_Allocation.html
Author: Nik Alleyne
Blog: securitynik.blogspot.com
-->
<html>
<title> SecurityNik - Learning about the heap </title>
<body>
<script language='javascript'>
// Each %uXXXX escape becomes one 16-bit unit, stored low byte first,
// so 0x454E lands in memory as 4E 45 ("NE") and so on.
var myvar = unescape('%u454E%u5359%u2141%u2121'); // 'NEYSA!!!'
// Separate variable so the first string stays referenced
var myvar2 = new String('securitynik.blogspot.com');
alert('We\'re done allocating memory!');
</script>
</body>
</html>
```
Then, searching for the ASCII string "NEYSA!!!" using `s -a 0x00000000 L?7fffffff "NEYSA!!!"`, we get:
```text
0:016> s -a 0x00000000 L?7fffffff "NEYSA!!!"
001eaf64  4e 45 59 53 41 21 21 21-00 00 61 00 74 00 6f 00  NEYSA!!!..a.t.o.
001fa504  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
001fe51c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
00202534  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0020454c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
00206564  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0020857c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0020e43c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0021813a  4e 45 59 53 41 21 21 21-0d 0a 0d 0a 09 09 09 6d  NEYSA!!!.......m
0021a146  4e 45 59 53 41 21 21 21-0d 0a 0d 0a 09 09 09 6d  NEYSA!!!.......m
00223d74  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
00225d8c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
00227da4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
00229dbc  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0022bdd4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0022ddec  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
---------------- < TRUNCATED FOR BREVITY >-----------------
030ac3b4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030ae3cc  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030b03e4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030b23fc  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030b4414  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030b642c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030b8444  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030ba45c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030bc474  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030be48c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030c04a4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030c24bc  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030c44d4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030c64ec  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030c8504  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030ca51c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030cc534  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030ce54c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030d0564  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030d257c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030d4594  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030d65ac  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030d85c4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030da5dc  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030dc5f4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
```
From the above, we see that nearly every hit for "NEYSA!!!" is followed by NOPs (0x90 bytes); the few that are not (for example 001eaf64 and 0021813a) are copies of the tag sitting in the page source rather than in the sprayed allocations.
Dumping the memory at address 030dc5f4:
```text
0:016> d 030dc5f4
030dc5f4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030dc604  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc614  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc624  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc634  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc644  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc654  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc664  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
```
This shows our string "NEYSA!!!" followed by the NOPs.
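As an added illustration (not code from the original post or from Corelan), the Node.js snippet below decodes the `%uXXXX` escapes fed to `unescape()` and lays the result out byte by byte, which is why `s -a` finds "NEYSA!!!" as 8-bit ASCII while a plain literal such as 'securitynik.blogspot.com' only shows up under `s -u` with 00 high bytes. It also goes the other way, packing a byte string into `%u` form; the helper names (`decodeEscapes`, `toMemoryBytes`, `hexLine`, `toPercentU`) are my own.

```javascript
// Added example: how a JavaScript string built from %u escapes lands in process memory.

// Decode %uXXXX and %XX escapes into the 16-bit code units the script engine stores.
function decodeEscapes(s) {
  const units = [];
  let i = 0;
  while (i < s.length) {
    if (s[i] === '%' && s[i + 1] === 'u' && /^[0-9a-fA-F]{4}$/.test(s.slice(i + 2, i + 6))) {
      units.push(parseInt(s.slice(i + 2, i + 6), 16));
      i += 6;
    } else if (s[i] === '%' && /^[0-9a-fA-F]{2}$/.test(s.slice(i + 1, i + 3))) {
      units.push(parseInt(s.slice(i + 1, i + 3), 16));
      i += 3;
    } else {
      units.push(s.charCodeAt(i)); // ordinary character: one UTF-16 unit
      i += 1;
    }
  }
  return units;
}

// Lay the code units out as the little-endian byte sequence held in memory
// (low byte first, then high byte), i.e. what WinDbg's "d" command shows.
function toMemoryBytes(units) {
  const bytes = [];
  for (const u of units) {
    bytes.push(u & 0xff, (u >> 8) & 0xff);
  }
  return bytes;
}

// Render bytes the way WinDbg's "d" / "s -a" output does: hex column, then ASCII column
// with non-printable bytes (such as the 0x90 NOPs) shown as dots.
function hexLine(bytes) {
  const hex = bytes.map(b => b.toString(16).padStart(2, '0')).join(' ');
  const ascii = bytes
    .map(b => (b >= 0x20 && b < 0x7f) ? String.fromCharCode(b) : '.')
    .join('');
  return hex + '  ' + ascii;
}

// Inverse direction: pack an even-length byte string into %u escapes, two bytes per
// unit with the low byte first. 'NEYSA!!!' becomes the post's '%u454E%u5359%u2141%u2121'.
function toPercentU(text) {
  if (text.length % 2 !== 0) throw new Error('need an even number of bytes');
  let out = '';
  for (let i = 0; i < text.length; i += 2) {
    const unit = text.charCodeAt(i) | (text.charCodeAt(i + 1) << 8);
    out += '%u' + unit.toString(16).toUpperCase().padStart(4, '0');
  }
  return out;
}

// Stand-alone demo: the tag from the post versus a plain string literal.
const tagUnits = decodeEscapes('%u454E%u5359%u2141%u2121');
console.log(hexLine(toMemoryBytes(tagUnits)));            // 8-bit "NEYSA!!!"
console.log(hexLine(toMemoryBytes(decodeEscapes('sec')))); // "s.e.c." with 00 high bytes
```

The first line printed matches the hex and ASCII columns of the `s -a` hits above, and the second matches the 16-bit layout the `s -u` search found.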
Looking into the Process Environment Block (PEB) to identify the default heap we see:
```text
0:016> !peb
PEB at 7ffdb000
    InheritedAddressSpace:    No
    ReadImageFileExecOptions: No
    BeingDebugged:            Yes
    ImageBaseAddress:         00400000
    Ldr                       00251e90
    Ldr.Initialized:          Yes
    Ldr.InInitializationOrderModuleList: 00251f28 . 00255700
    Ldr.InLoadOrderModuleList:           00251ec0 . 002556f0
    Ldr.InMemoryOrderModuleList:         00251ec8 . 002556f8
            Base TimeStamp                     Module
          400000 41107b81 Aug 04 02:00:33 2004 C:\Program Files\Utilu IE Collection\IE600XPSP2\iexplore.exe
        7c900000 4802a12c Apr 13 20:11:24 2008 C:\WINDOWS\system32\ntdll.dll
        7e410000 4802a11b Apr 13 20:11:07 2008 C:\WINDOWS\system32\USER32.dll
    ------------- < TRUNCATED FOR BREVITY >-------------
        72d20000 4802a12c Apr 13 20:11:24 2008 C:\WINDOWS\system32\wdmaud.drv
        77bd0000 4802a0ec Apr 13 20:10:20 2008 C:\WINDOWS\system32\midimap.dll
    SubSystemData:     00000000
    ProcessHeap:       00150000
    ProcessParameters: 00020000
    ------------ <TRUNCATED FOR BREVITY> -------------
```
From the above we see the default heap can be found at the address shown by "ProcessHeap: 00150000".
Additionally, we can use the "!heap" extension to learn more about the heap. Let's do that.
Let's first leverage the "!heap -stat" command to dump all the heaps associated with the iexplore.exe process.
```text
0:016> !heap -stat
_HEAP 00db0000
     Segments            00000001
         Reserved  bytes 00400000
         Committed bytes 00400000
     VirtAllocBlocks     00000000
         VirtAlloc bytes 00000000
_HEAP 00150000
     Segments            00000003
         Reserved  bytes 00400000
         Committed bytes 0027a000
     VirtAllocBlocks     00000000
         VirtAlloc bytes 00000000
_HEAP 00900000
     Segments            00000001
         Reserved  bytes 00100000
         Committed bytes 00100000
     VirtAllocBlocks     00000000
         VirtAlloc bytes 00000000
_HEAP 00030000
     Segments            00000002
         Reserved  bytes 00110000
         Committed bytes 00043000
     VirtAllocBlocks     00000000
         VirtAlloc bytes 00000000
_HEAP 028c0000
     Segments            00000002
         Reserved  bytes 00110000
         Committed bytes 00014000
     VirtAllocBlocks     00000000
         VirtAlloc bytes 00000000
_HEAP 01290000
     Segments            00000001
         Reserved  bytes 00010000
         Committed bytes 0000c000
     VirtAllocBlocks     00000000
         VirtAlloc bytes 00000000
_HEAP 00da0000
     Segments            00000001
         Reserved  bytes 00010000
         Committed bytes 00007000
     VirtAllocBlocks     00000000
         VirtAlloc bytes 00000000
_HEAP 01280000
     Segments            00000001
         Reserved  bytes 00010000
         Committed bytes 00006000
     VirtAllocBlocks     00000000
         VirtAlloc bytes 00000000
_HEAP 012d0000
     Segments            00000001
         Reserved  bytes 00100000
         Committed bytes 00006000
     VirtAllocBlocks     00000000
         VirtAlloc bytes 00000000
_HEAP 00250000
     Segments            00000001
         Reserved  bytes 00010000
         Committed bytes 00006000
     VirtAllocBlocks     00000000
         VirtAlloc bytes 00000000
_HEAP 012b0000
     Segments            00000001
         Reserved  bytes 00010000
         Committed bytes 00004000
     VirtAllocBlocks     00000000
         VirtAlloc bytes 00000000
_HEAP 00ab0000
     Segments            00000001
         Reserved  bytes 00010000
         Committed bytes 00004000
     VirtAllocBlocks     00000000
         VirtAlloc bytes 00000000
_HEAP 003d0000
     Segments            00000001
         Reserved  bytes 00010000
         Committed bytes 00004000
     VirtAllocBlocks     00000000
         VirtAlloc bytes 00000000
_HEAP 02890000
     Segments            00000001
         Reserved  bytes 00010000
         Committed bytes 00003000
     VirtAllocBlocks     00000000
         VirtAlloc bytes 00000000
_HEAP 011f0000
     Segments            00000001
         Reserved  bytes 00040000
         Committed bytes 00003000
     VirtAllocBlocks     00000000
         VirtAlloc bytes 00000000
_HEAP 011b0000
     Segments            00000001
         Reserved  bytes 00040000
         Committed bytes 00003000
     VirtAllocBlocks     00000000
         VirtAlloc bytes 00000000
_HEAP 00ba0000
     Segments            00000001
         Reserved  bytes 00010000
         Committed bytes 00003000
     VirtAllocBlocks     00000000
         VirtAlloc bytes 00000000
_HEAP 00260000
     Segments            00000001
         Reserved  bytes 00010000
         Committed bytes 00003000
     VirtAllocBlocks     00000000
         VirtAlloc bytes 00000000
_HEAP 00350000
     Segments            00000001
         Reserved  bytes 00010000
         Committed bytes 00002000
     VirtAllocBlocks     00000000
         VirtAlloc bytes 00000000
```
Focusing specifically on the allocation statistics for the heap handle at 00150000 (the default process heap identified above) we see:
```text
0:016> !heap -stat -h 00150000
 heap @ 00150000
group-by: TOTSIZE max-display: 20
    size     #blocks     total     ( %) (percent of total busy bytes)
    2010 c2 - 184c20  (63.27)
    18000 1 - 18000  (3.91)
    8000 3 - 18000  (3.91)
    4000 3 - c000  (1.95)
    4010 2 - 8020  (1.30)
    3ff0 2 - 7fe0  (1.30)
    20 307 - 60e0  (0.99)
    57f0 1 - 57f0  (0.89)
    614 d - 4f04  (0.80)
    2a4 16 - 3a18  (0.59)
    3980 1 - 3980  (0.58)
    800 6 - 3000  (0.49)
    580 8 - 2c00  (0.45)
    388 b - 26d8  (0.40)
    d8 2b - 2448  (0.37)
    20fa 1 - 20fa  (0.34)
    1034 2 - 2068  (0.33)
    200c 1 - 200c  (0.33)
    1000 2 - 2000  (0.33)
    1800 1 - 1800  (0.24)
```
Looking at the above, chunks of size 0x2010 account for about 63% of the heap's busy bytes (0xc2 blocks totalling 0x184c20 bytes).
Dumping the heap allocations and filtering for all the chunks of size 0x2010 using "!heap -flt s 0x2010", we get:
```text
0:016> !heap -flt s 0x2010
    _HEAP @ 150000
      HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state
        00202528 0403 0000  [01]   00202530    02010 - (busy)
        00204540 0403 0403  [01]   00204548    02010 - (busy)
        00206558 0403 0403  [01]   00206560    02010 - (busy)
        00208570 0403 0403  [01]   00208578    02010 - (busy)
        00223d68 0403 0403  [01]   00223d70    02010 - (busy)
        00225d80 0403 0403  [01]   00225d88    02010 - (busy)
        00227d98 0403 0403  [01]   00227da0    02010 - (busy)
        00229db0 0403 0403  [01]   00229db8    02010 - (busy)
        0022bdc8 0403 0403  [01]   0022bdd0    02010 - (busy)
        0022dde0 0403 0403  [01]   0022dde8    02010 - (busy)
        ---------------- < TRUNCATED FOR BREVITY >-----------------
        030c24b0 0403 0403  [01]   030c24b8    02010 - (busy)
        030c44c8 0403 0403  [01]   030c44d0    02010 - (busy)
        030c64e0 0403 0403  [01]   030c64e8    02010 - (busy)
        030c84f8 0403 0403  [01]   030c8500    02010 - (busy)
        030ca510 0403 0403  [01]   030ca518    02010 - (busy)
        030cc528 0403 0403  [01]   030cc530    02010 - (busy)
        030ce540 0403 0403  [01]   030ce548    02010 - (busy)
        030d0558 0403 0403  [01]   030d0560    02010 - (busy)
        030d2570 0403 0403  [01]   030d2578    02010 - (busy)
        030d4588 0403 0403  [01]   030d4590    02010 - (busy)
        030d65a0 0403 0403  [01]   030d65a8    02010 - (busy)
        030d85b8 0403 0403  [01]   030d85c0    02010 - (busy)
        030da5d0 0403 0403  [01]   030da5d8    02010 - (busy)
        030dc5e8 0403 0403  [01]   030dc5f0    02010 - (busy)
    _HEAP @ 250000
    _HEAP @ 260000
    _HEAP @ 350000
    _HEAP @ 30000
    _HEAP @ 900000
    _HEAP @ 3d0000
    _HEAP @ ab0000
    _HEAP @ ba0000
    _HEAP @ da0000
    _HEAP @ db0000
    _HEAP @ 11b0000
    _HEAP @ 11f0000
    _HEAP @ 12d0000
    _HEAP @ 1280000
    _HEAP @ 1290000
    _HEAP @ 12b0000
    _HEAP @ 2890000
    _HEAP @ 28c0000
```
Dumping the beginning of the heap chunk at address 030dc5e8 (the HEAP_ENTRY of the last chunk listed, eight bytes before its UserPtr 030dc5f0) we get:
```text
0:016> d 030dc5e8
030dc5e8  03 04 03 04 8d 01 08 02-00 20 00 00 4e 45 59 53  ......... ..NEYS
030dc5f8  41 21 21 21 90 90 90 90-90 90 90 90 90 90 90 90  A!!!............
030dc608  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc618  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc628  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc638  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc648  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc658  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
```
Looks like we have our "NEYSA!!!" and NOPs, and the first bytes of the chunk header, 03 04 03 04, are the little-endian Size 0403 and Prev 0403 from the "!heap -flt" listing. I'm curious as to how wide the space is. Let's see if it holds 512 bytes.
Dumping the address again while specifying a length (L 200, i.e. 0x200 = 512 bytes):
```text
0:016> d 030dc5e8 L 200
030dc5e8  03 04 03 04 8d 01 08 02-00 20 00 00 4e 45 59 53  ......... ..NEYS
030dc5f8  41 21 21 21 90 90 90 90-90 90 90 90 90 90 90 90  A!!!............
030dc608  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc618  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc628  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc638  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc648  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc658  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc668  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc678  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc688  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc698  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc6a8  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc6b8  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc6c8  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc6d8  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc6e8  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc6f8  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc708  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc718  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc728  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc738  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc748  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc758  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc768  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc778  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc788  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc798  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc7a8  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc7b8  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc7c8  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc7d8  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
```
Ok! Looks like there is enough space there to hold some shellcode. However, I do understand that to increase the chance of success, the statistic above, which shows 63% of the busy bytes in chunks of 0x2010, should probably be around 90+ percent, as was the case with both Corelan's and Fuzzy Security's entries.
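As an added example (not from the original post), here is a small Node.js parser for the "!heap -stat -h" listing above. It checks WinDbg's size × #blocks = total arithmetic on every row, picks out the chunk size that dominates the busy bytes, estimates the heap's total busy bytes from the printed percentage, and applies the 90+ percent rule of thumb; the same dominance check is what an analyst would look for when deciding whether a captured heap has been sprayed. The sample text is the post's own listing re-typed as constructed input, and the function names are mine.

```javascript
// Added example: parse a "!heap -stat -h" listing and measure chunk-size dominance.

// Constructed input: the post's listing for heap 00150000.
const HEAP_STAT_SAMPLE = `
 heap @ 00150000
group-by: TOTSIZE max-display: 20
    size     #blocks     total     ( %) (percent of total busy bytes)
    2010 c2 - 184c20  (63.27)
    18000 1 - 18000  (3.91)
    8000 3 - 18000  (3.91)
    4000 3 - c000  (1.95)
    4010 2 - 8020  (1.30)
    3ff0 2 - 7fe0  (1.30)
    20 307 - 60e0  (0.99)
    57f0 1 - 57f0  (0.89)
    614 d - 4f04  (0.80)
    2a4 16 - 3a18  (0.59)
    3980 1 - 3980  (0.58)
    800 6 - 3000  (0.49)
    580 8 - 2c00  (0.45)
    388 b - 26d8  (0.40)
    d8 2b - 2448  (0.37)
    20fa 1 - 20fa  (0.34)
    1034 2 - 2068  (0.33)
    200c 1 - 200c  (0.33)
    1000 2 - 2000  (0.33)
    1800 1 - 1800  (0.24)
`;

// Each data row is "<size> <#blocks> - <total> (<percent>)" with the three numbers in hex.
// The header and "heap @" lines start with letters outside [0-9a-f], so they do not match.
const ROW_RE = /^\s*([0-9a-f]+)\s+([0-9a-f]+)\s+-\s+([0-9a-f]+)\s+\(\s*([\d.]+)\)/i;

function parseHeapStat(text) {
  const rows = [];
  for (const line of text.split('\n')) {
    const m = ROW_RE.exec(line);
    if (!m) continue;
    const row = {
      size: parseInt(m[1], 16),
      blocks: parseInt(m[2], 16),
      total: parseInt(m[3], 16),
      percent: parseFloat(m[4]),
    };
    // WinDbg prints total = size * blocks; a mismatch means the line was mis-parsed.
    if (row.size * row.blocks !== row.total) {
      throw new Error('size*blocks != total on line: ' + line.trim());
    }
    rows.push(row);
  }
  return rows;
}

// The chunk size owning the largest share of busy bytes (the first row under TOTSIZE
// ordering, but computed here so the function also works on unsorted input).
function dominantSize(rows) {
  return rows.reduce((best, r) => (r.total > best.total ? r : best));
}

// The listing only shows the top 20 sizes, so the heap's total busy bytes must be
// inferred: any row's total divided by its percentage gives the denominator WinDbg used.
function estimateBusyBytes(row) {
  return Math.round(row.total / (row.percent / 100));
}

// The post's rule of thumb: the spray is reliable once one size owns 90+% of busy bytes.
function sprayCoverageReached(rows, thresholdPercent) {
  return dominantSize(rows).percent >= thresholdPercent;
}

// Stand-alone demo against the post's numbers.
const rows = parseHeapStat(HEAP_STAT_SAMPLE);
const top = dominantSize(rows);
console.log('dominant size 0x' + top.size.toString(16) + ' owns ' + top.percent + '% of ~' +
  estimateBusyBytes(top) + ' busy bytes; 90% reached: ' + sprayCoverageReached(rows, 90));
```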
At this point I believe I have enough of the basics I need to build on in the future.
Thanks Corelan and Fuzzy Security.
References:
http://repository.root-me.org/Exploitation%20-%20Syst%C3%A8me/Microsoft/EN%20-%20Stack%20Bug%20-%20Exploit%20writing%20tutorial%20part%2011%20heap-spraying%20demystified.pdf
http://windbg.info/doc/1-common-cmds.html
https://www.w3schools.com/jsref/jsref_unescape.asp
https://www.fuzzysecurity.com/tutorials/expDev/8.html