What is heap spraying?
Heap spraying is a technique using which an attacker can write a certain sequence of bytes at a predetermined memory location of a process. Then, the attacker can exploit that to facilitate the execution of arbitrary malicious code. Let’s try to understand how heap spraying works.
What is the heap?
A process in execution uses different sections of memory for different purposes.
Text Section: The text section is used to store the static code of the program. It is usually marked as read-only and cannot be modified by the program.
Data Section: The data section is used to store static and global variables.
Stack Section: Usually, every function uses some local variables. They are in use as long as the process executes that particular function. After that, they are not needed anymore. A process uses the stack section to store those local variables. Memory is allocated in the stack section when a function is called. The memory is freed upon returning from the function.
Heap Section: Many times, it is not possible for a process to know in advance how much memory it will need for a certain variable. A dynamic array or a linked list may be a good example of that. For that purpose, the process dynamically allocates memory for that variable at run time. For storing these dynamically allocated data, a process uses the heap section.
In heap spraying, an attacker writes a series of bytes in the heap section of a process and later exploits that for malicious purposes.
How does heap spraying work?
In heap spraying, attackers exploit the fact that the heap is usually deterministic. It often starts at a predetermined location in memory, and it is located in a consecutive manner.
So, the attackers first use some mechanism to put their shellcode to some predictable location in the heap. Then, they trigger a bug to make the EIP instruction pointer to point to the location directly.
A browser is an easy mechanism to do this. The attackers can use scripting support to spray the heap and then trigger the bug. The attackers can even use other mechanisms like JavaScript or Actionscript in Adobe Reader to put the shellcode in a predetermined location in the heap.
So, to summarize, in heap spraying, attackers first take scripting support to put their shellcode …
0 Comments