FFR EXCALOC: Exploitability — Fourteenforty Research Institute, Inc. (http://www.fourteenforty.jp) 1
Two stack-frame diagrams (their vertical order was flattened by extraction). Without a canary: Saved EBP, then (int a, char c), then char buf[]. With a canary: Saved EBP, Canary, (int a, char c), char buf[] — the canary is placed directly below the saved EBP, so a linear overflow running upward out of buf has to clobber it before it reaches the saved EBP / return address. 6
/* Slide example: classic stack overflow through an unbounded strcpy().
 * The slide labels the frame with "Canary cookie" -- the /GS-style cookie
 * that sits between buf and the saved EBP when stack protection is enabled.
 */
int vuln(char *arg)
{
    char buf[128];

    /* No length check: an arg whose length (plus NUL) exceeds 128 bytes runs
     * past buf and overwrites what lies above it in the frame -- the canary,
     * when present, and then the saved EBP / return address, per the slide's
     * stack-layout figure. */
    strcpy(buf, arg);
    printf("buf = %s\n", buf);
    return 0;
}
char *arg2 int arg1) Saved EBP (int a, char c) int arg1) Saved EBP (int a, char c) char buf[] char *p char buf[] 8
/* Slide example: overflow through a hand-written copy loop.
 * Each byte is stored as (*s + 1), so an attacker's payload must be
 * pre-decremented by one, and an input byte of 0xFF lands in buf as 0x00
 * (on the usual two's-complement ABI). The loop stops at the input NUL but
 * never stores one in buf, so the printf() below reads past the copied
 * bytes even when nothing overflows. The length parameter l is never used.
 */
void vuln(char *s, int l)
{
    char *a;
    char buf[32];

    a = buf;
    /* Unbounded: 32 or more input bytes run off the end of buf. */
    while (*s != '\0') {
        *a++ = *s++ + 1;
    }
    printf("buf = %s\n", buf);
    return;
}
/* Slide example: the input length is measured and printed but never used to
 * bound the copy. The slide's "Canary" annotations mark where a stack cookie
 * would sit in this frame. */
void vuln(char *s, int l)
{
    int len;
    char buf[32];

    len = strlen(s);
    printf("length = %d, %d\n", len, l);
    /* len is known here yet never compared against sizeof buf; an s of
     * 32 or more bytes overruns buf. */
    strcpy(buf, s);
    return;
}
char *arg2 int arg1) Saved EBP (int a, char c) char *p char buf[] char* arg2) Not use int arg1) Saved EBP (int a, char c) char buf[] char *p char *arg2 12
/* Same routine as the previous slide. Here the slide annotates the strcpy()
 * call with "arg_0" / "src" -- a disassembler-style label for the s
 * parameter, presumably tracing the copy's source operand back to a function
 * argument (verify against the slide). */
void vuln(char *s, int l)
{
    int len;
    char buf[32];

    len = strlen(s);
    printf("length = %d, %d\n", len, l);
    /* Unbounded copy: len is computed but does not limit this call. */
    strcpy(buf, s);
    return;
}
LOAD_CONFIG directory (IMAGE_LOAD_CONFIG_DIRECTORY32, offsets 0x00–0x48): offset 0x40 = SEHandlerTable, offset 0x44 = SEHandlerCount. SEHandlerTable is the RVA of the table of registered exception handlers (0x0000XXXX ...); under SafeSEH only handlers listed in this table are dispatched. 15
SEHandlerTable 16
Windows heap layout: HEAP holds Segments[] and FreeList[]. Each HEAP_SEGMENT carries Signature = 0xFFEEFFEE and FirstEntry, which points at the first HEAP_ENTRY of the segment. FreeList[0] … FreeList[n] are the heads of the free-block lists; each head chains FreeBlock → FreeBlock → FreeBlock.
Heap Manager Heap FreeList FreeList Heap Heap FreeList 22
HeapHeader FreeList FreeList 4byte 4byte Heap FreeList HeapManager HeapManager 23
Heap FreeList[0] FreeBlock FreeBlock FreeBlock FreeList FreeList[1] FreeBlock FreeBlock FreeBlock FreeBlock FreeBlock 4byte FreeBlock FreeBlock 24
FreeList 25
FreeList 27
Heap Header Heap Header[0] Heap Header[1] Heap Header HeapHeader[0] HeapHeader[1] HeapHeader[2] 29
HeapHeader[0] HeapHeader[1] HeapHeader[2] HeapHeader Heap Heap Heap HeapHeader FreeList 30
Heap HeapHeader FreeList Heap Heap Heap 31
Heap HeapHeader FreeList FreeBlock FreeBlock 0x00000000 32
HeapHeader FreeList 33
FreeList 35
[EBP-X] 39
[EBP+] LEA 41
MOV 43
Compiler fingerprint via the SEH prologue: VC, Delphi and BCC each link their frame into the handler chain through fs:[0]; the slide shows the `mov eax, fs:[0]` / `push eax` load-and-save sequence (the exact instruction order was lost in extraction). 45
Compilers covered: Visual C++, BCC32 (Borland C++), GCC, Delphi. 50
Per-binary results (columns: Compiler | Type | Stack Protection | Safe SEH | Heap Manager), followed by the functions found; the slide gives each function as an address plus two unlabeled values:
- Visual C++ | — | /GS | — | Windows Heap Manager — 0x00401609 (0x88, 0x02), 0x00401887 (0x14D, 0x01), 0x00401DE4 (0x2AB, 0x01)
- Visual C++ | — | — | — | — — 0x00401000 (0xDC, 0x01), 0x004010DC (0x08, 0x01), 0x004010F0 (0x59, 0x01)
- Borland Delphi | — | — | — | Delphi Heap Manager — 0x0040114D (0x1CF, 0x01), 0x00403AEA (0x105, 0x06), 0x00403EEC (0x62, 0x03)
Scoring weights for the three factors A, B, C (the condition labels were lost in extraction): Canary — (condition) = 1, (condition) = 1, unlabeled third case = 2; Heap Manager — Windows = 1, Borland C++ = 2, Delphi = 2; SafeSEH — (condition) = 1, (condition) = 1, unlabeled third case = 2. A lower weight presumably corresponds to a harder-to-exploit configuration — verify against the slide. 57
Exploitability = (numerator) / (denominator) — the operands did not survive extraction; presumably they are built from the A/B/C weights above. 58
Fourteenforty Research Institute, Inc. http://www.fourteenforty.jp <ishiyama@fourteenforty.jp> 62