
Exploiting Double Free Vulnerabilities...





Alsalam alikom wa ra7mat Allah wa barakatoh



Huh!! That's what I said when I first saw that title... but let me explain...


Double Free means freeing the same pointer twice (which logically should not work at all).
On Windows XP SP2 and later (Vista included) it can, in some circumstances, still be done, and it corrupts the heap (Vista will shout at your face if you do). That corruption is exactly what lets you walk and use the heap as you want.

Facts to know about how Windows frees your pointers:
- A freed block can land in one of two places: the Lookaside list (fast access, small blocks only, just a handful of entries per size) or the FreeList (slower access, the general doubly linked free lists that hold everything else).
- A Chunk is the node of that data structure. While it is free it holds mainly two things: a pointer to the next free chunk and a pointer to the previous free one (think of it as a node in a linked list).
- The first 4 bytes of the chunk's user data are the FLink (forward link) and the second 4 bytes are the BLink (back link). On the lookaside only the FLink is used, because that list is singly linked.
- delete ptr1;
delete ptr2;
Windows takes your chunk (for ptr1) and puts it on the Lookaside list (and leaves it marked Busy), then takes your second chunk and puts it in another lookaside slot if one is free; if not, it is sent to the FreeList.

Now, the vulnerability:
If we manage to make something like this happen:
delete ptr;
delete ptr;
and arrange that the second delete is sent to the FreeList, guess what: we have two lists pointing at the same chunk (so what?.. just wait and see). The second delete goes through because a chunk sitting on the lookaside is still marked Busy, so the heap sees nothing wrong with freeing it again.
Now, if we can then allocate a chunk of that size again
ptr = new Whatever;
guess what!! You get the chunk from the lookaside back while it still sits on the FreeList, and those precious 8 bytes at its start are now the FreeList's FLink and BLink, which you can write to and so corrupt or control the FreeList entries. Keep in mind that since XP SP2 the heap checks, when it unlinks an entry, that both neighbours point back at it, so whatever you forge has to survive that check.
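To see both arrangements described above (the second free landing on the lookaside next to the first, and the second free going to the FreeList as the post describes) with the heap bookkeeping in front of you, here is a small model written for this page. It is not the Symantec authors' code and not Windows' own heap: a toy allocator with one size class, a pool of four chunks, a lookaside list of configurable depth and a FreeList with the XP SP2 neighbour check. pool, toy_alloc, toy_free and the demo functions are names made up for it, and pool[3] stands in for whatever address an attacker would really pick.

```c
/* Toy model of the pre-Vista Windows heap front end (singly linked lookaside list
 * in front of a doubly linked FreeList), constructed for this example. Not Windows
 * code: the pool, the single size class and the names are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HEAP_ENTRY_BUSY 0x01
#define NCHUNKS 4

typedef struct chunk {
    uint8_t flags, pad[7];      /* 8-byte header; HEAP_ENTRY_BUSY lives in the flags */
    union {                     /* user data; while free, it starts with FLink then BLink */
        struct { struct chunk *flink, *blink; } links;   /* the first 4 + 4 bytes on 32-bit XP */
        uint8_t bytes[32];
    } data;
} chunk_t;
#define FLINK(c) ((c)->data.links.flink)
#define BLINK(c) ((c)->data.links.blink)

static chunk_t  pool[NCHUNKS];
static chunk_t  freelist;           /* sentinel head of the doubly linked FreeList */
static chunk_t *lookaside;          /* head of the singly linked lookaside list */
static int      lookaside_count, lookaside_depth, corruption_detected;

static void heap_init(int depth) {  /* depth is 4 on XP; 1 models "lookaside already full" */
    memset(pool, 0, sizeof pool);
    for (int i = 0; i < NCHUNKS; i++) pool[i].flags = HEAP_ENTRY_BUSY;  /* as if handed out */
    FLINK(&freelist) = BLINK(&freelist) = &freelist;
    lookaside = NULL;
    lookaside_count = corruption_detected = 0;
    lookaside_depth = depth;
}

static void *toy_alloc(void) {
    chunk_t *c = lookaside;
    if (c) {                                /* lookaside first: a bare SLIST pop, no checks at all */
        lookaside = FLINK(c);
        lookaside_count--;
        return c->data.bytes;               /* the busy flag was never cleared */
    }
    c = FLINK(&freelist);
    if (c == &freelist) return NULL;        /* nothing free in this size class */
    /* XP SP2 safe unlinking: both neighbours must point back at the entry being removed */
    if (FLINK(BLINK(c)) != c || BLINK(FLINK(c)) != c) { corruption_detected = 1; return NULL; }
    FLINK(BLINK(c)) = FLINK(c);
    BLINK(FLINK(c)) = BLINK(c);
    c->flags |= HEAP_ENTRY_BUSY;
    return c->data.bytes;
}

static void toy_free(void *p) {
    chunk_t *c = (chunk_t *)((uint8_t *)p - offsetof(chunk_t, data));
    if (!(c->flags & HEAP_ENTRY_BUSY)) { corruption_detected = 1; return; }  /* the one pre-Vista check */
    if (lookaside_count < lookaside_depth) {/* SLIST push; the busy flag is deliberately left set */
        FLINK(c) = lookaside;
        lookaside = c;
        lookaside_count++;
        return;
    }
    c->flags &= ~HEAP_ENTRY_BUSY;           /* otherwise insert at the head of the FreeList */
    FLINK(c) = FLINK(&freelist);
    BLINK(c) = &freelist;
    BLINK(FLINK(&freelist)) = c;
    FLINK(&freelist) = c;
}

/* Route 1: the lookaside has room, so the double free pushes the same chunk twice (pool[0] -> pool[0]).
   The first allocation hands the chunk back while it is still the lookaside head, and its first bytes
   are that head's Next link: write a chosen address there and the allocation after the next one returns it. */
int demo_lookaside_route(void) {
    heap_init(4);
    void *p = pool[0].data.bytes;
    toy_free(p);                            /* lookaside: pool[0], Next = NULL */
    toy_free(p);                            /* still flagged busy, so no complaint: Next = pool[0] */
    if (toy_alloc() != p || lookaside != &pool[0] || corruption_detected) return 0;
    FLINK(&pool[0]) = &pool[3];             /* attacker-chosen target (assumption: any address would do) */
    toy_alloc();                            /* pops pool[0] a third time; the head becomes pool[3] */
    return toy_alloc() == pool[3].data.bytes;   /* the program now owns memory it never allocated */
}

/* Route 2, the arrangement in the post: the lookaside is full, so the second free lands on the FreeList
   and the chunk sits on both lists, one word serving as lookaside Next and FreeList FLink. Allocating
   pops it off the lookaside; what we then write into it is what the FreeList reads as FLink/BLink. */
chunk_t *demo_freelist_route(chunk_t *forged) {
    heap_init(1);
    void *p = pool[0].data.bytes;
    toy_free(p);                            /* lookaside */
    toy_free(p);                            /* FreeList: BUSY cleared, FLink/BLink written over Next */
    if (toy_alloc() != p || FLINK(&freelist) != &pool[0] || lookaside != &freelist) return NULL;
    FLINK(&pool[0]) = forged;               /* the first 4 (here pointer-sized) bytes we control */
    return FLINK(FLINK(&freelist));         /* FreeList: head -> pool[0] -> forged */
}
```

Two things the trace makes visible that the prose does not: in route 2 the FreeList insert overwrites the lookaside's Next pointer, so after the allocation the lookaside head is the FreeList sentinel itself (in the real heap, a pointer into the heap's own FreeList array), which is why aliasing a chunk between the two lists is already heap corruption; and in either route the value you forge only pays off if the next unlink's neighbour check is satisfied, so the forged entry has to point back at the chunk, which in practice means pointing it at memory you already control.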

* One last note, about Windows Vista:
- Heap addresses are randomized, so the FreeList no longer sits at a predictable address.
- Chunk metadata is encoded by XORing it with a random value generated when the process starts, so forged entries that do not know that value will not decode to anything useful.
- Vista can terminate the process the moment heap corruption is detected (previous Windows versions just ignored it), and the lookaside lists this trick relies on are gone, replaced by the Low Fragmentation Heap.


All of the above is a quick review after reading these two articles:
Double Free Vulnerabilities Part 1 (Symantec: what the bug is)
Double Free Vulnerabilities Part 2 (Symantec: how to exploit the bug)

That's it... stay away, hackers!!!

Alsalam alikom wa ra7mat Allah wa barakatoh
