dangling pointer dangling pointer
play

Dangling Pointer Dangling Pointer Jonathan Afek, 2/ 8/ 07, BlackHat - PowerPoint PPT Presentation

Oct 27, 2023 •247 likes •543 views

Dangling Pointer Dangling Pointer Jonathan Afek, 2/ 8/ 07, BlackHat USA 1 Table of Contents What is a Dangling Pointer? Code Injection Object Overriding Demonstrations Remediation Summary Q&A 2 What is a

  1. Dangling Pointer Dangling Pointer Jonathan Afek, 2/ 8/ 07, BlackHat USA 1

  2. Table of Contents � What is a Dangling Pointer? � Code Injection � Object Overriding � Demonstrations � Remediation � Summary � Q&A 2

  3. What is a Dangling Pointer? Invalid Pointer: � Dangerous Dangling Dangling Pointer Pointer � Easy to Exploit Pointer Pointer Pointer Pointer Pointer Pointer � Common Deleted Deleted Object Object New Data Object New Data Object Object Object Object Object 3

  4. What is a Dangling Pointer? – An Example � Results: Crash 4

  5. What is a Dangling Pointer? – An Example � Debugger View 5

  6. Where are We � What is a Dangling Pointer? � Code I njection � Object Overriding � Demonstrations � Remediation � Summary � Q&A 6

  7. Code I njection – The Layout of an Object � Class_A: class Class_A Instance_A memory Class_A VFTable vfunc_A1 Code class Class_A Instance_A memory Class_A VFTable vfunc_A1 Code VFTABLE Pointer vfunc_A1 address { VFTABLE Pointer vfunc_A1 address { Assembly code Assembly code member_of_A int member_of_A; vfunc_A2 address member_of_A int member_of_A; vfunc_A2 address public: public: vfunc_A2 Code virtual long vfunc_A1(); vfunc_A2 Code virtual long vfunc_A1(); { { … virtual long vfunc_A2(); … virtual long vfunc_A2(); ... ... Assembly code Assembly code MOVE EAX, [ECX] MOVE EAX, [ECX] static void sfunc_A(); static void sfunc_A(); this.vfunc_A2(); this.vfunc_A2(); CALL [EAX + 4] CALL [EAX + 4] ... ... void funcA(); void funcA(); … } … } }; }; 7

  8. Code I njection – The Double Reference Exploit Exploit Overview: – Free the Object – Override the Object – covered later – Execute a Virtual Function 8

  9. Code I njection – The Double Reference Exploit � Injecting Code � Continue – Free the Object – Automation – Shellcode – Call/Jmp ECX ECX – Original – Finding a “VFTABLE” ECX – Original Object Object – Interpreted as Code VFTABLE Pointer VFTABLE VFTABLE Pointer VFTABLE VFTABLE + 4 VFTABLE + 4 Original Object Freed Space Original Object Freed Space VFTABLE + 8 Pointer VFTABLE + 8 Pointer SHELLCODE SHELLCODE VFTABLE + C VFTABLE + C VFTABLE + 10 CALL/JMP ECX VFTABLE + 10 CALL/JMP ECX 9 9

  10. Code I njection – Double I nheritance Class_A::vfunc_A1 Class_A::vfunc_A1 � Multiple Inheritance Assembly code Assembly code Inherited::Class_A Inherited::Class_A Object’s memory Object’s memory VFTable VFTable class Inherited: public Class_A, public Class_B Inherited::vfunc_A2 class Inherited: public Class_A, public Class_B Inherited::vfunc_A2 A VFTABLE Pointer vfunc_A1 address A VFTABLE Pointer vfunc_A1 address { { Class A member_of_A vfunc_A2 address member_of_A vfunc_A2 address Assembly code public: Assembly code public: � We can now override the second VFTABLE!!! B VFTABLE Pointer B VFTABLE Pointer virtual int vfunc_A2(); virtual int vfunc_A2(); Inherited::Class_B Inherited::Class_B member1_of_B VFTable Class B member1_of_B VFTable virtual int vfunc_B2(); Class_B::vfunc_B1 virtual int vfunc_B2(); Class_B::vfunc_B1 vfunc_B1 address vfunc_B1 address Member2_of_B }; Member2_of_B }; vfunc_B2 address vfunc_B2 address Assembly code Assembly code Inherited::vfunc_B2 Inherited::vfunc_B2 Assembly code Assembly code 10 10

  11. Where are We � What is a Dangling Pointer? � Code Injection � Object Overriding � Demonstrations � Remediation � Summary � Q&A 11

  12. Object Overriding � Allocation Implementation – Numerous heaps • Two Default heaps • Different API • C-Runtime functions – Malloc – Free – New – Delete – Etc. 12 12

  13. Object Overriding � Allocation implementation details – Lookaside List • A list for each size (8-1024) (8) and for each heap • First Allocation Priority • Merges A De-Allocated Buffer Another De-Allocated A De-Allocated Buffer Another De-Allocated Buffer Buffer Next Buffer Pointer NULL Next Buffer Pointer NULL 40 40 40 40 Bytes Bytes Bytes Bytes Lookaside Lookaside list base list base pointer pointer 13 13

  14. Object Overriding � And Finally – Overriding – Search for Allocations • Static Analysis – Method: Disassembly – Restriction: Static Size – Validation: Controllable Content – Usage: Causing the Allocation • Dynamic analysis – Method: API Breakpoints – Restriction: Static/Dynamic Size – Validation: Controllable Content 14 14

  15. Object Overriding – The VFTABLE Exploit � Exploitation: � Continue: – Empty the Lookaside List – Free the Object – Allocate a Buffer – Execute a VFunc – Insert Content – Free the Buffer VFTABLE VFTABLE VFTABLE Pointer VFTABLE Pointer NULL SHELLCODE New Buffer SHELLCODE New Buffer Original Object Original Object VFTABLE + 8 Pointer Rest of Rest of CALL/JMP EAX CALL/JMP EAX SHELLCODE SHELLCODE 15

  16. Object Overriding – The Lookaside Exploit � Empty the Lookaside � Free One Buffer � Allocate Two Buffers � Free The Other � Insert Shellcode � Free The Object � Execute the Destructor The De-Allocated The De-Allocated The Shellcode The De-Allocated The De-Allocated The Shellcode Object Buffer Buffer Object Buffer Buffer A VFTABLE A Function NULL A VFTABLE A Function NULL Pointer Pointer GAME OVER!!! Pointer Pointer Shellcode … … Shellcode … … 16 16

  17. Object Overriding – The Lookaside Exploit � Executing NULL – NO Problem 17 17

  18. Summary � Summary – Double Reference • Controllable First DWORD • Static Address – VFTABLE Exploit • Controllable Allocations • No First DWORD • Static Address – Lookaside Exploit • Controllable Allocations • No First DWORD • No Static Address • Destructor Execution 18

  19. Where are We � What is a Dangling Pointer? � Code Injection � Object Overriding � Demonstrations � Remediation � Summary � Q&A 19

  20. Demonstrations – Configuration I tem � Allocating the Object � De-Allocation the Object 20

  21. Demonstrations – Configuration I tem � Allocating User Data 21

  22. Demonstrations – Configuration I tem � Executing a VFunc 22

  23. Demonstrations – Configuration I tem � Putting it Together – De-Allocate – Re-Allocate – Execute 23

  24. Demonstrations – Remote Exploit � Another Exploit on IIS, but this time – a remote one 24

  25. Where are We � What is a Dangling Pointer � Code Injection � Object Overriding � Demonstrations � Remediation? � Summary � Q&A 25

  26. Remediation � Known Protection Mechanisms – NX Bit – ASLR � VFTABLE Sanitation � Safe Programming 26

  27. Summary � Technical Background – Memory Allocations – Objects Implementation � Exploits – Double Reference Exploit – VFTABLE Exploit – Lookaside Exploit � Demonstrations – Configuration Item – Remote Exploit � Dangling Pointer – Only Object Oriented Objects 27

  28. Questions � Ask Away… 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The effects of dangling nodes on citation networks Erjia Yan & Ying Ding ISSI 2011 - June

The effects of dangling nodes on citation networks Erjia Yan & Ying Ding ISSI 2011 - June

The effects of dangling nodes on citation networks Erjia Yan & Ying Ding ISSI 2011 - June 30, 2011 Dangling nodes on the web Dangling nodes denote the nodes without outgoing links Some web pages do not contain any valid hyperlinks

467 views • 20 slides
Outerjoin = with tuples padded with R S R . / S dangling . / n ulls and

Outerjoin = with tuples padded with R S R . / S dangling . / n ulls and

Outerjoin = with tuples padded with R S R . / S dangling . / n ulls and included in the result. A tuple is dangling if it do esn't join with an y other tuple. = R A B 1 2 3 4 = S B C 2 5 2

185 views • 18 slides
Dangling Pointers Periklis Akritidis --2010 Use-after-free Vulnerabilities Accessing Memory

Dangling Pointers Periklis Akritidis --2010 Use-after-free Vulnerabilities Accessing Memory

Cling: A Memory Allocator to Mitigate Dangling Pointers Periklis Akritidis --2010 Use-after-free Vulnerabilities Accessing Memory Through Dangling Pointers Techniques : Heap Spraying, Feng Shui Manual memory management is error prone

574 views • 35 slides
Pointer arithmetic arrays only arrays only Pointer arithmetic Can add or subtract an

Pointer arithmetic arrays only arrays only Pointer arithmetic Can add or subtract an

Pointer arithmetic arrays only arrays only Pointer arithmetic Can add or subtract an integer as long as result is still within the bounds of the array Can subtract a pointer from another pointer iff both point to

140 views • 9 slides
Pointer Basics Lecture 13 COP 3014 Fall 2019 November 7, 2019 What is a Pointer? A pointer

Pointer Basics Lecture 13 COP 3014 Fall 2019 November 7, 2019 What is a Pointer? A pointer

Pointer Basics Lecture 13 COP 3014 Fall 2019 November 7, 2019 What is a Pointer? A pointer is a variable that stores a memory address. Pointers are used to store the addresses of other variables or memory items. Pointers are very

742 views • 23 slides
Pointers The Pointer Defined int *x; Read as: declare x as a pointer to a 32-bit integer

Pointers The Pointer Defined int *x; Read as: declare x as a pointer to a 32-bit integer

Pointers The Pointer Defined int *x; Read as: declare x as a pointer to a 32-bit integer Interpretation: declare x as a variable on the stack that holds the numeric address of the location in memory at which are 32 bits that we intend

359 views • 15 slides
HD- -SCR and Tele SCR and Tele- -Pointer Pointer HD Nobuhiro Torata, Kyushu University

HD- -SCR and Tele SCR and Tele- -Pointer Pointer HD Nobuhiro Torata, Kyushu University

The 5 th ATS at Fukuoka HD- -SCR and Tele SCR and Tele- -Pointer Pointer HD Nobuhiro Torata, Kyushu University Hospital. 2 HD-SCR: High Definition Streaming Combined Remote conference system Concepts of New system Hi quality HD image

108 views • 7 slides
HD- -SCR and Tele SCR and Tele- -Pointer Pointer HD Chairpersons: Ti-Chaung Chiang, National

HD- -SCR and Tele SCR and Tele- -Pointer Pointer HD Chairpersons: Ti-Chaung Chiang, National

Medical WG Technology session APAN 32 nd meeting at New Delhi HD- -SCR and Tele SCR and Tele- -Pointer Pointer HD Chairpersons: Ti-Chaung Chiang, National Taiwan University Torata N and Cao Duc Minh, Kyushu University Hospital. 1 HD-SCR:

347 views • 10 slides
A checker for dangling string pointers in C++ in the Clang Static Analyzer Rka Kovcs

A checker for dangling string pointers in C++ in the Clang Static Analyzer Rka Kovcs

A checker for dangling string pointers in C++ in the Clang Static Analyzer Rka Kovcs Mentors: Artem Dergachev Etvs Lornd University, Budapest, Hungary Gbor Horvth rekanikolett@gmail.com Real-world example return

257 views • 9 slides
Pointers and Memory 1 Pointer values Pointer values are memory addresses

Pointers and Memory 1 Pointer values Pointer values are memory addresses

Pointers and Memory 1 Pointer values Pointer values are memory addresses Think of them as a kind of integer values The first byte of memory is 0, the next 1, and so on A pointer p can hold the address of a memory

1.01k views • 31 slides
Preventing Use-after-free with Dangling Pointers Nullification Byoungyoung Lee , Chengyu Song,

Preventing Use-after-free with Dangling Pointers Nullification Byoungyoung Lee , Chengyu Song,

Preventing Use-after-free with Dangling Pointers Nullification Byoungyoung Lee , Chengyu Song, Yeongjin Jang Tielei Wang, Taesoo Kim, Long Lu, Wenke Lee Georgia Institute of Technology Stony Brook University Emerging Threat: Use-after-free

923 views • 43 slides
FAT POINTERS Arjun Menon IIT Madras What is a Fat Pointer? METADATA ADDRESS PTR Typically

FAT POINTERS Arjun Menon IIT Madras What is a Fat Pointer? METADATA ADDRESS PTR Typically

FAT POINTERS Arjun Menon IIT Madras What is a Fat Pointer? METADATA ADDRESS PTR Typically metadata contains the base and bounds of the pointer which is essentially the valid accessible memory region by the pointer if(

511 views • 49 slides
Pointers II 1 Outline Pointers arithmetic and others Functions & pointers 2 Pointer

Pointers II 1 Outline Pointers arithmetic and others Functions & pointers 2 Pointer

Pointers II 1 Outline Pointers arithmetic and others Functions & pointers 2 Pointer Arithmetic When you add to or subtract from a pointer, the amount by which you do that is multiplied by the size of the type the pointer points

689 views • 33 slides
Precision-Guided Context Sensitivity for Pointer Analysis Yue Li, Tian Tan, Anders Mller,

Precision-Guided Context Sensitivity for Pointer Analysis Yue Li, Tian Tan, Anders Mller,

Precision-Guided Context Sensitivity for Pointer Analysis Yue Li, Tian Tan, Anders Mller, Yannis Smaragdakis OOPSLA 2018 1 A New Pointer Analysis T echnique for Object-Oriented Programs 2 Pointer Analysis Determines which

841 views • 64 slides
Opaque Pointer Types To a world without pointer to pointer bitcasts Motivation Proximal

Opaque Pointer Types To a world without pointer to pointer bitcasts Motivation Proximal

Opaque Pointer Types To a world without pointer to pointer bitcasts Motivation Proximal Motivation 222748: Canonicalize store (cast V), P -> store V, (cast P) 220138: Canonicalize cast (load P) -> load (cast P)

649 views • 25 slides
A few more pointer points A few more pointer points Beware null & wayward pointers! (Learn

A few more pointer points A few more pointer points Beware null & wayward pointers! (Learn

A few more pointer points A few more pointer points Beware null & wayward pointers! (Learn from Binky) Command line arguments int main(int argc, char *argv[]) {} Equivalent argv declaration: char **argv Either way,

403 views • 14 slides
September 2010 BOV-SA Public Affairs Presentation Natty Montoya, 11 Jake Nelson, 11

September 2010 BOV-SA Public Affairs Presentation Natty Montoya, 11 Jake Nelson, 11

September 2010 BOV-SA Public Affairs Presentation Natty Montoya, 11 Jake Nelson, 11 Charter Day 2011 Presented by Brian Focarino (11) and Brittany Fallon (11) -The Administration and Students are pairing up to increase the

329 views • 18 slides
Overview of Regulation 650/2012 Patrick Wautelet CNUE Reg. successions 24 03 2014 Plan 1) The

Overview of Regulation 650/2012 Patrick Wautelet CNUE Reg. successions 24 03 2014 Plan 1) The

International successions: Overview of Regulation 650/2012 Patrick Wautelet CNUE Reg. successions 24 03 2014 Plan 1) The Regulation: general principles 2) Application of the Regulation: illustrations CNUE Reg. successions 24 03

403 views • 36 slides
Cimple Graham Shankara Pancham Barab Pailoor preet Kaur Motivation Struggles of a C

Cimple Graham Shankara Pancham Barab Pailoor preet Kaur Motivation Struggles of a C

Cimple Graham Shankara Pancham Barab Pailoor preet Kaur Motivation Struggles of a C programmer No Code-Reuse, except standard library; With Inheritance, Cimple to the rescue. Resource Management - all the malloc , calloc , realloc

348 views • 12 slides
LOCONTE & PARTNERS WEALTH MANAGEMENT *** International estates in the Italian legal and tax

LOCONTE & PARTNERS WEALTH MANAGEMENT *** International estates in the Italian legal and tax

LOCONTE & PARTNERS WEALTH MANAGEMENT *** International estates in the Italian legal and tax system Loconte & Partners Studio Legale e Tributario 1 CROSS-BORDER ESTATES According to Italian international private law an estate is

649 views • 49 slides
Check Against Delivery VI OLENCE AGAI NST OLDER W OMEN I N TANZANI A Ms Teresa Minja, Tanzania

Check Against Delivery VI OLENCE AGAI NST OLDER W OMEN I N TANZANI A Ms Teresa Minja, Tanzania

Check Against Delivery VI OLENCE AGAI NST OLDER W OMEN I N TANZANI A Ms Teresa Minja, Tanzania Social Protection Netw ork Paper prepared for the panel discussion: Violence and abuse against older persons, 2 nd August 2 0 1 1 , Second W orking

200 views • 4 slides
Announcing Coastal Expansion 2019-2020 WHO WE ARE Muddy Sneakers is a 501(c)(3) nonprofit that

Announcing Coastal Expansion 2019-2020 WHO WE ARE Muddy Sneakers is a 501(c)(3) nonprofit that

Announcing Coastal Expansion 2019-2020 WHO WE ARE Muddy Sneakers is a 501(c)(3) nonprofit that delivers high-quality outdoor science education to fifth-grade public school students. It was founded in Brevard in 2007 with the goal of

386 views • 27 slides
PUPPET Use at General Mills Preface HP UX platform at GMI is 15+ years old Consolidated

PUPPET Use at General Mills Preface HP UX platform at GMI is 15+ years old Consolidated

PUPPET Use at General Mills Preface HP UX platform at GMI is 15+ years old Consolidated Superdome architecture today Moving enterprise apps to RHEL6 Oracle SAP BW/BI Warehouse Management Short migration timeframe

493 views • 31 slides
MINISTRY OF FINANCE CITIZEN SATISFACTION STUDY Beneficiary Funded By Stakeholders / Partners

MINISTRY OF FINANCE CITIZEN SATISFACTION STUDY Beneficiary Funded By Stakeholders / Partners

MINISTRY OF FINANCE CITIZEN SATISFACTION STUDY Beneficiary Funded By Stakeholders / Partners USAID AMIDEAST Institute of Finance Ministry of Finance - Revenues Directorate - Expenditures Directorate - Corporate

308 views • 26 slides

More recommend