That reminded me of this awesome writeup by Justin Schuh about turning a Firefox bug into a sploit.
I'm really curious about leveraging heap sprays in JavaScript-enabled applications beyond the browser (such as PDFs and Flash), but I doubt I'll get motivated enough to play. I am way behind on things already!
I keep putting off my pending semi-substantial blog post too... /me sighs...
2 comments:
The exploit uses similar techniques to a heap spray in setting up the memory space. However, the goals of each method are different. With heap spraying, you're generally trying to set up patterns in memory so that approximate addresses will point to exploit data. With my approach, I'm intentionally growing the heap in order to force a specific memory allocation to fail. The content of the heap, however, isn't an important part of my exploit because offsetting from the returned NULL pointer on a failed allocation lets you overwrite an exact address.
Also, my exploit was a very application-specific attack, and not useful as a general technique. HTML canvases are useful for fine-grained control of the size and content of memory buffers, though, which may come in handy for heap spraying and other exploit techniques.
Justin
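The failure mode Justin describes above, shown from the defender's side as an added example (not code from the post, Firefox, or Justin): a canvas-like record whose fields sit at fixed offsets from the allocation base, a constructed allocator that refuses requests once a budget is used up (standing in for a heap that has been deliberately grown), and a constructor that checks the result so a refused allocation is reported rather than written through at NULL plus an offset. The struct layout, the budget size and the function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Canvas-like record: fixed-size header, then the pixel buffer.
 * Every field lives at a fixed offset from the allocation base. */
struct canvas {
    uint32_t width;
    uint32_t height;
    uint8_t  pixels[];
};

/* Constructed stand-in for a heap that has been grown close to its limit:
 * any request beyond the remaining budget is refused with NULL. */
#define HEAP_BUDGET (64u * 1024u)
static size_t heap_used;

static void *budgeted_alloc(size_t n) {
    if (n > HEAP_BUDGET - heap_used) return NULL;
    heap_used += n;
    return calloc(1, n);
}

/* Where a store to the field at `field_offset` lands, given the pointer the
 * caller holds. With base == NULL (a failed allocation used unchecked) the
 * result is not a heap address at all but the absolute address `field_offset`.
 * Pure integer arithmetic; nothing is dereferenced here. */
uintptr_t write_target(const struct canvas *base, size_t field_offset) {
    return (uintptr_t)base + field_offset;
}

/* Hardened constructor: overflow-safe size computation plus an explicit NULL
 * check, so a refused allocation fails closed instead of becoming a write to
 * a fixed, attacker-predictable address. */
struct canvas *canvas_create(uint32_t width, uint32_t height) {
    if (width != 0 && height > SIZE_MAX / width) return NULL;        /* w*h would overflow */
    size_t pixel_bytes = (size_t)width * height;
    if (pixel_bytes > SIZE_MAX - sizeof(struct canvas)) return NULL; /* header + pixels would overflow */
    struct canvas *c = budgeted_alloc(sizeof(struct canvas) + pixel_bytes);
    if (c == NULL) return NULL;  /* allocation refused: report it, never offset from NULL */
    c->width = width;
    c->height = height;
    return c;
}
```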
Good deal man, thanks for the clarification.
So maybe it is fair to say that being able to manipulate the size and/or contents of the heap is a way to control execution in bugs which otherwise might just be crashes...?
/me has lotsa learnin to do :D