Understanding and Exploiting Windows Vista Heap Overflows
Simple stack overflows are mostly dead. Other low-hanging fruit, such as straightforward heap overflows, is becoming less common too.
The game these days is not only to find the more obscure heap overflows, but also to exploit them reliably. There is a big difference between a run-of-the-mill Full Disclosure PoC exploit and a reliable exploit fit for commercial use.
This is a 2 to 4 day class of intensive theory and hands-on training on understanding and exploiting heap overflows on the Windows platform. Basic knowledge of x86 assembly and stack overflow exploitation is needed prior to taking this class.
Course Outline:
Day 1 - Basics
Introduction: Immunity, Inc. instructors will introduce themselves as well as the company. Attendees will introduce themselves and underline an aspect of the class they are particularly interested in.
Knowing the basics: Immunity, Inc. instructors will go over the various terms that will be used during the class as well as the concepts involved. The state of the art of exploitation will be presented through various real-life examples. We will introduce Python briefly and review x86 assembly basics.
CANVAS framework: We will introduce the CANVAS framework. We will present VisualSploit, a visual tool for exploit creation, and the CANVAS structure and functionality. We will explain how a basic CANVAS exploit is organized.
Immunity Debugger: An introduction to Windows debugging will be given with Immunity Debugger - a debugger designed for exploit development. We will also cover relevant Immunity Debugger extended features.
Windows Heap Introduction: An introduction to how the Windows 2000 heap works, including the internal structure and the main algorithms. Attendees will build on theory with a hands-on exercise.
Windows Heap Exploitation: An introduction to the common techniques used in the process of heap exploitation. Attendees will attack a specially built network service and make it crash. They will debug the target, understand the heap corruption and try to obtain a memory write.
Day 2: Simple Exploit Development
Windows Heap Exploitation: We will go over most of the problems that can appear when exploiting heap overflows, covering all the alternatives for obtaining a memory write. These include forward and backward coalescing and lookaside unlinking.
Heap Layout Crafting: Introduction to the techniques used to craft the heap layout, including reverse engineering techniques for finding soft and hard memory leaks. Attendees will apply this new concept to the given examples.
Advanced Heap Exploitation: Attendees will learn by example the different techniques to obtain shellcode execution when exploiting a Windows service bug. Techniques such as write8 and lookaside overwrite will be explained.
Exploit reliability: Reliability is a common issue in publicly available exploits. Some time will be spent explaining how one can make an exploit work against a larger variety of targets, including different versions of Windows and different localizations. The case study of MS06-040 will be analyzed to present a very specific but reliable way of writing a portable exploit.
Heap Overflows and Function Pointers: Various techniques will be explained for identifying function pointers that help transform a memory overwrite into shellcode execution. Attendees will use their recently gained debugging knowledge to discover function pointers.
Shellcoding: Specially crafted shellcode will be explained and used by the attendees to obtain remote access to a target. Concepts such as heap injection, forkloading and SeDebugPrivilege permissions will be explained.
Day 3: Advanced Exploit Development: Windows 2003
Protection measures: Microsoft has implemented some protections in Windows 2003 versions in order to reduce the exploitability of bugs. We will discuss mechanisms such as non-executable pages, heap cookie, safe unlink, DEEP and how to overcome them.
Windows 2003 bypassing: Cutting-edge techniques will be explained to understand and bypass the latest security mechanisms. Techniques such as lookaside overwrite will be introduced. The case study will present a generic way to exploit heap overflows reliably on this operating system.
Exploiting DEP: Immunity, Inc. will discuss the problem of DEP protection mechanisms and how to overcome them. The concept of "ret into the win32 API" will be explained and attendees will apply it to the case study.
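The "memory write" that the Day 1 and Day 2 heap exploitation units build towards, and the safe unlink check listed under Day 3, modelled side by side in C. This is an added example, not part of Immunity's course material or of any Windows source: a toy doubly linked list stands in for the Flink/Blink pair of a free chunk, `struct victim`, `fake_shellcode`, `build_list` and `corrupt_entry` are hypothetical names, and nothing here is the real RtlHeap code. It shows why an overflow into a free chunk's two list pointers turns the next unlink into a write of an attacker-chosen value to an attacker-chosen address, why that write has a side effect on the "what", and how the safe unlink check refuses the corrupted entry.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy model of the Flink/Blink pair at the start of a free chunk's user
 * data.  Assumption: same shape as the real list entry, not the real layout. */
typedef struct list_entry {
    struct list_entry *flink;
    struct list_entry *blink;
} list_entry;

/* Unsafe unlink, the pre-Windows 2003 SP1 behaviour: the two pointers in
 * the chunk are trusted.  These two stores are the "memory write":
 * blink becomes the "where", flink the "what". */
static void unlink_unsafe(list_entry *e)
{
    list_entry *f = e->flink, *b = e->blink;
    b->flink = f;   /* *(where) = what */
    f->blink = b;   /* side effect: *(what + sizeof(void *)) = where */
}

/* Safe unlink: both neighbours must still point back at e, otherwise the
 * entry is refused and nothing is written.  Returns 1 on success, 0 when
 * corruption is detected. */
static int unlink_safe(list_entry *e)
{
    list_entry *f = e->flink, *b = e->blink;
    if (f->blink != e || b->flink != e)
        return 0;
    b->flink = f;
    f->blink = b;
    return 1;
}

/* Hypothetical structure the attacker wants to hijack: one pointer slot
 * standing in for whatever function pointer the exploit targets. */
struct victim {
    void *handler;
};

/* Attacker-controlled "what".  In a real exploit this is the shellcode
 * address; here it is writable memory so the side-effect store has a
 * harmless place to land.  It clobbers fake_shellcode[1], which is why
 * shellcode used with this technique starts with a short jump over the
 * bytes that get trashed. */
static uintptr_t fake_shellcode[4];

/* head <-> a <-> b circular list: the legitimate state before the overflow. */
static void build_list(list_entry *head, list_entry *a, list_entry *b)
{
    head->flink = a;  a->blink = head;
    a->flink = b;     b->blink = a;
    b->flink = head;  head->blink = b;
}

/* What an overflow from the preceding chunk into a's list pointers does:
 * both pointers are replaced with attacker-chosen values. */
static void corrupt_entry(list_entry *e, struct victim *v)
{
    e->blink = (list_entry *)&v->handler;    /* where: flink is at offset 0 */
    e->flink = (list_entry *)fake_shellcode; /* what */
}

/* Returns the value that lands in v.handler after the unsafe unlink. */
uintptr_t demo_unsafe_unlink(void)
{
    list_entry head, a, b;
    struct victim v = { NULL };
    memset(fake_shellcode, 0, sizeof fake_shellcode);
    build_list(&head, &a, &b);
    corrupt_entry(&a, &v);
    unlink_unsafe(&a);   /* what coalescing or allocating a triggers */
    return (uintptr_t)v.handler;
}

/* The address the attacker wanted written, for comparison. */
uintptr_t fake_shellcode_addr(void)
{
    return (uintptr_t)fake_shellcode;
}

/* Returns 1 if safe unlink refused the corrupted entry and v.handler is
 * still untouched, 0 otherwise. */
int demo_safe_unlink_blocks(void)
{
    list_entry head, a, b;
    struct victim v = { NULL };
    memset(fake_shellcode, 0, sizeof fake_shellcode);
    build_list(&head, &a, &b);
    corrupt_entry(&a, &v);
    int ok = unlink_safe(&a);
    return ok == 0 && v.handler == NULL;
}

/* Sanity check: the safe check still accepts an uncorrupted entry. */
int demo_safe_unlink_accepts_legit(void)
{
    list_entry head, a, b;
    build_list(&head, &a, &b);
    return unlink_safe(&a) == 1 && head.flink == &b && b.blink == &head;
}
```

The check in `unlink_safe` is cheap because it only reads memory the unlink was about to write anyway; it stops this particular write primitive but not overflows that target the lookaside lists or other metadata, which is why the course treats those separately.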
Day 4: The Vista Heap
Basic Vista Heap Concepts: Microsoft has rewritten the whole heap implementation, taking it to a new protection level and making exploitation very difficult. We will discuss non-public details of how the new Vista heap algorithm works. Attendees will work on practical examples with the debugger to understand the concepts.
Windows Vista Exploitation: Public and non-public techniques will be presented for exploiting the Vista heap. Attendees are expected to apply the techniques learned during the four days to bypass Vista protections and exploit a specially built network service.
Prerequisite Knowledge
* Basic stack overflow exploitation
* i386 assembly
* Python language familiarity
Prerequisite Materials
* a laptop with VMware (the host OS can be Linux or Windows)
* VMware images of:
* a Windows 2000 Workstation SP4
* a Windows 2003 SP1
* a Windows Vista