But what if you don't know where that location is, or what if it continually changes? Skylined's answer was just to fill the process's entire heap with nop sled and shellcode! This is called "spraying" the heap.

An attacker-controlled web page running in a browser with JavaScript enabled has a tremendous amount of control over heap memory. Scripts can easily allocate an arbitrary amount of memory and fill it with anything. To fill a large heap allocation with nop slide and shellcode, the only trick is to make sure that the memory used stays as a contiguous block and is not broken up across heap chunk boundaries. Skylined knew that the heap memory manager used by IE allocates large memory chunks in 0x40000-byte blocks with 20 bytes reserved for the heap header. So a 0x40000 – 20 byte allocation would fit neatly and completely into one heap block. InternetExploiter programmatically concatenated a nop slide (usually 0x90 repeated) and the shellcode to be the proper size allocation. It then created a simple JavaScript Array() and filled lots and lots of array elements with this built-up heap block. Filling 500+ MB of heap memory with nop slide and shellcode grants a fairly high chance that the IE memory error jumping off into "random" heap memory will actually jump into InternetExploiter-controlled heap memory.
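The shape described above (many identical 0x40000 – 20 byte blocks, each almost entirely 0x90 with a short payload at the end) is exactly what heap-spray detectors key on. The following is an added example, not code from the book or from InternetExploiter: a small defender-side heuristic that scores a set of heap blocks by the length of their longest nop run and by how many identical copies are present. The block size and nop byte come from the text; the thresholds (`min_ratio`, `min_identical`) and the payload marker are constructed assumptions for illustration.

```python
import re
from collections import Counter

# From the text: IE's large-heap block size minus its 20-byte header.
SPRAY_BLOCK_SIZE = 0x40000 - 20
NOP = 0x90


def longest_nop_run(block: bytes, nop: int = NOP) -> int:
    """Length of the longest contiguous run of the nop byte in block."""
    pattern = re.compile(re.escape(bytes([nop])) + b"+")
    return max((len(run) for run in pattern.findall(block)), default=0)


def sled_ratio(block: bytes, nop: int = NOP) -> float:
    """Fraction of the block taken up by its longest nop run (0.0 for empty)."""
    if not block:
        return 0.0
    return longest_nop_run(block, nop) / len(block)


def looks_like_spray_block(block: bytes, min_ratio: float = 0.5,
                           expected_size: int = SPRAY_BLOCK_SIZE) -> bool:
    """A block that exactly fills one heap chunk and is mostly nop sled."""
    return len(block) == expected_size and sled_ratio(block) >= min_ratio


def spray_score(blocks, min_ratio: float = 0.5, min_identical: int = 16) -> dict:
    """Summarise a set of heap blocks: how many look sprayed and how many of
    those are byte-for-byte identical. A spray fills the heap with copies of
    one built-up block, so a large identical count is the strongest signal.
    The thresholds are assumed values chosen for this illustration."""
    suspects = [b for b in blocks if looks_like_spray_block(b, min_ratio)]
    max_identical = max(Counter(suspects).values(), default=0)
    return {
        "suspect_blocks": len(suspects),
        "max_identical": max_identical,
        "flag": max_identical >= min_identical,
    }


# Constructed sample input: a spray-shaped block whose "payload" is a harmless
# ASCII marker, and an ordinary data block that merely happens to contain 0x90.
PAYLOAD_MARKER = b"<constructed-payload-placeholder>"


def make_spray_shaped_block() -> bytes:
    return bytes([NOP]) * (SPRAY_BLOCK_SIZE - len(PAYLOAD_MARKER)) + PAYLOAD_MARKER


def make_benign_block() -> bytes:
    full, rest = divmod(SPRAY_BLOCK_SIZE, 256)
    return bytes(range(256)) * full + bytes(range(rest))


if __name__ == "__main__":
    sample = [make_spray_shaped_block()] * 20 + [make_benign_block()] * 5
    print(spray_score(sample))
```

On the constructed sample the score reports 20 suspect blocks, all identical, and raises the flag; the benign blocks, whose longest 0x90 run is one byte, are never counted. Real detectors (EMET-style pre-allocation of popular spray addresses, or allocation-time sled scanning) work on the same two observations: the sled ratio and the repetition.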