
Shon Harris, Allen Harper, Chris Eagle, and Jonathan Ness

"Gray Hat Hacking, Second Edition"

With this simple arbitrary write capability an attacker can take
control of the vulnerable process. To design a mutation that prevents a specific overflow
attack, we need to cause the layout of the heap to change to something other than what
the attacker will expect based on his analysis of the vulnerable binary. Since the entire
point of the mutations we are discussing is to generate a simple patch that does not
require major revisions of the binary, we need to come up with a simple technique for
mutating the heap without requiring the insertion of new code into our binary. Recall
that we performed a stack buffer mutation by modifying the function prologue to
change the size of the allocated local variables. For heap overflows the analogous mutation
would be to modify the size of the memory block passed to malloc/new when we
allocate the block of memory that the attacker expects to overflow. The basic idea is to
increase the amount of memory being requested, which in turn will cause the attacker's
buffer layout to fall short of the control structures he is targeting. The following listing
shows the allocation of a 256-byte heap buffer:
; allocate a 256 byte buffer in the heap
push 256
call malloc
Following allocation of this buffer, the attacker expects that heap control structures lie
anywhere from 256 to 272 bytes into the buffer (refer to Chapter 8 for a refresher on the
heap layout).

