If we modify the preceding code to the following:
; allocate a 280 byte buffer in lieu of a 256 byte buffer
push 280
call malloc
then the attacker's assumptions about the location of the heap control structure become
invalid and his exploit becomes far more likely to fail. Heap mutations become somewhat
more complicated when the size of the allocated buffer must be computed at
runtime. In these cases, we must find a way to modify the computation so that it yields
a slightly larger size.
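As an added illustration (not code from the book), the following Python routine applies the mutation just described to a raw 32-bit x86 code buffer: it finds each `push imm32` that directly feeds a `call` and rewrites the immediate from the original size to a slightly larger one. The sample bytes and the assumption that the target uses `push imm32`/`call rel32` (cdecl) are constructed for the example; a real patch would locate the site with a disassembler rather than a byte scan.

```python
import struct

PUSH_IMM32 = 0x68  # x86 opcode: push imm32
CALL_REL32 = 0xE8  # x86 opcode: call rel32


def mutate_push_imm(code: bytes, old_size: int, new_size: int) -> tuple[bytes, int]:
    """Rewrite every `push old_size` immediately followed by a `call` so it
    pushes new_size instead. Returns (mutated code, number of sites patched).

    The patch is the same length as the original instruction, so no code
    moves and no jump targets or relocations need to be fixed up.
    """
    if not 0 <= new_size <= 0xFFFFFFFF:
        raise ValueError("new_size does not fit in a 32-bit immediate")
    old_imm = struct.pack("<I", old_size)  # little-endian imm32 as it sits in code
    new_imm = struct.pack("<I", new_size)
    out = bytearray(code)
    patched = 0
    i = 0
    # Need room for opcode + imm32 + the following call opcode (6 bytes).
    # Caveat: a linear byte scan can match inside another instruction's
    # operand; it is an assumption here that the buffer holds only the
    # allocation site we want to mutate.
    while i + 5 < len(out):
        if (out[i] == PUSH_IMM32
                and out[i + 1:i + 5] == old_imm
                and out[i + 5] == CALL_REL32):
            out[i + 1:i + 5] = new_imm
            patched += 1
            i += 5  # skip past the immediate we just rewrote
        else:
            i += 1
    return bytes(out), patched


# Constructed sample: push ebp / mov ebp,esp / push 256 / call <rel32> / add esp,4
SAMPLE_CODE = bytes.fromhex("55 89e5 68 00010000 e8 00000000 83c404")

if __name__ == "__main__":
    mutated, count = mutate_push_imm(SAMPLE_CODE, 256, 280)
    print(f"patched {count} site(s): {mutated.hex()}")
```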
Mutations Against Format String Exploits
Like stack overflows, format string exploits require the attacker to have specific knowledge
of the layout of the stack. This is because the attacker requires pointer values to fall
in very specific locations in the stack in order to achieve the arbitrary write capability
that format string exploits offer. As an example, an attacker may rely on indexed parameter
values such as "%17$hn" (refer to Chapter 8 for format string details) in her format
string. Mutations to mitigate format string vulnerabilities rely on the same layout modification
assumptions that we have used for mitigating stack and heap overflows. If we can
modify the stack in a way that causes the attackers' assumptions about the location of
their data to become invalid, then their exploit is likely to fail.