Heap Spraying: Introduction
In past several months, Heap spraying has become one of the most prevalent technique to exploit vulnerability in browser. IE “createTextRange()” and Mozilla Firefox “InstallVersion.compareTo()” are the examples of this technique. Because it is undocumented technique – actually not well document, I decide to start to study what is it and how it work.
This technique was introduced by hacker named “SkyLined”. He used Heap Spraying technique to attack the vulnerability in IE, MS04-040 and MS05-020. However I also found the technique like heap spraying, it was mentioned in Microsoft Internet Information Services Remote Buffer Overflow.
After I had read these exploit codes, I got some point about this technique. Heap spraying is used when the vulnerable program (IE, Firefox in this case) call or jmp into invalid memory. This invalid memory must be in the possible heap range address - not in DLL virtual address, PEB, TEB, etc. And it must not higher than 0x7fffffff because above this address is kernel address space. See
Windows Memory Layout for detail. This is one of the limitation of heap spraying technique.
So, what can we do if it jumps into the possible heap range but invalid memory? The answer depends on the nature of the vulnerable program. If we can't control (actually "injected") the application's heap - Gave Over. But if we can, we will inject heap as much as possible until the invalid memory become the valid memory. Sure, the injected heaps contain our nop + shellcode, so the vulnerable program will landing on our nop and shellcode :) That's why this technique is called "Heap Spraying"
I also create a simple picture to demonstrate the basic concept about it. Here's the picture.
Even though heap spraying concept is the simple one, its implementation quite complex. There are many things I must to find out...