7

I have been reading this article about an Internet Explorer exploit and I am a little confused about why the memory addresses affected by the heap-spray "work".

The paper states that the attack uses a heap-spray to spray ~320MB worth of 0x12121212's. This address was chosen because the attack has control over the memory in and around 0x12121212. In fact, at memory address 0x12121212 is where the ROP chain is placed.

I am confused why this works with ASLR enabled, wouldn't the memory addresses be randomized every time?

How is it that 0x12121212 can be used reliably?

MikeTGW
  • 173
  • 5

1 Answer

6

According to the Windows Internals 5th Edition book, the 5-bit ASLR bias for heaps is "multiplied by 64KB to generate the final base address, starting at 0, giving a possible range of 0x00000000 to 0x001F0000 for the initial heap".

As such, the initial heap for IE on Windows 7 will always be between 0x00000000 and 0x001F0000, with 32 possible locations. By filling the heap with 320MB of data (0x14000000 bytes), the attacker can almost certainly guarantee that the 0x12121212 address is filled:

  • Low address case (heap is created at 0x00000000): We fill all addresses from 0x00000000 to 0x14000000, so 0x12121212 is filled.
  • High address case (heap is created at 0x001F0000): We fill all addresses from 0x001F0000 to 0x141F0000, so 0x12121212 is filled.

This is mitigated in 64-bit Windows 8 and later when the application is compiled with the /HIGHENTROPYVA flag: the size of the ASLR bias for the heap is 24 bits, which results in 16,777,216 possible locations for the heap over a memory address space of 1TB.

You can find more information about ASLR in the BlackHat 2012 talk "Exploit Mitigation Improvements in Windows 8".

Polynomial
  • 132,208
  • 43
  • 298
  • 379
  • Sorry for taking so long to accept. The explanation makes perfect sense! – MikeTGW Jul 02 '16 at 03:42
  • 1
    No problem. As a minor clarification: in Windows 8 and later setting the `/HIGHENTROPYVA` flag *alone* in 64-bit applications places the application into an ASLR compatibility mode which reduces the overall entropy of the base address randomness. To avoid this, one should always also specify that the application is large-address aware (via the `/LARGEADDRESSAWARE` flag) and specify a preferred base address above the 64-bit boundary (i.e. 0x100000000 or higher). Both of these are true by default in 64-bit Microsoft compilers (default base is 0x180000000 for 64-bit executables). – Polynomial Jul 11 '16 at 16:20
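The coverage argument in the accepted answer, turned into a runnable check. This is an added example and not code from the question, the answer, or the paper being discussed. It assumes the figures the answer quotes (5 bits of heap-base entropy at 64 KiB granularity on 32-bit Windows 7; 24 bits at the same granularity on 64-bit Windows 8 and later with /HIGHENTROPYVA) and one simplification: the spray is treated as a single contiguous run of bytes starting exactly at the heap base, ignoring heap metadata and gaps between allocations. It goes slightly beyond the answer's two end-point cases: it counts how many of the candidate bases put 0x12121212 inside the spray, computes the smallest spray that would still hit the target from every base (which shows the binding constraint is the low base, 0x00000000, not the high one), and runs the same numbers against the 24-bit case to show why the trick stops working there.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added worked example (not from the original question or answer).
 * Models the heap-base randomisation figures quoted in the answer and
 * computes, for a contiguous spray of a given size, from how many of the
 * candidate heap bases a chosen target address would be sprayed.
 * Simplifying assumption: the spray is one contiguous run of bytes that
 * starts exactly at the heap base (heap headers and gaps are ignored).
 */

#define HEAP_ASLR_GRANULARITY 0x10000ULL   /* 64 KiB, per the answer */
#define WIN7_HEAP_ASLR_BITS   5            /* 32-bit Windows 7 heap, per the answer */
#define HEV_HEAP_ASLR_BITS    24           /* 64-bit Win8+ with /HIGHENTROPYVA, per the answer */

/* Figures from the IE exploit under discussion: ~320 MB spray, target 0x12121212. */
#define SPRAY_BYTES 0x14000000ULL
#define TARGET_ADDR 0x12121212ULL

/* Number of equally likely heap base addresses for the given entropy. */
uint64_t heap_base_count(unsigned bits)
{
    return 1ULL << bits;
}

/* Highest possible heap base: (2^bits - 1) * granularity. */
uint64_t heap_base_max(unsigned bits)
{
    return (heap_base_count(bits) - 1) * HEAP_ASLR_GRANULARITY;
}

/* Total span the heap base can be placed in: 2^bits * granularity. */
uint64_t heap_base_span(unsigned bits)
{
    return heap_base_count(bits) * HEAP_ASLR_GRANULARITY;
}

/* 1 if a spray of spray_bytes starting at base contains target, else 0. */
int spray_covers(uint64_t base, uint64_t spray_bytes, uint64_t target)
{
    /* target - base cannot overflow because base <= target is checked first. */
    return base <= target && target - base < spray_bytes;
}

/*
 * Count the candidate bases b (multiples of the granularity, 0 <= b <=
 * heap_base_max) for which spray_covers(b, spray_bytes, target) holds.
 * Closed form rather than a loop so the 2^24 case is instant.
 */
uint64_t covering_bases(unsigned bits, uint64_t spray_bytes, uint64_t target)
{
    /* Need b <= target and b + spray_bytes > target, i.e. b >= target + 1 - spray_bytes. */
    uint64_t lo = (target + 1 > spray_bytes) ? target + 1 - spray_bytes : 0;
    uint64_t hi = target < heap_base_max(bits) ? target : heap_base_max(bits);
    if (hi < lo)
        return 0;
    /* Round lo up to the next multiple of the granularity. */
    uint64_t first = (lo + HEAP_ASLR_GRANULARITY - 1) / HEAP_ASLR_GRANULARITY
                     * HEAP_ASLR_GRANULARITY;
    if (first > hi)
        return 0;
    return (hi - first) / HEAP_ASLR_GRANULARITY + 1;
}

/* Probability, over a uniformly chosen base, that the target lies inside the spray. */
double spray_hit_probability(unsigned bits, uint64_t spray_bytes, uint64_t target)
{
    return (double)covering_bases(bits, spray_bytes, target)
         / (double)heap_base_count(bits);
}

/*
 * Smallest contiguous spray that hits target from EVERY candidate base.
 * The binding constraint is base 0, which needs target + 1 bytes. If any
 * candidate base lies above the target, no spray size can guarantee a hit,
 * and 0 is returned to signal that.
 */
uint64_t min_guaranteed_spray(unsigned bits, uint64_t target)
{
    if (heap_base_max(bits) > target)
        return 0;
    return target + 1;
}

static void report(const char *label, unsigned bits)
{
    printf("%s: %u-bit heap entropy, %llu candidate bases, highest base 0x%llx, span %llu GiB\n",
           label, bits,
           (unsigned long long)heap_base_count(bits),
           (unsigned long long)heap_base_max(bits),
           (unsigned long long)(heap_base_span(bits) >> 30));
    printf("  spray of 0x%llx bytes hits 0x%llx from %llu bases (p = %.6f)\n",
           (unsigned long long)SPRAY_BYTES, (unsigned long long)TARGET_ADDR,
           (unsigned long long)covering_bases(bits, SPRAY_BYTES, TARGET_ADDR),
           spray_hit_probability(bits, SPRAY_BYTES, TARGET_ADDR));
    uint64_t need = min_guaranteed_spray(bits, TARGET_ADDR);
    if (need)
        printf("  smallest spray that always hits: 0x%llx bytes (%.1f MiB)\n",
               (unsigned long long)need, (double)need / (1024.0 * 1024.0));
    else
        printf("  no spray size guarantees a hit: some bases lie above the target\n");
}

int main(void)
{
    report("32-bit Windows 7", WIN7_HEAP_ASLR_BITS);
    report("64-bit Windows 8+ with /HIGHENTROPYVA", HEV_HEAP_ASLR_BITS);
    return 0;
}
```

Build and run with `cc -o spray spray.c && ./spray`. For the 5-bit case every one of the 32 bases is covered, and the spray only has to be at least 0x12121213 bytes (about 289 MiB) for that to hold, so the paper's 320 MB is the required size plus some margin; for the 24-bit case only the 4,627 bases at or below 0x12121212 cover it, a hit rate of under 0.03%. Keep in mind that this only answers the address-range question: in a real spray the target must also land at a usable offset inside one of the repeated spray blocks, which is a separate alignment problem that this model does not address.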