Heap Spray

Published on January 2017
A zero-day Internet Explorer flaw attempts to bypass ASLR (Address Space Layout Randomisation).
ASLR makes memory-corruption exploits such as buffer overflows harder by randomising the addresses at which executables and DLLs are loaded, so an attacker cannot rely on code or data sitting at a fixed address.
Non-ASLR modules can be loaded when the browser loads a page with 'ms-help://' in the URL: the module pulled in to handle that protocol was not compiled with ASLR support, so it is mapped at a predictable address every time and gives the attacker a fixed location to jump to.
This is a known ASLR bypass for Internet Explorer 8/9 on Windows 7.
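A practitioner reading the point about non-ASLR modules will want a way to check whether a given DLL opted into ASLR at all. The PE format records this in the DllCharacteristics field of the optional header: the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE bit (0x0040) must be set before the loader will randomise a module's base. The following C program is an added example written for this page, not code from the original document; it parses the headers of a PE file with bounds checks and reports that bit. The helper make_test_image builds a constructed minimal header skeleton (not a real DLL) so the checker can be exercised offline.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bit of IMAGE_OPTIONAL_HEADER.DllCharacteristics (PE/COFF specification). */
#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040 /* image may be relocated: ASLR opt-in */

enum { PE_ASLR_NO = 0, PE_ASLR_YES = 1, PE_BAD_IMAGE = -1 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk DOS header -> "PE\0\0" -> COFF header -> optional header and test DYNAMIC_BASE.
 * Every read is bounds-checked first so a truncated or hostile file cannot push the
 * parser out of the buffer. DllCharacteristics sits at optional-header offset 70 for
 * both PE32 (magic 0x10b) and PE32+ (magic 0x20b). */
int pe_dynamic_base(const uint8_t *img, size_t len)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return PE_BAD_IMAGE;
    uint32_t e_lfanew = rd32(img + 0x3C);
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 72) return PE_BAD_IMAGE;
    const uint8_t *pe = img + e_lfanew;
    if (memcmp(pe, "PE\0\0", 4) != 0) return PE_BAD_IMAGE;
    const uint8_t *coff = pe + 4;
    if (rd16(coff + 16) < 72) return PE_BAD_IMAGE;          /* SizeOfOptionalHeader */
    const uint8_t *opt = coff + 20;
    uint16_t magic = rd16(opt);
    if (magic != 0x10b && magic != 0x20b) return PE_BAD_IMAGE;
    return (rd16(opt + 70) & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) ? PE_ASLR_YES : PE_ASLR_NO;
}

/* Constructed test input: a minimal PE32 header skeleton (not a real DLL) carrying the
 * requested DllCharacteristics, so the checker can be exercised without a Windows box. */
size_t make_test_image(uint8_t *buf, size_t cap, uint16_t dllchar)
{
    const size_t e_lfanew = 0x80, opt_size = 0xE0;       /* PE32 optional header is 224 bytes */
    size_t need = e_lfanew + 4 + 20 + opt_size;
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = (uint8_t)e_lfanew;                        /* e_lfanew, little-endian */
    memcpy(buf + e_lfanew, "PE\0\0", 4);
    uint8_t *coff = buf + e_lfanew + 4;
    coff[0] = 0x4c; coff[1] = 0x01;                       /* Machine = i386 */
    coff[16] = (uint8_t)opt_size; coff[17] = 0x00;        /* SizeOfOptionalHeader */
    uint8_t *opt = coff + 20;
    opt[0] = 0x0b; opt[1] = 0x01;                         /* Magic = PE32 */
    opt[70] = (uint8_t)(dllchar & 0xff); opt[71] = (uint8_t)(dllchar >> 8);
    return need;
}

int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s <file.dll>\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror("fopen"); return 2; }
    static uint8_t buf[4096];                             /* headers live in the first page */
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    int r = pe_dynamic_base(buf, n);
    printf("%s: %s\n", argv[1],
           r == PE_ASLR_YES ? "DYNAMIC_BASE set (ASLR)" :
           r == PE_ASLR_NO  ? "no DYNAMIC_BASE (fixed load address)" : "not a PE image");
    return r == PE_ASLR_YES ? 0 : 1;
}
```

Run it over the modules a browser process has loaded: any DLL reported without DYNAMIC_BASE is mapped at its preferred ImageBase whenever that range is free, which is exactly the predictable address an ASLR bypass needs. On Windows 7 ASLR is opt-in per module, so a single legacy DLL pulled in by a URL handler is enough to undermine it for the whole process.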
Heap spray is where the attacker fills a large part of the heap with copies of the shell code, each preceded by a long run of NOPs (a NOP sled).
That way, when execution jumps to an arbitrary address in the heap, most of the heap has already been covered with NOPs and shell code, so there is a good probability that the jump lands on a NOP followed by the shell code, and the shell code then runs.
The whole point of the NOPs is that the attacker often has no precise control over the address at which the exploit takes over execution.
As long as the jump lands somewhere inside a NOP sled, execution slides straight through the NOPs into the shell code.
The exploit uses a use-after-free vulnerability, a type of memory corruption flaw in which the program keeps using a reference to memory after that memory has been freed.
When the stale reference is used, control is passed over to an address in the sprayed heap and the shell code runs.
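To make the probability argument concrete, here is an added C simulation written for this page (not code from the original document). It lays spray blocks of sled_len NOPs plus one copy of a constructed 16-byte shell-code stand-in across a buffer, then, for every possible landing offset, walks forward over NOPs exactly as the CPU would and checks whether execution reaches the start of a payload copy. The region size, sled lengths and stub bytes are constructed for the example; in Internet Explorer the spray itself is done from JavaScript by allocating many large strings, which this single buffer stands in for.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NOP 0x90   /* x86 single-byte NOP: the byte the sled is made of */

/* Constructed stand-in for the shell code (16 bytes, none of them 0x90, so the walker can
 * tell sled from payload). A real spray would place real machine code here. */
static const uint8_t SC_STUB[16] = {
    0xEB, 0xFE, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
    0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC
};

/* Fill the region with back-to-back spray blocks: sled_len NOPs followed by one copy of
 * the shell code. In a browser each block is one large string the page's script keeps
 * allocating; here the whole region is one buffer. Returns the number of blocks written. */
size_t spray(uint8_t *heap, size_t heap_len, size_t sled_len, const uint8_t *sc, size_t sc_len)
{
    size_t block = sled_len + sc_len, n = 0;
    for (size_t off = 0; off + block <= heap_len; off += block, n++) {
        memset(heap + off, NOP, sled_len);
        memcpy(heap + off + sled_len, sc, sc_len);
    }
    return n;
}

/* Model "control is passed over to the heap" at offset off: the CPU executes NOPs until it
 * reaches the first non-NOP byte. Returns 1 if that byte is the start of a shell code copy
 * (exploit succeeds) and 0 if execution ran off the sprayed region or landed part-way into
 * the shell code body, where the misaligned bytes would decode as garbage. */
int land(const uint8_t *heap, size_t sprayed_len, size_t off, size_t sled_len, size_t sc_len)
{
    size_t block = sled_len + sc_len;
    while (off < sprayed_len && heap[off] == NOP) off++;
    if (off >= sprayed_len) return 0;
    return (off % block) == sled_len;
}

/* Spray a heap_len-byte region with the given sled length and count how many of the heap_len
 * offsets, taken as landing addresses, reach the shell code. Returns -1 on allocation failure. */
long hit_count(size_t heap_len, size_t sled_len)
{
    uint8_t *heap = malloc(heap_len);
    if (!heap) return -1;
    memset(heap, 0x00, heap_len);                       /* unsprayed bytes: neither NOP nor payload */
    size_t sc_len = sizeof SC_STUB;
    size_t sprayed = spray(heap, heap_len, sled_len, SC_STUB, sc_len) * (sled_len + sc_len);
    long hits = 0;
    for (size_t off = 0; off < heap_len; off++)
        hits += land(heap, sprayed, off, sled_len, sc_len);
    free(heap);
    return hits;
}

int main(void)
{
    const size_t heap_len = 64 * 1024;
    const size_t sleds[] = { 0, 16, 256, 1024, 4096 };
    for (size_t i = 0; i < sizeof sleds / sizeof sleds[0]; i++) {
        long hits = hit_count(heap_len, sleds[i]);
        if (hits < 0) return 1;
        printf("sled %5zu bytes: %6ld of %zu heap offsets reach the shell code (%.1f%%)\n",
               sleds[i], hits, heap_len, 100.0 * hits / heap_len);
    }
    return 0;
}
```

With a 1024-byte sled and a 16-byte payload roughly 98.5% of landing offsets succeed; with no sled only one offset in sixteen does, which is the point of the NOPs: the sled turns an imprecise jump into a reliable one. The remaining failures are landings part-way into the payload, which is why sleds are made much larger than the shell code. The simulation also assumes the heap is executable, as the text does; with DEP enforced the sprayed bytes would not run as code.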
The shell code can then drop a malicious payload onto the computer.
The way this exploit reaches the user in the first place is through social engineering: the user has to be lured into opening the attacker's content.
This can be via an email attachment, an install file, etc.
