- Nov 5, 2011
- 5,855
On corelan.be : Exploit writing tutorial part 11 : Heap Spraying Demystified : https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/
QUOTE:
'Heap Spray Protections:
Nozzle & BuBBle
Nozzle and BuBBle are 2 examples of defense mechanisms against heap spraying attacks. Implemented inside the browser, they will attempt to detect a heap spray and prevent it from working.
The Nozzle research paper, published by Microsoft, explains that the Nozzle mechanism attempts to detect series of bytes that would translate into valid instructions. Nozzle will attempt to recognize recurring bytes that translate into valid instructions (a NOP sled for example), and prevent the allocation.
The BuBBle routine is based on the fact that heap sprays trigger allocations that contain the same (or very similar) content : a large nop sled + shellcode (or padding + rop chain + shellcode + padding). If a javascript routine attempts to allocate multiple blocks that have the same content, BuBBle will detect this and prevent the allocations.
This technique is now implemented in Firefox.
Both these techniques would be successful in blocking most heap sprays that deploy nops + shellcode (or even nops + rop + shellcode + nops in case of a precise heap spray). In fact, when I tested heap spraying against more recent versions of most mainstream browsers (Internet Explorer 9, Firefox 9), I discovered that both of them most likely implement at least one of these techniques.
EMET
EMET, a free utility from Microsoft, allows you to enable a variety of protection mechanisms that will decrease the likelihood an exploit can be used to take over your system. You can find a brief overview of what EMET offers here.
When enabled, the heapspray protection will pre-allocate certain “popular” regions in memory. If locations such as 0a0a0a0a or 0c0c0c0c are already allocated by something else (EMET in this case), your heapspray would still work, but your popular target address would not contain your data, so jumping to it would not make a lot of sense.
If you want more control over the kind of protections EMET will enable for a given application, you can simply add any executable and set the desired options.
HeapLocker
The HeapLocker tool, written by Didier Stevens, provides yet another protection mechanism against heap sprays. It deploys a number of techniques to mitigate a heap spray attack, including:
It will pre-allocate certain memory regions (just like EMET does), and injects some custom shellcode that will show a popup, and will terminate the application immediately.It will attempt to detect nop sleds and strings in memoryIt will monitor private memory usage, and allows you to set a maximum amount of memory a given script is allowed to allocate.Heaplocker is delivered as a dll file. You can make sure the dll gets loaded into every process using LoadDLLViaAppInit or by including the heaplocker dll in the IAT of the application you want to protect.' (Emphasis by me).
QUOTE:
'Heap Spray Protections:
Nozzle & BuBBle
Nozzle and BuBBle are 2 examples of defense mechanisms against heap spraying attacks. Implemented inside the browser, they will attempt to detect a heap spray and prevent it from working.
The Nozzle research paper, published by Microsoft, explains that the Nozzle mechanism attempts to detect series of bytes that would translate into valid instructions. Nozzle will attempt to recognize recurring bytes that translate into valid instructions (a NOP sled for example), and prevent the allocation.
The BuBBle routine is based on the fact that heap sprays trigger allocations that contain the same (or very similar) content : a large nop sled + shellcode (or padding + rop chain + shellcode + padding). If a javascript routine attempts to allocate multiple blocks that have the same content, BuBBle will detect this and prevent the allocations.
This technique is now implemented in Firefox.
Both these techniques would be successful in blocking most heap sprays that deploy nops + shellcode (or even nops + rop + shellcode + nops in case of a precise heap spray). In fact, when I tested heap spraying against more recent versions of most mainstream browsers (Internet Explorer 9, Firefox 9), I discovered that both of them most likely implement at least one of these techniques.
EMET
EMET, a free utility from Microsoft, allows you to enable a variety of protection mechanisms that will decrease the likelihood an exploit can be used to take over your system. You can find a brief overview of what EMET offers here.
When enabled, the heapspray protection will pre-allocate certain “popular” regions in memory. If locations such as 0a0a0a0a or 0c0c0c0c are already allocated by something else (EMET in this case), your heapspray would still work, but your popular target address would not contain your data, so jumping to it would not make a lot of sense.
If you want more control over the kind of protections EMET will enable for a given application, you can simply add any executable and set the desired options.
HeapLocker
The HeapLocker tool, written by Didier Stevens, provides yet another protection mechanism against heap sprays. It deploys a number of techniques to mitigate a heap spray attack, including:
It will pre-allocate certain memory regions (just like EMET does), and injects some custom shellcode that will show a popup, and will terminate the application immediately.It will attempt to detect nop sleds and strings in memoryIt will monitor private memory usage, and allows you to set a maximum amount of memory a given script is allowed to allocate.Heaplocker is delivered as a dll file. You can make sure the dll gets loaded into every process using LoadDLLViaAppInit or by including the heaplocker dll in the IAT of the application you want to protect.' (Emphasis by me).
