- Nov 5, 2011
- 5,855
Heap Spraying Demystified on old and newer browsers topic here ..
Exploit writing tutorial part 11 : Heap Spraying Demystified
Published December 31, 2011 | By Corelan Team (corelanc0d3r) - read on corelan.be: https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/
Quote:
'A lot has been said and written already about heap spraying, but most of the existing documentation and whitepapers have a focus on Internet Explorer 7 (or older versions). Although there are a number of public exploits available that target IE8 and other browsers, the exact technique to do so has not been really documented in detail. Of course, you can probably derive how it works by looking at those public exploits. A good example of such an exploit is the Metasploit module for MS11_050, including DEP bypass targets for IE8 on XP and Windows 7, which were added by sinn3r.
With this tutorial, I’m going to provide you with a full and detailed overview on what heap spraying is, and how to use it on old and newer browsers.
I’ll start with some “ancient” (“classic”) techniques that can be used on IE6 and IE7. We’ll also look at heap spraying for non-browser applications.
Next, I’ll talk about precision heap spraying, which is often a requirement to make DEP bypass exploits work on IE8 and newer browsers if your only option is to use the heap.
I’ll finish this tutorial with sharing some of my own research on getting reliable heap spraying to work on newer browsers such as Internet Explorer 9 and Firefox 9.'
Browser versions vs Heap Spray: http://i42.tinypic.com/2z86v6s.jpg - Direct link uploaded with tinypic.com!..
.
Exploit writing tutorial part 11 : Heap Spraying Demystified
Published December 31, 2011 | By Corelan Team (corelanc0d3r) - read on corelan.be: https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/
Quote:
'A lot has been said and written already about heap spraying, but most of the existing documentation and whitepapers have a focus on Internet Explorer 7 (or older versions). Although there are a number of public exploits available that target IE8 and other browsers, the exact technique to do so has not been really documented in detail. Of course, you can probably derive how it works by looking at those public exploits. A good example of such an exploit is the Metasploit module for MS11_050, including DEP bypass targets for IE8 on XP and Windows 7, which were added by sinn3r.
With this tutorial, I’m going to provide you with a full and detailed overview on what heap spraying is, and how to use it on old and newer browsers.
I’ll start with some “ancient” (“classic”) techniques that can be used on IE6 and IE7. We’ll also look at heap spraying for non-browser applications.
Next, I’ll talk about precision heap spraying, which is often a requirement to make DEP bypass exploits work on IE8 and newer browsers if your only option is to use the heap.
I’ll finish this tutorial with sharing some of my own research on getting reliable heap spraying to work on newer browsers such as Internet Explorer 9 and Firefox 9.'
Browser versions vs Heap Spray: http://i42.tinypic.com/2z86v6s.jpg - Direct link uploaded with tinypic.com!..
.
