
Thread: UAF object poisoning

  1. #1

    UAF object poisoning

    I have a question that has bothered me a lot lately regarding the UAF in the Aurora exploit (and in general all UAFs).
    I have seen slides (Operation Aurora Exploit Analysis, Dino Dai Zovi) in which, on WinXP with IE7, they start by fragmenting the heap with a loop of 128 iterations that creates "param" elements.

    What I don't get is:
    1. Why 128? (For IE6 in the same slides they use 200; I also don't understand why 200.)

    2. The flow we are doing is:
    A. allocate 200 "param" objects
    B. free the TreeNode object
    C. use the "name" attribute of "param" to allocate a precisely sized block like the one we freed.
    The question is, why would it take 128 repetitions of the same allocation to succeed in poisoning the freed object's memory?

    3. Does the loop count also depend on which SP this is, due to the changes in the memory manager in XP SP1, 2, 3?

    I have seen many articles about this and many examples, but none of them explain it correctly, and many also do it
    differently. For example, on the FuzzySecurity web site (FuzzySecurity | ExploitDev: Part 9) he explains a lot, but nothing about this issue of how to inject reliably; he just put in this loop regardless of the size of the object that was freed:

    for (var i=0;i<1150;i++) {
        objArray[i] = document.createElement('div');
        objArray[i].className = data += unescape("%u0c0c%u0c0c");
    }

    I think this is wrong because it just trusts luck about what state the heap will get into and does not really do it
    the way it should be done.

    I have also seen more examples that punch holes without any good explanation of why this loop count
    and why the holes help (I know that this technique is more related to heap overflows, where we need one object after another, etc.),
    exactly like the one shown in "Writing Exploits with the Elderwood Kit (Part 2)".

    I know I have asked a lot here, but I have never found answers to those questions, and I have read almost all there
    is on this matter and still came up with nothing clear.

    I really want to understand the reliability issue and how one should do it correctly and not blindly, and I hope that you could
    help in clearing this thing up.

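    As an added illustration for the questions above (not the original poster's code, nor Dino Dai Zovi's or FuzzySecurity's), a toy JavaScript model of a size-bucketed free list: how many same-sized allocations it takes before a freed chunk's address is handed back depends on how many other chunks of that size class were freed around it, and on whether the allocator reuses the newest (LIFO, lookaside-style) or the oldest (FIFO, list-style) free chunk first. The ToyHeap and allocationsUntilReuse names and the size values are constructed for the model and are not taken from any real allocator.

```javascript
// Toy model of a size-bucketed free list, constructed to show why the count of
// allocations needed before a freed chunk comes back depends on heap state and
// on the allocator's reuse policy. Not a real allocator and not exploit code.
class ToyHeap {
  constructor(policy) {
    this.policy = policy;       // "lifo" (lookaside-style) or "fifo" (list-style)
    this.nextAddr = 0x10000;    // pretend address of never-used memory
    this.freeLists = new Map(); // size class -> array of freed addresses
  }
  alloc(size) {
    const list = this.freeLists.get(size) || [];
    if (list.length > 0) {
      // LIFO hands back the most recently freed chunk, FIFO the oldest one
      return this.policy === "lifo" ? list.pop() : list.shift();
    }
    const addr = this.nextAddr;  // no free chunk of this size: carve a fresh one
    this.nextAddr += size;
    return addr;
  }
  free(size, addr) {
    if (!this.freeLists.has(size)) this.freeLists.set(size, []);
    this.freeLists.get(size).push(addr);
  }
}

// Scenario from the thread: a node of `size` bytes is freed while a pointer to
// it is still held; `before` and `after` unrelated chunks of the same size are
// freed around it, plus two chunks of another size class. Returns how many
// same-sized allocations happen before the stale address is handed out again.
function allocationsUntilReuse(policy, size, before, after) {
  const heap = new ToyHeap(policy);
  const chunks = [];
  for (let i = 0; i < before + after + 1; i++) chunks.push(heap.alloc(size));
  const other = [heap.alloc(size * 2), heap.alloc(size * 2)];
  for (let i = 0; i < before; i++) heap.free(size, chunks[i]);
  const stale = chunks[before];               // the freed node we still point at
  heap.free(size, stale);
  for (let i = before + 1; i < chunks.length; i++) heap.free(size, chunks[i]);
  other.forEach(a => heap.free(size * 2, a)); // other size classes must not matter
  for (let n = 1; n <= chunks.length; n++) {
    if (heap.alloc(size) === stale) return n; // the n-th allocation landed on it
  }
  return -1;                                  // not reused (cannot happen here)
}

// LIFO: chunks freed after the stale one sit in front of it -> after + 1
// FIFO: chunks freed before it sit in front of it          -> before + 1
console.log(allocationsUntilReuse("lifo", 0x40, 5, 3)); // 4
console.log(allocationsUntilReuse("fifo", 0x40, 5, 3)); // 6
```

    The model shows the loop count is a property of the heap's free-list state and policy at that moment, which is why it has to be measured per browser version and service pack in a debugger rather than derived from the freed object's size alone.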

  2. #2
    You need a debugger and Notepad. Try to change the numbers and start coding your own exploit from the vulnerability trigger.
    Play with the numbers and objects and analyse the changes in memory block sprays and sprayed block sizes. This is the only way to understand the behaviour of all browsers, as every browser behaves differently and therefore we have to develop different sprayers for different versions.

