Heap spraying

In computer security, heap spraying is a technique used in exploits to facilitate arbitrary code execution. The term is also used to describe the part of the source code of an exploit that implements this technique. In general, code that "sprays the heap" attempts to put a certain sequence of bytes at a predetermined location in the memory of a target process by having it allocate (large) blocks on the process' heap and fill the bytes in these blocks with the right values. Heap sprays commonly take advantage of the fact that these heap blocks will end up at roughly the same location every time the heap spray is run.

History
Heap sprays have been used occasionally in exploits since at least 2001 [http://research.eeye.com/html/advisories/published/AD20010618.html eEye Digital Security - Research], but the technique started to see widespread use in exploits for web browsers soon after the release of a series of exploits that used it to exploit a wide range of bugs in Internet Explorer [http://skypher.com/wiki/index.php?title=Www.edup.tudelft.nl/~bjwever/advisory_iframe.html.php Internet Explorer IFRAME src&name parameter BoF remote compromise] [http://skypher.com/wiki/index.php?title=Www.edup.tudelft.nl/~bjwever/details_msie_ani.html.php Internet Exploiter 3: Technical details] [http://skypher.com/wiki/index.php?title=Www.edup.tudelft.nl/~bjwever/advisory_msie_R6025.html.php Microsoft Internet Explorer DHTML Object handling vulnerabilities (MS05-20)] [http://www.frsirt.com/english/advisories/2005/0935 FrSIRT - Microsoft Internet Explorer javaprxy.dll COM Object Vulnerability / Exploit (Security Advisories)] [http://www.frsirt.com/english/advisories/2005/1450 FrSIRT - Microsoft Internet Explorer "Msdds.dll" Remote Code Execution / Exploit (Security Advisories)]. The heap sprays used in all these exploits were very similar, which showed the versatility and ease of use of the technique: it needed no major modifications between exploits. It proved simple enough to understand and use that novice hackers could quickly write reliable exploits for many types of vulnerabilities in web browsers and web browser plug-ins. Many web browser exploits that use heap spraying consist only of a heap spray that is copy-pasted from a previous exploit, combined with a small piece of script or HTML that triggers the vulnerability. Even though the technique was proven to work on other web browsers [http://www.milw0rm.com/id.php?id=1224 Mozilla Browsers 0xAD (HOST:) Remote Heap Buffer Overrun Exploit (v2)], it has not seen the same widespread use as it has for Internet Explorer.
Implementation
JavaScript
Heap sprays for web browsers are commonly implemented in JavaScript and spray the heap by creating large Unicode strings with the same character repeated many times, starting with a string of one character and concatenating it with itself over and over. This causes the length of the string to grow exponentially, up to the maximum length allowed by the scripting engine. When the maximum length (or an arbitrary lower length) is reached, the heap spraying code starts to make copies of the long string and stores them in an array, up to the point where enough memory has been sprayed. VBScript is sometimes (though very rarely) used to create the strings as well, because its "String" function makes this easy.

Images

Though it has been proven that heap spraying can be done through other means, for instance by loading image files into the process [http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#Sutton Michael Sutton & Greg MacManus: Punk Ode—Hiding Shellcode in Plain Sight], this has not seen widespread use (as of August 2008).
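As an added example that is not part of the original article, the following Python script is a small static heuristic a defender might run over page scripts to flag the spray structure described in the JavaScript section: a string grown by concatenating it with itself, then copied many times into an array, often starting from one repeated Unicode escape. The regular expressions, the scoring thresholds and the two sample scripts are constructed assumptions for illustration, not signatures from any real product.

```python
import re
from dataclasses import dataclass, field

# Each heuristic mirrors one step of the JavaScript heap spray described above:
# a string grown by concatenating it with itself, a loop that stores many
# copies of it in an array, and a literal built from one repeated escape.
SELF_CONCAT = re.compile(r"\b(\w+)\s*(?:\+=\s*\1\b|=\s*\1\s*\+\s*\1\b)")
ARRAY_FILL = re.compile(r"\b(\w+)\s*(?:\[\s*\w+\s*\]\s*=(?!=)|\.push\s*\()\s*(\w+)")
REPEATED_ESCAPE = re.compile(r"((?:%u|\\u)[0-9a-fA-F]{4})(?:\1){3,}")
LOOP = re.compile(r"\b(?:for|while)\s*\(")


@dataclass
class SprayReport:
    self_concat: list = field(default_factory=list)  # variables grown by s += s
    array_fill: list = field(default_factory=list)   # (array, stored variable) pairs
    repeated_escape: bool = False
    score: int = 0
    suspicious: bool = False


def scan_script(source: str) -> SprayReport:
    """Score a script for the heap-spray structure; purely static, nothing is executed."""
    report = SprayReport()
    grown = {m.group(1) for m in SELF_CONCAT.finditer(source)}
    report.self_concat = sorted(grown)
    report.array_fill = [(m.group(1), m.group(2)) for m in ARRAY_FILL.finditer(source)]
    report.repeated_escape = REPEATED_ESCAPE.search(source) is not None

    # Strongest signal: the self-doubled string is what gets copied into the array.
    linked = [pair for pair in report.array_fill if pair[1] in grown]
    score = 2 if grown else 0
    score += 3 if linked else (1 if report.array_fill else 0)
    score += 1 if report.repeated_escape else 0
    if LOOP.search(source) and (grown or report.array_fill):
        score += 1  # the growth or the copying happens inside a loop
    report.score = score
    report.suspicious = score >= 4  # constructed threshold, tune against real corpora
    return report


# Constructed sample inputs (not taken from any real exploit): the first shows
# the spray skeleton from the text, the second is ordinary string building.
SPRAY_LIKE = """
var unit = unescape("%u4141%u4141%u4141%u4141");
var block = unit;
while (block.length < 0x100000) block += block;
var slide = [];
for (var i = 0; i < 200; i++) slide[i] = block;
"""
BENIGN = """
var parts = [];
for (var i = 0; i < 10; i++) parts.push("row " + i);
var out = parts.join(", ");
"""

if __name__ == "__main__":
    for name, src in (("spray-like", SPRAY_LIKE), ("benign", BENIGN)):
        print(name, scan_script(src))
```

A scanner like this only catches the copy-pasted textbook shape; obfuscated sprays (split string literals, eval-built loops) need runtime or allocation-level monitoring instead.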
See also

* NOP slide, a technique which is complementary to heap spraying
Wikimedia Foundation. 2010.