WEBVTT

00:00.510 --> 00:03.300
Chapter 8 heap overflow attacks

00:08.240 --> 00:14.700
The unauthorized reproduction in whole or in part of this publication in any form is prohibited.

00:32.940 --> 00:35.940
Let's copy the required files into the temporary directory.

00:48.460 --> 00:54.040
We will now have a look at the program in the example. It uses a few memory areas, depending on how the data

00:54.050 --> 00:55.110
are located.

01:03.940 --> 01:06.690
Let's compile and analyze our program in the example.

01:18.440 --> 01:23.450
As we can see, the program has specified all used memory areas

01:36.120 --> 01:38.350
thanks to the objdump application.

01:38.430 --> 02:07.630
We can also gain insight into every memory area and analyze the code located in it.

02:07.660 --> 02:13.590
Now we will familiarize ourselves with another example, in this case operating only in the heap area.

02:16.920 --> 02:20.640
In the program the brk function has been used to change the heap size.

02:20.640 --> 02:22.730
Let's check how this function works.

02:25.110 --> 02:31.150
The function determines the end of the data area according to the argument and the data segment.

02:34.280 --> 02:40.800
The sbrk function, called with the zero argument, was used to obtain the current size of the data area.

02:44.650 --> 02:46.840
We will now check how the program is functioning.

02:50.650 --> 02:56.040
Let's now have a look at another example that we will use to demonstrate the overflow in the heap area.

03:30.570 --> 03:37.460
The overflow happened after a parameter of size above 16 bytes was transferred.

03:37.650 --> 03:49.940
The next example we will see will use the heap overflow.

03:50.020 --> 03:54.540
The program copies the data transferred as a call parameter without checking their length.

04:31.910 --> 04:33.560
After entering a call argument,

04:33.560 --> 04:37.660
it was possible to display the content of a file other than the intended file.

04:54.290 --> 04:58.420
If the susceptible program is working with the privileges of the system administrator,

04:58.430 --> 05:19.200
it is possible to read any file.

05:19.210 --> 05:24.220
Now let's try another example to demonstrate the use of overflow in the bss area.

05:48.500 --> 05:53.000
Let's try to change the course of the program in a way that, instead of adding, it divides.

05:59.830 --> 06:08.810
As we can see, when transferring an invalid argument the application ended with an error.

06:08.820 --> 06:13.460
The program tried to jump to an area that was not located in its address space.

06:15.570 --> 06:47.040
We can check the address of the fdiv division function and change the course of the program.

06:47.050 --> 06:49.640
We did it despite the add argument.

06:49.660 --> 06:54.290
The program performed the division operation which is visible on the screen.

06:54.310 --> 06:59.160
Now we will use our own shellcode to take advantage of the error in the example program.
