lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <7068df00-8b0b-e29b-ad6a-bd6d217e43fb@nwever.nl>
Date: Fri, 18 Nov 2016 11:32:28 +0100
From: Berend-Jan Wever <berendj@...ver.nl>
To: fulldisclosure@...lists.org, Bugtraq <bugtraq@...urityfocus.com>
Subject: [FD] Tetris heap spraying: spraying the heap on a budget

L.S.

Over the past decade, heap sprays have become almost synonymous with
exploits in web-browsers. After having developed my first practical
implementation of a heap spray about ten years ago, I found that the
amount of memory needed in some cases was too much for a realistic
attack scenario. I needed a new kind of heap spray that did not allocate
as much RAM as traditional heap sprays do. So, I developed a heap spray
that uses significantly less RAM than a traditional heap spray does. In
practice it uses about 33% less in most cases, but theoretically it
could be much, mush less in ideal situations. This
technique requires only the ability to free some of the blocks of memory
used to spray the heap during spraying and should otherwise be
applicable to every existing implementation.

I wrote an article on my blog that describes the technical details of
this technique, you can find it here:

http://blog.skylined.nl/20161118001.html

I recently used this technique in a Proof-of-Concept for a vulnerability
in Microsoft Edge. You can find details about that vulnerability and the
PoC here:

http://blog.skylined.nl/20161118002.html

Cheers,

SkyLined

Download attachment "0x2557C5AA.asc" of type "application/pgp-keys" (2036 bytes)

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ