Heap Exploitation
- Heap exploitation abstraction by example (OWASP AppSec Research 2012 talk)
- Project Heapbleed (ZeroNights and Balccon 2014 material)
Adobe Flash
CENSUS researcher Chariton Karamitas published in Phrack magazine Volume 0x0f, Issue 0x45 an article on the exploitation of an Adobe Flash Player bug.
jemalloc (NetBSD, FreeBSD, vlc, Firefox, Android)
We have investigated in depth the exploitation of the jemalloc memory allocator and the Mozilla Firefox browser. Our research on this subject is divided into four parts.
The first part covers an in-depth analysis of the jemalloc memory allocator as used in the libc of the FreeBSD and NetBSD operating systems:
- Pseudomonarchia jemallocum [Phrack Volume 0x0e, Issue 0x44]
- Exploiting VLC: A case study on jemalloc heap overflows [Phrack Volume 0x0e, Issue 0x44]
The second part of our research applied the exploitation primitives identified in the first part to the Mozilla Firefox browser. This work was presented a) in Las Vegas at the Black Hat USA 2012 information security conference, and b) in Athens at AthCon 2013:
- Exploiting the jemalloc Memory Allocator: Owning Firefox's Heap, Black Hat USA 2012 Briefings [slides] [source code]
- Firefox Exploitation, AthCon 2013 [slides]
The third part defines a reusable exploitation methodology against the latest versions of the Mozilla Firefox browser in the context of the modern protections provided by most operating systems. It was presented in Miami Beach at the INFILTRATE offensive security conference:
- OR’LYEH? The Shadow over Firefox, INFILTRATE Security Conference 2015 [slides] [source code]
The fourth part of our research on jemalloc focused on the Android operating system. As the jemalloc allocator became the libc allocator of Android, CENSUS researchers Tsaousoglou and Argyroudis released the shadow v2 tool at INFILTRATE 2017 that enables vulnerability researchers to explore Android heap structures and cuts down on the time needed to develop a heap corruption exploit for an Android application.