Understanding Heap Spraying


So I’ve been quiet over the last week or two, grappling with some fun hacking concepts, but I believe I am finally getting somewhere. In my most recent glossary post I made a modest attempt at explaining what happens when a computer is subjected to a buffer overflow. Heap spraying is not the same as a buffer overflow, but they are in the same family of exploits: the family that attacks by using weaknesses in memory management.

So how does heap spraying work? Like a buffer overflow, it overwrites data in memory, but whereas a buffer overflow puts more data into memory than the program has control of, heap spraying is targeted and only inserts data into certain parts of memory.

[Figure: Block of memory before and after spray]

The hope is that the spray will force useful code into a place in memory which can then be pointed to and triggered, making the computer carry out whatever task the code residing in that data instructs it to do.

There can be difficulties if the computer starts reading the code from halfway through, as it will just get confused and possibly crash. To get around this problem, the data put into memory is bundled with blanks called NOPs (no operation); each NOP tells the computer to move on to the next bit of code. So if the computer gets pointed at some of the data and lands in the NOP section, it will run through the NOPs until it reaches code that will actually do something.

In terms of this project it would make sense to have data that was mostly NOPs and a small amount of code that started updates or other healing processes. This could then be sprayed into memory many times, at many places, so that there was no chance the computer would miss the code.
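The "mostly NOPs" layout described above is also what makes sprayed memory recognisable from the defender's side: long runs of the same one-byte no-op opcode are the signature that memory scanners and intrusion-detection heuristics look for. The following is an added example written for this post, not code from the original or from the project it describes. It scans a byte buffer for sled-like runs and reports how much of the buffer they cover. The opcode list, the `min_run` threshold and the sample buffer are all assumptions chosen for illustration.

```python
"""Added example (not from the original post): a simple NOP-sled detector.

A sprayed payload is mostly NOP filler, so a long run of one repeated
single-byte no-op opcode is a cheap thing to look for in a memory dump
or a captured buffer. The opcode allow-list and the run threshold are
assumptions chosen for illustration.
"""
from typing import List, Tuple

# Assumed allow-list of x86 one-byte opcodes that behave as filler:
# 0x90 is NOP; 0x40-0x4f are INC/DEC of a general register on 32-bit x86,
# which attackers also use as filler because they do no real work.
SLED_OPCODES = {0x90} | set(range(0x40, 0x50))


def find_nop_sleds(buf: bytes, min_run: int = 32) -> List[Tuple[int, int, int]]:
    """Return (offset, length, opcode) for every run of a single sled
    opcode that repeats at least `min_run` times in `buf`."""
    hits: List[Tuple[int, int, int]] = []
    i, n = 0, len(buf)
    while i < n:
        b = buf[i]
        if b not in SLED_OPCODES:
            i += 1
            continue
        # Extend the run while the same byte repeats.
        j = i + 1
        while j < n and buf[j] == b:
            j += 1
        if j - i >= min_run:
            hits.append((i, j - i, b))
        i = j
    return hits


def sled_ratio(buf: bytes, min_run: int = 32) -> float:
    """Fraction of the buffer covered by detected sleds. A value near 1.0
    is the 'mostly NOPs' shape the post describes."""
    if not buf:
        return 0.0
    covered = sum(length for _, length, _ in find_nop_sleds(buf, min_run))
    return covered / len(buf)


# Constructed sample buffer: 48 bytes of text, a 64-byte NOP run, 9 bytes of text.
SAMPLE = b"hello world " * 4 + b"\x90" * 64 + b"tail data"

if __name__ == "__main__":
    for off, length, op in find_nop_sleds(SAMPLE):
        print(f"sled at offset {off}: {length} x 0x{op:02x}")
    print(f"sled ratio: {sled_ratio(SAMPLE):.2f}")
```

Because the allow-list overlaps printable ASCII (0x41-0x4f are the letters A to O), a run of repeated capital letters in ordinary data will trip this check; a real detector would raise `min_run`, require the run to be followed by bytes that decode as valid instructions, or combine the heuristic with other signals before alerting.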

1 thought on “Understanding Heap Spraying”

  1. Pingback: Payload Ready | Ethical Hacking Honours Project – Drive-by Healing
