Saturday, January 27, 2018

How about expanding your knowledge on Intrusion Detection or Incident Handling, Hacker Techniques and Exploits? Then come hangout at one of my upcoming SANS classes to learn more

Upcoming Courses Taught By Nik Alleyne
TypeCourse / LocationDateRegister

Community SANS
Community SANS Kansas City SEC504 Kansas City, MO
Apr 16, 2018 - 
Apr 21, 2018

Community SANS
Community SANS Toronto SEC504 Toronto, ON
Apr 30, 2018 - 
May 5, 2018

Community SANS
Community SANS Virginia Beach SEC503 Virginia Beach, VA
May 7, 2018 - 
May 12, 2018

Community SANS
Community SANS Columbia SEC503 Columbia, MD
Aug 13, 2018 - 
Aug 18, 2018
*Course contents may vary depending upon location, see specific event description for details.

Beginning Windows Exploit Development - Understanding Heap Spraying

This post is based on understanding the heap as a payload delivery mechanism especially when exploiting browsers, flash, PDF, etc.

Before we get started, I must state clearly that this information is based on the guidance provided from corelan.be website as shown in the references section.

For some folks reading my material may be easier, for others reading the material from Corelan.be will be easier. Whichever you choose, please note that this is all based on the guidance provided by those folks and thus nothing here is my original work.

Now that the attribution is out of the way. Let's get going.

Some key points.
- Heap spraying, heap overflow and heap exploitation are not the same
- Heap spraying is a payload delivery technique
- The heap is deterministic
- Chunks of memory of the heap must be filled before gaining control of EIP
- Browsers are good candidates for heap spraying because they support scripting languages such as VBScript or JavaScript
- The concept is not limited to browsers but also can be used on AdobeReader, etc.
- For heap spraying to work, you must be able to deliver the shellcode to the correct location of memory before taking control of EIP
- The follow order must be followed: Spray the heap -> Trigger the vulnerability -> Control EIP and point EIP to the heap

The lab I have is the same as corelan's so see his documentation in the reference section for the lab requirements

First up some code to help me to understand the heap:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
<!-- HeapSpray_Basic_Allocation.html 
 Author: Nik Alleyne
 Blog: securitynik.blogspot.com -->

<html>
 <title> SecurityNik - Learning about the heap </title>
 <body>
  <script language='javascript'>
   var myvar = 'SecurityNik';
   var myvar = new String('securitynik.blogspot.com');
   alert('We\'re done allocating memory!');
  </script>
 </body>
</html>

The file was then opened with IE 7. Next up was to attach WinDbg to the "IEXPLORE.EXE" process.

Searching memory in WinDbg for the ASCII string "securitynik.blogspot.com" we get:

1
2
3
4
5
0:005> s -a 0x00000000 L?0x7fffffff "securitynik.blogspot.com"
001a751c  73 65 63 75 72 69 74 79-6e 69 6b 2e 62 6c 6f 67  securitynik.blog
001a75e2  73 65 63 75 72 69 74 79-6e 69 6b 2e 62 6c 6f 67  securitynik.blog
001a8880  73 65 63 75 72 69 74 79-6e 69 6b 2e 62 6c 6f 67  securitynik.blog
001a8946  73 65 63 75 72 69 74 79-6e 69 6b 2e 62 6c 6f 67  securitynik.blog

When we look for Unicode string "securitynik.blogspot.com" we get:

1
2
3
4
5
6
7
8
9
0:005> s -u 0x00000000 L?0x7fffffff "securitynik.blogspot.com"
00183b04  0073 0065 0063 0075 0072 0069 0074 0079  s.e.c.u.r.i.t.y.
001a8574  0073 0065 0063 0075 0072 0069 0074 0079  s.e.c.u.r.i.t.y.
001a8700  0073 0065 0063 0075 0072 0069 0074 0079  s.e.c.u.r.i.t.y.
01472034  0073 0065 0063 0075 0072 0069 0074 0079  s.e.c.u.r.i.t.y.
014721b0  0073 0065 0063 0075 0072 0069 0074 0079  s.e.c.u.r.i.t.y.
01a42eec  0073 0065 0063 0075 0072 0069 0074 0079  s.e.c.u.r.i.t.y.
01a43618  0073 0065 0063 0075 0072 0069 0074 0079  s.e.c.u.r.i.t.y.
01a4381c  0073 0065 0063 0075 0072 0069 0074 0079  s.e.c.u.r.i.t.y.

From above we can see the "00" infront of all the characters depicting they are 16 bits or 2 bytes wide.

Rewriting the code:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
<!-- HeapSpray_Basic_Allocation.html 
 Author: Nik Alleyne
 Blog: securitynik.blogspot.com -->

<html>
 <title> SecurityNik - Learning about the heap </title>
 <body>
  <script language='javascript'>
   var myvar = unescape('%u454E%u5359%u2141%u2121'); // 'NEYSA!!!'
   var myvar = new String('securitynik.blogspot.com');
   alert('We\'re done allocating memory!');
  </script>
 </body>
</html>

Then searching for the ASCII string "NEYSA!!!" using "s -a 0x00000000 L?7fffffff "NEYSA!!!"" we get:

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
0:016> s -a 0x00000000 L?7fffffff "NEYSA!!!"
001eaf64  4e 45 59 53 41 21 21 21-00 00 61 00 74 00 6f 00  NEYSA!!!..a.t.o.
001fa504  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
001fe51c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
00202534  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0020454c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
00206564  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0020857c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0020e43c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0021813a  4e 45 59 53 41 21 21 21-0d 0a 0d 0a 09 09 09 6d  NEYSA!!!.......m
0021a146  4e 45 59 53 41 21 21 21-0d 0a 0d 0a 09 09 09 6d  NEYSA!!!.......m
00223d74  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
00225d8c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
00227da4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
00229dbc  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0022bdd4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0022ddec  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
00232f94  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
00236f8c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
00238fa4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0023afbc  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0023ef7c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
00242f84  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
00246f8c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
00248fec  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0024b004  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0024d01c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02f5004c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02f52064  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02f5407c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02f56094  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02f580ac  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02f5a0c4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02f5c0dc  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02f5e0f4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02f6010c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02f62124  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02f6413c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02f66154  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02f6816c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02f6a184  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02f6c19c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02f6e1b4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02f701cc  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02f721e4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02f741fc  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02f76214  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02f7822c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02f7a244  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02f7c25c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02f7e274  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02f8028c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02f822a4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02f842bc  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02f862d4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02f882ec  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02f8a304  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02f8c31c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02f8e334  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02f9034c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02f92364  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02f9437c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02f96394  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02f983ac  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02f9a3c4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02f9c3dc  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02f9e3f4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02fa040c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02fa2424  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02fa443c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02fa6454  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02fa846c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02faa484  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02fac49c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02fae4b4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02fb04cc  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02fb24e4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02fb44fc  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02fb6514  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02fb852c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02fba544  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02fbc55c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02fbe574  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02fc058c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02fc25a4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02fc45bc  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02fc65d4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02fc85ec  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02fca604  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02fcc61c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02fce634  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02fd064c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02fd2664  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02fd467c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02fd6694  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02fd86ac  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02fda6c4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02fdc6dc  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02fde6f4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02fe070c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02fe2724  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02fe473c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02fe6754  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02fe876c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02fea784  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02fec79c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02fee7b4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02ff07cc  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02ff27e4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02ff47fc  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02ff6814  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02ff882c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02ffa844  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02ffc85c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
02ffe874  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0300088c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030028a4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030048bc  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030068d4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030088ec  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0300a904  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0300c91c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0300e934  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0301094c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
03012964  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0301497c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
03016994  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030189ac  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0301a9c4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0301c9dc  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0301e9f4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
03020a0c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
03022f34  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
03024f4c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
03026f64  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
03028f7c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0302af94  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0302cfac  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0302efc4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
03030fdc  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
03032ff4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0303500c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
03037024  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0303903c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0303b054  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0303d06c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0303f084  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0304109c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030430b4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030450cc  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030470e4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030490fc  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0304b114  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0304d12c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0306004c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
03062064  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0306407c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
03066094  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030680ac  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0306a0c4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0306c0dc  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0306e0f4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0307010c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
03072124  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0307413c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
03076154  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0307816c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0307a184  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0307c19c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0307e1b4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030801cc  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030821e4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030841fc  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
03086214  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0308822c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0308a244  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0308c25c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0308e274  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
0309028c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030ac3b4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030ae3cc  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030b03e4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030b23fc  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030b4414  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030b642c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030b8444  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030ba45c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030bc474  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030be48c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030c04a4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030c24bc  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030c44d4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030c64ec  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030c8504  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030ca51c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030cc534  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030ce54c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030d0564  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030d257c  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030d4594  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030d65ac  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030d85c4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030da5dc  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030dc5f4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........

From the above, we see that "NEYSA!!!" is followed by NOOPs.

Dumping the memory at offset "030dc5f4":

1
2
3
4
5
6
7
8
9
0:016> d 030dc5f4
030dc5f4  4e 45 59 53 41 21 21 21-90 90 90 90 90 90 90 90  NEYSA!!!........
030dc604  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc614  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc624  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc634  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc644  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc654  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc664  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................

This shows our string "NEYSA!!!" followed by the NOPs.

Looking into the Process Environment Block (PEB) to identify the default heap we see:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
0:016> !peb
PEB at 7ffdb000
    InheritedAddressSpace:    No
    ReadImageFileExecOptions: No
    BeingDebugged:            Yes
    ImageBaseAddress:         00400000
    Ldr                       00251e90
    Ldr.Initialized:          Yes
    Ldr.InInitializationOrderModuleList: 00251f28 . 00255700
    Ldr.InLoadOrderModuleList:           00251ec0 . 002556f0
    Ldr.InMemoryOrderModuleList:         00251ec8 . 002556f8
            Base TimeStamp                     Module
          400000 41107b81 Aug 04 02:00:33 2004 C:\Program Files\Utilu IE Collection\IE600XPSP2\iexplore.exe
        7c900000 4802a12c Apr 13 20:11:24 2008 C:\WINDOWS\system32\ntdll.dll
        7e410000 4802a11b Apr 13 20:11:07 2008 C:\WINDOWS\system32\USER32.dll
  ------------- <  TRUNCATED FOR BREVITY >-------------
        72d20000 4802a12c Apr 13 20:11:24 2008 C:\WINDOWS\system32\wdmaud.drv
        77bd0000 4802a0ec Apr 13 20:10:20 2008 C:\WINDOWS\system32\midimap.dll
    SubSystemData:     00000000
    ProcessHeap:       00150000
    ProcessParameters: 00020000  
  ------------ <TRUNCATED FOR BREVITY> -------------

From above we see the default heap can be found at address: "ProcessHeap:       00150000"

Additionally, we can use the "!heap" extension to learn more about the heap. Let's do that.

Let's first leverage the "!heap -stat" command to dump all the process heaps associated with the process iexplore.exe


  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
0:016> !heap -stat
_HEAP 00db0000
     Segments            00000001
         Reserved  bytes 00400000
         Committed bytes 00400000
     VirtAllocBlocks     00000000
         VirtAlloc bytes 00000000
_HEAP 00150000
     Segments            00000003
         Reserved  bytes 00400000
         Committed bytes 0027a000
     VirtAllocBlocks     00000000
         VirtAlloc bytes 00000000
_HEAP 00900000
     Segments            00000001
         Reserved  bytes 00100000
         Committed bytes 00100000
     VirtAllocBlocks     00000000
         VirtAlloc bytes 00000000
_HEAP 00030000
     Segments            00000002
         Reserved  bytes 00110000
         Committed bytes 00043000
     VirtAllocBlocks     00000000
         VirtAlloc bytes 00000000
_HEAP 028c0000
     Segments            00000002
         Reserved  bytes 00110000
         Committed bytes 00014000
     VirtAllocBlocks     00000000
         VirtAlloc bytes 00000000
_HEAP 01290000
     Segments            00000001
         Reserved  bytes 00010000
         Committed bytes 0000c000
     VirtAllocBlocks     00000000
         VirtAlloc bytes 00000000
_HEAP 00da0000
     Segments            00000001
         Reserved  bytes 00010000
         Committed bytes 00007000
     VirtAllocBlocks     00000000
         VirtAlloc bytes 00000000
_HEAP 01280000
     Segments            00000001
         Reserved  bytes 00010000
         Committed bytes 00006000
     VirtAllocBlocks     00000000
         VirtAlloc bytes 00000000
_HEAP 012d0000
     Segments            00000001
         Reserved  bytes 00100000
         Committed bytes 00006000
     VirtAllocBlocks     00000000
         VirtAlloc bytes 00000000
_HEAP 00250000
     Segments            00000001
         Reserved  bytes 00010000
         Committed bytes 00006000
     VirtAllocBlocks     00000000
         VirtAlloc bytes 00000000
_HEAP 012b0000
     Segments            00000001
         Reserved  bytes 00010000
         Committed bytes 00004000
     VirtAllocBlocks     00000000
         VirtAlloc bytes 00000000
_HEAP 00ab0000
     Segments            00000001
         Reserved  bytes 00010000
         Committed bytes 00004000
     VirtAllocBlocks     00000000
         VirtAlloc bytes 00000000
_HEAP 003d0000
     Segments            00000001
         Reserved  bytes 00010000
         Committed bytes 00004000
     VirtAllocBlocks     00000000
         VirtAlloc bytes 00000000
_HEAP 02890000
     Segments            00000001
         Reserved  bytes 00010000
         Committed bytes 00003000
     VirtAllocBlocks     00000000
         VirtAlloc bytes 00000000
_HEAP 011f0000
     Segments            00000001
         Reserved  bytes 00040000
         Committed bytes 00003000
     VirtAllocBlocks     00000000
         VirtAlloc bytes 00000000
_HEAP 011b0000
     Segments            00000001
         Reserved  bytes 00040000
         Committed bytes 00003000
     VirtAllocBlocks     00000000
         VirtAlloc bytes 00000000
_HEAP 00ba0000
     Segments            00000001
         Reserved  bytes 00010000
         Committed bytes 00003000
     VirtAllocBlocks     00000000
         VirtAlloc bytes 00000000
_HEAP 00260000
     Segments            00000001
         Reserved  bytes 00010000
         Committed bytes 00003000
     VirtAllocBlocks     00000000
         VirtAlloc bytes 00000000
_HEAP 00350000
     Segments            00000001
         Reserved  bytes 00010000
         Committed bytes 00002000
     VirtAllocBlocks     00000000
         VirtAlloc bytes 00000000

Focusing specifically on the handle's allocation statistics for the heap at "00150000" we see:


 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
0:016> !heap -stat -h 00150000
 heap @ 00150000
group-by: TOTSIZE max-display: 20
    size     #blocks     total     ( %) (percent of total busy bytes)
    2010 c2 - 184c20  (63.27)
    18000 1 - 18000  (3.91)
    8000 3 - 18000  (3.91)
    4000 3 - c000  (1.95)
    4010 2 - 8020  (1.30)
    3ff0 2 - 7fe0  (1.30)
    20 307 - 60e0  (0.99)
    57f0 1 - 57f0  (0.89)
    614 d - 4f04  (0.80)
    2a4 16 - 3a18  (0.59)
    3980 1 - 3980  (0.58)
    800 6 - 3000  (0.49)
    580 8 - 2c00  (0.45)
    388 b - 26d8  (0.40)
    d8 2b - 2448  (0.37)
    20fa 1 - 20fa  (0.34)
    1034 2 - 2068  (0.33)
    200c 1 - 200c  (0.33)
    1000 2 - 2000  (0.33)
    1800 1 - 1800  (0.24)

Looking at above, it seems we have 63% of our chunks with 0x2010 bytes

Dumping the heap allocation looking for all the chunks with the size 0x2010 using "!heap -flt s 0x2010", we get.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
0:016> !heap -flt s 0x2010
    _HEAP @ 150000
      HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state
        00202528 0403 0000  [01]   00202530    02010 - (busy)
        00204540 0403 0403  [01]   00204548    02010 - (busy)
        00206558 0403 0403  [01]   00206560    02010 - (busy)
        00208570 0403 0403  [01]   00208578    02010 - (busy)
        00223d68 0403 0403  [01]   00223d70    02010 - (busy)
        00225d80 0403 0403  [01]   00225d88    02010 - (busy)
        00227d98 0403 0403  [01]   00227da0    02010 - (busy)
        00229db0 0403 0403  [01]   00229db8    02010 - (busy)
        0022bdc8 0403 0403  [01]   0022bdd0    02010 - (busy)
        0022dde0 0403 0403  [01]   0022dde8    02010 - (busy)
 ---------------- < TRUNCATED FOR BREVITY >-----------------
        030c24b0 0403 0403  [01]   030c24b8    02010 - (busy)
        030c44c8 0403 0403  [01]   030c44d0    02010 - (busy)
        030c64e0 0403 0403  [01]   030c64e8    02010 - (busy)
        030c84f8 0403 0403  [01]   030c8500    02010 - (busy)
        030ca510 0403 0403  [01]   030ca518    02010 - (busy)
        030cc528 0403 0403  [01]   030cc530    02010 - (busy)
        030ce540 0403 0403  [01]   030ce548    02010 - (busy)
        030d0558 0403 0403  [01]   030d0560    02010 - (busy)
        030d2570 0403 0403  [01]   030d2578    02010 - (busy)
        030d4588 0403 0403  [01]   030d4590    02010 - (busy)
        030d65a0 0403 0403  [01]   030d65a8    02010 - (busy)
        030d85b8 0403 0403  [01]   030d85c0    02010 - (busy)
        030da5d0 0403 0403  [01]   030da5d8    02010 - (busy)
        030dc5e8 0403 0403  [01]   030dc5f0    02010 - (busy)
    _HEAP @ 250000
    _HEAP @ 260000
    _HEAP @ 350000
    _HEAP @ 30000
    _HEAP @ 900000
    _HEAP @ 3d0000
    _HEAP @ ab0000
    _HEAP @ ba0000
    _HEAP @ da0000
    _HEAP @ db0000
    _HEAP @ 11b0000
    _HEAP @ 11f0000
    _HEAP @ 12d0000
    _HEAP @ 1280000
    _HEAP @ 1290000
    _HEAP @ 12b0000
    _HEAP @ 2890000
    _HEAP @ 28c0000

Dumping the beginning of the heap chunk at offset "030dc5e8" we get:

1
2
3
4
5
6
7
8
9
0:016> d 030dc5e8
030dc5e8  03 04 03 04 8d 01 08 02-00 20 00 00 4e 45 59 53  ......... ..NEYS
030dc5f8  41 21 21 21 90 90 90 90-90 90 90 90 90 90 90 90  A!!!............
030dc608  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc618  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc628  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc638  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc648  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc658  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................

Looks like we have our "NEYSA!!!" and NOPs. I'm curious as to how wide the space is. Let's see if it fits 512 bytes.

Dumping the address again while specifying a length.


 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
0:016> d 030dc5e8 L 200
030dc5e8  03 04 03 04 8d 01 08 02-00 20 00 00 4e 45 59 53  ......... ..NEYS
030dc5f8  41 21 21 21 90 90 90 90-90 90 90 90 90 90 90 90  A!!!............
030dc608  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc618  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc628  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc638  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc648  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc658  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc668  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc678  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc688  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc698  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc6a8  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc6b8  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc6c8  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc6d8  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc6e8  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc6f8  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc708  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc718  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc728  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc738  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc748  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc758  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc768  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc778  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc788  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc798  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc7a8  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc7b8  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc7c8  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
030dc7d8  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................

Ok! Looks like there is enough space there to hold some shellcode. However, I do understand that to increase the chance of success, the statistics above which shows 63% of the chunks with 0x0210 should probably be around 90+ percent as was the case with both Corelan and Fuzzy Security's entries.

At this point I believe I have enough of the basics I need to build on in the future.
Thanks Corelan and Fuzzy Security

References:
http://repository.root-me.org/Exploitation%20-%20Syst%C3%A8me/Microsoft/EN%20-%20Stack%20Bug%20-%20Exploit%20writing%20tutorial%20part%2011%20heap-spraying%20demystified.pdf
http://windbg.info/doc/1-common-cmds.html
https://www.w3schools.com/jsref/jsref_unescape.asp
https://www.fuzzysecurity.com/tutorials/expDev/8.html