It is a busy time for me and as you see I rarely find time to write on my own blog, but as promised in the past I'll keep on posting some of my notes. Today, for example, I want to stare a nice trick to bypassNoozle and (theoretically) Bubble; two of the most used anti heap spray techniques. Both of the techniques aim to block the "Heap Spray payload delivering". While Noozle recognizes a sprayed payload and block it, Bubble blocks the execution of the payload by messying up the memory.
Lets start to keep a quick and dirty look into the "Heap Spray Payload Delivery Technique". The following image shows how the payload is delivered through the "spray" technique.
 | ||
| Payload Delivering technique: Heap Spray (From Microsot Noozle paper) |
The attacker delivers to the target machine a significant number of payloads composed by a NOP sequence (white in the picture) and a final Shellcode (red in the picture). In order to guarantee high performances the kernel allocates memory randomly (ASLR) BUT in organized and atomic blocks. Dependining on the memory blocks size it happens to have contiguous payloads. Once the payloads have loaded into the memory the attacker needs to "fire" one of them by pointing EIP to the top-level addressese (NOP) which will eventually take the CPU to execute the desired Shellcode.
read more..........http://marcoramilli.blogspot.it/2013/03/nozzle-and-bubble-trick-to-jump-them.html