Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

In 2020 a critical vulnerability was discovered in the processing of DNS on Windows. Using this memory corruption bug, it was theorized that a malicious website could take over a computer just by using a few calls to DNS. This article is an explained POC on how this was actually weaponized.

The vulnerability is an integer overflow on a size allocation. The issue is that the size of the buffer is 16-bits and has a header size appended to it. So, by having a size of 0xFFFF and a header size of 0x2, the buffer size would underflow, resulting in a large buffer overflow.

Hitting this code was extremely complicated, from a DNS perspective though. In reality, DNS compression had to be used in order to trigger this bug, which I had no idea was a thing!

The awesome part of this article is the explanation of the exploitation method, mainly the heap grooming. WinDNS allocates its own memory pools of 0xA0, to prevent constant calls to the heap allocator. If the size is larger than 0xA0, then the regular Windows allocator is used. When the WinDNS buffered are freed, they are inserted into a singly linked list of chunks (LIFO) instead of going back to the native heap allocator.

With an integer underflow bug like this, we have created a wildcopy scenario. The memcpy will cause the code to crash, as we are writing outside of the bounds of the allocated heap after a while. In order to avoid this, the size of the overflown buffer had to be allocated at a specific size in order to have enough room to continue writing.

To keep the program from crashing because of overwritten data, the author allocates and frees a bunch of chunks. Now, when the data structures we do not want to corrupt are allocated, they will take these spots.

In order to leak memory, a structures size was overwritten with a larger value in order to induce an OOB read. Once this happens, the chunk above the overwritten chunk is freed, resulting in a pointer being inserted as part of the linked list. Because of the overwritten size from before, this will be leaked in the next request.

To break ASLR for program addresses, the author used the same trick from above to leak a program address. A structure called DNS_timeout was put into this place to leak library addresses and had a function pointer in it (to be used later).

The DNS libraries are compiled with control flow guard (CFG). So, getting code execution is not as simple as overwriting a function pointer, which would have been trivial to do via a function pointer used for leaks.

In order to bypass CFG, the author found the address of system. Then, they replaced the address of the function pointer with system. Here is the real kicker though: they controlled a parameter being passed in! So, they could control the string being passed to system in order to get RCE.

This is an awesome blog post into real world heap grooming and bypasses for Windows CFG.