Memory vulnerabilities are programmatic flaws in which the application improperly accesses or handles objects stored in memory. These vulnerabilities can result in memory corruption leading to arbitrary code execution or denial of service. Because memory exploits work outside the normal bounds of the operating system, many activities conducted during those exploits will not be logged. If you exploit a memory vulnerability, you must keep in mind that you have destabilized that particular service or the system. Set up your backdoor and get out. If you run a buffer overflow against a target, you usually cannot run the same overflow again until the target reboots and resets its memory.
Common exploits against Windows memory include:
- Use-After-Free—One of the simplest ways to corrupt memory. The attacker attempts to access memory that has been freed (is no longer needed) by the program. This can cause the program to crash or allow execution of arbitrary code.
- Buffer overflow—A difficult attack to develop but very powerful when done correctly. The attacker attempts to put more data in a program’s memory buffer than it can hold. This overruns the buffer’s boundaries, allowing malicious code to be entered (and executed) in adjacent memory addresses.
- Heap overflow—A type of buffer overflow that occurs in dynamically allocated memory addresses.
- Integer overflow—An arithmetic operation that creates a numeric value that is outside the range (too large or too small) of the bits assigned to represent it. It could allow an attacker to access arbitrary parts of memory for code execution.
- Memory leak denial of service—The intentional triggering of a memory leak to crash the program or take advantage of unexpected behavior due to low memory.
There are many Windows memory exploits available. A search on www.exploit-db.com for windows memory returns 97 entries. To find Metasploit modules that exploit Windows memory, open the msf console and enter these searches:
search integer platform:windows
search “Buffer Overflow” platform:windows -S great
search Use-After-Free platform:windows