Memory Corruption

Memory corruption exploits refer to security vulnerabilities and attack techniques where attackers manipulate program memory to gain unauthorised control, enabling execution of arbitrary code.

When would-be security researchers initially delve into binary exploitation, they often start with stack-based buffer overflows, where excessive data is written into a stack buffer, leading to the overwrite of the saved return address and facilitating unauthorised code execution.

This classic memory corruption technique allows for arbitrary code execution within the system by taking control of the eip register.

It's important to note that we are actually corrupting a portion of memory on the stack that eventually gets loaded into the eip register as the stack winds down after a function.

This may seem a very trivial distinction, but it is an important one to understand.

Achieving arbitrary code execution often involves corrupting memory that subsequently executes as part of the system's regular operations.

We will look at common vulnerability primitives that achieve, or help achieve this goal, shortly. User mode API calls trigger system calls, which trigger the execution of code within the kernel.

If we could somehow corrupt the memory in the kernel to point to our arbitrary shellcode, instead of the intended function, we can execute our shellcode with a simple user mode call to gain privilege escalation.

An example we will look at later is by overwriting the HalDispatchTable, the normal API function flow is shown below:

User mode call

The intention is that you should never be able to overwrite these pointers in memory, sometimes vulnerable code is written that allows us to do that.

This section is very brief, but it is important to understand that by overwriting function pointers we can take advantage of normal operations to gain arbitrary code execution; whether that be a reverse shell, privilege escalation shellcode or staging malware.