Over the years, exploitation objectives have changed alongside the efforts by vendors to protect their software. Exploitation has moved from remote exploits against Unix servers to a community focus on client-side targets, such as document viewers and browsers. Prime examples are the Aurora and IE "peers" zero-days actively exploited in the wild. These bugs answer many questions about what the new breed of attacker is focusing on, yet, all hype aside, the real lesson is this: botnet authors are learning how to fuzz for these vulnerabilities but are not able to write reliable exploits to accompany them.
With that premise in mind, this presentation intends to explore the techniques used to exploit the "use-after-free" bug class on Internet Explorer 8, diving into the API internals, reviewing the art of heap crafting and presenting new techniques to improve it.
Nicolas Waisman, Immunity. Nicolas Waisman joined Immunity in February 2004. Nicolas has experience in all areas of offense-related software security, from vulnerability analysis to exploit and trojan development. Nico is an internationally recognized heap expert and teaches Immunity's most advanced class, heap exploitation. Nico has taught government and commercial-sector students from all over the world in both private and public classroom settings.