In computer security, heap spraying is a technique used in exploits to facilitate arbitrary code execution. The term is also used to describe the part of the source code of an exploit that implements this technique. In general, code that sprays the heap attempts to put a certain sequence of bytes at a predetermined location in the memory of a target process by having it allocate (large) blocks on the process' heap and fill the bytes in these blocks with the right values. Heap sprays commonly take advantage of the fact that these heap blocks will end up at roughly the same location every time the heap spray is run.
Heap sprays have been used occasionally in exploits since at least 2001, but the technique started to see widespread use in exploits for web browsers soon after the release of a series of exploits that used it to exploit a wide range of bugs in Internet Explorer. The heap sprays used in all these exploits were very similar, which showed the technique's versatility and ease of use, needing no major modifications between exploits. It proved simple enough to understand and use to allow novice hackers to quickly write reliable exploits for many types of vulnerabilities in web browsers and web browser plug-ins. Many web browser exploits that use heap spraying consist only of a heap spray that is copy-pasted from a previous exploit, combined with a small piece of script or HTML that triggers the vulnerability.

Even though the technique has been proven to work on other web browsers, it has not seen the same widespread use as for Internet Explorer.
and spray the heap by creating large Unicode strings with the same character repeated many times, by starting with a string of one character and concatenating it with itself over and over. This causes the length of the string to grow exponentially, up to the maximum length allowed by the scripting engine. When the maximum length (or an arbitrary lower length) is reached, the heap spraying code starts to make copies of the long string and stores these in an array, up to the point where enough memory has been sprayed. VBScript is sometimes (though very rarely) used to create strings as well, because it is made easy by the String
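The paragraph above describes two things a defender can reason about concretely: the doubling growth of the string (a string of one character reaches a million characters after about twenty self-concatenations) and the end result in memory, namely large blocks filled with one short byte sequence repeated over and over. The following Python is an added example, not code from the article or from any exploit; it counts the doublings and then shows a simple page-based heuristic that flags spray-like regions in a memory snapshot. The snapshot, the 4 KiB page size, the 4-byte word width, the 90% threshold and the `b"FILL"` pattern are all constructed for the demonstration.

```python
"""Heuristic heap-spray detector for a memory snapshot.

Added example, not code from the article: it models what the text describes
(large heap blocks filled with one short byte sequence repeated over and
over) and shows a defender-side check for it. The snapshot, the page size,
the word width and the filler pattern below are all constructed.
"""
import random
from collections import Counter

PAGE = 4096        # assumed page size for the snapshot
WORD = 4           # width of the repeated unit we look for


def doublings_needed(target_len: int, start_len: int = 1) -> int:
    """Number of self-concatenations (s = s + s) needed before a string of
    `start_len` characters reaches at least `target_len` characters.
    This is the exponential growth the text describes: each step doubles."""
    steps, length = 0, start_len
    while length < target_len:
        length *= 2
        steps += 1
    return steps


def page_is_sprayed(page: bytes, threshold: float = 0.9) -> bool:
    """A page looks sprayed when a single WORD-byte value accounts for at
    least `threshold` of it. Ordinary heap data is far more varied."""
    words = [page[i:i + WORD] for i in range(0, len(page) - WORD + 1, WORD)]
    if not words:
        return False
    _, count = Counter(words).most_common(1)[0]
    return count / len(words) >= threshold


def find_sprayed_regions(snapshot: bytes) -> list[tuple[int, int]]:
    """Return [(start_offset, end_offset), ...] for maximal runs of flagged pages."""
    regions = []
    run_start = None
    for off in range(0, len(snapshot), PAGE):
        flagged = page_is_sprayed(snapshot[off:off + PAGE])
        if flagged and run_start is None:
            run_start = off
        elif not flagged and run_start is not None:
            regions.append((run_start, off))
            run_start = None
    if run_start is not None:
        regions.append((run_start, len(snapshot)))
    return regions


def sprayed_fraction(snapshot: bytes) -> float:
    """Fraction of the snapshot's bytes that lie inside flagged regions."""
    covered = sum(end - start for start, end in find_sprayed_regions(snapshot))
    return covered / len(snapshot) if snapshot else 0.0


def build_sample_snapshot(normal_pages: int = 8, sprayed_pages: int = 24) -> bytes:
    """Constructed snapshot: pages of varied 'ordinary' data followed by pages
    filled with one repeated WORD, which is what a spray leaves behind."""
    rng = random.Random(1234)                     # deterministic, so runs are reproducible
    normal = bytes(rng.getrandbits(8) for _ in range(normal_pages * PAGE))
    filler = b"FILL"                              # placeholder pattern, not a real spray value
    sprayed = filler * (sprayed_pages * PAGE // WORD)
    return normal + sprayed


if __name__ == "__main__":
    snap = build_sample_snapshot()
    print("doublings to reach 1 MiB from one character:", doublings_needed(1 << 20))
    print("sprayed regions (byte offsets):", find_sprayed_regions(snap))
    print("sprayed fraction: %.2f" % sprayed_fraction(snap))
```

The page-level vote is deliberately coarse: a spray has to cover a large share of the address space to be useful, so a detector that only asks "is most of this page one repeated value?" over many pages catches it without having to know which value was sprayed. Real heap data rarely repeats a single word for 90% of a page, which keeps the false-positive rate low on the constructed sample; on real dumps, zero-filled pages and large uninitialised buffers would need to be excluded first.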
Though it has been proven that heap-spraying can be done through other means, for instance by loading image files into the process, this has not seen widespread use (as of August 2008).
- NOP slide, a technique which is complementary to heap spraying