RE: Windows Heap Overflows In General



Dave wrote:
> e.g.
> call dword ptr [ecx + 14H]
>
> It's important to remember that heap overflows aren't just about
> overflowing character arrays that have been malloc()ed.

Yup, that's true. Playing with different sizes and different hex codes to
overflow can land you in many different spots such as

call [ecx + ??]
mov [ecx],[eax]
movsb
cmp al,?? -> mov something.

The main point I was trying to press is that we can use the routines to
write our egg into a known writable address. Albeit a tricky and time
consuming way, so the trick is to write a small jumper to known memory and
call the jumper. The jumper can then locate our main shell code and run it.

With the 4 bytes you are limited to something like [reg +/- 80] or so... But
you can do stuff like add esp,?? ret or prepend our jumper to known fixed hex
codes so that we can leave a byte or two out, giving us 6 bytes.

From the recent CFMX6 overflow: the exploit lands on the normal mov
[ecx],eax, carries on, checks a byte to see if there is more, and then uses
another byte to calculate the offset to where the next structure is. Even if
only one chunk structure has been overwritten, we now have control of where the
routine will look for the next structure. Massive amounts of repeated code
allow for a good chance to hit the spot.

Brett

> -----Original Message-----
> From: David Litchfield [mailto:david@xxxxxxxxxxxxxxx]
> Sent: Monday, 2 December 2002 22:29
> To: pen-test@xxxxxxxxxxxxxxxxx; vuln-dev@xxxxxxxxxxxxxxxxx
> Subject: Re: Windows Heap Overflows In General
>
>
> > *) Remember with heap based overflows you can write multiple sets of 4
> > bytes. It's not the registers you are overflowing, but a structure. What do
> > the other structure bytes control? Size does matter!
> > http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0105.html
> > * Where's our code at? It's not just esp that holds important variable
> > locations. Where do all those other numbers point?
>
> In the case of overflowing the data section of one object into the vtable of
> another object, you'll be overwriting function pointers, and when one is
> called you can redirect program control.
>
> e.g.
> call dword ptr [ecx + 14H]
>
> It's important to remember that heap overflows aren't just about
> overflowing character arrays that have been malloc()ed.
>
> Cheers,
> David Litchfield
> http://www.ngssoftware.com/
>
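The point David makes above, that a heap overflow corrupts the fields of whatever structure happens to sit next to the overflowed buffer rather than any register, is easy to see in a small program. The C below is an added illustration written for this archive page; it is not code from either poster and does not model any real allocator. It lays two objects out back-to-back in one flat region (a character-buffer object followed by an object whose first word stands in for a vtable pointer), runs an unchecked copy and a length-checked copy on the same oversized input, and reports whether the neighbour's vtable word survived. The struct names, the sentinel vtable value and the input bytes are all constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed layout: object A is a plain character buffer, object B begins
 * with a vtable pointer. Both live in one flat region so the out-of-bounds
 * write is observable and stays within defined behaviour for the demo. */
#define NAME_LEN 16

struct obj_a {                 /* data-only object, no vtable */
    char name[NAME_LEN];
};

struct obj_b {                 /* object whose first word is a vtable pointer */
    uintptr_t vtable;
    uint32_t id;
};

struct region {                /* stands in for two adjacent heap chunks */
    struct obj_a a;
    struct obj_b b;
};

#define SENTINEL_VTABLE ((uintptr_t)0x4000A0F0u)  /* constructed value */

static void region_init(struct region *r) {
    memset(r, 0, sizeof *r);
    r->b.vtable = SENTINEL_VTABLE;
    r->b.id = 7;
}

/* Byte offset of a.name inside the region (0 here, computed for clarity). */
static size_t name_offset(void) {
    return offsetof(struct region, a) + offsetof(struct obj_a, name);
}

/* Vulnerable pattern: copies `len` bytes into a.name with no check against
 * NAME_LEN, so any byte past the buffer lands in whatever follows it, here
 * b.vtable. The copy is clamped to the region only so the demo itself does
 * not write outside memory it owns. */
static void set_name_unchecked(struct region *r, const unsigned char *src, size_t len) {
    size_t room = sizeof *r - name_offset();
    if (len > room) len = room;
    memcpy((unsigned char *)r + name_offset(), src, len);  /* bug: bound should be NAME_LEN */
}

/* Hardened form: rejects input that does not fit, so the neighbour is untouched. */
static int set_name_checked(struct region *r, const unsigned char *src, size_t len) {
    if (len >= NAME_LEN) return -1;       /* leave room for the terminating NUL */
    memcpy(r->a.name, src, len);
    r->a.name[len] = '\0';
    return 0;
}

/* Returns 1 if object B's vtable word no longer holds its original value. */
static int vtable_clobbered(const struct region *r) {
    return r->b.vtable != SENTINEL_VTABLE;
}

/* Runs both copies on the same oversized input and returns how many of the
 * two left B's vtable intact: 1 means only the checked path preserved it. */
static int demo(void) {
    unsigned char input[NAME_LEN + sizeof(uintptr_t)];
    memset(input, 'A', sizeof input);   /* constructed oversize input */
    struct region r;
    int intact = 0;

    region_init(&r);
    set_name_unchecked(&r, input, sizeof input);
    intact += !vtable_clobbered(&r);    /* overwritten: counts 0 */

    region_init(&r);
    (void)set_name_checked(&r, input, sizeof input);  /* rejected, returns -1 */
    intact += !vtable_clobbered(&r);    /* preserved: counts 1 */
    return intact;
}

int main(void) {
    printf("vtable words intact: %d of 2\n", demo());
    return 0;
}
```

Compile with any C99 compiler; the unchecked path leaves `b.vtable` filled with the input bytes, which is the situation the thread describes: the overwritten word is only ever read when the program later dereferences it, so the corruption is silent until then. Allocators with chunk-header cookies or guard pages, and bounded copies like `set_name_checked`, are the practical defences against this class of bug.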