win32 heap overflow exploitation
Hi there folks,
I'm having a problem exploiting an application vulnerable to a heap overflow. I
can write 4 bytes to any place in memory.
mov dword ptr[eax], ecx
mov dword ptr[ecx+4], eax
I control ecx and eax. I tried overwriting the unhandledexceptionfilter pointer
(located at address 77ee044c) with a pointer to call [ebp-28]; this is where a
pointer to my shellcode is located.
eax=77ee044c <--- unhandledexceptionfilter pointer of my version of Windows
ecx=77f8ce83 <--- .text unwritable address points to -> call [ebp-28]
The second line, mov dword ptr[ecx+4], eax, is supposed to trigger an access violation
on write, because ecx is an unwritable address, thus invoking the exception handler.
Because the exception handler address is overwritten with a pointer to call [ebp-28],
it should theoretically execute call [ebp-28] and then my shellcode. But it's not
doing so. Maybe I'm doing something wrong. A little help on that would be great.
What else can I overwrite with my 4 bytes except exception pointers? eEye
mentioned overwriting PEB locking pointers. Could anyone please clarify it? I
couldn't find info on that. Any tips/tricks/methods/techniques/links/papers on
exploiting Windows based heap overflows would be greatly appreciated. Thanks