[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: win32 heap overflow exploitation



Possibly because...

You have overwritten unhandledexceptionfilter, assuming you have the correct
address, which will get called after an exception happens that is not
handled
by another exception handler. Thus the name..

So its possible that one of the 'program set' exception handlers is dealing
with the access violation exception caused by the second write. I came
across this same 'problem' when exploiting the first nsiislog.dll issue,
that
required a 'non SEH' exploit.

As eEye often mentions it is possible to overwrite other locations, such
as function pointers
http://www.eeye.com/html/Research/Advisories/AD20030910.html
and PEB locking pointers.
http://www.google.co.nz/search?hl=en&ie=UTF-8&oe=UTF-8&q=peb+riley+hassell

Of the two, the PEB pointers are the more consistent but using them creates
a set of new problems, which I will leave to you to figure out...

Brett


-----Original Message-----
From: Adik [mailto:netninja@xxxxxxxxxx]
Sent: Monday, October 27, 2003 12:29 AM
To: vuln-dev@xxxxxxxxxxxxxxxxx
Cc: pen-test@xxxxxxxxxxxxxxxxx
Subject: win32 heap overflow exploitation


Hi there folks,

I'm havin a problem exploiting an application vulnerable to heap overflow. i
can write 4 bytes to any place in the memory.

mov dword ptr[eax], ecx
mov dword ptr[ecx+4], eax

I control ecx and eax. I tried overwriting unhandledexceptionfilter pointer
(located at address 77ee044c) with a pointer to call [ebp-28] this is where
a
pointer to my shellcode is located.

eax=77ee044c   <--- unhandledexceptionfilter pointer of my version of
Windows
ecx=77f8ce83   <--- .text unwritable address points to -> call [ebp-28]

The second line mov dword ptr[ecx+4], eax suppouse to trigger access
violation
on write , because ecx is unwritable address thus invokin exception handler.
Because exception handler address is overwritten with pointer to call
[ebp-28],
it should theoretically execute call [ebp-28] then my shellcode. But its not
doin so. Maybe i'm doin somethin wrong. A little help on that would b great.

What else can i overwrite with my 4 bytes except exception pointers? eEye
mentioned overwriting PEB lockin pointers. Could anyone please clarify it? I
couldn't find info on that. Any tips/tricks/methods/techniques/links/papers
on
exploiting windows based heap overflows would b greatly appreciated. thanx


Adik

---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_pen-test_031023
and use priority code SF4.
----------------------------------------------------------------------------