
Re: win32 heap overflow exploitation

----- Original Message ----- 
From: "Adik" <netninja@xxxxxxxxxx>
To: <vuln-dev@xxxxxxxxxxxxxxxxx>
Cc: <pen-test@xxxxxxxxxxxxxxxxx>
Sent: Sunday, October 26, 2003 3:29 AM
Subject: win32 heap overflow exploitation

> Hi there folks,
> I'm having a problem exploiting an application vulnerable to a heap overflow. I
> can write 4 bytes to any place in memory.
> mov dword ptr[eax], ecx
> mov dword ptr[ecx+4], eax
> I control ecx and eax. I tried overwriting the unhandledexceptionfilter pointer
> (located at address 77ee044c) with a pointer to call [ebp-28]; this is where a
> pointer to my shellcode is located.
> eax=77ee044c   <--- unhandledexceptionfilter pointer of my version of Windows
> ecx=77f8ce83   <--- .text unwritable address points to -> call [ebp-28]
> The second line, mov dword ptr[ecx+4], eax, is supposed to trigger an access violation
> on write, because ecx is an unwritable address, thus invoking the exception handler.
> Because the exception handler address is overwritten with a pointer to call [ebp-28],
> it should theoretically execute call [ebp-28] and then my shellcode. But it's not
> doing so. Maybe I'm doing something wrong. A little help on that would be great.

Have you set a breakpoint on the filter to verify that the offset contains your data?
If using the unhandled exception filter, your data should also exist at [esi+4c].
> What else can I overwrite with my 4 bytes except exception pointers? eEye
> mentioned overwriting PEB locking pointers. Could anyone please clarify it? I
> couldn't find info on that. Any tips/tricks/methods/techniques/links/papers on
> exploiting Windows-based heap overflows would be greatly appreciated. Thanks

The PEB is the Process Environment Block; there is some documentation of the
structure at http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/Process/PEB.html
At PEB_BASE+0x20 and PEB_BASE+0x24 are pointers to the PEB lock and unlock routines.
As the PEB is always mapped at 7FFDF000, overwriting a lock pointer is a good route to take to achieve reliability across versions.
Remember to replace the function pointer address when your shellcode is executing.
> Adik
Barnaby Jack
Research Engineer
eEye Digital Security
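The reply above points out that the PEB lock and unlock routine pointers sit at fixed offsets (+0x20 and +0x24) of a PEB that is always mapped at 7FFDF000, which is exactly what makes them a target for a 4-byte write primitive. The same fixed layout makes the overwrite easy to detect after the fact: both routines normally resolve into ntdll, so any pointer that lands outside it is a sign of tampering. The following is an added example written for this edit, not code from either poster or from eEye. It audits a raw 32-bit PEB image (a constructed byte buffer, as a memory-forensics tool would read from a process dump) against a constructed module map; the field offsets come from the PEB layout the reply links to, while the module base addresses, sizes and the sample pointer values are assumptions made up for the example.

```python
import struct

# Added example, not from the thread. Field offsets in the 32-bit PEB on
# Windows 2000/XP, per the undocumented.ntinternals.net layout linked in the reply:
# FastPebLockRoutine at +0x20 and FastPebUnlockRoutine at +0x24. PEB_BASE is the
# fixed mapping address the reply names.
PEB_BASE = 0x7FFDF000
PEB_FIELDS = {
    0x20: "FastPebLockRoutine",
    0x24: "FastPebUnlockRoutine",
}
# On these Windows versions both routines are implemented in ntdll, so that is
# the only module a healthy pointer may resolve into.
EXPECTED_MODULE = "ntdll.dll"


def module_containing(addr, modules):
    """Return the name of the loaded module whose range covers addr, or None.

    modules maps module name -> (base address, image size)."""
    for name, (base, size) in modules.items():
        if base <= addr < base + size:
            return name
    return None


def read_peb_pointers(peb_image):
    """Extract the two lock-routine pointers from a raw 32-bit PEB image."""
    need = max(PEB_FIELDS) + 4
    if len(peb_image) < need:
        raise ValueError(f"PEB image too short: {len(peb_image)} < {need}")
    return {name: struct.unpack_from("<I", peb_image, off)[0]
            for off, name in PEB_FIELDS.items()}


def audit_peb_lock_pointers(peb_image, modules):
    """Flag lock-routine pointers that do not resolve into ntdll.

    Returns a list of (field, value, where) findings; an empty list means clean.
    'where' is the module the pointer lands in, or a marker if it lands in no
    mapped image at all (stack, heap, unmapped memory)."""
    findings = []
    for field, value in read_peb_pointers(peb_image).items():
        where = module_containing(value, modules)
        if where != EXPECTED_MODULE:
            findings.append((field, value, where or "unmapped/non-image"))
    return findings


def build_peb_image(lock, unlock, size=0x40):
    """Constructed test data: a zero-filled PEB image with only the two
    lock-routine pointers populated."""
    img = bytearray(size)
    struct.pack_into("<II", img, 0x20, lock, unlock)
    return bytes(img)


# Constructed module map: sample bases and sizes, not values from the thread.
MODULES = {
    "ntdll.dll":    (0x77F50000, 0x000A7000),
    "kernel32.dll": (0x77E60000, 0x000F0000),
}

if __name__ == "__main__":
    # Healthy PEB: both pointers inside ntdll -> no findings.
    clean = build_peb_image(0x77F5A000, 0x77F5A100)
    print("clean PEB findings:", audit_peb_lock_pointers(clean, MODULES))

    # Tampered PEB: lock routine redirected to a stack address (constructed).
    hijacked = build_peb_image(0x0012FF40, 0x77F5A100)
    for finding in audit_peb_lock_pointers(hijacked, MODULES):
        print("ALERT: %s = 0x%08X resolves to %s" % finding)
```

The check deliberately treats a pointer into any module other than ntdll as a finding too, since a redirect into kernel32 or an application DLL is just as abnormal for these two fields as a redirect onto the stack; a real tool would populate the module map from the dump's loader data rather than from constants.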