
List:       full-disclosure
Subject:    [Full-disclosure] Exploiting heap overflows in W2K
From:       Ivan Stroks <ivanstroks () yahoo ! co ! nz>
Date:       2006-07-31 19:46:23
Message-ID: 20060731194623.17944.qmail () web55213 ! mail ! re4 ! yahoo ! com



Hi list,
 
  I am trying to exploit a heap buffer overflow vulnerability and facing some problems; hope you could help.  I run the vulnerable program in VMware, attached with Olly.
 
  These are my problems:
 
  1. I control both EAX and ESI, when the program goes to 
 
     mov [esi], eax
     mov [eax + 4], esi
 
     First of all, I tried gaining control of execution through the PEB but, according to Halvar's presentation, there are some restrictions on what you can write in the header of the overflowed buffer.  Quoting:
     
     " Properties our block must have:
 
         Bit 0 of Flags must be set
         Bit 3 of Flags must be set
         Field_4 must be smaller than 0x40
         The first field (own size) must be larger than 0x80
 
         The block ‘XXXX99XX’ meets all  requirements"
 
     So, supposing the PEB pointer to overwrite is 0x7FFDF020, I would need to specify for example: XXXX20f0fd7f, but this does not match the required properties and so RtlFreeHeap exits.  I am sure I must be missing something here, but can't find it.
  2. An additional problem I am facing, due to the fact that this is my first heap overflowing session, is that when I trigger the vulnerability as soon as the program comes back from "revert snapshot" then I get to RtlFreeHeap ok, but if some other requests are performed to the program before, then I cannot reproduce that behaviour again and different behaviours and situations arise.  It is obvious that my exploit won't be the first request the program receives, so how can I manage this?
 
    Hope you could help!
    Regards
 
 IvaN!
 
 





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
