[REVS] Exploiting Freelist on Windows XP Service Pack 2
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 4 Jan 2006 17:27:26 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
- - - - - - - - -
Exploiting Freelist on Windows XP Service Pack 2
The whitepaper linked here explains methods to exploit freelist
overwrites in Windows XP SP2
Windows XP Service pack 2 introduced some new security measures in an
attempt to prevent the use of overwritten heap headers to do arbitrary
byte writing. This method of exploiting heap overflows, and the protection
offered by service pack 2, is widely known and has been well documented in
the past. What this paper will attempt to explain is how other
functionality of the heap management code can be used to gain execution
control after a chunk header has been overwritten. In particular this
paper takes a look at exploiting freelist overwrites.
Two new methods of exploitation are explained in this paper. The first
allows for the address of user supplied data to be written to a semi
arbitrary location. The other allows for a semi arbitrary address to be
returned to a HeapAlloc call.
The full paper, along with code samples can be found at:
<http://www.security-assessment.com/Whitepapers/Exploiting_Freelist_On_XPSP2.zip> Exploiting Freelist On Windows XP Service Pack 2
The information has been provided by
<mailto:brett.moore@xxxxxxxxxxxxxxxxxxxxxxx> Brett Moore.
The original article can be found at:
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [TOOL] arp_spoofer - Full ARP Packets Manipulation
- Next by Date: [TOOL] Oreka VoIP Sniffer
- Previous by thread: [TOOL] arp_spoofer - Full ARP Packets Manipulation
- Next by thread: [TOOL] Oreka VoIP Sniffer