[REVS] Exploiting Freelist[0] on Windows XP Service Pack 2



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Exploiting Freelist[0] on Windows XP Service Pack 2
------------------------------------------------------------------------


SUMMARY

The whitepaper linked here explains methods to exploit freelist[0]
overwrites in Windows XP SP2

DETAILS

Abstract:
Windows XP Service pack 2 introduced some new security measures in an
attempt to prevent the use of overwritten heap headers to do arbitrary
byte writing. This method of exploiting heap overflows, and the protection
offered by service pack 2, is widely known and has been well documented in
the past. What this paper will attempt to explain is how other
functionality of the heap management code can be used to gain execution
control after a chunk header has been overwritten. In particular this
paper takes a look at exploiting freelist[0] overwrites.

Two new methods of exploitation are explained in this paper. The first
allows for the address of user supplied data to be written to a semi
arbitrary location. The other allows for a semi arbitrary address to be
returned to a HeapAlloc call.

The full paper, along with code samples can be found at:
<http://www.security-assessment.com/Whitepapers/Exploiting_Freelist[0]_On_XPSP2.zip> Exploiting Freelist[0] On Windows XP Service Pack 2


ADDITIONAL INFORMATION

The information has been provided by
<mailto:brett.moore@xxxxxxxxxxxxxxxxxxxxxxx> Brett Moore.
The original article can be found at:
<http://www.security-assessment.com/Whitepapers/Exploiting_Freelist[0]_On_XPSP2.zip> http://www.security-assessment.com/Whitepapers/Exploiting_Freelist[0]_On_XPSP2.zip



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • [NT] Virtools Web PlayerMultiple Vulnerabilities (Buffer-Overflow, Directory Traversal)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Virtools does not validate filenames and their length, ... least 262 bytes overwrites the EIP register allowing possible execution of ...
    (Securiteam)
  • [EXPL] Smail preparse_address_1() Heap Overflow
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... There is a heap buffer overflow, ... ssize_t Send(int s, const void *buf, size_t len, int flags) ...
    (Securiteam)
  • [EXPL] Internet Explorer DHTML Arbitrary Code Execution (MS05-020)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... MOV EAX, DWORD PTR; EAX = Some pointer to the heap for mshtml ... To get some control over the "dirty" value we try to "spray" the heap ... so we use as big a string as possible. ...
    (Securiteam)
  • [EXPL] Mozilla Browsers Remote Heap Buffer Overrun (Exploit , 0xAD HOST)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... A heap buffer overrun vulnerability exists in Mozilla browsers, ... of the string to create more large heap blocks. ... var startDate = new Date; ...
    (Securiteam)
  • [REVS] Microsoft Windows Heap Based Overflow Exploiting
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Presented in this article are several documents discussing Heap based ... heap exploitation and ways to create exploitation more stable. ... A fully documented example on exploiting a heap overflow can be found at: ...
    (Securiteam)