[REVS] Exploiting Freelist[0] on Windows XP Service Pack 2

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.

- - - - - - - - -

Exploiting Freelist[0] on Windows XP Service Pack 2


The whitepaper linked here explains methods to exploit freelist[0]
overwrites in Windows XP SP2


Windows XP Service pack 2 introduced some new security measures in an
attempt to prevent the use of overwritten heap headers to do arbitrary
byte writing. This method of exploiting heap overflows, and the protection
offered by service pack 2, is widely known and has been well documented in
the past. What this paper will attempt to explain is how other
functionality of the heap management code can be used to gain execution
control after a chunk header has been overwritten. In particular this
paper takes a look at exploiting freelist[0] overwrites.

Two new methods of exploitation are explained in this paper. The first
allows for the address of user supplied data to be written to a semi
arbitrary location. The other allows for a semi arbitrary address to be
returned to a HeapAlloc call.

The full paper, along with code samples can be found at:
<http://www.security-assessment.com/Whitepapers/Exploiting_Freelist[0]_On_XPSP2.zip> Exploiting Freelist[0] On Windows XP Service Pack 2


The information has been provided by
<mailto:brett.moore@xxxxxxxxxxxxxxxxxxxxxxx> Brett Moore.
The original article can be found at:
<http://www.security-assessment.com/Whitepapers/Exploiting_Freelist[0]_On_XPSP2.zip> http://www.security-assessment.com/Whitepapers/Exploiting_Freelist[0]_On_XPSP2.zip


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.