Re: win32 heap overflow exploitation

From: Barnaby Jack (bjack_at_eeye.com)
Date: 10/27/03

Date: Sun, 26 Oct 2003 21:26:48 -0800
To: <pen-test@securityfocus.com>, <netninja@hotmail.kg>, <vuln-dev@securityfocus.com>

----- Original Message -----
From: "A***" <netninja@hotmail.kg>
To: <vuln-dev@securityfocus.com>
Cc: <pen-test@securityfocus.com>
Sent: Sunday, October 26, 2003 3:29 AM
Subject: win32 heap overflow exploitation

> Hi there folks,
>
> I'm having a problem exploiting an application vulnerable to heap overflow. I
> can write 4 bytes to any place in the memory.
>
> mov dword ptr[eax], ecx
> mov dword ptr[ecx+4], eax
>
> I control ecx and eax. I tried overwriting unhandledexceptionfilter pointer
> (located at address 77ee044c) with a pointer to call [ebp-28]; this is where a
> pointer to my shellcode is located.
>
> eax=77ee044c <--- unhandledexceptionfilter pointer of my version of Windows
> ecx=77f8ce83 <--- .text unwritable address points to -> call [ebp-28]
>
> The second line mov dword ptr[ecx+4], eax is supposed to trigger an access violation
> on write, because ecx is an unwritable address, thus invoking the exception handler.
> Because the exception handler address is overwritten with a pointer to call [ebp-28],
> it should theoretically execute call [ebp-28] and then my shellcode. But it's not
> doing so. Maybe I'm doing something wrong. A little help on that would be great.


Have you set a breakpoint on the filter to verify that the offset contains your data?
If using the unhandled exception filter your data should also exist at [esi+4c].

>
> What else can I overwrite with my 4 bytes except exception pointers? eEye
> mentioned overwriting PEB locking pointers. Could anyone please clarify it? I
> couldn't find info on that. Any tips/tricks/methods/techniques/links/papers on
> exploiting Windows-based heap overflows would be greatly appreciated. Thanks


The PEB is the Process Environment Block; there is some documentation of the
structure at http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/Process/PEB.html

At PEB_BASE+0x20 and PEB_BASE+0x24 are pointers to the PEB lock and unlock routines.
As the PEB is always mapped at 7FFDF000, overwriting a lock pointer is a good route to take to achieve reliability across versions.
Remember to replace the function pointer address when your shellcode is executing.

>
>
> A***

Barnaby Jack
Research Engineer
eEye Digital Security
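Added illustration, not part of this thread or of either poster's code: the two writes quoted in the original message are what a doubly linked free-list unlink turns into once a chunk's link fields have been overwritten, and the toy C below places that unlink beside the safe-unlinking check (both neighbours must point back at the chunk) that later heap managers adopted to refuse such a chunk before anything is written. The chunk structure, the three-chunk list and the corrupted links are all constructed for the example and do not model the real Windows heap layout.

```c
#include <stdbool.h>
#include <stddef.h>
/* Toy free-list chunk: two links only, not the real Windows heap header. */
typedef struct chunk {
    struct chunk *flink;   /* forward link  */
    struct chunk *blink;   /* backward link */
} chunk_t;
/* Classic unlink: trusts the chunk's own links, so a header overwritten by an
 * overflow becomes the pair of 4-byte writes quoted in the message above. */
static void unlink_unsafe(chunk_t *c) {
    c->blink->flink = c->flink;
    c->flink->blink = c->blink;
}
/* Safe unlink: both neighbours must point back at c; if not, the list is
 * corrupt and nothing is written. Returns false when the check fires. */
static bool unlink_safe(chunk_t *c) {
    if (c->flink->blink != c || c->blink->flink != c)
        return false;
    c->blink->flink = c->flink;
    c->flink->blink = c->blink;
    return true;
}
/* Builds head <-> a <-> b <-> head (constructed list). With corrupt set, b's
 * links are replaced as an overflow from a's data into b's header would do. */
static void build_list(chunk_t *head, chunk_t *a, chunk_t *b, chunk_t *target, bool corrupt) {
    head->flink = a; head->blink = b;
    a->flink = b;    a->blink = head;
    b->flink = head; b->blink = a;
    target->flink = NULL; target->blink = NULL;
    if (corrupt) { b->flink = target; b->blink = target; }
}
/* Without the check, unlinking the corrupted chunk writes through the forged links. */
bool unsafe_unlink_overwrites_target(void) {
    chunk_t head, a, b, target;
    build_list(&head, &a, &b, &target, true);
    unlink_unsafe(&b);
    return target.flink == &target && target.blink == &target;
}
/* With the check, an intact chunk still unlinks, the corrupted one is rejected. */
bool safe_unlink_rejects_corruption(void) {
    chunk_t head, a, b, target;
    build_list(&head, &a, &b, &target, false);
    bool intact_ok = unlink_safe(&a) && head.flink == &b && b.blink == &head;
    build_list(&head, &a, &b, &target, true);
    bool rejected = !unlink_safe(&b);
    return intact_ok && rejected && target.flink == NULL && target.blink == NULL;
}
```

The same back-pointer consistency check is cheap to add to any hand-rolled linked structure whose nodes sit next to attacker-reachable buffers, and a failed check is a strong signal worth logging as heap corruption.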


