RE: Windows Heap Overflows In General

From: Brett Moore (brett@softwarecreations.co.nz)
Date: 12/02/02

  • Next message: at4r: "IIS Vulnerability Content-Type overflow"
    From: "Brett Moore" <brett@softwarecreations.co.nz>
    To: "David Litchfield" <david@ngssoftware.com>, <pen-test@securityfocus.com>, <vuln-dev@securityfocus.com>
    Date: Tue, 3 Dec 2002 10:56:57 +1300
    
    

    Dave wrote:
    > e.g.
    > call dword ptr [ecx + 14H]
    >
    > It's important to remember that heap overflows isn't just about
    > overflowing
    > character arrays that have been malloc()ed.

    Yup thats true, playing with different sizes and differents hex codes to
    overflow can land you in many different spots such as

    call [ecx + ??]
    mov [ecx],[eax]
    movsb
    cmp al,?? -> mov something.

    The main point I was trying to press is that we can use the routines to
    write our egg into a known writable address. Albiet a tricky and time
    consuming way, so the trick is to write a small jumper to known memory and
    call the jumper. The jumper can then locate out main shell code and run it.

    With the 4 bytes you are limited to something like [reg +/- 80] or so... But
    can do stuff like add esp,?? ret or prepend our jumper to known fixed hex
    codes so as we can leave a byte or two out giving us 6 bytes.

    From the recent CFMX6 overflow. The exploit lands on the normal mov
    [ecx],eax carries on checks a byte to see if there is more, and then uses
    another byte to calculate the offset to where the next structure is. Even if
    only chunk structure has been overwritten we now have control of where the
    routine will look for the next structure. Massive amounts of repeated code
    allows for a good chance to hit the spot.

    Brett

    > -----Original Message-----
    > From: David Litchfield [mailto:david@ngssoftware.com]
    > Sent: Monday, 2 December 2002 22:29
    > To: pen-test@securityfocus.com; vuln-dev@securityfocus.com
    > Subject: Re: Windows Heap Overflows In General
    >
    >
    > > *) Remember with heap based overflows you can write multiple sets of 4
    > > bytes. It's not the registers you are overflowing, but a structure. What
    > do
    > > the other structure bytes control? Size does matter!
    > > http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0105.html
    > > * Wheres our code at? It's not just esp that holds important variable
    > > locations. Where do all those other numbers point?
    >
    > In the case overflowing the data section of one object into the vtable of
    > another object you'll be overwriting function pointers and when one is
    > called you can redirect program control
    >
    > e.g.
    > call dword ptr [ecx + 14H]
    >
    > It's important to remember that heap overflows isn't just about
    > overflowing
    > character arrays that have been malloc()ed.
    >
    > Cheers,
    > David Litchfield
    > http://www.ngssoftware.com/
    >