Dailydave mailing list archives
Re: Heap Overflow (UnHandledExceptionFilter) question
From: "class 101" <class101 () hat-squad com>
Date: Sun, 5 Dec 2004 06:17:15 +0100
To add some more info: that hole is in the Windows Internet Name Service. I'm actually able to control EAX in read, which points to my buffer, and this is controlling ECX and EDX in write. As I explained in the first mail, I tried the UEF that way but it doesn't work, or I'm doing something wrong. I heard about the RtlEnterCriticalSection PEB method; I think it's the one which should be used there according to Nicolas Waisman's paper... Anyway I'd like the feedback of a specialist :) thanks

-------------------------------------------------------------
class101
Hat-Squad.com
-------------------------------------------------------------

----- Original Message -----
From: class 101
To: dailydave () lists immunitysec com
Sent: Sunday, December 05, 2004 5:32 AM
Subject: Heap Overflow (UnHandledExceptionFilter) question

Hello the list,

Sorry firstly for my crap English; I will try to be quick and clear..

I'm currently learning heap overflows with some examples and a recent Windows hole found by an excellent team :>

I'll quickly summarize the exploitation via the UEF (UnHandledExceptionFilter) for those who forgot: if we are able to overwrite the pointers EAX and ECX in this case:

    mov dword [ecx], eax
    mov dword [eax+4], ecx

we successfully exploit the hole by pointing ECX to my UEF address, and pointing EAX to an address with this content (assuming that I'm on Win2k):

    call dword [esi+4c]

The esi+4c, which is pushed when the unhandled exception occurs, points to my buffer and then reads my shellcode...

Ok, the question is now: if I'm able to overwrite the pointers ECX and EDX in this case:

    mov dword [ecx], edx

I tried to apply the UEF method on this hole without success, because I think EAX is no longer pointing to a call instruction, which is needed. Maybe someone can confirm to me that I can use only EAX and ECX via this method, and is there another way to exploit it, maybe via the PEB method?

Anyway thanks for your time dude.

-------------------------------------------------------------
class101
Hat-Squad.com
-------------------------------------------------------------
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
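Added example, not part of the post above: a small C model of the write that the two unlink stores (the mov [ecx], eax / mov [eax+4], ecx pair discussed in the mail) perform once the list links are overwritten, beside the safe-unlinking check that later Windows heaps use to refuse exactly that write. The list layout, the entry names and the victim/value locations are constructed assumptions, not the real heap code.

```c
#include <stddef.h>

/* Constructed model of a free-list entry. Assumption: it only mimics the
 * Flink/Blink layout of a Windows LIST_ENTRY, it is not the real heap code. */
typedef struct entry { struct entry *flink; struct entry *blink; } entry_t;
/* Classic unlink: the mov [ecx], eax / mov [eax+4], ecx pair from the post
 * (ecx = blink, eax = flink). With overwritten links it is an arbitrary write. */
static void unlink_unsafe(entry_t *e) {
    e->blink->flink = e->flink;
    e->flink->blink = e->blink;
}
/* Safe unlinking, the mitigation later Windows heaps added: both neighbours
 * must still point back at the entry, otherwise nothing is written. */
static int unlink_safe(entry_t *e) {
    if (e->flink->blink != e || e->blink->flink != e)
        return 0;                       /* corruption detected */
    unlink_unsafe(e);
    return 1;
}
/* Shared scenario: list head<->a<->b, then a's links are overwritten as an
 * overflow of the preceding chunk would, so blink names a victim location
 * and flink the value that will land there. */
static entry_t head, a, b, victim, value;
static void build_corrupted(void) {
    head.flink = &a;   head.blink = &b;
    a.flink = &b;      a.blink = &head;
    b.flink = &head;   b.blink = &a;
    victim.flink = victim.blink = NULL;
    value.flink = value.blink = NULL;
    a.flink = &value;                   /* overwritten */
    a.blink = &victim;                  /* overwritten */
}
/* 1 when the unchecked unlink wrote &value into victim.flink (write-what-where). */
int unsafe_unlink_writes(void) {
    build_corrupted();
    unlink_unsafe(&a);
    return victim.flink == &value;
}
/* 1 when safe unlinking rejects the same entry and leaves victim untouched. */
int safe_unlink_blocks(void) {
    build_corrupted();
    return unlink_safe(&a) == 0 && victim.flink == NULL;
}
/* 1 when safe unlinking still removes an entry whose links are intact. */
int safe_unlink_legit(void) {
    build_corrupted();
    a.flink = &b; a.blink = &head;      /* restore sane links */
    return unlink_safe(&a) == 1 && head.flink == &b && b.blink == &head;
}
```

The three functions show the same corrupted entry first producing the controlled write, then being rejected by the back-pointer check, while an intact entry still unlinks normally.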