Dailydave mailing list archives

Re: Heap Overflow (UnHandledExceptionFilter) question


From: "class 101" <class101 () hat-squad com>
Date: Sun, 5 Dec 2004 06:17:15 +0100

To add some more info, that hole is in the Windows Internet Name Service.

I'm actually able to control EAX in read, which, pointed to my buffer, controls ECX and EDX in write.

As I explained in the first mail, I tried the UEF that way but it doesn't work, or I'm doing something wrong.

I heard about the RtlEnterCriticalSection PEB method; I think it's the one which should be used there according to 
Nicolas Waisman's paper...

Anyway, I'd like the feedback of a specialist :)

thanx 

-------------------------------------------------------------
class101
Hat-Squad.com
-------------------------------------------------------------
  ----- Original Message ----- 
  From: class 101 
  To: dailydave () lists immunitysec com 
  Sent: Sunday, December 05, 2004 5:32 AM
  Subject: Heap Overflow (UnHandledExceptionFilter) question


  Hello the list,

  Sorry firstly for my crap English, I will try to be quick and clear..
  I'm currently learning heap overflows with some examples and a recent Windows hole found by an excellent team :>

  I'll quickly summarize the exploitation via the UEF (UnHandledExceptionFilter) for those who forgot:

  If we are able to overwrite the pointers in EAX and ECX in this case:
                  mov dword [ecx], eax
                  mov dword [eax+4],ecx

  We successfully exploit the hole by pointing ECX to my UEF address, and pointing EAX to an address with this 
content (assuming that I'm on Win2k):

                  call dword [esi+4c]

  The esi+4c, which is pushed when the unhandled exception occurs, points to my buffer and then reads my shellcode...
   
  Ok, the question is now: if I'm able to overwrite the pointers in ECX and EDX in this case:
                  
                  mov dword [ecx], edx

  I tried to apply the UEF method on this hole without success because I think EAX is no longer pointing to a call 
instruction, which is needed. Maybe someone can confirm to me that I can only use EAX and ECX via this method, and is there 
another way to exploit it, maybe via the PEB method?

  Anyway, thanx for your time, dude.

   
  -------------------------------------------------------------
  class101
  Hat-Squad.com
  -------------------------------------------------------------
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave