Dailydave mailing list archives
RE: Understanding Windows Heap Overflows
From: "Brett Moore" <brett.moore () security-assessment com>
Date: Thu, 6 Oct 2005 10:45:11 +1300
Hey.. Forgot to mention, if you want some easy samples to work with have a look at:

Windows Heap Overflow Exploitation
http://marc.theaimsgroup.com/?l=darklab&m=107575262625706&w=2

Windows Stack Overflow Exploitation
http://marc.theaimsgroup.com/?l=darklab&m=107575273225926&w=2

Written last year on a 2k box... So not sure how much use they will be to you..

Cheers
Brett

-----Original Message-----
From: pbb [mailto:pbb () 65535 com]
Sent: Wednesday, 5 October 2005 9:56 p.m.
To: Ben Nagy
Cc: dailydave () lists immunitysec com
Subject: Re: [Dailydave] Understanding Windows Heap Overflows

Thanks for the suggestions. I thought I'd post the simplest program I was playing with, but I think you are right. That was the example code from David Litchfield's Blackhat 2004 heap talk. I had another one that allocated 2 heaps, then copied on the first, then freed.

My fiancee went to Ruxcon and was telling me about Brett Moore's talk, sounded very interesting. I'll have to have a look at the talks if I can get my hands on some of them.

If I am going to get my target app to call a register, then don't I still need to do a 4 byte overwrite of something like the exception handler? Isn't using the register so that on the overwrite, if you can have say ebx pointing to your heap, then you get it to execute that call to ebx so your injected code is run?

As I said, I actually got the SP2 example to work but couldn't step through it.

I haven't read anything by Matt Conover so I will look into that (btw, does everyone here think Matt Pietrek, but I guess he's more file formats and DLLs).

I like your suggestion, so I think I'll make a simple prog that reads from a socket (which makes input of the overflow easier) and try that.

Thanks everyone for your suggestions.

Paul.

Ben Nagy wrote:

Hi,

There were a couple of talks at Ruxcon in Australia which might help you. I attempted to do one that condensed work by a whole lot of different people into something simple (well, as simple as it's going to get) and understandable - but that will only cover the theory.

The other thing I thought was much cooler was that Brett Moore stood up right afterwards and owned some random app with a heap-based long file parameter bug, and he did it by stages so you could see what was going on. As he said, the heap is wacky - you might not even need to attack the heap management routines themselves if you can make your target app eventually call a register you control (which is what happened). Given that the 4-byte overwrites get crazy under SP2 and a lot of tasty pointers are encoded / removed / randomised, that kind of approach is (imho) Teh Futur. Hopefully his demo files will go up as well as his slides (right Brett? ;).

In terms of references, you didn't mention any Windows papers by Matt Conover - I would highly recommend you get anything you can by him, but the CSW Conover/Oded presentation in particular is a must-read.

Finally, in your code, I'm not sure it's a good test proggie, is it? For Conover's coalesce-on-free 4-byte you need h1 to get freed, and for a busy-block overwrite like Halvar's VirtualAlloc 4-byte you need your faked (next to h1) block to get freed. Well, anyway, you usually want _something_ to be freed. The exceptions are the "maybe there happens to be a free block that happens to be next to my buffer, and the second alloc will provoke a list deletion" style attacks, which you shouldn't need for < SP2 (plus they require the heap layout to be just so). If you want to follow that up with a 4-to-n-byte overwrite via the lookaside lists, then you'll need your test program to do some realistic pointer copies, because it needs to copy badstuff --> my sekrit location at some point.

--- code reprint ---
h1 = HeapAlloc(hp,HEAP_ZERO_MEMORY,26);
printf("HEAP: %.8x %.8x\n", h1, &h1);
// Heap overflow occurs here:
strcpy(h1, buf);
// The second call to HeapAlloc() is when we gain control
h2 = HeapAlloc(hp,HEAP_ZERO_MEMORY,26);
--- end code ---

So, my suggestion would be that you code something that does "loop: get a packet from client, allocate heap space, copy the packet data unsafely, free the block when done". Have a play with that and you might have more fun.

Anyway, good luck.

Cheers,
ben

-----Original Message-----
From: Brett Moore [mailto:brett.moore () security-assessment com]
[...]
As for the heap stuff.... The heap is a fickle place...
a) Try longer / shorter bursts of data
b) Try data of different chars (ie: X or A or Y) etc...
I used to find 0x48 a good heap manipulator (H).
Good luck
[...]

-----Original Message-----
From: pbb [mailto:pbb () 65535 com]
[...]
With the example given, I couldn't get it to do anything, no 4 byte overwrite.
[...]

----- Original Message -----
From: "pbb" <pbb () 65535 com>
[...]
I really would like to get to grips with Heap overflows.
[...]
Current thread:
- Understanding Windows Heap Overflows pbb (Oct 04)
- Re: Understanding Windows Heap Overflows Mårten Cassel (Oct 04)
- Message not available
- Re: Understanding Windows Heap Overflows pbb (Oct 04)
- Re: Understanding Windows Heap Overflows Dave Aitel (Oct 04)
- Re: Understanding Windows Heap Overflows pbb (Oct 04)
- RE: Understanding Windows Heap Overflows Brett Moore (Oct 04)
- RE: Understanding Windows Heap Overflows Ben Nagy (Oct 04)
- Re: Understanding Windows Heap Overflows pbb (Oct 05)
- RE: Understanding Windows Heap Overflows Brett Moore (Oct 05)
- Re: Understanding Windows Heap Overflows pbb (Oct 04)
- RE: Understanding Windows Heap Overflows Dave Korn (Oct 19)
- Re: Understanding Windows Heap Overflows Matt Conover (Oct 19)
- RE: Understanding Windows Heap Overflows Dave Korn (Oct 20)
- <Possible follow-ups>
- Understanding Windows Heap Overflows Matt Conover (Oct 06)
- Re: Understanding Windows Heap Overflows pbb (Oct 07)
- Re: Understanding Windows Heap Overflows Matt Conover (Oct 07)
- Re: Understanding Windows Heap Overflows Nicolas Waisman (Oct 07)
- Re: Understanding Windows Heap Overflows Dave Aitel (Oct 07)
- Re: Understanding Windows Heap Overflows pbb (Oct 07)
- Understanding Windows Heap Overflows Matt Conover (Oct 07)
- RE: Understanding Windows Heap Overflows Kyle Quest (Oct 07)