Dailydave mailing list archives
Re: A 3 a.m. Riddle
From: jf <jf () danglingpointers net>
Date: Thu, 31 May 2007 04:25:20 +0000 (UTC)
It would probably be worthwhile, I'd think anyways, to walk backwards through your stack frames and see if there are any local variables that you can increment to modify/alter execution flow, specifically maybe a counter in a loop or even a saved frame pointer (emulate an off-by-one?), et cetera.

On Wed, 30 May 2007, Matt Conover wrote:

> Date: Wed, 30 May 2007 10:30:05 -0700
> From: Matt Conover <mconover () gmail com>
> To: dailydave () lists immunitysec com
> Subject: Re: [Dailydave] A 3 a.m. Riddle
>
> Can you do as many "inc" as you want? I think there are a lot of options if you use this against the heap. For example, change Heap->Lookaside[x].ListHead.Flink to point into the middle of an existing chunk (since the heap base is reliable except for Vista), increment the ListHead enough to point into the middle of chunk data, so that you can set up a fake chunk and wait until it's allocated; then it will cause a 4-byte overwrite without the safe unlink check (lookaside has no safe unlink issues). You could also use "inc" to change heap flags; that may also be interesting.
>
> On 5/30/07, Nicolas Waisman <nicolas.waisman () immunitysec com> wrote:
>
>> You can only do it one time.
>>
>> Note: The riddle is taken from an old silently patched bug in WINS.
>>
>> Nico
>>
>> On Wed, May 30, 2007 at 03:15:13PM +0100, Dave Korn wrote:
>>
>>> On 30 May 2007 07:13, Nicolas Waisman wrote:
>>>
>>>> Let's have a fun riddle to cheer up the spirit (Mate at 11pm, it's all-night insomnia).
>>>>
>>>> The riddle: Let's say you are trying to exploit a remote service on an old Windows 2000 (whatever SP you want) and the primitive is the following:
>>>>
>>>>     inc [edi]   // you control edi
>>>>
>>>> What would be the best option for edi?
>>>
>>> Depends what else you control apart from edi, and whether you can do it more than once. If you can overwrite an SEH handler, point edi at an illegal address to invoke your code. If you can do it multiple times, perhaps you can point edi somewhere on the stack and increment a stored ebp to point at data you control. Don't forget the possibility of pointing it at a non-word-aligned address to e.g. increment just the high byte of a stored pointer.
>>>
>>> cheers,
>>> DaveK
>>> --
>>> Can't think of a witty .sigline today....
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
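The stack-side options discussed in the thread (an aligned increment of a saved ebp, and Dave Korn's unaligned increment that touches only a pointer's high byte) are easy to reason about with a byte-level model of the primitive. The following C program is an added example written for this page; it is not code from the thread or from any of its participants, and the memory layout and pointer values in it are made up. It models one `inc dword ptr [edi]` on a little-endian 32-bit target and shows the result for an aligned edi, for edi = pointer + 3, and for the carry case where the high byte is already 0xFF and the increment spills into the following dword.

```c
/* Added example, not part of the Dailydave thread: a byte-level model of
 * the "inc dword ptr [edi]" primitive on a little-endian 32-bit target
 * such as Windows 2000 / x86. It shows what a single increment does to a
 * stored pointer (think: saved ebp) depending on where edi points. The
 * stack slice and every address below are made up for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Little-endian dword load/store on a byte array. Unaligned offsets are
 * allowed on purpose: x86 lets "inc dword ptr [edi]" hit any address. */
static uint32_t load_le32(const uint8_t *mem, size_t off) {
    return (uint32_t)mem[off]
         | ((uint32_t)mem[off + 1] << 8)
         | ((uint32_t)mem[off + 2] << 16)
         | ((uint32_t)mem[off + 3] << 24);
}

static void store_le32(uint8_t *mem, size_t off, uint32_t v) {
    mem[off]     = (uint8_t)(v);
    mem[off + 1] = (uint8_t)(v >> 8);
    mem[off + 2] = (uint8_t)(v >> 16);
    mem[off + 3] = (uint8_t)(v >> 24);
}

/* The primitive itself: one "inc dword ptr [edi]" with attacker-chosen edi. */
static void inc_dword(uint8_t *mem, size_t edi) {
    store_le32(mem, edi, load_le32(mem, edi) + 1);
}

/* Simulated 8-byte stack slice: a stored pointer at offset 0 and the dword
 * that follows it (e.g. a saved return address) at offset 4. Applies one
 * inc at `edi` (0..4, anything else is out of the slice and is ignored) and
 * returns the pointer afterwards; *next_out receives the following dword so
 * the caller can see any collateral damage from a carry. */
uint32_t stored_ptr_after_inc(uint32_t ptr, uint32_t next, size_t edi,
                              uint32_t *next_out) {
    uint8_t mem[8];
    store_le32(mem, 0, ptr);
    store_le32(mem, 4, next);
    if (edi <= sizeof(mem) - 4)
        inc_dword(mem, edi);
    if (next_out)
        *next_out = load_le32(mem, 4);
    return load_le32(mem, 0);
}

int main(void) {
    uint32_t next;

    /* edi aligned on the saved pointer: the classic off-by-one, ptr += 1. */
    printf("aligned:   %08x\n",
           stored_ptr_after_inc(0x0012FF7C, 0x77E12345, 0, &next));

    /* edi = ptr + 3: only the pointer's high byte changes, 0x0012.. -> 0x0112..,
     * and the following dword is untouched. */
    printf("high byte: %08x (next %08x)\n",
           stored_ptr_after_inc(0x0012FF7C, 0x77E12345, 3, &next), next);

    /* Caveat: if that high byte is already 0xFF it wraps to 0x00 and the
     * carry lands in the low byte of the next dword. */
    printf("carry:     %08x (next %08x)\n",
           stored_ptr_after_inc(0xFF12FF7C, 0x77E12345, 3, &next), next);
    return 0;
}
```

The SEH-handler and lookaside-Flink options from the thread are not modelled here, since they depend on Windows-specific structures rather than on the arithmetic of the increment itself.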
Current thread:
- A 3 a.m. Riddle Nicolas Waisman (May 30)
- Message not available
- Fwd: A 3 a.m. Riddle Isaac Dawson (May 30)
- Message not available
- Re: A 3 a.m. Riddle Dave Korn (May 30)
- Re: A 3 a.m. Riddle Nicolas Waisman (May 30)
- Re: A 3 a.m. Riddle Matt Conover (May 30)
- Re: A 3 a.m. Riddle jf (May 30)
- Re: A 3 a.m. Riddle Nicolas Waisman (May 30)
- Re: A 3 a.m. Riddle Dave Aitel (May 30)
- Re: A 3 a.m. Riddle Nicolas Waisman (May 30)
- Re: A 3 a.m. Riddle Brett Moore (May 30)
- <Possible follow-ups>
- Re: A 3 a.m. Riddle Piotr Bania (May 30)
- Re: A 3 a.m. Riddle Chris Anley (May 30)
- Re: A 3 a.m. Riddle Nicolas Waisman (May 30)