Dailydave mailing list archives
Re: A 3 a.m. Riddle
From: "Dave Aitel" <dave.aitel () gmail com>
Date: Wed, 30 May 2007 20:29:30 -0400
And for those of you who can make it, Nico will be presenting on heapy things at SyScan '07 in Singapore shortly. :>

Does anyone else really like the idea of the Palm Foleo? It runs Linux, has instant-on, is 2.5 pounds, and has a five-hour battery life. Sounds awesome to me. :>

I'm still too much of a T-Mobile Sidekick fan to think about a Treo or Windows Mobile device though. (After Sidekick, those interfaces HURT)

-dave

On 5/30/07, Nicolas Waisman <nicolas.waisman () immunitysec com> wrote:
Sweet! You got it.

Theoretically you have only one inc [edi], and the idea was to make it:
  o generic (works on every server)
  o and non addy dependent (not based on any SP)
At least the used technique.

So my approach was to point edi to the FreeListInUse bitmask on the heap. The FreeListInUse bitmask is a 4 dword bitmask where every bit corresponds to an entry of the FreeList double linked list array. So if bit 4 is set, that means that at that entry of FreeList[4] there would be at least one free chunk.

The trick then is to inc one of the bytes of the FreeListInUse, which is always at a fixed offset from the beginning of the heap (so, if we use the default heap, the beginning of the bitmask would start at: 0x70158). The bit we are overwriting needs to be 0, so we can turn it on. The next time we try to allocate with a size smaller than the one we theoretically set on the bitmask, it will try to pop a chunk from the double linked list (but since it doesn't have any chunk, the FLINK/BLINK should point to the FreeList entry itself). When the magic is finally done, RtlAllocateHeap will end up returning the address of the FreeList entry. And the excitement continues: at a fixed offset from the returned address, there should be the heap function pointer CommitRoutine. Voila!

I bet there are probably other better ways to do it, but that's how I did it back in the time. (It obviously sounds much easier than it is, but the primitive works.)

Also, if you think about it (and we discussed it with Oded), there is another trick with a similar primitive, when you overwrite the Size header of a "Lonely" Free Chunk. (Note, this technique theoretically might work on XP SP2.)

Nico

On Wed, May 30, 2007 at 10:30:05AM -0700, Matt Conover wrote:
> Can you do as many "inc" as you want? I think there are a lot of options if
> you use this against the heap.
> For example, change
> Heap->Lookaside[x].ListHead.Flink to point into the middle of an existing chunk
> (since the heap base is reliable except for Vista), increment the ListHead
> enough to point into the middle of chunk data, so that you can set up a fake
> chunk and wait until it's allocated, then it will cause a 4-byte overwrite
> without a safe unlink check (lookaside has no safe unlink issues). You could
> also use "inc" to change heap flags, that may also be interesting.
>
> On 5/30/07, Nicolas Waisman <nicolas.waisman () immunitysec com> wrote:
> >
> > You can only do it one time.
> > Note: The riddle is taken from an old silently patched bug in WINS.
> >
> > Nico
> >
> >
> > On Wed, May 30, 2007 at 03:15:13PM +0100, Dave Korn wrote:
> >> On 30 May 2007 07:13, Nicolas Waisman wrote:
> >>
> >> > Let's have a fun riddle to cheer up the spirit (Mate at 11pm, it's all
> >> > night insomnia.)
> >> >
> >> > The riddle: Let's say you are trying to exploit a remote service on an
> >> > old Windows 2000 (whatever SP you want) and the primitive is the
> >> > following:
> >> >   inc [edi]   // you control edi
> >> >
> >> > What would be the best option for edi?
> >>
> >> Depends what else you control apart from edi, and whether you can do it more
> >> than once. If you can overwrite an SEH handler, point edi at an illegal
> >> address to invoke your code. If you can do it multiple times, perhaps you can
> >> point edi somewhere on the stack and increment a stored ebp to point at data
> >> you control. Don't forget the possibility of pointing it at a
> >> non-word-aligned address to e.g. increment just the high byte of a stored
> >> pointer.
> >>
> >> cheers,
> >> DaveK
> >> --
> >> Can't think of a witty .sigline today....
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
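The allocator walk Nico describes above (one inc turns on a FreeListInUse bit, the next small allocation pops the empty list's sentinel and hands back a pointer into the heap header, from which CommitRoutine sits at a fixed delta) in miniature. This is an added example written for this page, not code from the thread or from anyone on it. The TOY_HEAP layout, its field order and every offset are constructed for the demo and are not the real Windows 2000 HEAP structure (the 0x70158 figure above is not reproduced); what is modelled is the mechanism: a 128-entry free-list array, a 4-dword in-use bitmask, and a pop with no safe-unlink check. The host is assumed little-endian, so "byte k of the bitmask" means bits 8k..8k+7.

```c
/*
 * Toy model of the FreeListInUse trick from the thread above.  Added example,
 * not code from the thread: the TOY_HEAP layout, field sizes and all offsets
 * are invented so it compiles and runs anywhere; only the allocator logic
 * (bitmask scan, unsafe pop of the list head) follows what Nico describes.
 * Assumes a little-endian host so "byte k of the bitmask" means bits 8k..8k+7.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

#define FREELIST_COUNT 128            /* one list per 8-byte size bucket */

typedef struct {
    uint32_t   FreeListsInUseUlong[4];   /* 128 bits, bit i == "FreeLists[i] non-empty" */
    LIST_ENTRY FreeLists[FREELIST_COUNT];/* empty list: Flink == Blink == &FreeLists[i] */
    void     (*CommitRoutine)(void);     /* function pointer inside the heap header */
} TOY_HEAP;

static void real_commit(void) { puts("CommitRoutine called"); }

static void heap_init(TOY_HEAP *h) {
    memset(h->FreeListsInUseUlong, 0, sizeof h->FreeListsInUseUlong);
    for (int i = 0; i < FREELIST_COUNT; i++)
        h->FreeLists[i].Flink = h->FreeLists[i].Blink = &h->FreeLists[i];
    h->CommitRoutine = real_commit;
}

/* A legitimate free: push a chunk's LIST_ENTRY (its user-data area) on a list. */
static void toy_free(TOY_HEAP *h, LIST_ENTRY *chunk, unsigned bucket) {
    LIST_ENTRY *head = &h->FreeLists[bucket];
    chunk->Flink = head->Flink; chunk->Blink = head;
    head->Flink->Blink = chunk; head->Flink = chunk;
    h->FreeListsInUseUlong[bucket / 32] |= 1u << (bucket % 32);
}

/* Simplified RtlAllocateHeap free-list path: first set bit at or above the
 * requested bucket, pop the list head with no safe-unlink check (Win2k), and
 * hand the popped LIST_ENTRY back as the user pointer.  NULL = nothing free. */
static void *toy_alloc(TOY_HEAP *h, unsigned bucket) {
    for (unsigned i = bucket; i < FREELIST_COUNT; i++) {
        if (!(h->FreeListsInUseUlong[i / 32] & (1u << (i % 32)))) continue;
        LIST_ENTRY *head = &h->FreeLists[i], *chunk = head->Flink;
        chunk->Blink->Flink = chunk->Flink;        /* unlink, trusted blindly */
        chunk->Flink->Blink = chunk->Blink;
        if (head->Flink == head)                   /* list (still) empty: clear the bit */
            h->FreeListsInUseUlong[i / 32] &= ~(1u << (i % 32));
        return chunk;
    }
    return NULL;
}

/* The riddle's primitive: exactly one 'inc [edi]' on a byte of our choosing. */
static void inc_byte(void *edi) { ++*(uint8_t *)edi; }

/* Apply the trick to a fresh heap: inc byte 'bitmask_byte' of FreeListsInUse
 * (it is 0 here, so the inc turns on bit 8*bitmask_byte), then request a
 * small allocation.  Returns the FreeLists[] index the allocator handed back
 * as a "chunk", or -1 if the returned pointer is not inside FreeLists[]. */
static int run_trick(TOY_HEAP *h, unsigned bitmask_byte, unsigned request_bucket, void **out) {
    heap_init(h);
    inc_byte((uint8_t *)h->FreeListsInUseUlong + bitmask_byte);
    LIST_ENTRY *p = toy_alloc(h, request_bucket);
    *out = p;
    if (p == NULL || p < h->FreeLists || p >= h->FreeLists + FREELIST_COUNT) return -1;
    return (int)(p - h->FreeLists);
}

/* Distance from the bogus "chunk" to the heap's CommitRoutine slot: fixed for
 * a given heap layout, which is the whole point of the technique. */
static ptrdiff_t commit_delta(const TOY_HEAP *h, const void *chunk) {
    return (const char *)&h->CommitRoutine - (const char *)chunk;
}

int main(void) {
    static TOY_HEAP heap;
    void *p;
    int idx = run_trick(&heap, 1, 2, &p);
    printf("alloc returned FreeLists[%d] at %p (heap at %p)\n", idx, p, (void *)&heap);
    printf("CommitRoutine is %td bytes past the returned pointer\n", commit_delta(&heap, p));
    return 0;
}
```

Running it shows the allocation coming back as FreeLists[8], i.e. a pointer inside the heap header rather than a chunk, and a constant delta to CommitRoutine. Two details the model makes concrete: a request whose bucket is above the flipped bit finds nothing and falls through (in the real allocator it would go commit memory instead), and because the primitive is an increment, not a store, the bit that ends up set is the lowest clear bit of the chosen byte, with carry clearing any lower set bits, which is why the byte's prior contents decide which list actually gets "populated".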
Current thread:
- A 3 a.m. Riddle Nicolas Waisman (May 30)
- Fwd: A 3 a.m. Riddle Isaac Dawson (May 30)
- Re: A 3 a.m. Riddle Dave Korn (May 30)
- Re: A 3 a.m. Riddle Nicolas Waisman (May 30)
- Re: A 3 a.m. Riddle Matt Conover (May 30)
- Re: A 3 a.m. Riddle jf (May 30)
- Re: A 3 a.m. Riddle Nicolas Waisman (May 30)
- Re: A 3 a.m. Riddle Dave Aitel (May 30)
- Re: A 3 a.m. Riddle Nicolas Waisman (May 30)
- Re: A 3 a.m. Riddle Brett Moore (May 30)
- <Possible follow-ups>
- Re: A 3 a.m. Riddle Piotr Bania (May 30)
- Re: A 3 a.m. Riddle Chris Anley (May 30)
- Re: A 3 a.m. Riddle Nicolas Waisman (May 30)