Full Disclosure mailing list archives

Win32 Heap Exploits


From: Stefan Lochbihler <steve01 () chello at>
Date: Thu, 29 Dec 2005 01:51:51 +0100

Hi there

While collecting some knowledge about heap overflows
I ran into a few problems. Please take a look below to help me
with them.

I wrote a little daemon with the following code.

#include <windows.h>
#include <string.h>

HANDLE hp = HeapCreate(0, 1000, 2000);   /* private heap, 1000 bytes initial, 2000 max */
/* when data is received: */
char *hp1 = (char *)HeapAlloc(hp, 0, 500);
strcpy(hp1, buffer);                     /* no length check: the overflow under study */
HeapFree(hp, 0, hp1);


For debugging I opened the server with OllyDbg.
The second time I send my exploit, my pointers get copied to the stack and the thread information block.

eax=7FFDDFFC  (TIB-4)
ecx=0012F358  (address 4 bytes before the pointer to the heap)

Mov [ecx],eax
Mov [eax+4],ecx

->
[7FFDE000] 0012F358

[0012F358] 7FFDDFFC  Pointer to next SEH record
[................] 00390688     SE handler

After this OllyDbg stops because of an access violation.

When I pass the exception, the shellcode gets executed successfully.
(The shellcode uses some tricks from Litchfield to repair the heap.)

But if I execute the server without OllyDbg, nothing happens.
Does anybody have an idea what I am doing wrong? Tested on a Windows XP SP1 system.

cheers
Steve



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

