Full Disclosure mailing list archives
Win32 Heap Exploits
From: Stefan Lochbihler <steve01 () chello at>
Date: Thu, 29 Dec 2005 01:51:51 +0100
Hi there,

While collecting some knowledge about heap overflows I ran into a few problems. Please take a look below to help me with them.

I wrote a little daemon with the following code:

hp=HeapCreate(NULL,1000,2000);

when recvdata:
hp1=HeapAlloc(hp,NULL,500);
strcpy(hp1,buffer);
HeapFree(hp,NULL,hp1);

For debugging I opened the server with OllyDbg. The second time I send my exploit, my pointers get copied to the stack and the thread information block.

eax=7FFDDFFC (tib-4)
ecx=0012F358 (address 4 bytes before pointer to heap)

Mov [ecx],eax
Mov [eax+4],ecx

-> [7FFDE000] 0012F358
   [0012F358] 7FFDDFFC   Pointer to next SEH record
   [................] 00390688   SE handler

After this OllyDbg stops because of an access violation. When I pass the exception, the shellcode gets successfully executed. (The shellcode uses some tricks from Litchfield to repair the heap.) But if I execute the server without OllyDbg, nothing happens.

Does anybody have an idea what I am doing wrong?

Tested on a WinXP SP1 system.

cheers
Steve
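Added example, not from Steve's post and not Windows code: a C model of the free-list unlink that the two mov instructions in the dump perform (Blink->Flink = Flink, then Flink->Blink = Blink), placed next to the safe-unlinking consistency check that Windows added to its heap from XP SP2 onwards, which refuses an entry whose neighbours no longer point back at it, and a bounded copy in place of the strcpy. The FreeEntry and Chunk layouts, the 16-byte data area, the decoy entry and the oversized input are all constructed for the simulation and do not reproduce the real HEAP_FREE_ENTRY structure.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy free-list entry: the two list pointers at the start of a free chunk.
   Constructed for this simulation; not the real HEAP_FREE_ENTRY layout. */
typedef struct FreeEntry {
    struct FreeEntry *Flink;
    struct FreeEntry *Blink;
} FreeEntry;

/* A chunk in use, followed in memory by the header of the next (free) chunk,
   so that a copy running past data[] lands on that header. */
typedef struct {
    char data[16];
    FreeEntry next_header;
} Chunk;

/* Unlink exactly as the post's disassembly does it:
     mov [ecx], eax     ; Blink->Flink = Flink
     mov [eax+4], ecx   ; Flink->Blink = Blink
   Both pointers are taken from the chunk without verification. */
int unlink_unchecked(FreeEntry *e)
{
    FreeEntry *f = e->Flink, *b = e->Blink;
    b->Flink = f;
    f->Blink = b;
    return 1;
}

/* Safe unlinking: proceed only if both neighbours still point back at e.
   Returns 0 (and writes nothing) when the list is inconsistent. */
int unlink_safe(FreeEntry *e)
{
    FreeEntry *f = e->Flink, *b = e->Blink;
    if (f->Blink != e || b->Flink != e)
        return 0;
    b->Flink = f;
    f->Blink = b;
    return 1;
}

/* Copies every input byte into the chunk regardless of data[]'s size, as the
   post's strcpy does with a long input. Given an explicit length here so the
   simulated input may contain pointer bytes that happen to be zero. */
void copy_unbounded(Chunk *c, const unsigned char *src, size_t n)
{
    memcpy((unsigned char *)c, src, n);  /* n may run past c->data */
}

/* Bounded replacement: refuses input that does not fit the data area. */
int copy_bounded(Chunk *c, const unsigned char *src, size_t n)
{
    if (n > sizeof c->data)
        return 0;
    memcpy(c->data, src, n);
    return 1;
}

/* Runs one scenario. Return values:
     1  entry unlinked from an intact list (normal free)
     0  unlink refused because the entry's pointers were corrupted
     2  unlink proceeded on corrupted pointers; both writes landed in
        the decoy entry that the oversized input pointed at */
int run_scenario(int bounded_copy, int safe_unlink)
{
    FreeEntry head, decoy = { NULL, NULL };
    Chunk chunk;
    FreeEntry *e = &chunk.next_header;

    /* Circular list: head <-> e */
    head.Flink = head.Blink = e;
    e->Flink = e->Blink = &head;

    /* Constructed oversized input: filler over data[], then two copies of
       the decoy's address where the next header's Flink/Blink live. */
    unsigned char payload[sizeof(Chunk)];
    FreeEntry *p = &decoy;
    memset(payload, 'A', sizeof payload);
    memcpy(payload + offsetof(Chunk, next_header), &p, sizeof p);
    memcpy(payload + offsetof(Chunk, next_header) + sizeof p, &p, sizeof p);

    if (bounded_copy)
        copy_bounded(&chunk, payload, sizeof payload);   /* rejected: too long */
    else
        copy_unbounded(&chunk, payload, sizeof payload); /* header overwritten */

    int unlinked = safe_unlink ? unlink_safe(e) : unlink_unchecked(e);
    if (!unlinked)
        return 0;
    if (decoy.Flink == &decoy && decoy.Blink == &decoy)
        return 2;
    return 1;
}

int main(void)
{
    printf("unbounded copy + unchecked unlink: %d\n", run_scenario(0, 0));
    printf("unbounded copy + safe unlink     : %d\n", run_scenario(0, 1));
    printf("bounded copy + unchecked unlink  : %d\n", run_scenario(1, 0));
    printf("bounded copy + safe unlink       : %d\n", run_scenario(1, 1));
    return 0;
}
```

Both unlink variants dereference Flink and Blink, so on a real heap a corrupted entry that points at unmapped memory faults before any consistency check runs; the check only helps when the pointers are mapped. The bounded copy is the fix that matters: it keeps the next header intact, so the free list never sees bytes from the network at all.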