Full Disclosure mailing list archives
Exploiting heap overflows in W2K
From: Ivan Stroks <ivanstroks () yahoo co nz>
Date: Tue, 1 Aug 2006 07:46:23 +1200 (NZST)
Hi list,

I am trying to exploit a heap buffer overflow vulnerability and facing some problems; hope you could help. I run the vulnerable program in a VMWare, attached with Olly. These are my problems:

1. I control both EAX and ESI when the program goes to

    mov [esi], eax
    mov [eax + 4], esi

First of all, I tried gaining control of execution through the PEB but, according to Halvar's presentation, there are some restrictions on what you can write in the header of the overflowed buffer. Quoting:

"Properties our block must have:
Bit 0 of Flags must be set
Bit 3 of Flags must be set
Field_4 must be smaller than 0x40
The first field (own size) must be larger than 0x80
The block XXXX99XX meets all requirements"

So, supposing the PEB pointer to overwrite is 0x7FFDF020, I would need to specify for example XXXX20f0fd7f, but this is not matching the required properties and so RtlFreeHeap exits. I am sure I must be missing something here, but can't find it.

2. An additional problem I am facing, due to the fact that this is my first heap overflowing session, is that when I trigger the vulnerability as soon as the program comes back from "revert snapshot" then I get to rtlHeapFree OK, but if some other requests are performed to the program before, then I cannot reproduce that behaviour again and different behaviours and situations arise. It is obvious that my exploit won't be the first request the program receives, so how can I manage this?

Hope you could help!

Regards,
IvaN!
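The free-list unlink the post describes ("mov [esi], eax / mov [eax + 4], esi") trusts both neighbour links, which is why stomped Flink/Blink fields become a pointer-sized write; later Windows heaps closed this with safe unlinking. Below is an added C model of both behaviours (not code from the post or from Windows); the list entries, `victim` and `sink` are constructed stand-ins, not real heap structures:

```c
#include <stdbool.h>
#include <stddef.h>

/* Free-list entry with Flink/Blink, modelled on the NT heap's LIST_ENTRY. */
typedef struct entry { struct entry *flink, *blink; } entry_t;

/* Unlink as the post describes it ("mov [esi], eax / mov [eax + 4], esi"): both
 * neighbour pointers are trusted, so stomped links become attacker-chosen stores. */
static void unlink_naive(entry_t *e) {
    entry_t *nxt = e->flink, *prv = e->blink;
    prv->flink = nxt;   /* store nxt at prv+0 */
    nxt->blink = prv;   /* store prv at nxt+sizeof(void*) */
}
/* Safe unlinking (added in later Windows heaps): refuse unless both neighbours
 * still point back at e, so corrupted links are never dereferenced for a write. */
static bool unlink_safe(entry_t *e) {
    entry_t *nxt = e->flink, *prv = e->blink;
    if (nxt->blink != e || prv->flink != e)
        return false;           /* list corruption detected */
    prv->flink = nxt;
    nxt->blink = prv;
    return true;
}

/* Constructed scenario: head <-> a <-> b; an overflow out of a rewrites b's
 * links so that unlinking b aims the stores at `victim`. */
static entry_t head, a, b, victim, sink;

static void build_list(void) {
    head.flink = &a;  a.blink = &head;
    a.flink = &b;     b.blink = &a;
    b.flink = &head;  head.blink = &b;
    victim.flink = victim.blink = sink.flink = sink.blink = NULL;
}
static void simulate_overflow_into_b(void) {
    b.flink = &sink;    /* value that will be stored */
    b.blink = &victim;  /* where it will be stored (victim+0) */
}

/* True if the naive unlink let the corrupted links write into victim. */
bool naive_unlink_corrupts(void) {
    build_list(); simulate_overflow_into_b(); unlink_naive(&b);
    return victim.flink == &sink && sink.blink == &victim;
}
/* True if safe unlinking rejects the same corruption and leaves victim alone. */
bool safe_unlink_detects(void) {
    build_list(); simulate_overflow_into_b();
    return !unlink_safe(&b) && victim.flink == NULL;
}
/* True if safe unlinking still works on an intact list. */
bool safe_unlink_intact(void) {
    build_list();
    return unlink_safe(&b) && head.blink == &a && a.flink == &head;
}
```

The Windows 2000 heap the post targets performs only the naive form; the header constraints quoted from Halvar's talk are the checks RtlFreeHeap does apply before reaching the unlink.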