Vulnerability Development mailing list archives

Re: RunAs weirdness...


From: Riley Hassell <rhassell () eeye com>
Date: Thu, 20 Dec 2001 22:42:26 -1100





Yeap, what you're seeing is most likely an overflow in a wide character 
string copying routine. This can be exploited but you need to be able to send 
a significant amount of data, depending on the situation.

If EIP is 00410041 then you can have a payload anywhere in the range of 
00010001 -> 00ff00ff, unless there is some format checking of the data 
you're sending, then you're limited to the set of characters allowed through.

You need to find an area in heap that you can write to, that is in that 
range, which without a doubt there is.

If that service is restarted after you take it out then you have a fresh heap 
to work with, in that case exploitation can be automated. 

Basically flush the heap by nuking the process, then when it starts in a 
guessable range, fill it with between a 5000-30000 Nop/Pad slide that slips 
into your code.

Keep in mind that you can use any service to inject it into heap ;)

One more point: you may be able to format your data in a way that you don't 
need to "spray the heap." Take a look at HSJ's ida exploit, he had a neat 
little trick to get around that. It may or may not be available in this 
situation.

-----------
In the event that you're seeing the default exception handler pop up and it's 
dumping out due to the fact that it can't read or write to the memory address 
0x00410041, then it gets more interesting. To exploit that you have to 
be precise and timing is crucial. 

Just keep in mind:

If you get an access violation and you can control the data that it is 
attempting to read, write, or execute, almost every time you can control that 
process.  


-R

Riley Hassell
Network Penetration Specialist
eEye Digital Security

Get up...
and light the world on fire


On Wednesday 19 December 2001 08:18, you wrote:
I noticed that there are only two characters that are important as to which
memory location gets accessed character #'s 270 & 271 and there needs to be
at least 288 total characters. I found this by running

runas /user:administrator
---------------------------------------------------------------------------
-
---------------------------------------------------------------------------
-
---------------------------------------------------------------------------
- ------------------------------------------XY----------------
These can be upper or lower ASCII. There seems to be a memory location that
it goes to independent of what you type in. 0x002d0031
This happens when using ^A^A and a few other combinations that I have
tried.

Phillip Nordwall



-----Original Message-----
From: KRFinisterre () checkfree com [mailto:KRFinisterre () checkfree com]
Sent: Tuesday, December 18, 2001 10:12 AM
To: vuln-dev () security-focus com
Cc: recon () snosoft com
Subject: re: RunAs weirdness...

I tested the runas issue that was recently posted on my Win2k build
5.00.2195 box. The result was similar to jesperht () hotmail com's results
however I was able to see some of my data on the stack... from within
cygwin
I did Administrator@TERMSRV ~
$ runas /user:administrator
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
A AAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
A ABB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
B BBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

I noticed if you use too many chars that your data is no longer on the
stack at the point where it crashed... it references some other
point in memory.

The above string generated an error that stated:

The instruction at "0x77fc90cd" refrenced memory at "0x00420042". The
memory could not be "written"
Click on OK to terminate the program
Click CANCEL to debug the program.

The reason half of my string is A's and the other half is B's is because I
wanted to make sure that it was indeed my data
on the stack. If the string is all A's by themselves then the error is as
follows.

The instruction at "0x77fc90cd" refrenced memory at "0x00410041". The
memory could not be "written"
Click on OK to terminate the program
Click CANCEL to debug the program.

If you feed it too many A's you get the error
The instruction at "0x77dd7ef6" refrenced memory at "0x00078000". The
memory could not be "written"
Click on OK to terminate the program

and no option to debug.

If I remember correctly the .ida and .idq overflows on IIS left a similar
address on the stack with nulls in it like 0x00410041
and the fellas at eEye busted out some ninja technique to exploit it
anyway.
-KF
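The 0x00410041 / 0x00420042 fault addresses discussed in this thread are the signature of narrow input being widened to UTF-16 before an unbounded copy: every ASCII byte becomes a two-byte code unit with a zero high byte, so any four consecutive bytes of the copy form a dword of the shape 0x00XX00YY. The following added C example (not code from the thread or from any of its authors) models that expansion on constructed input and provides a triage check that maps such a fault address back to the two input bytes, or rejects addresses like 0x00078000 that do not fit the pattern. The function names and the 1024-byte scratch buffer are assumptions of this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Expand a narrow (ANSI) string into little-endian UTF-16 code units, the way a
 * wide-character copy lays the data out in memory. Writes 2 bytes per input
 * character, stops at out_cap, and returns the number of bytes written. */
size_t widen_le(const char *in, uint8_t *out, size_t out_cap) {
    size_t n = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p && n + 2 <= out_cap; p++) {
        out[n++] = *p;   /* low byte: the ASCII code itself            */
        out[n++] = 0x00; /* high byte: always zero for an ASCII source */
    }
    return n;
}

/* The 32-bit little-endian value that a widened copy of `in` places at byte
 * offset `off` (e.g. where a saved pointer sat). Returns 0 if out of range. */
uint32_t dword_at(const char *in, size_t off) {
    uint8_t buf[1024]; /* scratch buffer size is an assumption of this example */
    size_t n = widen_le(in, buf, sizeof buf);
    if (off + 4 > n) return 0;
    return (uint32_t)buf[off] | (uint32_t)buf[off + 1] << 8 |
           (uint32_t)buf[off + 2] << 16 | (uint32_t)buf[off + 3] << 24;
}

/* Triage check: does a fault address look like two widened input bytes
 * (0x00XX00YY with neither XX nor YY zero)? If so, recover the two bytes
 * in memory order and return 1; otherwise return 0. */
int looks_widened(uint32_t addr, unsigned char *first, unsigned char *second) {
    if ((addr & 0xff00ff00u) != 0) return 0;  /* both high bytes must be zero  */
    if ((addr & 0x000000ffu) == 0) return 0;  /* a zero low byte would need NUL */
    if ((addr & 0x00ff0000u) == 0) return 0;  /* likewise for the second unit   */
    *first  = (unsigned char)(addr & 0xff);
    *second = (unsigned char)((addr >> 16) & 0xff);
    return 1;
}

int main(void) {
    /* Constructed inputs mirroring the thread: all A's, then A's followed by B's. */
    const char *all_a = "AAAAAAAA", *a_then_b = "AAAABBBB";
    unsigned char c1, c2;
    printf("all A's, offset 0:   0x%08x\n", dword_at(all_a, 0));      /* 0x00410041 */
    printf("A/B boundary, off 6: 0x%08x\n", dword_at(a_then_b, 6));   /* 0x00420041 */
    uint32_t faults[] = { 0x00410041u, 0x00420042u, 0x00078000u, 0x77fc90cdu };
    for (size_t i = 0; i < sizeof faults / sizeof faults[0]; i++)
        if (looks_widened(faults[i], &c1, &c2))
            printf("0x%08x <- widened input bytes '%c','%c'\n", faults[i], c1, c2);
        else
            printf("0x%08x does not fit the widened-input pattern\n", faults[i]);
    return 0;
}
```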

