Vulnerability Development mailing list archives

Re: ColdFusion Heap Overflow -continued


From: "Riley Hassell" <rhassell () eeye com>
Date: Tue, 3 Dec 2002 00:26:43 -0800


If you can move 4 bytes of choice to any location in your virtual
environment you can overwrite any stored 32 bit address. Loaded image data
sections and loader environment data have reliable addresses due to the
support of basing by the operating system and loader. If you want immediate
execution overwrite a hook address. Many API suites have hooks you can
overwrite. The hook you choose depends on the situation of the vulnerability
you are dealing with.

In this situation you may throw a fault after the following 'mov'
instruction attempts to access a memory address of the data you supplied. If
the 4 bytes you overwrote data with do not signify a valid address, a fault
will be issued. So use the fault-handling system in place. On win* this is
structured exception handling.

When a fault is generated in a thread, an exception list is taken from the
thread's TIB. This list is cycled twice and then the default exception
handler is called. This default exception handler is in charge of generating
a window so that the interface user can see the application had a fatal
error. To allow the configurability of this default behavior developers
introduced a hook so that another developer in the future could create his
or her own default handler.

This hook is loaded into an address that can be modified at runtime; it's
also loaded in data with write privilege. Overwrite it with a relative
address of a call or jmp that references a stack offset. This stack offset
is where the address of your payload buffer will be. Keep in mind that if
you can't find a sufficient byte sequence for your relative call, any data
on the stack is seen as code to the processor during execution. Use any
value you can control on the stack for your benefit. Every 32 bit function
variable is an instruction up to 4 bytes in length if you can control it.
Data sizes, IDs, indexes, port numbers...

Turn your stack into a big buffer of your code :)


-R


Riley Hassell
Security Research Associate
eEye Digital Security





----- Original Message -----
From: "Gary O'leary-Steele" <garyo () sec-1 com>
To: <pen-test () securityfocus com>; <vuln-dev () securityfocus com>
Sent: Friday, November 15, 2002 9:26 AM
Subject: ColdFusion Heap Overflow -continued


Hi all,

I am attempting to write exploit code for the coldfusion heap overflow
(still).

On advice from various people on the secfocus list I have installed SoftICE and
located the exception handler in question.

The handler code starts at

0x77f82b95

The code I am trying to manipulate is at

0x77f8e43b Mov ecx, [ebp+0x18]
0x77f8e43e call ecx

where ebp changes each time the exception is called

I can control the following values within the following instruction,

mov [ecx], eax


where ecx and eax can be any value I specify. The problem (or my lack of
understanding) is that the stack frame is set up when the exception is
handled and I can't seem to write to [ebp+0x18] due to the fact it changes
etc. (stop me if I'm wrong).

Attempting to overwrite the instruction (sorry if this is a basic can't
do) with mov [ecx], eax where ecx = 0x77f8e43b and eax = 0x41414141 doesn't
seem to do anything?


Any help or pointers are greatly appreciated.




Thanks in advance.

Kind Regards
Gary
Sec-1

