Vulnerability Development mailing list archives
Re: win32 heap overflow exploitation
From: "Dave Korn" <davek_throwaway () hotmail com>
Date: Mon, 27 Oct 2003 15:53:01 +0000
----- Original Message ----- From: "Barnaby Jack" <bjack () eeye com> Sent: Monday, October 27, 2003 5:26 AM ----- Original Message ----- From: "Adik" <netninja () hotmail kg> Sent: Sunday, October 26, 2003 3:29 AMHi there folks,I'm havin a problem exploiting an application vulnerable to heap overflow. i can write 4 bytes to any place in the memory.mov dword ptr[eax], ecx mov dword ptr[ecx+4], eaxI control ecx and eax. I tried overwriting unhandledexceptionfilter pointer (located at address 77ee044c) with a pointer to call [ebp-28] this iswhere a pointer to my shellcode is located.eax=77ee044c <--- unhandledexceptionfilter pointer of my version of Windowsecx=77f8ce83 <--- .text unwritable address points to -> call [ebp-28] The second line mov dword ptr[ecx+4], eax suppouse to trigger accessviolation on write , because ecx is unwritable address thus invokin exception handler. Because exception handler address is overwritten with pointer to call [ebp-28], it should theoretically execute call [ebp-28] then my shellcode. But its not doin so. Maybe i'm doin somethin wrong. A little help on that would b great.Have you set a breakpoint on the filter to verify that the offset contains your data? If using the unhandled exception filter your data should also exist at [esi+4c].
Another possibility is that you are running the code under a debugger. UnhandledExceptionFilter detects this, and deliberately doesn't call the pointer you've overwritten in that case. Here's the relevant code, from w2k sp2 - your version should be very similar:
0:001> u KERNEL32!UnhandledExceptionFilter+6b: 77eb9910 6a07 push 0x7 77eb9912 e8c3d1fcff call KERNEL32!GetCurrentProcess (77e86ada) 77eb9917 50 push eax77eb9918 ff15b810e877 call dword ptr [KERNEL32!_imp__NtQueryInformationProcess (77e810b8)]
77eb991e 3bc3 cmp eax,ebx77eb9920 7c09 jl KERNEL32!UnhandledExceptionFilter+0x7a (77eb992b)
77eb9922 395dc8 cmp [ebp-0x38],ebx77eb9925 0f8529020000 jne KERNEL32!UnhandledExceptionFilter+0x2c3 (77eb9b54) 77eb992b a14cf4ed77 mov eax,[KERNEL32!BasepCurrentTopLevelFilter (77edf44c)]
77eb9930 3bc3 cmp eax,ebx77eb9932 740d jz KERNEL32!UnhandledExceptionFilter+0x98 (77eb9941)
77eb9934 56 push esi 77eb9935 ffd0 call eaxThe call to NtQueryInformationProcess with info type 7 checks if a debugger is attached by seeing if the process debug port setting is non-NULL. If so, the code flow jumps to 0x77eb9b54, which exits and allows the debugger to get at the unhandled exception. So if you're running under the debugger, this branch will be taken. You can bypass this branch (replace with nops) so as to get the expected behaviour under the debugger. Or, noticing that if the NtQuery.... call fails, the test is bypassed and your overwritten exception handler is always called, you can edit the "cmp eax,ebx" to "nop; dec eax" so as to always trigger the jl on the next line: so on w2k sp2, in windbg, you'd just say
eb 77eb991e 90 48 and then your shellcode should be called.Credit is due to Dave Aitel, for mentioning this in his writeup of the recent DCOM bug "MSRPC Heap Overflow Part II". I've only just started experimenting with heap-based overflows myself and it took me ages of single stepping through UnhandledExceptionFilter to see why my function wasn't getting called, then I remembered reading this paper and the penny dropped. Cheers Dave!
DaveK _________________________________________________________________It's fast, it's easy and it's free. Get MSN Messenger today! http://www.msn.co.uk/messenger
Current thread:
- win32 heap overflow exploitation Adik (Oct 26)
- RE: win32 heap overflow exploitation Brett Moore (Oct 26)
- <Possible follow-ups>
- Re: win32 heap overflow exploitation Barnaby Jack (Oct 26)
- Re: win32 heap overflow exploitation Dave Korn (Oct 27)