Vulnerability Development mailing list archives
PEB heap exploitation question
From: <6d79676d61696c6163636f756e74 () gmail com>
Date: 21 May 2005 05:14:51 -0000
Hello folks, I am trying to modify an exploit to use the PEB method to exploit a heap overflow which currently overwrites the unhandled exception filter.

What I have tried doing is to make 2 writes - the first, overwriting the FastPEBLockRoutine pointer to a writable address inside the PEB, then what I have been told is that I need to overwrite the freelist head for the allocated size with the same address so that the next allocation would be made from there and the shellcode would be placed at that location (thus this requires the application to stay alive after the first overwrite).

I am having trouble figuring out where the heap base address is and what size the vulnerable application is allocating - thus I don't know the address of the freelist which I need to overwrite. I am also having trouble making the program not crash after overwriting the PEB - thus I don't even reach the point of overwriting the freelist. I don't know why this is happening because the PEB is writable and indeed was overwritten with my address. It seems to be crashing somewhere inside RtlAllocateHeap when it is accessing a weird random address (not data which I sent).

Is there a method of exploitation which is SP independent and does not require multiple successful writes? What is the best way to debug the service and find the allocation size and base heap address?

Your help is greatly appreciated!
Current thread:
- PEB heap exploitation question 6d79676d61696c6163636f756e74 (May 23)
- <Possible follow-ups>
- Re: PEB heap exploitation question nolimit bugtraq (May 25)