RE: Understanding Windows Heap Overflows

["Brett Moore" <brett.moore () security-assessment com>]

Paul,

Not sure if this is of any use. But with Visual Studio ensure you 
are breaking on all exceptions. Go into the debug->exception menu,
select all (except C++ exceptions) and change them to 'stop always'

As for the heap stuff.... The heap is a fical place...
a) Try longer / shorter bursts of data
b) Try data of different chars (ie: X or A or Y) etc... I used to find
0x48  a good heap manipulator (H).

Good luck

Brett 
-----Original Message-----
From: pbb [mailto:pbb () 65535 com] 
Sent: Wednesday, 5 October 2005 4:38 a.m.
To: halvar () gmx de
Cc: dailydave () lists immunitysec com
Subject: Re: [Dailydave] Understanding Windows Heap Overflows

If you remember from Blackhats, the one I showed you, was a management 
app (also had 7 threads) and had a 4byte overwrite but I couldn't get it 
consistantly to where I wanted (there seemed to be many pointer fix ups 
in the heap that made it crash before a control structure overwrite).

With the example given, I couldn't get it to do anything, no 4 byte 
overwrite. I seem not to be able to step through a overwrite of the UEF 
in visual studio, I read somewhere it was because the debugger 
overwrites the Exception handler already so the original pointer isn't 
called thus the overflow overwrites the wrong address.

I was able to get the SP2 one to work out of visual studio but not 
within, does anyone have a way around this issue.

Paul.

halvar () gmx de wrote:

> hey paul,
>
> have you gotten to the point of being able to write arbitrary data ?
>
> ----- Original Message ----- From: "pbb" <pbb () 65535 com>
> To: <dailydave () lists immunitysec com>
> Sent: Tuesday, October 04, 2005 2:04 AM
> Subject: [Dailydave] Understanding Windows Heap Overflows
>
>
> > Hi everyone,
> >
> > I've been a long time lurker but never posted. I know Dave suggested 
> > to me to post about Buffy ;) but I really would like to get to grips 
> > with Heap overflows. I have been trying to understand the Heap 
> > Overflow in windows and have been fumbling with IDAPro and Visual 
> > Studio to try and understand the concept for a while now (in between 
> > real life). I have been reading as many papers as I could and have 
> > read the following and assumed I had some understanding of them(I 
> > listed them at the bottom). I have managed to get the example code 
> > from Defeating Microsoft Windows XP SP2 Heap protection and DEP 
> > bypass by Alexander Anisimov to work but not in Visual Studio. I read 
> > somewhere (long time ago) that the debugger can ruin the overflow as 
> > it intercepts or re-writes the exception handler which you are trying 
> > to overflow. I tried to get David Litchfields example code from his 
> > blackhats presentation in 2004 to work (on a sp1 XP box, so no heap 
> > protection) but inisde or outside a debugger it wouldn't work.
> >
> > I thought I understood the theory of the overwrite of the heap 
> > control structure but struggle to be able to see it in practice. Is 
> > there a way to step through the overflow in a debugger, can anyone 
> > give me example code and a suggested platform to help me see it in 
> > action. I realise there are a couple of different ways to gain the 
> > EIP whether it's through the UEF or PEB or SEH but how do I know 
> > which one to use. I also realise that with a 4 byte overwrite you may 
> > need to somewhere that calls or jmps to a register that points to 
> > your heap but I haven't managed to step through it with a debugger. 
> > As it's abusing the heap management of the OS is it possible to step 
> > through in a debugger.
> >
> > I have been on Halvar's "Analyzing Software for Security 
> > Vulnerabilities" blackhat course (not that I've had time to put much 
> > of that in practice.
> >
> > Need more time :)) And would like to start reversing some 
> > applications that I think have heap overflows in them and attempt to 
> > write an overflow but I'm not confident enough that I know what I'm 
> > doing.
> >
> > I've Read these papers, can anyone suggest any others? (probably need 
> > to re-read them again though.)
> > blackhats-win-04-litchfield-code.rtf
> > blackhats-win-04-litchfield.ppt
> > phrack 61-6 Advanced Doug lea malloc exploits
> > Managing Heap Memory in Win32 -MSDN
> > defeating-xpsp2-heap-protection - Alexander Anisimov
> > Practical-SEH-exploitation.pdf - Johnny Cyberpunk
> > msrpcheap.pdf - Of course Dave Aitel
> > msrpcheap2.pdf - Of course Dave Aitel
> > Practical Win32 and Unicode exploitation - Phenoelit
> >
> > If I had a simple program like below could I overflow it and learn 
> > the theory? (stolen from I think the shellcoder's handbook) What am I 
> > looking for and how can I see this somewhere else.
> >
> > Thanks Guys for your time and hope this newbie questions doesn't 
> > anony anyone.
> >
> > Paul.
> >
> > Here's one I was trying to step through in a debugger.
> >
> > #include <stdio.h>
> > #include <windows.h>
> >
> > DWORD MyExceptionHandler(void);
> > int foo(char *buf);
> >
> > int main(int argc, char *argv[])
> > {
> >   char *filename = NULL; // filename of the data to overflow with.
> >   HMODULE l; // library handle
> >   FILE *fp_overflowFile = NULL; // pointer to datafile
> >   char *buffer = NULL;
> >   int count = 0;
> >   int check = 0;
> >
> >   l = LoadLibrary("mscvrt.dll");
> >   l = LoadLibrary("netapi32.dll");
> >
> >   printf("\n\nHeap overflow program.\n");
> >   if( argc != 2)
> >   {
> >       return printf("ARGS!");
> >   }
> >
> >   foo(argv[1]);
> >   return 0;
> > }
> >
> > DWORD MyExceptionHandler(void)
> > {
> >   printf("In exception handler ...");
> >   ExitProcess(1);
> >   return 0;
> > }
> >
> > int foo(char *buf)
> > {
> >   HLOCAL h1 =0, h2 = 0;
> >   HANDLE hp;
> >  
> >   __try{
> >           hp = HeapCreate(0,0x1000,0x10000);
> >           if(!hp)
> >               return printf("Failed to create heap.\n");
> >                    h1 = HeapAlloc(hp,HEAP_ZERO_MEMORY,26);
> >                    printf("HEAP: %.8x %.8x\n", h1, &h1);
> >                    // Heap overflow occurs here:
> >           strcpy(h1, buf);
> >                    // The second call to HeapAlloc() is when we gain 
> > control
> >                    h2 = HeapAlloc(hp,HEAP_ZERO_MEMORY,26);
> >   }
> >   __except(MyExceptionHandler()){
> >           printf("Exception occured...");
> >   }
> >   return 0;
> > }



e-mail protected and scanned by Bizo Email Filter - powered by Advascan