Dailydave mailing list archives
RE: Understanding Windows Heap Overflows
From: "Ben Nagy" <ben () iagu net>
Date: Wed, 5 Oct 2005 10:52:30 +0700
Hi, There were a couple of talks at Ruxcon in Australia which might help you. I attempted to do one that condensed work by a whole lot of different people into something simple (well as simple as it's going to get) and understandable - but that will only cover the theory. The other thing I thought was much cooler was that Brett Moore stood up right afterwards and owned some random app with a heap-based long file parameter bug, and he did it by stages so you could see what was going on. As he said, the heap is wacky - you might not even need to attack the heap management routines themselves if you can make your target app eventually call a register you control (which is what happened). Given that the 4-byte overwrites get crazy under SP2 and a lot of tasty pointers are encoded / removed / randomised that kind of approach is (imho) Teh Futur. Hopefully his demo files will go up as well as his slides (right Brett? ;). In terms of references, you didn't mention any Windows papers by Matt Conover - I would highly recommend you get anything you can by him, but the CSW Conover/Oded presentation in particular is a must-read. Finally, in your code, I'm not sure it's a good test proggie, is it? For Conover's coalesce on free 4-byte you need h1 to get freed, and for a busy-block overwrite like Halvar's virtualalloc 4-byte then you need your faked (next to h1) block to get freed. Well, anyway, you usually want _something_ to be freed. The exception are the "maybe there happens to be a free block that happens to be next to my buffer, and the second alloc will provoke a list deletion" style attacks which you shouldn't need for < SP2 (plus they require the heap layout to be just so). If you want to follow that up with a 4-to-n-byte overwrite via the lookaside lists then you'll need your test program to do some realistic pointer copies, because it needs to copy badstuff --> my sekrit location at some point. --- code reprint --- h1 = HeapAlloc(hp,HEAP_ZERO_MEMORY,26); printf("HEAP: %.8x %.8x\n", h1, &h1); // Heap overflow occurs here: strcpy(h1, buf); // The second call to HeapAlloc() is when we gain control h2 = HeapAlloc(hp,HEAP_ZERO_MEMORY,26); --- end code --- So, my suggestion would be that you code something that does "loop: get a packet from client, allocate heap space, copy the packet data unsafely, free the block when done". Have a play with that and you might have more fun. Anyway, good luck. Cheers, ben
-----Original Message----- From: Brett Moore [mailto:brett.moore () security-assessment com]
[...]
As for the heap stuff.... The heap is a fical place... a) Try longer / shorter bursts of data b) Try data of different chars (ie: X or A or Y) etc... I used to find 0x48 a good heap manipulator (H). Good luck
[...]
-----Original Message----- From: pbb [mailto:pbb () 65535 com]
[...]
With the example given, I couldn't get it to do anything, no 4 byte overwrite.
[...]
----- Original Message ----- From: "pbb" <pbb () 65535 com>
[...]
I really would like toget to gripswith Heap overflows. [...]
Current thread:
- Understanding Windows Heap Overflows pbb (Oct 04)
- Re: Understanding Windows Heap Overflows MÃ¥rten Cassel (Oct 04)
- Message not available
- Re: Understanding Windows Heap Overflows pbb (Oct 04)
- Re: Understanding Windows Heap Overflows Dave Aitel (Oct 04)
- Re: Understanding Windows Heap Overflows pbb (Oct 04)
- RE: Understanding Windows Heap Overflows Brett Moore (Oct 04)
- RE: Understanding Windows Heap Overflows Ben Nagy (Oct 04)
- Re: Understanding Windows Heap Overflows pbb (Oct 05)
- RE: Understanding Windows Heap Overflows Brett Moore (Oct 05)
- Re: Understanding Windows Heap Overflows pbb (Oct 04)
- RE: Understanding Windows Heap Overflows Dave Korn (Oct 19)
- Re: Understanding Windows Heap Overflows Matt Conover (Oct 19)
- RE: Understanding Windows Heap Overflows Dave Korn (Oct 20)
- <Possible follow-ups>
- Understanding Windows Heap Overflows Matt Conover (Oct 06)
- Re: Understanding Windows Heap Overflows pbb (Oct 07)
- Re: Understanding Windows Heap Overflows Matt Conover (Oct 07)
- Re: Understanding Windows Heap Overflows Nicolas Waisman (Oct 07)
- Re: Understanding Windows Heap Overflows Dave Aitel (Oct 07)
- Re: Understanding Windows Heap Overflows pbb (Oct 07)