RE: Understanding Windows Heap Overflows

["Ben Nagy" <ben () iagu net>]

Hi,

There were a couple of talks at Ruxcon in Australia which might help you. I
attempted to do one that condensed work by a whole lot of different people
into something simple (well as simple as it's going to get) and
understandable - but that will only cover the theory.

The other thing I thought was much cooler was that Brett Moore stood up
right afterwards and owned some random app with a heap-based long file
parameter bug, and he did it by stages so you could see what was going on.
As he said, the heap is wacky - you might not even need to attack the heap
management routines themselves if you can make your target app eventually
call a register you control (which is what happened). Given that the 4-byte
overwrites get crazy under SP2 and a lot of tasty pointers are encoded /
removed / randomised that kind of approach is (imho) Teh Futur. Hopefully
his demo files will go up as well as his slides (right Brett? ;).

In terms of references, you didn't mention any Windows papers by Matt
Conover - I would highly recommend you get anything you can by him, but the
CSW Conover/Oded presentation in particular is a must-read.

Finally, in your code, I'm not sure it's a good test proggie, is it? For
Conover's coalesce on free 4-byte you need h1 to get freed, and for a
busy-block overwrite like Halvar's virtualalloc 4-byte then you need your
faked (next to h1) block to get freed. Well, anyway, you usually want
_something_ to be freed.

The exception are the "maybe there happens to be a free block that happens
to be next to my buffer, and the second alloc will provoke a list deletion"
style attacks which you shouldn't need for < SP2 (plus they require the heap
layout to be just so).

If you want to follow that up with a 4-to-n-byte overwrite via the lookaside
lists then you'll need your test program to do some realistic pointer
copies, because it needs to copy badstuff --> my sekrit location at some
point.

--- code reprint ---
                h1 = HeapAlloc(hp,HEAP_ZERO_MEMORY,26);

           printf("HEAP: %.8x %.8x\n", h1, &h1);

           // Heap overflow occurs here:
           strcpy(h1, buf);

           // The second call to HeapAlloc() is when we gain control

           h2 = HeapAlloc(hp,HEAP_ZERO_MEMORY,26);
--- end code ---

So, my suggestion would be that you code something that does "loop: get a
packet from client, allocate heap space, copy the packet data unsafely, free
the block when done". Have a play with that and you might have more fun.

Anyway, good luck.

Cheers,

ben

> -----Original Message-----
> From: Brett Moore [mailto:brett.moore () security-assessment com]
[...]
> As for the heap stuff.... The heap is a fical place...
> a) Try longer / shorter bursts of data
> b) Try data of different chars (ie: X or A or Y) etc... I used to find
> 0x48  a good heap manipulator (H).
>
> Good luck
[...]
> -----Original Message-----
> From: pbb [mailto:pbb () 65535 com]
[...]
> With the example given, I couldn't get it to do anything, no 4 byte
> overwrite.
[...]
> > ----- Original Message ----- From: "pbb" <pbb () 65535 com>
[...]
> > > I really would like to
> get to grips
> > > with Heap overflows. [...]