Dailydave mailing list archives

Re: Understanding Windows Heap Overflows


From: pbb <pbb () 65535 com>
Date: Wed, 05 Oct 2005 09:55:33 +0100

Thanks for the suggestions, I thought I'd post the simplest program I was playing with but I think you are right. That was the example code from David Litchfield's blackhat 2004 heap talk. I had another one that allocated 2 heaps then copied on the first then freed.

My fiancée went to Ruxcon and was telling me about Brett Moore's talk, sounded very interesting. I'll have to have a look at the talks if I can get my hands on some of them.

If I am going to get my target app to call a register, then don't I still need to do a 4-byte overwrite of something like the exception handler? Isn't using the register so that, on the overwrite, if you can have say ebx pointing to your heap, then you get it to execute that call to ebx so your injected code is run? As I said, I actually got the SP2 example to work but couldn't step through it.

I haven't read anything by Matt Conover so I will look into that (btw, does everyone here think of Matt Pietrek, but I guess he's more file formats and DLLs).

I like your suggestion so I think I'll make a simple prog that reads from a socket (which makes input of the overflow easier) and try that.

Thanks everyone for your suggestions.

Paul.

Ben Nagy wrote:

Hi,

There were a couple of talks at Ruxcon in Australia which might help you. I
attempted to do one that condensed work by a whole lot of different people
into something simple (well as simple as it's going to get) and
understandable - but that will only cover the theory.

The other thing I thought was much cooler was that Brett Moore stood up
right afterwards and owned some random app with a heap-based long file
parameter bug, and he did it by stages so you could see what was going on.
As he said, the heap is wacky - you might not even need to attack the heap
management routines themselves if you can make your target app eventually
call a register you control (which is what happened). Given that the 4-byte
overwrites get crazy under SP2 and a lot of tasty pointers are encoded /
removed / randomised that kind of approach is (imho) Teh Futur. Hopefully
his demo files will go up as well as his slides (right Brett? ;).

In terms of references, you didn't mention any Windows papers by Matt
Conover - I would highly recommend you get anything you can by him, but the
CSW Conover/Oded presentation in particular is a must-read.

Finally, in your code, I'm not sure it's a good test proggie, is it? For
Conover's coalesce on free 4-byte you need h1 to get freed, and for a
busy-block overwrite like Halvar's virtualalloc 4-byte then you need your
faked (next to h1) block to get freed. Well, anyway, you usually want
_something_ to be freed.

The exceptions are the "maybe there happens to be a free block that happens
to be next to my buffer, and the second alloc will provoke a list deletion"
style attacks, which you shouldn't need for < SP2 (plus they require the heap
layout to be just so).

If you want to follow that up with a 4-to-n-byte overwrite via the lookaside
lists then you'll need your test program to do some realistic pointer
copies, because it needs to copy badstuff --> my sekrit location at some
point.

--- code reprint ---
    h1 = HeapAlloc(hp,HEAP_ZERO_MEMORY,26);

    printf("HEAP: %.8x %.8x\n", h1, &h1);

    // Heap overflow occurs here:
    strcpy(h1, buf);

    // The second call to HeapAlloc() is when we gain control
    h2 = HeapAlloc(hp,HEAP_ZERO_MEMORY,26);
--- end code ---

So, my suggestion would be that you code something that does "loop: get a
packet from client, allocate heap space, copy the packet data unsafely, free
the block when done". Have a play with that and you might have more fun.

Anyway, good luck.

Cheers,

ben

-----Original Message-----
From: Brett Moore [mailto:brett.moore () security-assessment com]
[...]
As for the heap stuff.... The heap is a fickle place...
a) Try longer / shorter bursts of data
b) Try data of different chars (ie: X or A or Y) etc... I used to find
0x48  a good heap manipulator (H).

Good luck
[...]
-----Original Message-----
From: pbb [mailto:pbb () 65535 com]
[...]
With the example given, I couldn't get it to do anything, no 4 byte
overwrite.
[...]
----- Original Message ----- From: "pbb" <pbb () 65535 com>
[...]
I really would like to get to grips with Heap overflows. [...]
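As an added example, not code from any of the posters: the loop Ben suggests (get a packet, allocate a heap block, copy the data, free the block), with the fixed-size strcpy() from the reprinted snippet beside a length-checked version of the same handler. The non-Windows shim for HeapAlloc/HeapFree and the inline "packets" are assumptions; on Windows it compiles against the real heap API.

```c
/* Added example (not code from the thread): Ben's "get packet, allocate,
 * copy, free" loop with the fixed-size strcpy() from the reprinted snippet
 * beside a bounds-checked version. Packets are constructed inline, no
 * sockets. The shim is an assumption so the file builds off Windows too. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else                               /* minimal stand-ins for the Win32 heap API */
typedef void *HANDLE;
#define HEAP_ZERO_MEMORY 0
static void *HeapAlloc(HANDLE h, unsigned f, size_t n) { (void)h; (void)f; return calloc(1, n); }
static int HeapFree(HANDLE h, unsigned f, void *p) { (void)h; (void)f; free(p); return 1; }
#endif

#define BLOCK_SIZE 26   /* same fixed allocation as the thread's test program */
/* Unsafe handler: fixed block, unbounded strcpy() of packet data.
 * Any packet of BLOCK_SIZE or more bytes overruns the heap block. */
void handle_packet_unsafe(HANDLE hp, const char *pkt) {
    char *h1 = HeapAlloc(hp, HEAP_ZERO_MEMORY, BLOCK_SIZE);
    if (!h1) return;
    strcpy(h1, pkt);                 /* heap overflow if strlen(pkt) >= BLOCK_SIZE */
    HeapFree(hp, 0, h1);
}

/* Hardened handler: check the length before allocating, copy with an explicit
 * bound, always NUL-terminate. Returns 1 if processed, 0 if rejected. */
int handle_packet_safe(HANDLE hp, const char *pkt, size_t pkt_len) {
    if (pkt_len >= BLOCK_SIZE) return 0;   /* no room for data plus NUL */
    char *h1 = HeapAlloc(hp, HEAP_ZERO_MEMORY, BLOCK_SIZE);
    if (!h1) return 0;
    memcpy(h1, pkt, pkt_len);
    h1[pkt_len] = '\0';
    HeapFree(hp, 0, h1);
    return 1;
}

int main(void) {
    HANDLE hp = NULL;                /* shim ignores the heap handle */
#ifdef _WIN32
    hp = HeapCreate(0, 0, 0);
#endif
    /* constructed packets: one that fits, one 40-byte overlong "AAAA..." burst */
    const char *pkts[] = { "HELLO", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" };
    handle_packet_unsafe(hp, pkts[0]);   /* only ever fed the in-bounds packet here */
    for (size_t i = 0; i < 2; i++)
        printf("packet %zu: %s\n", i, handle_packet_safe(hp, pkts[i], strlen(pkts[i])) ? "accepted" : "rejected");
    return 0;
}
```

The safe handler rejects the 40-byte burst outright, which is the check the original test program (and the kind of long-parameter bug Brett demoed) lacks.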
