Re: Understanding Windows Heap Overflows

[Mårten Cassel <mcassel () kth se>]

Hi,

It seems for a security newbie like me  with two years experience of
reversing c++ apps, that doing Windows Heap overflows is quite a advance
reverse engineering exercise. Mayby that where the problem is for you?
 My advice would be to not get lost in the technical details and approach
the attack from a top down perspective... it can happen really easy when 
reversing complex software.

A good introduction essay on Memory Attacks can be found at:

http://www.kernelthread.com/publications/security/dmemory.html

Marten

> Hi everyone,
>
> I've been a long time lurker but never posted. I know Dave suggested to
> me to post about Buffy ;) but I really would like to get to grips with
> Heap overflows. I have been trying to understand the Heap Overflow in
> windows and have been fumbling with IDAPro and Visual Studio to try and
> understand the concept for a while now (in between real life). I have
> been reading as many papers as I could and have read the following and
> assumed I had some understanding of them(I listed them at the bottom). I
> have managed to get the example code from Defeating Microsoft Windows XP
> SP2 Heap protection and DEP bypass by Alexander Anisimov to work but not
> in Visual Studio. I read somewhere (long time ago) that the debugger can
> ruin the overflow as it intercepts or re-writes the exception handler
> which you are trying to overflow. I tried to get David Litchfields
> example code from his blackhats presentation in 2004 to work (on a sp1
> XP box, so no heap protection) but inisde or outside a debugger it
> wouldn't work.
>
> I thought I understood the theory of the overwrite of the heap control
> structure but struggle to be able to see it in practice. Is there a way
> to step through the overflow in a debugger, can anyone give me example
> code and a suggested platform to help me see it in action. I realise
> there are a couple of different ways to gain the EIP whether it's
> through the UEF or PEB or SEH but how do I know which one to use. I also
> realise that with a 4 byte overwrite you may need to somewhere that
> calls or jmps to a register that points to your heap but I haven't
> managed to step through it with a debugger. As it's abusing the heap
> management of the OS is it possible to step through in a debugger.
>
> I have been on Halvar's "Analyzing Software for Security
> Vulnerabilities" blackhat course (not that I've had time to put much of
> that in practice.
>
> Need more time :)) And would like to start reversing some applications
> that I think have heap overflows in them and attempt to write an
> overflow but I'm not confident enough that I know what I'm doing.
>
> I've Read these papers, can anyone suggest any others? (probably need to
> re-read them again though.)
> blackhats-win-04-litchfield-code.rtf
> blackhats-win-04-litchfield.ppt
> phrack 61-6 Advanced Doug lea malloc exploits
> Managing Heap Memory in Win32 -MSDN
> defeating-xpsp2-heap-protection - Alexander Anisimov
> Practical-SEH-exploitation.pdf - Johnny Cyberpunk
> msrpcheap.pdf - Of course Dave Aitel
> msrpcheap2.pdf - Of course Dave Aitel
> Practical Win32 and Unicode exploitation - Phenoelit
>
> If I had a simple program like below could I overflow it and learn the
> theory? (stolen from I think the shellcoder's handbook) What am I
> looking for and how can I see this somewhere else.
>
> Thanks Guys for your time and hope this newbie questions doesn't anony
> anyone.
>
> Paul.
>
> Here's one I was trying to step through in a debugger.
>
> #include <stdio.h>
> #include <windows.h>
>
> DWORD MyExceptionHandler(void);
> int foo(char *buf);
>
> int main(int argc, char *argv[])
> {
>    char *filename = NULL; // filename of the data to overflow with.
>    HMODULE l; // library handle
>    FILE *fp_overflowFile = NULL; // pointer to datafile
>    char *buffer = NULL;
>    int count = 0;
>    int check = 0;
>
>    l = LoadLibrary("mscvrt.dll");
>    l = LoadLibrary("netapi32.dll");
>
>    printf("\n\nHeap overflow program.\n");
>    if( argc != 2)
>    {
>        return printf("ARGS!");
>    }
>
>    foo(argv[1]);
>    return 0;
> }
>
> DWORD MyExceptionHandler(void)
> {
>    printf("In exception handler ...");
>    ExitProcess(1);
>    return 0;
> }
>
> int foo(char *buf)
> {
>    HLOCAL h1 =0, h2 = 0;
>    HANDLE hp;
>
>    __try{
>            hp = HeapCreate(0,0x1000,0x10000);
>            if(!hp)
>                return printf("Failed to create heap.\n");
>
>            h1 = HeapAlloc(hp,HEAP_ZERO_MEMORY,26);
>
>            printf("HEAP: %.8x %.8x\n", h1, &h1);
>
>            // Heap overflow occurs here:
>            strcpy(h1, buf);
>
>            // The second call to HeapAlloc() is when we gain control
>
>            h2 = HeapAlloc(hp,HEAP_ZERO_MEMORY,26);
>    }
>    __except(MyExceptionHandler()){
>            printf("Exception occured...");
>    }
>    return 0;
> }