Penetration Testing mailing list archives
win32 heap overflow exploitation
From: Adik <netninja () hotmail kg>
Date: Sun, 26 Oct 2003 16:29:19 +0500 (KGT)
Hi there folks,

I'm having a problem exploiting an application vulnerable to a heap overflow. I can write 4 bytes to any place in memory:

    mov dword ptr [eax], ecx
    mov dword ptr [ecx+4], eax

I control ecx and eax. I tried overwriting the UnhandledExceptionFilter pointer (located at address 77ee044c) with a pointer to call [ebp-28]; this is where a pointer to my shellcode is located.

    eax=77ee044c  <--- UnhandledExceptionFilter pointer of my version of Windows
    ecx=77f8ce83  <--- .text, unwritable address, points to -> call [ebp-28]

The second line, mov dword ptr [ecx+4], eax, is supposed to trigger an access violation on write, because ecx is an unwritable address, thus invoking the exception handler. Because the exception handler address is overwritten with a pointer to call [ebp-28], it should theoretically execute call [ebp-28] and then my shellcode. But it's not doing so. Maybe I'm doing something wrong. A little help on that would be great.

What else can I overwrite with my 4 bytes except exception pointers? eEye mentioned overwriting PEB locking pointers. Could anyone please clarify that? I couldn't find info on it.

Any tips/tricks/methods/techniques/links/papers on exploiting Windows-based heap overflows would be greatly appreciated.

Thanks,
Adik
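The mechanism the post relies on, as an added example that is not part of the original message or any reply: the two-store primitive (mov [eax], ecx / mov [ecx+4], eax) is run with eax pointing at a writable function-pointer slot and ecx pointing at an address whose +4 is unwritable. The first store plants ecx in the slot; the second store faults, and the fault dispatcher then reads the slot and finds the planted value. Windows, kernel32 and the 77ee044c / 77f8ce83 addresses are not reproducible here, so the example is a POSIX stand-in (these are my assumptions, not the poster's setup): a global variable g_filter_slot plays the top-level filter pointer, an mmap'ed read-only page plays the .text address in ecx, and a SIGSEGV handler plays the exception dispatcher and records which pointer it would have called. The stores are word-sized rather than dword-sized so the slot can hold a pointer on 64-bit hosts.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Stand-in (assumption) for the writable pointer that the unhandled-exception
 * path reads to find the top-level filter; the real one lives in kernel32 data. */
static volatile uintptr_t g_filter_slot;

/* What the stand-in dispatcher observed when the fault fired. */
static volatile uintptr_t g_fault_addr;
static volatile uintptr_t g_dispatched_to;
static sigjmp_buf g_recover;

/* Stand-in for the OS exception dispatcher: on an access violation it reads the
 * filter slot (which the first store has already overwritten) and would call it. */
static void dispatcher(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)ctx;
    g_fault_addr = (uintptr_t)si->si_addr;
    g_dispatched_to = g_filter_slot;
    siglongjmp(g_recover, 1);
}

/* The vulnerable application's primitive from the post, one machine word wide:
 *     mov dword ptr [eax], ecx
 *     mov dword ptr [ecx+4], eax */
static void write4(uintptr_t eax, uintptr_t ecx)
{
    *(volatile uintptr_t *)eax = ecx;
    *(volatile uintptr_t *)(ecx + 4) = eax;
}

/* Runs the primitive with eax = &g_filter_slot and ecx = a fresh page that is
 * either read-only (stand-in for a .text address) or writable. Returns:
 *   2  the second store faulted at ecx+4 and the dispatcher found the value
 *      planted by the first store in the filter slot
 *   1  both stores completed, no fault, so the planted pointer is never reached
 *   0  setup failed or the fault did not look as expected */
int run_primitive(int ecx_in_unwritable_page)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    int prot = ecx_in_unwritable_page ? PROT_READ : (PROT_READ | PROT_WRITE);
    void *page = mmap(NULL, pagesz, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return 0;

    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = dispatcher;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, &old) != 0) {
        munmap(page, pagesz);
        return 0;
    }

    uintptr_t eax = (uintptr_t)&g_filter_slot;   /* the slot we want to hijack */
    uintptr_t ecx = (uintptr_t)page;             /* value planted there, and the fault target */
    g_filter_slot = 0;
    g_fault_addr = 0;
    g_dispatched_to = 0;

    volatile int result;
    if (sigsetjmp(g_recover, 1) == 0) {
        write4(eax, ecx);       /* first store lands; second store faults if page is read-only */
        result = 1;
    } else {
        result = (g_fault_addr == ecx + 4 && g_dispatched_to == ecx) ? 2 : 0;
    }

    sigaction(SIGSEGV, &old, NULL);
    munmap(page, pagesz);
    return result;
}

int main(void)
{
    printf("ecx -> unwritable page: %d\n", run_primitive(1));
    printf("ecx -> writable page:   %d\n", run_primitive(0));
    return 0;
}
```

Two points this makes explicit. The fault comes from the second store, so ecx+4 must be unwritable; if ecx happens to point into writable memory the primitive completes silently and the overwritten pointer is never exercised. And on Windows the kernel32 top-level filter is only reached once every frame-based SEH handler has declined the exception, and UnhandledExceptionFilter hands the exception to a debugger instead of calling the filter when one is attached, so testing this under a debugger will not show the redirected call.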
Current thread:
- win32 heap overflow exploitation Adik (Oct 26)
- <Possible follow-ups>
- Re: win32 heap overflow exploitation Dave Korn (Oct 27)
- Re: win32 heap overflow exploitation Barnaby Jack (Oct 27)