Vulnerability Development mailing list archives

RE: Windows Heap Overflows In General


From: "Brett Moore" <brett () softwarecreations co nz>
Date: Tue, 3 Dec 2002 10:56:57 +1300

Dave wrote:
e.g.
call dword ptr [ecx + 14H]

It's important to remember that heap overflows aren't just about
overflowing character arrays that have been malloc()ed.

Yup, that's true. Playing with different sizes and different hex codes to
overflow can land you in many different spots such as

call [ecx + ??]
mov [ecx],[eax]
movsb
cmp al,?? -> mov something.

The main point I was trying to press is that we can use the routines to
write our egg into a known writable address. Albeit a tricky and time
consuming way, so the trick is to write a small jumper to known memory and
call the jumper. The jumper can then locate our main shell code and run it.

With the 4 bytes you are limited to something like [reg +/- 80] or so... But
you can do stuff like add esp,?? / ret, or prepend our jumper to known fixed
hex codes so that we can leave a byte or two out, giving us 6 bytes.

From the recent CFMX6 overflow: the exploit lands on the normal mov
[ecx],eax, carries on, checks a byte to see if there is more, and then uses
another byte to calculate the offset to where the next structure is. Even if
only one chunk structure has been overwritten we now have control of where the
routine will look for the next structure. Massive amounts of repeated code
allow for a good chance to hit the spot.

Brett
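The property both posts rely on is that the allocator reads its own bookkeeping bytes ("is there more?", "how far to the next structure?") straight from memory that sits next to user data, so an overwrite of those bytes steers the walk. The toy model below is an added example, not code from the thread or from any real Windows heap: it lays out a constructed arena of fixed-size chunks with a small header, copies into one chunk without a length check so the following header is clobbered, and then walks the list twice, once trusting the header bytes and once validating a cookie over them first (in the spirit of the heap header cookies later allocators added). The header layout, the `secret` value and the function names are all assumptions made for this example.

```c
/*
 * Added example: a constructed toy arena showing why an overwritten chunk
 * header steers an allocator's walk, and how a header cookie turns that
 * silent redirection into a detected fault. None of this is Windows' real
 * heap layout; every field and value here is invented for illustration.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ARENA_SIZE 256
#define CHUNK_DATA 32   /* bytes of user data per chunk (constructed) */

/* Header placed immediately before each chunk's data. `more` and
 * `next_off` play the role of "a byte to see if there is more" and "another
 * byte to calculate the offset to the next structure". */
struct chunk_hdr {
    uint8_t size_units;   /* size in 8-byte units */
    uint8_t next_off;     /* byte offset from this header to the next one */
    uint8_t more;         /* non-zero if another chunk follows */
    uint8_t cookie;       /* integrity check over the other three bytes */
};

#define STRIDE (sizeof(struct chunk_hdr) + CHUNK_DATA)

static uint8_t arena[ARENA_SIZE];

/* Hypothetical per-process secret; fixed here so the example is deterministic. */
static const uint8_t secret = 0x5A;

static uint8_t hdr_cookie(const struct chunk_hdr *h) {
    return (uint8_t)(h->size_units ^ h->next_off ^ h->more ^ secret);
}

/* Lay out n chunks back to back and seal each header with its cookie. */
void arena_init(int n) {
    memset(arena, 0, sizeof arena);
    for (int i = 0; i < n; i++) {
        struct chunk_hdr *h = (struct chunk_hdr *)(arena + i * STRIDE);
        h->size_units = CHUNK_DATA / 8;
        h->next_off = (uint8_t)STRIDE;
        h->more = (i + 1 < n) ? 1 : 0;
        h->cookie = hdr_cookie(h);
    }
}

/* Pointer to the user data of chunk i. */
uint8_t *chunk_data(int i) {
    return arena + i * STRIDE + sizeof(struct chunk_hdr);
}

/* Simulated bug: copy `len` bytes into chunk i with no bound check, so a
 * len larger than CHUNK_DATA spills into the next chunk's header. */
void unchecked_copy(int i, const uint8_t *src, size_t len) {
    memcpy(chunk_data(i), src, len);
}

/* Walk the chunk list the way an allocator routine would. Returns the number
 * of headers visited, -1 if a header fails its cookie check (only when
 * check_cookies is set), or -2 if the walk leaves the arena. *last_pos
 * receives the offset of the last header that was read. */
int arena_walk(int check_cookies, size_t *last_pos) {
    size_t pos = 0;
    int visited = 0;
    for (;;) {
        if (pos + sizeof(struct chunk_hdr) > ARENA_SIZE) return -2;
        const struct chunk_hdr *h = (const struct chunk_hdr *)(arena + pos);
        if (last_pos) *last_pos = pos;
        if (check_cookies && h->cookie != hdr_cookie(h)) return -1;
        visited++;
        if (!h->more) return visited;
        if (h->next_off == 0) return -2;   /* refuse to loop in place */
        pos += h->next_off;
    }
}

int main(void) {
    uint8_t fill[CHUNK_DATA + sizeof(struct chunk_hdr)];
    size_t pos;
    arena_init(3);
    printf("clean walk: %d chunks, last header at %zu\n",
           arena_walk(1, &pos), pos);

    /* Constructed overflow: CHUNK_DATA + 4 bytes of 'A' from chunk 0's data
     * overwrite every byte of chunk 1's header. */
    memset(fill, 'A', sizeof fill);
    unchecked_copy(0, fill, sizeof fill);

    printf("trusting walk: %d chunks, last header read at %zu\n",
           arena_walk(0, &pos), pos);          /* follows the bogus offset */
    printf("checked walk: %d (-1 = header rejected) at %zu\n",
           arena_walk(1, &pos), pos);          /* stops at the corrupted header */
    return 0;
}
```

The trusting walk never notices anything is wrong: it reads `more` and `next_off` from the clobbered header and carries on from wherever those bytes point, which is exactly the control Brett describes. The checked walk rejects the header at offset 36 before using it, so the only effect of the overwrite is a clean failure that can be logged and investigated.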

-----Original Message-----
From: David Litchfield [mailto:david () ngssoftware com]
Sent: Monday, 2 December 2002 22:29
To: pen-test () securityfocus com; vuln-dev () securityfocus com
Subject: Re: Windows Heap Overflows In General


*) Remember with heap based overflows you can write multiple sets of 4
bytes. It's not the registers you are overflowing, but a structure. What do
the other structure bytes control? Size does matter!
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0105.html
* Where's our code at? It's not just esp that holds important variable
locations. Where do all those other numbers point?

In the case of overflowing the data section of one object into the vtable of
another object you'll be overwriting function pointers, and when one is
called you can redirect program control.

e.g.
call dword ptr [ecx + 14H]

It's important to remember that heap overflows aren't just about
overflowing character arrays that have been malloc()ed.

Cheers,
David Litchfield
http://www.ngssoftware.com/