Vulnerability Development mailing list archives
Windows Heap Overflows In General
From: "Brett Moore" <brett () softwarecreations co nz>
Date: Mon, 2 Dec 2002 15:03:04 +1300
Merry Christmas all, 'tis the month for knowledge sharing. Some tips and tricks when working with windows heap based overflows to stimulate your mind.

*) The more the merrier - If it lets you stuff it in there, stuff it. Different sizes, different characters can give different results.

*) Running the exploit Local vs Remote can sometimes matter.

*) The only state you can be sure of is that your request is not the first. But the only way to ensure this is by sending valid requests before the exploit. Numbers vary; find a minimum and it can help in the stability of overflows.

*) Remember with heap based overflows you can write multiple sets of 4 bytes. It's not the registers you are overflowing, but a structure. What do the other structure bytes control? Size does matter!
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0105.html

*) Where's our code at? It's not just esp that holds important variable locations. Where do all those other numbers point?

The first 3 allow you to write code that 99-100% of the time hits the spot. The last two allow you to write any relative jump instruction you need and set the seh handler to your relative jump, thus 99-100% giving execution to your shellcode.

Heyas to all who know.
Current thread:
- Windows Heap Overflows In General Brett Moore (Dec 02)
- Re: Windows Heap Overflows In General David Litchfield (Dec 02)
- RE: Windows Heap Overflows In General Brett Moore (Dec 02)
- Re: Windows Heap Overflows In General Vizzy (Dec 02)
- Re: Windows Heap Overflows In General David Litchfield (Dec 02)