Vulnerability Development mailing list archives

Windows Heap Overflows In General


From: "Brett Moore" <brett () softwarecreations co nz>
Date: Mon, 2 Dec 2002 15:03:04 +1300

Merry Christmas all, 'tis the month for knowledge sharing.

Some tips and tricks when working with Windows heap-based overflows to
stimulate your mind.

*) The more the merrier - If it lets you stuff it in there, stuff it.
Different sizes, different characters can give different results.
*) Running the exploit Local vs Remote can sometimes matter.
*) The only state you can be sure of is that your request is not the first.
But the only way to ensure this is by sending valid requests before the
exploit. Numbers vary; find a minimum and it can help in the stability of
overflows.
*) Remember with heap-based overflows you can write multiple sets of 4
bytes. It's not the registers you are overflowing, but a structure. What do
the other structure bytes control? Size does matter!
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0105.html
*) Where's our code at? It's not just esp that holds important variable
locations. Where do all those other numbers point?

The first three allow you to write code that 99-100% of the time hits the spot.
The last two allow you to write any relative jump instruction you need and
set the SEH handler to your relative jump, thus 99-100% giving execution to
your shellcode.
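The point that "it's not the registers you are overflowing, but a structure" is easiest to see with a toy heap. The C below is an added example, not code from the post or from any Windows component: it constructs two chunks back to back in one arena, each a small header (magic marker plus size) followed by a 16-byte payload, which is an assumed layout and not the real Windows heap format. An unchecked copy into chunk A silently overwrites chunk B's header; the hardened copy refuses oversize input, and a header-consistency check of the kind a hardened allocator performs before trusting a chunk shows whether the neighbour survived. The input (a run of 'A' bytes) and all names are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy heap, constructed for this example (not Windows' real heap layout):
 * two chunks sit back to back in one arena, each a small header followed
 * by a 16-byte payload. The header of chunk B is the "structure" that an
 * overrun of chunk A's payload lands on. */
#define PAYLOAD_SZ 16u
#define HDR_MAGIC  0xC0DEC0DEu

struct chunk_hdr {
    uint32_t magic;  /* integrity marker checked before the chunk is used */
    uint32_t size;   /* payload length in bytes */
};

#define HDR_SZ   sizeof(struct chunk_hdr)
#define ARENA_SZ (2 * (HDR_SZ + PAYLOAD_SZ) + 16)  /* slack: the demo never leaves the arena */

struct arena { unsigned char mem[ARENA_SZ]; };

/* Offsets of chunk A's payload and chunk B's header inside the arena. */
#define OFF_A_PAYLOAD (HDR_SZ)
#define OFF_B_HDR     (HDR_SZ + PAYLOAD_SZ)

static void put_hdr(unsigned char *at, uint32_t magic, uint32_t size) {
    struct chunk_hdr h = { magic, size };
    memcpy(at, &h, HDR_SZ);   /* memcpy sidesteps alignment and aliasing concerns */
}

static struct chunk_hdr get_hdr(const unsigned char *at) {
    struct chunk_hdr h;
    memcpy(&h, at, HDR_SZ);
    return h;
}

static void arena_init(struct arena *a) {
    memset(a->mem, 0, ARENA_SZ);
    put_hdr(a->mem, HDR_MAGIC, PAYLOAD_SZ);              /* chunk A */
    put_hdr(a->mem + OFF_B_HDR, HDR_MAGIC, PAYLOAD_SZ);  /* chunk B */
}

/* Vulnerable copy: trusts the caller's length, so bytes past the 16-byte
 * payload are written straight over chunk B's header. */
static void copy_unchecked(struct arena *a, const unsigned char *src, size_t n) {
    memcpy(a->mem + OFF_A_PAYLOAD, src, n);
}

/* Hardened copy: rejects input that does not fit the destination chunk. */
static int copy_checked(struct arena *a, const unsigned char *src, size_t n) {
    struct chunk_hdr ha = get_hdr(a->mem);
    if (n > ha.size)
        return -1;
    memcpy(a->mem + OFF_A_PAYLOAD, src, n);
    return 0;
}

/* Consistency check of the kind a hardened allocator runs before trusting
 * a header: 1 if chunk B's header is intact, 0 if it was clobbered. */
int chunk_b_intact(const struct arena *a) {
    struct chunk_hdr hb = get_hdr(a->mem + OFF_B_HDR);
    return hb.magic == HDR_MAGIC && hb.size == PAYLOAD_SZ;
}

/* Copy n bytes of 'A' (constructed input, n <= 32) into chunk A with the
 * unchecked copy and report whether chunk B's header survived. */
int neighbour_survives_unchecked(size_t n) {
    struct arena a;
    unsigned char src[32];
    if (n > sizeof src) return -1;
    memset(src, 'A', sizeof src);
    arena_init(&a);
    copy_unchecked(&a, src, n);
    return chunk_b_intact(&a);
}

/* Same input through the bounds-checked copy: oversize input is refused,
 * so nothing is written and the neighbour stays intact. */
int neighbour_survives_checked(size_t n) {
    struct arena a;
    unsigned char src[32];
    if (n > sizeof src) return -1;
    memset(src, 'A', sizeof src);
    arena_init(&a);
    (void)copy_checked(&a, src, n);
    return chunk_b_intact(&a);
}

int main(void) {
    printf("unchecked, 16 bytes: neighbour intact = %d\n", neighbour_survives_unchecked(16));
    printf("unchecked, 24 bytes: neighbour intact = %d\n", neighbour_survives_unchecked(24));
    printf("checked,   24 bytes: neighbour intact = %d\n", neighbour_survives_checked(24));
    return 0;
}
```

Sixteen bytes fill chunk A exactly and leave chunk B's header alone; twenty-four bytes run eight bytes past the payload and replace chunk B's magic and size with 0x41414141, which is what the check detects. The defensive lesson is the same one the post hints at from the other side: the bytes immediately past a heap buffer are allocator metadata, so a length check on the copy and a validation of header fields before use are the two places to stop this.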

Heyas to all who know.

