[Full-disclosure] Win32 Heap Exploits
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] Win32 Heap Exploits
- From: Stefan Lochbihler <steve01@xxxxxxxxx>
- Date: Thu, 29 Dec 2005 01:51:51 +0100
Hi there,
while collecting some knowledge about heap overflows
I ran into a few problems. Please take a look below to help me
with them.
I wrote a little daemon with the following code.
/* flOptions is a DWORD, so 0 rather than NULL; keep the returned handle */
HANDLE hp = HeapCreate(0, 1000, 2000);
/* when data is received: */
char *hp1 = (char *)HeapAlloc(hp, 0, 500);
strcpy(hp1, buffer);   /* unbounded copy into the 500-byte chunk */
HeapFree(hp, 0, hp1);
For debugging I opened the server in OllyDbg.
The second time I send my exploit, my pointers get copied to the
stack and the thread information block.
eax=7FFDDFFC (tib-4)
ecx=0012F358 (address 4 bytes before pointer to heap)
Mov [ecx],eax
Mov [eax+4],ecx
->
[7FFDE000] 0012F358
[0012F358] 7FFDDFFC Pointer to next SEH record
[................] 00390688 SE handler
After this OllyDbg stops because of an access violation.
When I pass the exception, the shellcode gets executed successfully.
(The shellcode uses some tricks from Litchfield to repair the heap.)
But if I run the server without OllyDbg, nothing happens.
Does anybody have an idea what I am doing wrong? Tested on a WinXP SP1 system.
cheers
Steve
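As an added example that is not part of Steve's post: the bounds check his daemon's receive path lacks, written around the 500-byte chunk size from the post. malloc and free stand in for HeapAlloc and HeapFree (an assumption made so the code builds off Windows); the request flow is otherwise the same.

```c
#include <stdlib.h>
#include <string.h>

/* Chunk size from the post: HeapAlloc(hp, 0, 500). */
#define CHUNK_SIZE 500

/* Copy a received buffer into a heap chunk of known size.
 * Unlike strcpy(hp1, buffer), this uses the byte count recv()
 * returned instead of trusting a NUL terminator, and refuses input
 * that would not fit together with its terminating NUL.
 * Returns 0 on success, -1 if the data was rejected. */
int store_request(char *chunk, size_t chunk_size,
                  const char *data, size_t len)
{
    if (chunk == NULL || data == NULL || chunk_size == 0)
        return -1;
    if (len >= chunk_size)      /* need len + 1 bytes for the NUL */
        return -1;
    memcpy(chunk, data, len);
    chunk[len] = '\0';
    return 0;
}

/* The per-request path from the post with the check added.
 * malloc/free stand in for HeapAlloc/HeapFree (assumption, so the
 * example builds off Windows); allocate, store, free, as in the post.
 * Returns 0 if the request was stored, -1 if it was rejected. */
int handle_request(const char *data, size_t len)
{
    char *hp1 = malloc(CHUNK_SIZE);
    if (hp1 == NULL)
        return -1;
    int rc = store_request(hp1, CHUNK_SIZE, data, len);
    /* ... process the stored request here ... */
    free(hp1);
    return rc;
}
```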
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/