| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun Mar 27 12:46:19 2005 From: class101 at hat-squad.com (class101@...-SQUAD.com) Subject: Question: Heap Overflows on 2k3/SP2 Do you know a reliable way to bypass the heap protection present in w2k3 ? I have troubles to understand why my heap overflows exploit (own discovery) isnt working fine on 2k3. If you are familiar exploiting them, explain me how to... look at the bottom to show what the check looks like: > on 2k3: (on SP2 its quite same I think with the check register EDI replaced > by EDX) > > 77F370ED 8B02 MOV EAX,DWORD PTR DS:[EDX] > 77F370EF 8985 F0FEFFFF MOV DWORD PTR SS:[EBP-110],EAX > 77F370F5 8B4A 04 MOV ECX,DWORD PTR DS:[EDX+4] > 77F370F8 898D 68FEFFFF MOV DWORD PTR SS:[EBP-198],ECX > 77F370FE 8B39 MOV EDI,DWORD PTR DS:[ECX] > 77F37100 3B78 04 CMP EDI,DWORD PTR DS:[EAX+4] <= protection > 77F37103 0F85 F4FCFFFF JNZ ntdll.77F36DFD > 77F37109 3BFA CMP EDI,EDX <= protection > 77F3710B 0F85 ECFCFFFF JNZ ntdll.77F36DFD > 77F37111 8901 MOV DWORD PTR DS:[ECX],EAX > 77F37113 8948 04 MOV DWORD PTR DS:[EAX+4],ECX > As you can see , It's not possible to use EAX as a what and ECX as a where pointing to UEF because of the previous check. I think I have read somewhere a method about the lookaside table, If you are familiar with it , thanx to explain it to me ;) > > ------------------------------------------------------------- > class101 > Jr. Researcher > Hat-Squad.com > -------------------------------------------------------------
Powered by blists - more mailing lists