Date: Sat, 1 Jan 2005 19:57:32 +0100 (CET)
From: "Berend-Jan Wever" <skylined@...p.tudelft.nl>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.org
Subject: Windows LoadImage API Heapoverflow exploit


Has anybody else tested flashsky's exploit?
I've tried to exploit this vuln on win2ksp4 MSIE 6.0sp1, but in my findings
it is very unreliable: the different threads running in IE make it almost
impossible to determine which Heap API call will first run into an
overwritten heap header block (HeapAlloc, HeapReAlloc, HeapFree,
RtlHeapAlloc, etc., etc.) or which block it will run into. Most calls
will simply crash IE; I've only had one successful attempt in what must
have been at least 50 tries.

Finding a way to make sure one specific heap API call will be called after
overwriting the heap would solve this problem; so far my attempts at this
have been unsuccessful.

Cheers,
SkyLined

