Message-ID: <43B33327.1070407@chello.at>
Date: Thu Dec 29 00:52:00 2005
From: steve01 at chello.at (Stefan Lochbihler)
Subject: Win32 Heap Exploits

Hi there

While collecting some knowledge about heap overflows
I ran into a few problems. Please take a look below to help me
with them.

I wrote a little daemon with the following code.

#include <windows.h>
#include <string.h>

HANDLE hp = HeapCreate(0, 1000, 2000);    /* private heap: 1000 bytes initial, 2000 max */
/* when data is received: */
char *hp1 = HeapAlloc(hp, 0, 500);        /* fixed 500-byte block */
strcpy(hp1, buffer);                      /* unbounded copy: overflows the block when buffer is longer than 499 bytes */
HeapFree(hp, 0, hp1);


For debugging I opened the server in OllyDbg.
The second time I send my exploit, my pointers get copied to the
stack and the thread information block.

eax=7FFDDFFC    (TIB-4)
ecx=0012F358    (address 4 bytes before pointer to heap)

Mov [ecx],eax
Mov [eax+4],ecx

->
[7FFDE000] 0012F358

[0012F358] 7FFDDFFC  Pointer to next SEH record
[................] 00390688     SE handler

After this OllyDbg stops because of an access violation.

When I pass the exception, the shellcode gets executed successfully.
(The shellcode uses some tricks from Litchfield to repair the heap.)

But if I run the server without OllyDbg, nothing happens.
Does anybody have an idea what I am doing wrong? Tested on a WinXP SP1 system.

cheers
Steve
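The two stores in the trace above (mov [ecx],eax / mov [eax+4],ecx) are a doubly-linked free-list unlink whose links have been overwritten by the overflow. As an added example, not part of the original post, here is a constructed C model of that unlink beside the kind of safe-unlink check later added to heap managers: both neighbours must still point back at the entry, otherwise it is treated as corrupted and nothing is written. It models only the list, not the Windows heap; entry_t, list_push and demo_safe_unlink are assumed names.

```c
/* Constructed model of a doubly-linked free-list entry and the unlink the
 * debugger trace shows; a list model only, not Windows heap code. */
#include <stddef.h>
typedef struct entry {
    struct entry *flink;   /* forward link: first dword of a free chunk */
    struct entry *blink;   /* backward link: second dword, at +4 on x86 */
} entry_t;

static void list_init(entry_t *head) { head->flink = head->blink = head; }

static void list_push(entry_t *head, entry_t *e) {
    e->flink = head->flink;
    e->blink = head;
    head->flink->blink = e;
    head->flink = e;
}

/* Unchecked unlink: the two stores in the trace, with eax = e->flink and
 * ecx = e->blink:  mov [ecx],eax  /  mov [eax+4],ecx.  If an overflow
 * replaced the links, the stores land wherever the links now point. */
static void unlink_unchecked(entry_t *e) {
    e->blink->flink = e->flink;
    e->flink->blink = e->blink;
}

/* Safe unlink: both neighbours must still point back at e; otherwise the
 * entry is treated as corrupted and nothing is written. */
static int unlink_checked(entry_t *e) {
    if (e->flink->blink != e || e->blink->flink != e)
        return 0;
    unlink_unchecked(e);
    return 1;
}

static size_t list_len(const entry_t *head) {
    size_t n = 0;
    for (const entry_t *p = head->flink; p != head; p = p->flink) n++;
    return n;
}
/* 1 if a valid entry unlinks and a corrupted one is rejected with the list
 * left intact (head still linked to b only). */
int demo_safe_unlink(void) {
    entry_t head, a, b, stray = { NULL, NULL };   /* stray: not a member */
    list_init(&head); list_push(&head, &a); list_push(&head, &b);
    if (!unlink_checked(&a) || list_len(&head) != 1) return 0;
    b.blink = &stray;              /* simulate an overflow clobbering blink */
    if (unlink_checked(&b) || head.flink != &b || head.blink != &b) return 0;
    return list_len(&head) == 1;
}
```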
