Re: ColdFusion Heap Overflow -continued

From: Riley Hassell (rhassellat_private)
Date: Tue Dec 03 2002 - 00:26:43 PST


    If you can move 4 bytes of choice to any location in your virtual
    environment you can overwrite any stored 32 bit address. Loaded image data
    sections and loader environment data have reliable addresses due to the
    support of basing by the operating system and loader. If you want immediate
    execution, overwrite a hook address. Many API suites have hooks you can
    overwrite. The hook you choose depends on the situation of the vulnerability
    you are dealing with.
    
    In this situation you may throw a fault after the following 'mov'
    instruction attempts to access a memory address of the data you supplied. If
    the 4 bytes you overwrote data with do not signify a valid address, a fault
    will be issued. So use the fault-handling system in place. On win* this is
    structured exception handling.
    
    When a fault is generated in a thread, an exception list is taken from the
    thread's TIB. This list is cycled twice and then the default exception
    handler is called. This default exception handler is in charge of generating
    a window so that the interface user can see the application had a fatal
    error. To allow the configurability of this default behavior, developers
    introduced a hook so that another developer in the future could create his
    or her own default handler.
    
    This hook is loaded at an address that can be modified at runtime; it's
    also loaded in data with write privilege. Overwrite it with a relative
    address of a call or jmp that references a stack offset. This stack offset
    is where the address of your payload buffer will be. Keep in mind that if
    you can't find a sufficient byte sequence for your relative call, any data
    on the stack is seen as code to the processor during execution. Use any
    value you can control on the stack for your benefit. Every 32 bit function
    variable is an instruction up to 4 bytes in length if you can control it.
    Data sizes, IDs, indexes, port numbers....
    
    Turn your stack into a big buffer of your code :)
    
    
    -R
    
    
    Riley Hassell
    Security Research Associate
    eEye Digital Security
    
    
    
    
    
    ----- Original Message -----
    From: "Gary O'leary-Steele" <garyo@sec-1.com>
    To: <pen-testat_private>; <vuln-devat_private>
    Sent: Friday, November 15, 2002 9:26 AM
    Subject: ColdFusion Heap Overflow -continued
    
    
    > Hi all,
    >
    > I am attempting to write exploit code for the coldfusion heap overflow
    > (still).
    >
    > On advice from various on the secfocus list I have installed SoftICE and
    > located the exception handler in question.
    >
    > The handler code starts at
    >
    > 0x77f82b95
    >
    > The code I am trying to manipulate is at
    >
    > 0x77f8e43b Mov ecx, [ebp+0x18]
    > 0x77f8e43e call ecx
    >
    > where ebp changes each time the exception is called
    >
    > I can control the following values within the following instruction,
    >
    > mov    [ecx] ,  eax
    >
    >
    > where ecx and eax can be any value I specify. The problem (or my lack of
    > understanding) is that the stack frame is set up when the exception is
    > handled and I can't seem to write to [ebp+0x18] due to the fact it changes
    > etc. (stop me if I'm wrong)
    >
    > Attempting to overwrite the instruction (sorry if this is a basic can't do)
    > with mov [ecx],eax where ecx = 0x77f8e43b and eax = 0x41414141 doesn't seem
    > to do anything?
    >
    >
    > Any help or pointers are greatly appreciated.
    >
    >
    >
    >
    > Thanks in advance.
    >
    > Kind Regards
    > Gary
    > Sec-1
    >
    >
    



    This archive was generated by hypermail 2b30 : Sun Nov 17 2002 - 11:14:53 PST