
RE: Windows Heap Overflows In General

From: Brett Moore <brett(at)softwarecreations.co.nz>
Date: Mon Dec 02 2002 - 16:56:57 EST


Dave wrote:
> e.g.
> call dword ptr [ecx + 14H]

Yup, that's true. Playing with different sizes and different hex codes to overflow can land you in many different spots, such as

call [ecx + ??]
mov [ecx],[eax]
movsb
cmp al,?? -> mov something.

The main point I was trying to press is that we can use the routines to write our egg into a known writable address. Albeit a tricky and time-consuming way, so the trick is to write a small jumper to known memory and call the jumper. The jumper can then locate our main shell code and run it.

With the 4 bytes you are limited to something like [reg +/- 80] or so... But you can do stuff like add esp,?? ret, or prepend our jumper to known fixed hex codes so that we can leave a byte or two out, giving us 6 bytes.

From the recent CFMX6 overflow: the exploit lands on the normal mov [ecx],eax, carries on, checks a byte to see if there is more, and then uses another byte to calculate the offset to where the next structure is. Even if only one chunk structure has been overwritten, we now have control of where the routine will look for the next structure. Massive amounts of repeated code allow for a good chance to hit the spot.

Brett

> -----Original Message-----
> From: David Litchfield [mailto:david@ngssoftware.com]
> Sent: Monday, 2 December 2002 22:29
> To: pen-test@securityfocus.com; vuln-dev@securityfocus.com
> Subject: Re: Windows Heap Overflows In General
>
>
> > *) Remember with heap based overflows you can write multiple sets of 4
Received on Mon Dec 2 19:23:34 2002
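The thread above is about what happens when a heap write runs past its allocation into the bookkeeping of the chunk that follows. The C program below is an added example for this archive page, not code from Brett Moore or David Litchfield, and it makes no claim about the real Windows heap layout: a single `struct pool` with a hypothetical `chunk_hdr` (a link offset plus an integrity cookie) stands in for "user data followed by the next chunk's structure". It contrasts an unchecked copy, which lets a 24-byte input overwrite the neighbouring header, with a length-checked copy, and shows the kind of header validation a consumer should run before trusting a link field. All names, sizes and the 24-byte input are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DATA_SIZE 16u
#define HDR_COOKIE 0xC0DEC0DEu   /* constructed integrity value, not a real heap constant */

/* Hypothetical chunk header that sits directly after the user data. */
struct chunk_hdr {
    uint32_t next_off;   /* where the code expects the following structure to be */
    uint32_t cookie;     /* must match HDR_COOKIE for the header to be trusted */
};

/* One "allocation" and the header of its neighbour, laid out contiguously. */
struct pool {
    unsigned char data[DATA_SIZE];
    struct chunk_hdr hdr;
};

static void pool_init(struct pool *p)
{
    memset(p->data, 0, sizeof p->data);
    p->hdr.next_off = (uint32_t)sizeof(struct pool);
    p->hdr.cookie = HDR_COOKIE;
}

/* Vulnerable pattern: trusts the caller's length. Writing through a pointer
   to the whole object keeps the demo within defined behaviour, but the
   effect is the same as overrunning data[]: bytes 16..23 land in hdr. */
static void copy_unchecked(struct pool *p, const unsigned char *src, size_t len)
{
    unsigned char *dst = (unsigned char *)p;   /* data[] is the first member */
    if (len > sizeof *p)
        len = sizeof *p;                       /* clamp only so the demo stays in-object */
    memcpy(dst, src, len);
}

/* Hardened pattern: rejects anything that would not fit in data[].
   Returns 0 on success, -1 when the input is refused. */
static int copy_checked(struct pool *p, const unsigned char *src, size_t len)
{
    if (len > sizeof p->data)
        return -1;
    memcpy(p->data, src, len);
    return 0;
}

/* Validation a consumer runs before following the link: 1 if intact, 0 if not. */
static int hdr_intact(const struct pool *p)
{
    return p->hdr.cookie == HDR_COOKIE &&
           p->hdr.next_off == (uint32_t)sizeof(struct pool);
}

/* Drives the unchecked path with a constructed 24-byte input of 'A's.
   Returns hdr_intact(): 0, because next_off and cookie now read 0x41414141. */
static int demo_unchecked(void)
{
    struct pool p;
    unsigned char buf[24];
    memset(buf, 'A', sizeof buf);
    pool_init(&p);
    copy_unchecked(&p, buf, sizeof buf);
    return hdr_intact(&p);
}

/* Same input through the checked path. Returns 1: the copy is refused and
   the neighbouring header is untouched. */
static int demo_checked(void)
{
    struct pool p;
    unsigned char buf[24];
    memset(buf, 'A', sizeof buf);
    pool_init(&p);
    int rc = copy_checked(&p, buf, sizeof buf);
    return rc == -1 && hdr_intact(&p);
}

int main(void)
{
    printf("unchecked copy, header intact: %d\n", demo_unchecked());
    printf("checked copy,   header intact: %d\n", demo_checked());
    return 0;
}
```

The cookie check is the defensive half of the point made in the thread: once a header's link field can be overwritten, whatever walks to "the next structure" is steered by the attacker, so the link must be validated (or protected by an integrity value) before it is dereferenced, and the copy that fills the data must be bounded in the first place.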


This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:37 EDT
