
Re: POC Heap based buffer overflow

From: Roland Postle <mail(at)blazde.co.uk>
Date: Sat Apr 12 2003 - 13:41:50 EDT


On Fri, 11 Apr 2003 15:16:11 -0400, Aaron C. Newman (Application Security, Inc.) wrote:

>The payload is not written directly to ESP or EBP so I can not simply

Sometimes you'll find you can control a dword further down the stack; then you can find an

add esp, 0x100, retn

to get you there, then again find another dword a bit further down that you control, so you end up 'hopping' down the stack. But I doubt it would work in your case, 0x1D00 is a long way to go.

The other thing to look for is a bit of static memory you can control; it need only be a few bytes long, enough to put an

add esp, 0x1d00
retn

in. Then jump there. If your target app is single threaded (or your overflow is always in the first thread) you may even find a good bit of 'static' memory further down the stack. In my experience the first thread always gets a stack based at the same address (0x00140000), though it may be OS version specific.

- Blazde
Received on Sat Apr 12 15:49:05 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:38 EDT

