Re: [Dailydave] Understanding Windows Heap Overflows
From: pbb (pbb@65535.com)
Date: Tue Oct 04 2005 - 10:38:16 CDT
If you remember from Blackhats, the one I showed you was a management
app (it also had 7 threads) and had a 4-byte overwrite, but I couldn't get it
consistently to where I wanted (there seemed to be many pointer fix-ups
in the heap that made it crash before a control structure overwrite).
With the example given, I couldn't get it to do anything, no 4-byte
overwrite. I seem not to be able to step through an overwrite of the UEF
in Visual Studio; I read somewhere it was because the debugger
overwrites the exception handler already, so the original pointer isn't
called, thus the overflow overwrites the wrong address.
I was able to get the SP2 one to work outside Visual Studio but not
within it. Does anyone have a way around this issue?
Paul.
halvar@gmx.de wrote:
> hey paul,
>
> have you gotten to the point of being able to write arbitrary data ?
>
> ----- Original Message ----- From: "pbb" <pbb@65535.com>
> To: <dailydave@lists.immunitysec.com>
> Sent: Tuesday, October 04, 2005 2:04 AM
> Subject: [Dailydave] Understanding Windows Heap Overflows
>
>
>> Hi everyone,
>>
>> I've been a long-time lurker but never posted. I know Dave suggested
>> to me to post about Buffy ;) but I really would like to get to grips
>> with heap overflows. I have been trying to understand the heap
>> overflow in Windows and have been fumbling with IDA Pro and Visual
>> Studio to try and understand the concept for a while now (in between
>> real life). I have been reading as many papers as I could and have
>> read the following and assumed I had some understanding of them (I
>> listed them at the bottom). I have managed to get the example code
>> from "Defeating Microsoft Windows XP SP2 Heap protection and DEP
>> bypass" by Alexander Anisimov to work, but not in Visual Studio. I read
>> somewhere (long time ago) that the debugger can ruin the overflow as
>> it intercepts or re-writes the exception handler which you are trying
>> to overflow. I tried to get David Litchfield's example code from his
>> Blackhats presentation in 2004 to work (on an SP1 XP box, so no heap
>> protection) but inside or outside a debugger it wouldn't work.
>>
>> I thought I understood the theory of the overwrite of the heap
>> control structure but struggle to be able to see it in practice. Is
>> there a way to step through the overflow in a debugger? Can anyone
>> give me example code and a suggested platform to help me see it in
>> action? I realise there are a couple of different ways to gain the
>> EIP, whether it's through the UEF or PEB or SEH, but how do I know
>> which one to use? I also realise that with a 4-byte overwrite you may
>> need to find somewhere that calls or jmps to a register that points to
>> your heap, but I haven't managed to step through it with a debugger.
>> As it's abusing the heap management of the OS, is it possible to step
>> through it in a debugger?
>>
>> I have been on Halvar's "Analyzing Software for Security
>> Vulnerabilities" Blackhat course (not that I've had time to put much
>> of that into practice. Need more time :)) and would like to start
>> reversing some applications that I think have heap overflows in them
>> and attempt to write an overflow, but I'm not confident enough that I
>> know what I'm doing.
>>
>> I've read these papers; can anyone suggest any others? (Probably need
>> to re-read them again though.)
>> blackhats-win-04-litchfield-code.rtf
>> blackhats-win-04-litchfield.ppt
>> phrack 61-6 Advanced Doug lea malloc exploits
>> Managing Heap Memory in Win32 -MSDN
>> defeating-xpsp2-heap-protection - Alexander Anisimov
>> Practical-SEH-exploitation.pdf - Johnny Cyberpunk
>> msrpcheap.pdf - Of course Dave Aitel
>> msrpcheap2.pdf - Of course Dave Aitel
>> Practical Win32 and Unicode exploitation - Phenoelit
>>
>> If I had a simple program like the one below, could I overflow it and
>> learn the theory? (Stolen from, I think, the Shellcoder's Handbook.)
>> What am I looking for, and how can I see this somewhere else?
>>
>> Thanks guys for your time, and I hope these newbie questions don't
>> annoy anyone.
>>
>> Paul.
>>
>> Here's one I was trying to step through in a debugger.
>>
>> #include <stdio.h>
>> #include <string.h>
>> #include <windows.h>
>>
>> DWORD MyExceptionHandler(void);
>> int foo(char *buf);
>>
>> int main(int argc, char *argv[])
>> {
>>     char *filename = NULL;          // filename of the data to overflow with.
>>     HMODULE l;                      // library handle
>>     FILE *fp_overflowFile = NULL;   // pointer to datafile
>>     char *buffer = NULL;
>>     int count = 0;
>>     int check = 0;
>>
>>     // Map the DLLs the example expects to be present in the process.
>>     l = LoadLibrary("msvcrt.dll");
>>     l = LoadLibrary("netapi32.dll");
>>
>>     printf("\n\nHeap overflow program.\n");
>>     if (argc != 2)
>>     {
>>         return printf("ARGS!");
>>     }
>>
>>     foo(argv[1]);
>>     return 0;
>> }
>>
>> DWORD MyExceptionHandler(void)
>> {
>>     printf("In exception handler ...");
>>     ExitProcess(1);
>>     return 0;
>> }
>>
>> int foo(char *buf)
>> {
>>     HLOCAL h1 = 0, h2 = 0;
>>     HANDLE hp;
>>
>>     __try {
>>         hp = HeapCreate(0, 0x1000, 0x10000);
>>         if (!hp)
>>             return printf("Failed to create heap.\n");
>>         h1 = HeapAlloc(hp, HEAP_ZERO_MEMORY, 26);
>>         printf("HEAP: %.8x %.8x\n", h1, &h1);
>>         // Heap overflow occurs here: strcpy() has no bound on buf.
>>         strcpy(h1, buf);
>>         // The second call to HeapAlloc() is when we gain control
>>         h2 = HeapAlloc(hp, HEAP_ZERO_MEMORY, 26);
>>     }
>>     __except (MyExceptionHandler()) {
>>         printf("Exception occurred...");
>>     }
>>     return 0;
>> }
>>
>
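The "4-byte overwrite" the thread keeps circling comes from the free-list unlink that the second HeapAlloc() in foo() triggers on the chunk whose Flink/Blink the strcpy() overran, and the check XP SP2 added to that unlink (the protection the Anisimov paper is about) is what stops it. Below is an added model of both paths, not code from the thread or from Windows; LIST_ENTRY as a two-pointer struct, unlink_unchecked, unlink_checked, take_chunk and the one-element free list are assumptions of this model, and the `target` word stands in for whatever the corrupted pointers aim at.

```c
#include <stddef.h>
#include <string.h>

/* Free-list link that Windows XP keeps in the body of each free chunk,
 * right after the 8-byte HEAP_ENTRY header (model of the two pointers only). */
typedef struct list_entry {
    struct list_entry *Flink;
    struct list_entry *Blink;
} LIST_ENTRY;

/* Pre-SP2 unlink: trusts Flink and Blink blindly. If both were overwritten
 * by the strcpy() in foo(), these two stores write to whatever they point at. */
static void unlink_unchecked(LIST_ENTRY *e) {
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
}

/* SP2-style "safe unlinking": both neighbours must point back at e.
 * Returns 1 when unlinked, 0 when the link is inconsistent (nothing written). */
static int unlink_checked(LIST_ENTRY *e) {
    if (e->Flink->Blink != e || e->Blink->Flink != e)
        return 0;
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
    return 1;
}

/* Build a one-element free list: head <-> chunk. */
static void init_list(LIST_ENTRY *head, LIST_ENTRY *chunk) {
    head->Flink = head->Blink = chunk;
    chunk->Flink = chunk->Blink = head;
}

/* Simulate the second HeapAlloc() in foo(): the free chunk next to h1 is
 * taken off the free list. `corrupt` stands in for the values the overflow
 * left in its Flink/Blink (constructed here: both aimed at `target`).
 * Returns the unlinker's verdict: 1 = unlinked, 0 = refused. */
static int take_chunk(int corrupt, int checked, LIST_ENTRY *target) {
    LIST_ENTRY head, chunk;
    init_list(&head, &chunk);
    if (corrupt)
        chunk.Flink = chunk.Blink = target;   /* constructed corruption */
    if (checked)
        return unlink_checked(&chunk);
    unlink_unchecked(&chunk);
    return 1;
}
```

With an intact list both unlinkers succeed; with the corrupted link the unchecked path writes the pointer values into `target` (the overwrite the debugger never lets Paul see), while the checked path returns 0 and leaves `target` untouched.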