Re: [Dailydave] Understanding Windows Heap Overflows
From: pbb (pbb at 65535.com)
Date: Tue Oct 04 2005 - 11:23:52 CDT
That's why I was trying to get it to work on XP sp 1, I will try win2k
sp4 though. If I can go on the course I will, but I am on holiday at the
time. :)
Paul.
Dave Aitel wrote:
> Well, don't learn heap overflows on SP2 before you're good at win2k
> sp4, is one important note. :> Another good note is that Nico and
> Sinan are teaching a 1 day class:
> http://www.pacsec.jp/dojoheap.html
>
> This should overcome your problems with this sort of thing.
>
> -dave
>
> pbb wrote:
>
>> If you remember from Blackhats, the one I showed you, was a
>> management app (also had 7 threads) and had a 4byte overwrite but I
>> couldn't get it consistently to where I wanted (there seemed to be
>> many pointer fix ups in the heap that made it crash before a control
>> structure overwrite).
>>
>> With the example given, I couldn't get it to do anything, no 4 byte
>> overwrite. I seem not to be able to step through an overwrite of the
>> UEF in visual studio, I read somewhere it was because the debugger
>> overwrites the Exception handler already so the original pointer
>> isn't called thus the overflow overwrites the wrong address.
>>
>> I was able to get the SP2 one to work out of visual studio but not
>> within, does anyone have a way around this issue?
>>
>> Paul.
>>
>> halvar at gmx.de wrote:
>>
>>> hey paul,
>>>
>>> have you gotten to the point of being able to write arbitrary data ?
>>>
>>> ----- Original Message ----- From: "pbb" <pbb at 65535.com>
>>> To: <dailydave at lists.immunitysec.com>
>>> Sent: Tuesday, October 04, 2005 2:04 AM
>>> Subject: [Dailydave] Understanding Windows Heap Overflows
>>>
>>>
>>>> Hi everyone,
>>>>
>>>> I've been a long time lurker but never posted. I know Dave
>>>> suggested to me to post about Buffy ;) but I really would like to
>>>> get to grips with Heap overflows. I have been trying to understand
>>>> the Heap Overflow in windows and have been fumbling with IDAPro and
>>>> Visual Studio to try and understand the concept for a while now (in
>>>> between real life). I have been reading as many papers as I could
>>>> and have read the following and assumed I had some understanding of
>>>> them (I listed them at the bottom). I have managed to get the
>>>> example code from Defeating Microsoft Windows XP SP2 Heap
>>>> protection and DEP bypass by Alexander Anisimov to work but not in
>>>> Visual Studio. I read somewhere (long time ago) that the debugger
>>>> can ruin the overflow as it intercepts or re-writes the exception
>>>> handler which you are trying to overflow. I tried to get David
>>>> Litchfield's example code from his blackhats presentation in 2004 to
>>>> work (on a sp1 XP box, so no heap protection) but inside or outside
>>>> a debugger it wouldn't work.
>>>>
>>>> I thought I understood the theory of the overwrite of the heap
>>>> control structure but struggle to be able to see it in practice. Is
>>>> there a way to step through the overflow in a debugger, can anyone
>>>> give me example code and a suggested platform to help me see it in
>>>> action. I realise there are a couple of different ways to gain the
>>>> EIP whether it's through the UEF or PEB or SEH but how do I know
>>>> which one to use. I also realise that with a 4 byte overwrite you
>>>> may need to somewhere that calls or jmps to a register that points
>>>> to your heap but I haven't managed to step through it with a
>>>> debugger. As it's abusing the heap management of the OS is it
>>>> possible to step through in a debugger.
>>>>
>>>> I have been on Halvar's "Analyzing Software for Security
>>>> Vulnerabilities" blackhat course (not that I've had time to put
>>>> much of that in practice.
>>>>
>>>> Need more time :)) And would like to start reversing some
>>>> applications that I think have heap overflows in them and attempt
>>>> to write an overflow but I'm not confident enough that I know what
>>>> I'm doing.
>>>>
>>>> I've Read these papers, can anyone suggest any others? (probably
>>>> need to re-read them again though.)
>>>> blackhats-win-04-litchfield-code.rtf
>>>> blackhats-win-04-litchfield.ppt
>>>> phrack 61-6 Advanced Doug lea malloc exploits
>>>> Managing Heap Memory in Win32 -MSDN
>>>> defeating-xpsp2-heap-protection - Alexander Anisimov
>>>> Practical-SEH-exploitation.pdf - Johnny Cyberpunk
>>>> msrpcheap.pdf - Of course Dave Aitel
>>>> msrpcheap2.pdf - Of course Dave Aitel
>>>> Practical Win32 and Unicode exploitation - Phenoelit
>>>>
>>>> If I had a simple program like below could I overflow it and learn
>>>> the theory? (stolen from I think the shellcoder's handbook) What am
>>>> I looking for and how can I see this somewhere else.
>>>>
>>>> Thanks guys for your time and hope these newbie questions don't
>>>> annoy anyone.
>>>>
>>>> Paul.
>>>>
>>>> Here's one I was trying to step through in a debugger.
>>>>
>>>> #include <stdio.h>
>>>> #include <string.h>
>>>> #include <windows.h>
>>>>
>>>> DWORD MyExceptionHandler(void);
>>>> int foo(char *buf);
>>>>
>>>> int main(int argc, char *argv[])
>>>> {
>>>>     HMODULE l; // library handle
>>>>
>>>>     // Load a couple of extra DLLs so the address space looks like a
>>>>     // typical process ("mscvrt.dll" in the original was a typo for msvcrt.dll).
>>>>     l = LoadLibrary("msvcrt.dll");
>>>>     l = LoadLibrary("netapi32.dll");
>>>>
>>>>     printf("\n\nHeap overflow program.\n");
>>>>     if (argc != 2)
>>>>     {
>>>>         return printf("ARGS!\n");
>>>>     }
>>>>
>>>>     foo(argv[1]);
>>>>     return 0;
>>>> }
>>>>
>>>> // Filter for the __except below: runs when the corrupted heap
>>>> // entry blows up, then terminates the process.
>>>> DWORD MyExceptionHandler(void)
>>>> {
>>>>     printf("In exception handler ...");
>>>>     ExitProcess(1);
>>>>     return 0;
>>>> }
>>>>
>>>> int foo(char *buf)
>>>> {
>>>>     HLOCAL h1 = 0, h2 = 0;
>>>>     HANDLE hp;
>>>>
>>>>     __try {
>>>>         // Private heap so the layout is not disturbed by other allocations.
>>>>         hp = HeapCreate(0, 0x1000, 0x10000);
>>>>         if (!hp)
>>>>             return printf("Failed to create heap.\n");
>>>>         h1 = HeapAlloc(hp, HEAP_ZERO_MEMORY, 26);
>>>>         printf("HEAP: %.8x %.8x\n", h1, &h1);
>>>>         // Heap overflow occurs here: strcpy() has no bound, so a long
>>>>         // buf runs past the 26-byte block into the next heap entry.
>>>>         strcpy((char *)h1, buf);
>>>>         // The second call to HeapAlloc() is when we gain control
>>>>         h2 = HeapAlloc(hp, HEAP_ZERO_MEMORY, 26);
>>>>     }
>>>>     __except(MyExceptionHandler()) {
>>>>         printf("Exception occurred...");
>>>>     }
>>>>     return 0;
>>>> }
>>>>
>>>
>>
>
>
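The quoted test program depends on the second HeapAlloc() reusing the free block whose header and Flink/Blink pointers sit right after the 26-byte buffer. The portable model below is added here and is not code from the thread or from any Windows source: it shows that adjacency, the bounded copy that fixes the bug, and the two XP SP2 checks (header cookie and safe unlinking) that make the next allocation detect the smash instead of acting on it. The block layout, the cookie value and the rounding of HeapAlloc(26) to 32 bytes are assumptions made for the model.

```c
/* Added illustration, not code from the thread or from Windows: a simplified
 * model of an XP-style heap where every block has an 8-byte HEAP_ENTRY header
 * and a free block keeps its LIST_ENTRY (Flink/Blink) at the start of its user
 * data.  Layout, cookie value and rounding of HeapAlloc(26) to 32 are assumed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define COOKIE 0x5a   /* assumed per-heap header cookie; SP2 keeps one per entry */
typedef struct { uint16_t size, prev_size; uint8_t cookie, flags, unused, seg; } HeapEntry;
typedef struct ListEntry { struct ListEntry *flink, *blink; } ListEntry;

struct Layout {
    HeapEntry hdr1; uint8_t user1[32];                   /* h1, the 26-byte block */
    HeapEntry hdr2; ListEntry link2; uint8_t rest2[24];  /* adjacent free block   */
};
typedef union { uint8_t raw[sizeof(struct Layout)]; struct Layout lay; } Arena;
static ListEntry g_head;                                 /* free-list head        */

void arena_init(Arena *a) {                              /* size fields not modelled */
    memset(a, 0, sizeof *a);
    a->lay.hdr1.cookie = a->lay.hdr2.cookie = COOKIE;
    a->lay.hdr1.flags = 1;                               /* 1 = busy              */
    g_head.flink = g_head.blink = &a->lay.link2;         /* head <-> free block   */
    a->lay.link2.flink = a->lay.link2.blink = &g_head;
}

/* The bug in the posted program: strcpy() into the 26-byte block with no bound.
 * Bytes past 32 land on hdr2, then on link2 (its Flink/Blink). */
void copy_unchecked(Arena *a, const char *s) {
    strcpy((char *)(a->raw + offsetof(struct Layout, user1)), s);
}

/* The fix: refuse input that does not fit the block together with its NUL. */
int copy_checked(Arena *a, const char *s) {
    if (strlen(s) >= sizeof a->lay.user1) return 0;
    copy_unchecked(a, s); return 1;
}

/* Models the second HeapAlloc(): before handing out the free block it checks
 * the header cookie and, as SP2's safe unlinking does, that the block is really
 * on the list.  Returns 1 if the block is reused, 0 if corruption was found. */
int next_alloc(Arena *a) {
    HeapEntry *h = &a->lay.hdr2; ListEntry *e = &a->lay.link2;
    if (h->cookie != COOKIE) return 0;                          /* header smashed */
    if (e->flink->blink != e || e->blink->flink != e) return 0; /* links smashed  */
    e->flink->blink = e->blink; e->blink->flink = e->flink;     /* unlink         */
    h->flags |= 1; return 1;
}
```

On a pre-SP2 heap neither check exists, so the corrupted Flink/Blink are used as-is by the unlink, which is the 4-byte write the thread talks about; with the checks in place the allocation fails instead.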