RE: [Dailydave] Understanding Windows Heap Overflows

From: Brett Moore (brett.mooresecurity-assessment.com)
Date: Wed Oct 05 2005 - 16:45:11 CDT


Hey..

Forgot to mention, if you want some easy samples to work with have
a look at:

Windows Heap Overflow Exploitation
http://marc.theaimsgroup.com/?l=darklab&m=107575262625706&w=2

Windows Stack Overflow Exploitation
http://marc.theaimsgroup.com/?l=darklab&m=107575273225926&w=2

Written last year on a 2kbox... So not sure how much use they
will be to you..

Cheers

Brett

-----Original Message-----
From: pbb [mailto:pbb65535.com]
Sent: Wednesday, 5 October 2005 9:56 p.m.
To: Ben Nagy
Cc: dailydavelists.immunitysec.com
Subject: Re: [Dailydave] Understanding Windows Heap Overflows

Thanks for the suggestions, I thought I'd post the simplest program I
was playing with but I think you are right. That was the example code
from David Litchfield's blackhat 2004 heap talk. I had another one that
allocated 2 heaps then copied on the first then freed.

My fiancee went to Ruxcon and was telling me about Brett Moore's talk,
sounded very interesting. I'll have to have a look at the talks if I can
get my hands on some of them.

If I am going to get my target app to call a register, then don't I need
to still do a 4 byte overwrite of something like the exception handler?
Isn't using the register so that, on the overwrite, if you can have say
ebx pointing to your heap, then you get it to execute that call to ebx so
your injected code is run? As I said, I actually got the SP2 example to
work but couldn't step through it.

I haven't read anything by Matt Conover so I will look into that (btw
does everyone here think Matt Pietrek? but I guess he's more file
formats and DLLs).

I like your suggestion so I think I'll make a simple prog that reads
from a socket (which makes input of the overflow easier) and try that.

Thanks everyone for your suggestions.

Paul.

Ben Nagy wrote:

>Hi,
>
>There were a couple of talks at Ruxcon in Australia which might help you. I
>attempted to do one that condensed work by a whole lot of different people
>into something simple (well as simple as it's going to get) and
>understandable - but that will only cover the theory.
>
>The other thing I thought was much cooler was that Brett Moore stood up
>right afterwards and owned some random app with a heap-based long file
>parameter bug, and he did it by stages so you could see what was going on.
>As he said, the heap is wacky - you might not even need to attack the heap
>management routines themselves if you can make your target app eventually
>call a register you control (which is what happened). Given that the 4-byte
>overwrites get crazy under SP2 and a lot of tasty pointers are encoded /
>removed / randomised that kind of approach is (imho) Teh Futur. Hopefully
>his demo files will go up as well as his slides (right Brett? ;).
>
>In terms of references, you didn't mention any Windows papers by Matt
>Conover - I would highly recommend you get anything you can by him, but the
>CSW Conover/Oded presentation in particular is a must-read.
>
>Finally, in your code, I'm not sure it's a good test proggie, is it? For
>Conover's coalesce on free 4-byte you need h1 to get freed, and for a
>busy-block overwrite like Halvar's virtualalloc 4-byte then you need your
>faked (next to h1) block to get freed. Well, anyway, you usually want
>_something_ to be freed.
>
>The exception are the "maybe there happens to be a free block that happens
>to be next to my buffer, and the second alloc will provoke a list deletion"
>style attacks which you shouldn't need for < SP2 (plus they require the
>heap layout to be just so).
>
>If you want to follow that up with a 4-to-n-byte overwrite via the lookaside
>lists then you'll need your test program to do some realistic pointer
>copies, because it needs to copy badstuff --> my sekrit location at some
>point.
>
>--- code reprint ---
> h1 = HeapAlloc(hp,HEAP_ZERO_MEMORY,26);
>
> printf("HEAP: %.8x %.8x\n", h1, &h1);
>
> // Heap overflow occurs here:
> strcpy(h1, buf);
>
> // The second call to HeapAlloc() is when we gain control
>
> h2 = HeapAlloc(hp,HEAP_ZERO_MEMORY,26);
>--- end code ---
>
>So, my suggestion would be that you code something that does "loop: get a
>packet from client, allocate heap space, copy the packet data unsafely, free
>the block when done". Have a play with that and you might have more fun.
>
>Anyway, good luck.
>
>Cheers,
>
>ben
>
>
>
>>-----Original Message-----
>>From: Brett Moore [mailto:brett.mooresecurity-assessment.com]
>>
>>
>[...]
>
>
>>As for the heap stuff.... The heap is a fickle place...
>>a) Try longer / shorter bursts of data
>>b) Try data of different chars (ie: X or A or Y) etc... I used to find
>>0x48 a good heap manipulator (H).
>>
>>Good luck
>>
>>
>[...]
>
>
>>-----Original Message-----
>>From: pbb [mailto:pbb65535.com]
>>
>>
>[...]
>
>
>>With the example given, I couldn't get it to do anything, no 4 byte
>>overwrite.
>>
>>
>[...]
>
>
>>>----- Original Message ----- From: "pbb" <pbb65535.com>
>>>
>>>
>[...]
>
>
>>>>I really would like to
>>>>
>>>>
>>get to grips
>>
>>
>>>>with Heap overflows. [...]
>>>>
>>>>
>
>
>
>
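The "get a packet, allocate heap space, copy, free" loop Ben proposes above as a test program, written here in its bounds-checked form as an added example (not code from any participant in the thread). The length-prefixed wire format, the malloc/free stand-ins for HeapAlloc/HeapFree, and the 26-byte block size taken from the reprinted snippet are assumptions of this example.

```c
/* Hardened version of the "packet loop" test harness sketched in the thread:
 * receive a length-prefixed packet, allocate a heap block for it, copy the
 * payload, free the block. The copy is bounded by the allocation size, so an
 * oversized or mis-declared payload is rejected instead of overrunning into the
 * neighbouring heap block. malloc/free stand in for HeapAlloc/HeapFree so the
 * example also builds off Windows (an assumption of this example). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PAYLOAD 26u   /* same block size as the reprinted test code */

/* Wire format (constructed for this example): 2-byte big-endian length,
 * followed by that many payload bytes. */
struct packet { const uint8_t *data; size_t len; };

/* Parse one packet and copy its payload through a freshly allocated heap block.
 * Returns 0 on success (payload copied into out, NUL-terminated), or -1 if the
 * packet is truncated or its declared length exceeds what the block can hold. */
int handle_packet(const struct packet *pkt, char *out, size_t out_len)
{
    if (pkt->len < 2) return -1;                      /* no length header */
    size_t declared = ((size_t)pkt->data[0] << 8) | pkt->data[1];
    if (declared > MAX_PAYLOAD) return -1;            /* would overrun the block */
    if (declared > pkt->len - 2) return -1;           /* header claims more than sent */

    char *block = malloc(MAX_PAYLOAD + 1);            /* stand-in for HeapAlloc */
    if (!block) return -1;
    memcpy(block, pkt->data + 2, declared);           /* bounded: declared <= MAX_PAYLOAD */
    block[declared] = '\0';

    /* consume the data, then release the block as the loop in the thread does */
    snprintf(out, out_len, "%s", block);
    free(block);                                      /* stand-in for HeapFree */
    return 0;
}

int main(void)
{
    /* constructed packets: a well-formed one and one whose header claims 100 bytes */
    const uint8_t good[] = { 0x00, 0x05, 'H', 'E', 'L', 'L', 'O' };
    const uint8_t oversized[] = { 0x00, 0x64, 'A', 'A', 'A', 'A' };
    struct packet p1 = { good, sizeof good }, p2 = { oversized, sizeof oversized };
    char out[64];
    printf("good: %d (%s)\n", handle_packet(&p1, out, sizeof out), out);
    printf("oversized: %d\n", handle_packet(&p2, out, sizeof out));
    return 0;
}
```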