Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Subject: Re: Exploiting overflow of heap-based buffers
From: typo@inferno.tusculum.edu
Date: Tue May 23 2000 - 18:51:37 CDT
- Next message: Chris Evans: "Heap overflows - thanks"
- Previous message: Pavel Kankovsky: "Re: Exploiting overflow of heap-based buffers"
- In reply to: Chris Evans: "Exploiting overflow of heap-based buffers"
- Reply: typo@inferno.tusculum.edu: "Re: Exploiting overflow of heap-based buffers"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Wed, May 24, 2000 at 12:25:54AM +0100, Chris Evans wrote:
> Are there any documented cases of exploits of overflows on the heap
> (e.g. overflow of malloc()'d buffer?)
wu-ftpd 2.5.0 has been a nice example for those.
> Has anyone played with this much? It's an interesting topic....
While working on the exploitation of wuftpd, we (edi & me) found many
different methods, of different efficiency, all leading to a shell.
The easiest was putting shellcode in the PASS field which gets written
to the memory in between Argv and LastArgv, and then overwriting those
pointers.
This led to immediate success, because the pass didn't change in memory
after leaving a (ftp command handling) function, but only worked with
anonymous ftp users.
Next method was to overwrite (ok, memory
is blurry) EIP, while somehow restoring Argv and LastArgv before
returning and/or overwriting it again.
Next was overwriting Argv and LastArgv so you can overwrite a
jmpbuf (used for error handling), fix Argv and LastArgv again (same line
in which you overwrite the errcatch jmpbuf), and then provoke an error.
And uh, I haven't seen the best method, requiring only one offset,
for which we started building a bruteforcing exploit, implemented anywhere.
It was like (duh.. memory.. aah), that the variable pathspace, which had an
offset relative to errcatch (our jmpbuf), contained the current pwd, so we
indirectly could put our shellcode there, and then jump there.
Sorry for the inaccurate descriptions, but it's been a long time...
The basic errcatch exploiting code is available from http://teso.scene.at/
(ifafsomething.c)
> PS. I seem to have a vague memory of a paper regarding this topic. Am I
> dreaming?
w00w00 (www.w00w00.org) seems to have a doc on it, it's a
nice summary of known techniques.
-- so much entropy, so little time
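The post above describes the core of every method listed: an unchecked copy into a malloc'd buffer silently overwrites whatever the program keeps next to it (Argv/LastArgv pointers, a jmpbuf). The C program below is an added example, not code from the post, from teso or from wu-ftpd. It models that adjacency inside a single allocation: a fixed-size buffer is followed by a guard pattern standing in for the adjacent program data, an unchecked copy is shown clobbering it, and a bounded copy rejects the same input. All names, sizes and sample inputs here are constructed for the demonstration; the oversized input is chosen to stay inside the guard region so the program itself remains well-defined.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical layout, not wu-ftpd's: PASS_MAX bytes of buffer, then GUARD_LEN bytes
   of data the program relies on (standing in for Argv/LastArgv or a jmpbuf). */
#define PASS_MAX  16
#define GUARD_LEN 8

static const unsigned char GUARD_PATTERN[GUARD_LEN] = {
    0xde, 0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe, 0xef
};

/* Constructed sample inputs (not from the original post). */
static const char SHORT_PASS[] = "hunter2";
static const char LONG_PASS[]  = "AAAAAAAAAAAAAAAAAAAA";  /* 20 bytes: 4 past PASS_MAX */

/* One heap block holding [buffer | guard]; both regions belong to the same allocation. */
unsigned char *slot_new(void) {
    unsigned char *block = calloc(1, PASS_MAX + GUARD_LEN);
    if (!block) return NULL;
    memcpy(block + PASS_MAX, GUARD_PATTERN, GUARD_LEN);
    return block;
}

/* Detection: 1 if the data adjacent to the buffer is still what we stored there. */
int slot_guard_intact(const unsigned char *block) {
    return memcmp(block + PASS_MAX, GUARD_PATTERN, GUARD_LEN) == 0;
}

/* Vulnerable pattern: trusts the client-supplied length and never compares it to
   PASS_MAX. Bytes past the buffer land in the guard region, exactly where a real
   program would keep pointers or a jmpbuf. */
void store_pass_unsafe(unsigned char *block, const char *pass, size_t len) {
    memcpy(block, pass, len);
}

/* Hardened form: reject anything that does not fit with room for the terminator.
   Returns 0 on success, -1 when the input is rejected and nothing is written. */
int store_pass_safe(unsigned char *block, const char *pass, size_t len) {
    if (len >= PASS_MAX) return -1;
    memcpy(block, pass, len);
    block[len] = '\0';
    return 0;
}

/* Returns 1 if the unchecked copy clobbered the data next to the buffer. */
int demo_unsafe_corrupts(void) {
    unsigned char *block = slot_new();
    if (!block) return -1;
    store_pass_unsafe(block, LONG_PASS, sizeof LONG_PASS - 1);
    int clobbered = !slot_guard_intact(block);
    free(block);
    return clobbered;
}

/* Returns 1 if the bounded copy rejects the same input and leaves the neighbour intact. */
int demo_safe_rejects(void) {
    unsigned char *block = slot_new();
    if (!block) return -1;
    int rc = store_pass_safe(block, LONG_PASS, sizeof LONG_PASS - 1);
    int ok = (rc == -1) && slot_guard_intact(block);
    free(block);
    return ok;
}

int main(void) {
    printf("unchecked copy clobbered adjacent data: %s\n",
           demo_unsafe_corrupts() == 1 ? "yes" : "no");
    printf("bounded copy rejected oversize input:   %s\n",
           demo_safe_rejects() == 1 ? "yes" : "no");
    return 0;
}
```

The guard check is the same idea a heap canary or an allocator's chunk-header validation applies: it does not stop the write, it only makes the corruption visible afterwards. The length check in `store_pass_safe` is the actual fix; the wu-ftpd 2.5.0 case the post refers to is what happens when neither is present.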