Exploiting Heap Overflows in W2K
From: Ivan Stroks (ivanstroksyahoo.co.nz)
Date: Tue Aug 01 2006 - 08:39:10 CDT
I am trying to exploit a Heap buffer overflow
vulnerability and facing some problems, hope you could
I run the vulnerable program in a VMWare, attached
These are my problems:
1. I control both EAX and ESI, when the program goes
mov [esi], eax
mov [eax + 4], esi
First of all, I tried gaining control of execution
through PEB but, according to Halvar's presentation,
there are some restrictions to what you can write in
the header of the overflowed buffer.
" Properties our block must have:
Bit 0 of Flags must be set
Bit 3 of Flags must be set
Field_4 must be smaller than 0x40
The first field (own size) must be larger than
The block ‘XXXX99XX’ meets all requirements"
So, supposing PEB pointer to overwrite is
0x7FFDF020 I would need to specify for example:
XXXX20f0fd7f, but this is not matching required
properties and so RtlFreeHeap exits.
I am sure I must be missing something here, but
can't find it.
2. An additional problem I am facing, due to the fact
that this is my first heap overflowing session, is
that when I trigger the vulnerability as soon as the
program comes back from "revert snapshot" then I get
to rtlHeapFree ok, but if some other requests are
performed to the program before, then I cannot
reproduce that behaviour again and different
behaviours and situations arise.
It is obvious that my exploit won't be the first
request the program receives so, how can I manage
Hope you could help!