Dailydave: Re: Understanding Windows Heap Overflows

Re: Understanding Windows Heap Overflows

From: Dave Aitel <dave_at_immunitysec.com>
Date: Tue, 04 Oct 2005 11:43:14 -0400

Well, don't learn heap overflows on SP2 before you're good at win2k sp4,
is one important note. :> Another good note is that Nico and Sinan are
teaching a 1 day class:
http://www.pacsec.jp/dojoheap.html

This should overcome your problems with this sort of thing.

-dave

pbb wrote:
> If you remember from Blackhats, the one I showed you was a management
> app (also had 7 threads) and had a 4-byte overwrite but I couldn't get
> it consistently to where I wanted (there seemed to be many pointer fix
> ups in the heap that made it crash before a control structure overwrite).
>
> With the example given, I couldn't get it to do anything, no 4-byte
> overwrite. I seem not to be able to step through an overwrite of the
> UEF in Visual Studio. I read somewhere it was because the debugger
> overwrites the exception handler already, so the original pointer isn't
> called, thus the overflow overwrites the wrong address.
>
> I was able to get the SP2 one to work out of Visual Studio but not
> within. Does anyone have a way around this issue?
>
> Paul.
>
> halvar_at_gmx.de wrote:
>
>> hey paul,
>>
>> have you gotten to the point of being able to write arbitrary data ?
>>
>> ----- Original Message ----- From: "pbb" <pbb_at_65535.com>
>> To: <dailydave_at_lists.immunitysec.com>
>> Sent: Tuesday, October 04, 2005 2:04 AM
>> Subject: [Dailydave] Understanding Windows Heap Overflows
>>
>>
>>> Hi everyone,
>>>
>>> I've been a long time lurker but never posted. I know Dave suggested
>>> to me to post about Buffy ;) but I really would like to get to grips
>>> with heap overflows. I have been trying to understand the heap
>>> overflow in Windows and have been fumbling with IDA Pro and Visual
>>> Studio to try and understand the concept for a while now (in between
>>> real life). I have been reading as many papers as I could and have
>>> read the following and assumed I had some understanding of them (I
>>> listed them at the bottom). I have managed to get the example code
>>> from "Defeating Microsoft Windows XP SP2 Heap protection and DEP
>>> bypass" by Alexander Anisimov to work, but not in Visual Studio. I
>>> read somewhere (a long time ago) that the debugger can ruin the
>>> overflow as it intercepts or re-writes the exception handler which
>>> you are trying to overflow. I tried to get David Litchfield's example
>>> code from his Blackhat presentation in 2004 to work (on an SP1 XP
>>> box, so no heap protection) but inside or outside a debugger it
>>> wouldn't work.
>>>
>>> I thought I understood the theory of the overwrite of the heap
>>> control structure but struggle to be able to see it in practice. Is
>>> there a way to step through the overflow in a debugger? Can anyone
>>> give me example code and a suggested platform to help me see it in
>>> action? I realise there are a couple of different ways to gain
>>> EIP, whether it's through the UEF or PEB or SEH, but how do I know
>>> which one to use? I also realise that with a 4-byte overwrite you
>>> may need to somewhere that calls or jmps to a register that points
>>> to your heap, but I haven't managed to step through it with a
>>> debugger. As it's abusing the heap management of the OS, is it
>>> possible to step through it in a debugger?
>>>
>>> I have been on Halvar's "Analyzing Software for Security
>>> Vulnerabilities" blackhat course (not that I've had time to put much
>>> of that in practice.
>>>
>>> Need more time :)) And would like to start reversing some
>>> applications that I think have heap overflows in them and attempt to
>>> write an overflow but I'm not confident enough that I know what I'm
>>> doing.
>>>
>>> I've Read these papers, can anyone suggest any others? (probably
>>> need to re-read them again though.)
>>> blackhats-win-04-litchfield-code.rtf
>>> blackhats-win-04-litchfield.ppt
>>> phrack 61-6 Advanced Doug lea malloc exploits
>>> Managing Heap Memory in Win32 -MSDN
>>> defeating-xpsp2-heap-protection - Alexander Anisimov
>>> Practical-SEH-exploitation.pdf - Johnny Cyberpunk
>>> msrpcheap.pdf - Of course Dave Aitel
>>> msrpcheap2.pdf - Of course Dave Aitel
>>> Practical Win32 and Unicode exploitation - Phenoelit
>>>
>>> If I had a simple program like the one below, could I overflow it and
>>> learn the theory? (stolen from, I think, the Shellcoder's Handbook)
>>> What am I looking for, and how can I see this somewhere else?
>>>
>>> Thanks guys for your time, and hope this newbie question doesn't
>>> annoy anyone.
>>>
>>> Paul.
>>>
>>> Here's one I was trying to step through in a debugger.
>>>
>>> #include <stdio.h>
>>> #include <string.h>   // strcpy()
>>> #include <windows.h>
>>>
>>> DWORD MyExceptionHandler(void);
>>> int foo(char *buf);
>>>
>>> int main(int argc, char *argv[])
>>> {
>>>     char *filename = NULL;        // filename of the data to overflow with.
>>>     HMODULE l;                    // library handle
>>>     FILE *fp_overflowFile = NULL; // pointer to datafile
>>>     char *buffer = NULL;
>>>     int count = 0;
>>>     int check = 0;
>>>
>>>     // Map these DLLs into the process before the overflow happens.
>>>     l = LoadLibrary("msvcrt.dll");
>>>     l = LoadLibrary("netapi32.dll");
>>>
>>>     printf("\n\nHeap overflow program.\n");
>>>     if( argc != 2)
>>>     {
>>>         return printf("ARGS!");
>>>     }
>>>
>>>     // argv[1] is copied unchecked into a 26-byte heap block in foo().
>>>     foo(argv[1]);
>>>     return 0;
>>> }
>>>
>>> DWORD MyExceptionHandler(void)
>>> {
>>>     printf("In exception handler ...");
>>>     ExitProcess(1);
>>>     return 0;
>>> }
>>>
>>> int foo(char *buf)
>>> {
>>>     HLOCAL h1 = 0, h2 = 0;
>>>     HANDLE hp;
>>>
>>>     __try{
>>>         // Private heap: 0x1000 bytes committed, 0x10000 bytes reserved.
>>>         hp = HeapCreate(0,0x1000,0x10000);
>>>         if(!hp)
>>>             return printf("Failed to create heap.\n");
>>>         h1 = HeapAlloc(hp,HEAP_ZERO_MEMORY,26);
>>>         printf("HEAP: %.8x %.8x\n", h1, &h1);
>>>         // Heap overflow occurs here:
>>>         strcpy(h1, buf);
>>>         // The second call to HeapAlloc() is when we gain control
>>>         h2 = HeapAlloc(hp,HEAP_ZERO_MEMORY,26);
>>>     }
>>>     __except(MyExceptionHandler()){
>>>         printf("Exception occurred...");
>>>     }
>>>     return 0;
>>> }
>>>
>>
>
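Added example, not from the thread or the Shellcoder's Handbook: the same `foo()` flow (26-byte block, unchecked copy, second allocation) with the copy bounded by the size the heap itself reports for the block, which is the check that keeps `strcpy()` from reaching the next chunk's header. On Windows it uses `HeapCreate`/`HeapAlloc`/`HeapSize`; off Windows a small malloc-based shim (an assumption of this example, not the real heap) stands in so the logic compiles and runs anywhere.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
typedef HANDLE heap_t;
#define heap_open()      HeapCreate(0, 0x1000, 0x10000)
#define heap_get(hp, n)  HeapAlloc((hp), HEAP_ZERO_MEMORY, (n))
#define heap_size(hp, p) HeapSize((hp), 0, (p))
#define heap_put(hp, p)  HeapFree((hp), 0, (p))
#define heap_close(hp)   HeapDestroy(hp)
#else
/* Portable stand-in (assumption of this example): usable size kept in a header word. */
typedef int heap_t;
#define heap_open()      1
#define heap_close(hp)   ((void)(hp))
static void *heap_get(heap_t hp, size_t n) {
    size_t *blk = hp ? calloc(1, sizeof(size_t) + n) : NULL;
    if (!blk) return NULL;
    *blk = n;                              /* what HeapSize() would report */
    return blk + 1;
}
static size_t heap_size(heap_t hp, void *p) { (void)hp; return ((size_t *)p)[-1]; }
static void heap_put(heap_t hp, void *p) { (void)hp; free((size_t *)p - 1); }
#endif

/* Hardened counterpart of the quoted foo(): same 26-byte block and same second
   allocation, but the copy is bounded by the size the heap reports for h1.
   Returns 0 on success, -1 if buf would overflow h1, -2 on allocation failure. */
int foo_checked(const char *buf) {
    heap_t hp = heap_open();
    void *h1, *h2 = NULL;
    size_t need = strlen(buf) + 1;         /* bytes strcpy() would write, NUL included */
    int rc = 0;
    if (!hp) return -2;
    h1 = heap_get(hp, 26);
    if (!h1) { heap_close(hp); return -2; }
    if (need > heap_size(hp, h1)) {
        rc = -1;                           /* copy refused: it would cross into the next chunk */
    } else {
        memcpy(h1, buf, need);
        h2 = heap_get(hp, 26);             /* the allocation the original post expects to hijack */
        if (!h2) rc = -2;
    }
    if (h2) heap_put(hp, h2);
    heap_put(hp, h1);
    heap_close(hp);
    return rc;
}
```

Run with the oversized argument from the original post and the function returns -1 before the second `HeapAlloc()` is ever reached, which is the behaviour a bounded copy should give.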
Received on Oct 04 2005
