Dailydave
mailing list archives
Re: Understanding Windows Heap Overflows
From: pbb <pbb () 65535 com>
Date: Tue, 04 Oct 2005 17:23:52 +0100
That's why I was trying to get it to work on XP SP1. I will try Win2k
SP4 though. If I can go on the course I will, but I am on holiday at the
time. :)
Paul.
Dave Aitel wrote:
Well, don't learn heap overflows on SP2 before you're good at Win2k
SP4, is one important note. :> Another good note is that Nico and
Sinan are teaching a 1-day class:
http://www.pacsec.jp/dojoheap.html
This should overcome your problems with this sort of thing.
-dave
pbb wrote:
If you remember from Blackhats, the one I showed you was a
management app (it also had 7 threads) and had a 4-byte overwrite, but I
couldn't get it consistently to where I wanted (there seemed to be
many pointer fix-ups in the heap that made it crash before a control
structure overwrite).
With the example given, I couldn't get it to do anything, no 4-byte
overwrite. I seem not to be able to step through an overwrite of the
UEF in Visual Studio; I read somewhere it was because the debugger
overwrites the exception handler already, so the original pointer
isn't called and thus the overflow overwrites the wrong address.
I was able to get the SP2 one to work outside of Visual Studio but not
within. Does anyone have a way around this issue?
Paul.
halvar () gmx de wrote:
Hey Paul,
have you gotten to the point of being able to write arbitrary data?
----- Original Message ----- From: "pbb" <pbb () 65535 com>
To: <dailydave () lists immunitysec com>
Sent: Tuesday, October 04, 2005 2:04 AM
Subject: [Dailydave] Understanding Windows Heap Overflows
Hi everyone,
I've been a long-time lurker but never posted. I know Dave
suggested to me to post about Buffy ;) but I really would like to
get to grips with heap overflows. I have been trying to understand
heap overflows in Windows and have been fumbling with IDA Pro and
Visual Studio to try and understand the concept for a while now (in
between real life). I have been reading as many papers as I could
and have read the following and assumed I had some understanding of
them (I listed them at the bottom). I have managed to get the
example code from "Defeating Microsoft Windows XP SP2 Heap
Protection and DEP Bypass" by Alexander Anisimov to work, but not in
Visual Studio. I read somewhere (a long time ago) that the debugger
can ruin the overflow as it intercepts or rewrites the exception
handler which you are trying to overflow. I tried to get David
Litchfield's example code from his Blackhat presentation in 2004 to
work (on an SP1 XP box, so no heap protection) but inside or outside
a debugger it wouldn't work.
I thought I understood the theory of the overwrite of the heap
control structure but struggle to be able to see it in practice. Is
there a way to step through the overflow in a debugger? Can anyone
give me example code and a suggested platform to help me see it in
action? I realise there are a couple of different ways to gain
EIP, whether it's through the UEF or PEB or SEH, but how do I know
which one to use? I also realise that with a 4-byte overwrite you
may need somewhere that calls or jmps to a register that points
to your heap, but I haven't managed to step through it with a
debugger. As it's abusing the heap management of the OS, is it
possible to step through it in a debugger?
I have been on Halvar's "Analyzing Software for Security
Vulnerabilities" Blackhat course (not that I've had time to put
much of that into practice.
Need more time :)) And I would like to start reversing some
applications that I think have heap overflows in them and attempt
to write an overflow, but I'm not confident enough that I know what
I'm doing.
I've read these papers; can anyone suggest any others? (I probably
need to re-read them again though.)
blackhats-win-04-litchfield-code.rtf
blackhats-win-04-litchfield.ppt
Phrack 61-6: Advanced Doug Lea's malloc exploits
Managing Heap Memory in Win32 -MSDN
defeating-xpsp2-heap-protection - Alexander Anisimov
Practical-SEH-exploitation.pdf - Johnny Cyberpunk
msrpcheap.pdf - Of course Dave Aitel
msrpcheap2.pdf - Of course Dave Aitel
Practical Win32 and Unicode exploitation - Phenoelit
If I had a simple program like the one below, could I overflow it and learn
the theory? (Stolen from, I think, the Shellcoder's Handbook.) What am
I looking for, and how can I see this somewhere else?
Thanks guys for your time, and I hope this newbie question doesn't
annoy anyone.
Paul.
Here's one I was trying to step through in a debugger.
#include <stdio.h>
#include <string.h>   /* strcpy() */
#include <windows.h>

DWORD MyExceptionHandler(void);
int foo(char *buf);

int main(int argc, char *argv[])
{
    char *filename = NULL;          // filename of the data to overflow with.
    HMODULE l;                      // library handle
    FILE *fp_overflowFile = NULL;   // pointer to datafile
    char *buffer = NULL;
    int count = 0;
    int check = 0;

    l = LoadLibrary("mscvrt.dll");
    l = LoadLibrary("netapi32.dll");

    printf("\n\nHeap overflow program.\n");
    if( argc != 2)
    {
        return printf("ARGS!");
    }
    foo(argv[1]);   // argv[1] is the attacker-controlled string
    return 0;
}

DWORD MyExceptionHandler(void)
{
    printf("In exception handler ...");
    ExitProcess(1);
    return 0;
}

int foo(char *buf)
{
    HLOCAL h1 = 0, h2 = 0;
    HANDLE hp;

    __try{
        // Private heap: 0x1000 bytes initial, 0x10000 maximum
        hp = HeapCreate(0, 0x1000, 0x10000);
        if(!hp)
            return printf("Failed to create heap.\n");

        h1 = HeapAlloc(hp, HEAP_ZERO_MEMORY, 26);
        printf("HEAP: %.8x %.8x\n", h1, &h1);

        // Heap overflow occurs here: unbounded copy into a 26-byte block
        strcpy(h1, buf);

        // The second call to HeapAlloc() is when we gain control
        h2 = HeapAlloc(hp, HEAP_ZERO_MEMORY, 26);
    }
    __except(MyExceptionHandler()){
        printf("Exception occured...");
    }
    return 0;
}
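The thread asks how to actually watch the overwrite of a heap control structure happen, and the SP2 paper it cites is about the heap integrity checks that were added against it. As an added example (not code from the thread, the Shellcoder's Handbook, or any Windows heap source), the following portable C program simulates that situation in a flat byte array: chunk 1 is in use, chunk 2 sits on a doubly linked free list headed by chunk 0, and an unbounded copy into chunk 1 runs straight into chunk 2's header, just as strcpy(h1, buf) does in the program above. It then shows the "safe unlink" consistency check (each neighbour must point back at the entry being removed) that turns such corruption into a detected fault rather than an arbitrary 4-byte write, alongside the bounded copy that prevents the overflow in the first place. The layout, sizes, index-based links and names are this example's own assumptions, not the real Windows heap structures.

```c
/* Added example: simulated heap with a doubly linked free list, an
 * unbounded vs. bounded copy, and a safe-unlink integrity check.
 * All structures and sizes are assumptions for illustration only. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { CHUNKS = 3, DATA = 24, HEAD = 0, USED = 1, FREE = 2 };

/* Per-chunk header. flink/blink are chunk indexes rather than raw pointers. */
typedef struct { uint32_t size; uint32_t flink; uint32_t blink; } hdr;

#define STRIDE (sizeof(hdr) + DATA)
static unsigned char arena[CHUNKS * STRIDE];

static hdr get_hdr(uint32_t i) { hdr h; memcpy(&h, arena + i * STRIDE, sizeof h); return h; }
static void put_hdr(uint32_t i, hdr h) { memcpy(arena + i * STRIDE, &h, sizeof h); }
static unsigned char *data_of(uint32_t i) { return arena + i * STRIDE + sizeof(hdr); }

/* Fresh arena: chunk FREE is the only entry on the list headed by chunk HEAD. */
static void heap_reset(void) {
    memset(arena, 0, sizeof arena);
    put_hdr(HEAD, (hdr){0, FREE, FREE});
    put_hdr(USED, (hdr){DATA, 0, 0});
    put_hdr(FREE, (hdr){DATA, HEAD, HEAD});
}

/* Safe unlink: refuse to remove an entry whose neighbours do not point back
 * at it. Returns 0 on success, -1 when the control structure is corrupt. */
static int safe_unlink(uint32_t i) {
    hdr h = get_hdr(i);
    if (h.flink >= CHUNKS || h.blink >= CHUNKS) return -1;   /* garbage link */
    hdr f = get_hdr(h.flink), b = get_hdr(h.blink);
    if (f.blink != i || b.flink != i) return -1;              /* neighbours disagree */
    f.blink = h.blink; b.flink = h.flink;                     /* classic unlink write */
    put_hdr(h.flink, f); put_hdr(h.blink, b);
    return 0;
}

/* Unbounded copy, the strcpy(h1, buf) pattern: bytes beyond the chunk land in
 * the next chunk's header. Clamped at the arena end so the host process stays
 * memory-safe; returns the number of bytes that spilled past the chunk. */
static size_t copy_unbounded(uint32_t i, const char *src) {
    size_t n = strlen(src) + 1, room = sizeof arena - (i * STRIDE + sizeof(hdr));
    if (n > room) n = room;
    memcpy(data_of(i), src, n);
    return n > DATA ? n - DATA : 0;
}

/* Bounded copy: the fix. Truncates to the chunk size and always terminates. */
static size_t copy_bounded(uint32_t i, const char *src) {
    hdr h = get_hdr(i);
    size_t n = strlen(src);
    if (n >= h.size) n = h.size - 1;
    memcpy(data_of(i), src, n);
    data_of(i)[n] = '\0';
    return 0;
}

/* One scenario: copy the input into the in-use chunk, then take the free chunk
 * off the list (the "second HeapAlloc" moment in the posted program).
 * Returns the unlink result: 0 = clean, -1 = corruption detected. */
static int scenario(const char *input, int bounded) {
    heap_reset();
    if (bounded) copy_bounded(USED, input); else copy_unbounded(USED, input);
    return safe_unlink(FREE);
}

int main(void) {
    /* Constructed input: 40 bytes, 16 more than the 24-byte chunk holds. */
    const char *big = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    printf("short string, unbounded copy: %d\n", scenario("hello", 0));
    printf("long string,  unbounded copy: %d\n", scenario(big, 0));
    printf("long string,  bounded copy:   %d\n", scenario(big, 1));
    return 0;
}
```

With the long input and the unbounded copy, chunk 2's size, flink and blink all read 0x41414141 after the copy, so the check rejects the unlink instead of performing the two pointer writes; with the bounded copy the header is untouched and the unlink succeeds. The real heap's check compares pointers rather than indexes, but the shape of the test is the same.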