|
Dailydave
mailing list archives
RE: Understanding Windows Heap Overflows
From: "Brett Moore" <brett.moore () security-assessment com>
Date: Wed, 5 Oct 2005 10:36:34 +1300
Paul,
Not sure if this is of any use. But with Visual Studio ensure you
are breaking on all exceptions. Go into the debug->exception menu,
select all (except C++ exceptions) and change them to 'stop always'
As for the heap stuff.... The heap is a fical place...
a) Try longer / shorter bursts of data
b) Try data of different chars (ie: X or A or Y) etc... I used to find
0x48 a good heap manipulator (H).
Good luck
Brett
-----Original Message-----
From: pbb [mailto:pbb () 65535 com]
Sent: Wednesday, 5 October 2005 4:38 a.m.
To: halvar () gmx de
Cc: dailydave () lists immunitysec com
Subject: Re: [Dailydave] Understanding Windows Heap Overflows
If you remember from Blackhats, the one I showed you, was a management
app (also had 7 threads) and had a 4byte overwrite but I couldn't get it
consistantly to where I wanted (there seemed to be many pointer fix ups
in the heap that made it crash before a control structure overwrite).
With the example given, I couldn't get it to do anything, no 4 byte
overwrite. I seem not to be able to step through a overwrite of the UEF
in visual studio, I read somewhere it was because the debugger
overwrites the Exception handler already so the original pointer isn't
called thus the overflow overwrites the wrong address.
I was able to get the SP2 one to work out of visual studio but not
within, does anyone have a way around this issue.
Paul.
halvar () gmx de wrote:
hey paul,
have you gotten to the point of being able to write arbitrary data ?
----- Original Message ----- From: "pbb" <pbb () 65535 com>
To: <dailydave () lists immunitysec com>
Sent: Tuesday, October 04, 2005 2:04 AM
Subject: [Dailydave] Understanding Windows Heap Overflows
Hi everyone,
I've been a long time lurker but never posted. I know Dave suggested
to me to post about Buffy ;) but I really would like to get to grips
with Heap overflows. I have been trying to understand the Heap
Overflow in windows and have been fumbling with IDAPro and Visual
Studio to try and understand the concept for a while now (in between
real life). I have been reading as many papers as I could and have
read the following and assumed I had some understanding of them(I
listed them at the bottom). I have managed to get the example code
from Defeating Microsoft Windows XP SP2 Heap protection and DEP
bypass by Alexander Anisimov to work but not in Visual Studio. I read
somewhere (long time ago) that the debugger can ruin the overflow as
it intercepts or re-writes the exception handler which you are trying
to overflow. I tried to get David Litchfields example code from his
blackhats presentation in 2004 to work (on a sp1 XP box, so no heap
protection) but inisde or outside a debugger it wouldn't work.
I thought I understood the theory of the overwrite of the heap
control structure but struggle to be able to see it in practice. Is
there a way to step through the overflow in a debugger, can anyone
give me example code and a suggested platform to help me see it in
action. I realise there are a couple of different ways to gain the
EIP whether it's through the UEF or PEB or SEH but how do I know
which one to use. I also realise that with a 4 byte overwrite you may
need to somewhere that calls or jmps to a register that points to
your heap but I haven't managed to step through it with a debugger.
As it's abusing the heap management of the OS is it possible to step
through in a debugger.
I have been on Halvar's "Analyzing Software for Security
Vulnerabilities" blackhat course (not that I've had time to put much
of that in practice.
Need more time :)) And would like to start reversing some
applications that I think have heap overflows in them and attempt to
write an overflow but I'm not confident enough that I know what I'm
doing.
I've Read these papers, can anyone suggest any others? (probably need
to re-read them again though.)
blackhats-win-04-litchfield-code.rtf
blackhats-win-04-litchfield.ppt
phrack 61-6 Advanced Doug lea malloc exploits
Managing Heap Memory in Win32 -MSDN
defeating-xpsp2-heap-protection - Alexander Anisimov
Practical-SEH-exploitation.pdf - Johnny Cyberpunk
msrpcheap.pdf - Of course Dave Aitel
msrpcheap2.pdf - Of course Dave Aitel
Practical Win32 and Unicode exploitation - Phenoelit
If I had a simple program like below could I overflow it and learn
the theory? (stolen from I think the shellcoder's handbook) What am I
looking for and how can I see this somewhere else.
Thanks Guys for your time and hope this newbie questions doesn't
anony anyone.
Paul.
Here's one I was trying to step through in a debugger.
#include <stdio.h>
#include <windows.h>
DWORD MyExceptionHandler(void);
int foo(char *buf);
int main(int argc, char *argv[])
{
char *filename = NULL; // filename of the data to overflow with.
HMODULE l; // library handle
FILE *fp_overflowFile = NULL; // pointer to datafile
char *buffer = NULL;
int count = 0;
int check = 0;
l = LoadLibrary("mscvrt.dll");
l = LoadLibrary("netapi32.dll");
printf("\n\nHeap overflow program.\n");
if( argc != 2)
{
return printf("ARGS!");
}
foo(argv[1]);
return 0;
}
DWORD MyExceptionHandler(void)
{
printf("In exception handler ...");
ExitProcess(1);
return 0;
}
int foo(char *buf)
{
HLOCAL h1 =0, h2 = 0;
HANDLE hp;
__try{
hp = HeapCreate(0,0x1000,0x10000);
if(!hp)
return printf("Failed to create heap.\n");
h1 = HeapAlloc(hp,HEAP_ZERO_MEMORY,26);
printf("HEAP: %.8x %.8x\n", h1, &h1);
// Heap overflow occurs here:
strcpy(h1, buf);
// The second call to HeapAlloc() is when we gain
control
h2 = HeapAlloc(hp,HEAP_ZERO_MEMORY,26);
}
__except(MyExceptionHandler()){
printf("Exception occured...");
}
return 0;
}
e-mail protected and scanned by Bizo Email Filter - powered by Advascan
 By Date 
By Thread
Current thread:
|
Intro
