Dailydave
mailing list archives
Re: Understanding Windows Heap Overflows
From: Dave Aitel <dave () immunitysec com>
Date: Tue, 04 Oct 2005 11:43:14 -0400
Well, don't learn heap overflows on SP2 before you're good at win2k sp4,
is one important note. :> Another good note is that Nico and Sinan are
teaching a 1 day class:
http://www.pacsec.jp/dojoheap.html
This should overcome your problems with this sort of thing.
-dave
pbb wrote:
If you remember from Blackhats, the one I showed you was a management
app (it also had 7 threads) and had a 4-byte overwrite but I couldn't get
it consistently to where I wanted (there seemed to be many pointer fix-ups
in the heap that made it crash before a control structure overwrite).
With the example given, I couldn't get it to do anything, no 4-byte
overwrite. I seem not to be able to step through an overwrite of the
UEF in Visual Studio; I read somewhere it was because the debugger
overwrites the exception handler already, so the original pointer isn't
called and thus the overflow overwrites the wrong address.
I was able to get the SP2 one to work outside of Visual Studio but not
within. Does anyone have a way around this issue?
Paul.
halvar () gmx de wrote:
hey paul,
have you gotten to the point of being able to write arbitrary data ?
----- Original Message ----- From: "pbb" <pbb () 65535 com>
To: <dailydave () lists immunitysec com>
Sent: Tuesday, October 04, 2005 2:04 AM
Subject: [Dailydave] Understanding Windows Heap Overflows
Hi everyone,
I've been a long time lurker but never posted. I know Dave suggested
to me to post about Buffy ;) but I really would like to get to grips
with heap overflows. I have been trying to understand the heap
overflow in Windows and have been fumbling with IDA Pro and Visual
Studio to try and understand the concept for a while now (in between
real life). I have been reading as many papers as I could and have
read the following and assumed I had some understanding of them (I
listed them at the bottom). I have managed to get the example code
from "Defeating Microsoft Windows XP SP2 Heap protection and DEP
bypass" by Alexander Anisimov to work, but not in Visual Studio. I
read somewhere (a long time ago) that the debugger can ruin the
overflow as it intercepts or re-writes the exception handler which
you are trying to overflow. I tried to get David Litchfield's example
code from his Blackhats presentation in 2004 to work (on an SP1 XP
box, so no heap protection) but inside or outside a debugger it
wouldn't work.
I thought I understood the theory of the overwrite of the heap
control structure but struggle to be able to see it in practice. Is
there a way to step through the overflow in a debugger? Can anyone
give me example code and a suggested platform to help me see it in
action? I realise there are a couple of different ways to gain
EIP, whether it's through the UEF or PEB or SEH, but how do I know
which one to use? I also realise that with a 4-byte overwrite you
may need somewhere that calls or jmps to a register that points
to your heap, but I haven't managed to step through it with a
debugger. As it's abusing the heap management of the OS, is it
possible to step through in a debugger?
I have been on Halvar's "Analyzing Software for Security
Vulnerabilities" Blackhat course (not that I've had time to put much
of that in practice. Need more time :)) and would like to start
reversing some applications that I think have heap overflows in them
and attempt to write an overflow, but I'm not confident enough that
I know what I'm doing.
I've read these papers; can anyone suggest any others? (I probably
need to re-read them again though.)
blackhats-win-04-litchfield-code.rtf
blackhats-win-04-litchfield.ppt
phrack 61-6 Advanced Doug lea malloc exploits
Managing Heap Memory in Win32 - MSDN
defeating-xpsp2-heap-protection - Alexander Anisimov
Practical-SEH-exploitation.pdf - Johnny Cyberpunk
msrpcheap.pdf - Of course Dave Aitel
msrpcheap2.pdf - Of course Dave Aitel
Practical Win32 and Unicode exploitation - Phenoelit
If I had a simple program like the one below, could I overflow it and
learn the theory? (stolen from, I think, the Shellcoder's Handbook) What
am I looking for, and how can I see this somewhere else?
Thanks guys for your time, and I hope these newbie questions don't
annoy anyone.
Paul.
Here's one I was trying to step through in a debugger.
    #include <stdio.h>
    #include <string.h>
    #include <windows.h>

    DWORD MyExceptionHandler(void);
    int foo(char *buf);

    int main(int argc, char *argv[])
    {
        char *filename = NULL;          // filename of the data to overflow with.
        HMODULE l;                      // library handle
        FILE *fp_overflowFile = NULL;   // pointer to datafile
        char *buffer = NULL;
        int count = 0;
        int check = 0;

        // Pull a couple of system DLLs into the process so their code and
        // data are mapped; the demo never calls into them.
        l = LoadLibrary("msvcrt.dll");
        l = LoadLibrary("netapi32.dll");
        printf("\n\nHeap overflow program.\n");
        if (argc != 2)
        {
            return printf("ARGS!");
        }
        foo(argv[1]);
        return 0;
    }

    // Runs as the __except filter; it exits the process, so the filter
    // value is never actually used.
    DWORD MyExceptionHandler(void)
    {
        printf("In exception handler ...");
        ExitProcess(1);
        return 0;
    }

    int foo(char *buf)
    {
        HLOCAL h1 = 0, h2 = 0;
        HANDLE hp;
        __try {
            // Private heap: 0x1000 bytes committed up front, 0x10000 maximum.
            hp = HeapCreate(0, 0x1000, 0x10000);
            if (!hp)
                return printf("Failed to create heap.\n");
            h1 = HeapAlloc(hp, HEAP_ZERO_MEMORY, 26);
            printf("HEAP: %.8x %.8x\n", h1, &h1);
            // Heap overflow occurs here: strcpy() has no bound, so anything
            // past the 26 bytes of h1 runs into the next chunk's control data.
            strcpy((char *)h1, buf);
            // The second call to HeapAlloc() is when we gain control:
            // the allocator reads back the overwritten control data.
            h2 = HeapAlloc(hp, HEAP_ZERO_MEMORY, 26);
        }
        __except (MyExceptionHandler()) {
            printf("Exception occurred...");
        }
        return 0;
    }
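What the posted program is "looking for", as an added, portable simulation that is not part of Paul's message or of the Shellcoder's Handbook code: the 26-byte user region is followed by the next chunk's bookkeeping (a constructed `sim_hdr`, not Windows' real HEAP_ENTRY layout), an unchecked strcpy()-style copy of a 30-byte string writes its last four characters and the terminator over that header, and a length check before the copy is the fix. The header field names, the expected values and the 30-byte input are all assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Size of the user region: the HeapAlloc(hp, HEAP_ZERO_MEMORY, 26)
   request from the posted program. */
#define USER_SIZE 26u

/* Stand-in for the allocator's per-chunk bookkeeping that sits right
   after the user region. Constructed for the demo; not the real layout. */
struct sim_hdr {
    uint32_t size;   /* size of the neighbouring chunk */
    uint32_t flink;  /* free-list forward link */
    uint32_t blink;  /* free-list back link */
};

#define HDR_OFF    USER_SIZE
#define ARENA_SIZE (USER_SIZE + sizeof(struct sim_hdr))

/* Made-up but recognisable values for the neighbour's header. */
static const struct sim_hdr EXPECTED_HDR = { 32u, 0x00400100u, 0x00400108u };

/* Fresh arena: zeroed user bytes (HEAP_ZERO_MEMORY), then the header. */
static void arena_init(unsigned char *arena)
{
    memset(arena, 0, USER_SIZE);
    memcpy(arena + HDR_OFF, &EXPECTED_HDR, sizeof EXPECTED_HDR);
}

static struct sim_hdr arena_hdr(const unsigned char *arena)
{
    struct sim_hdr h;
    memcpy(&h, arena + HDR_OFF, sizeof h);
    return h;
}

/* 1 if the neighbour's header still holds what arena_init() wrote. The
   header cookie and safe-unlink checks XP SP2 added to the allocator
   play the same role inside the real heap. */
static int arena_hdr_intact(const unsigned char *arena)
{
    struct sim_hdr h = arena_hdr(arena);
    return h.size == EXPECTED_HDR.size &&
           h.flink == EXPECTED_HDR.flink &&
           h.blink == EXPECTED_HDR.blink;
}

/* The copy from foo(): strcpy() semantics, no length check. Returns how
   many bytes landed past the user region (0 when nothing overflowed).
   Capped at the arena only so the simulation itself stays in bounds. */
static size_t copy_unchecked(unsigned char *arena, const char *src)
{
    size_t n = strlen(src) + 1;          /* strcpy() copies the NUL too */
    if (n > ARENA_SIZE)
        n = ARENA_SIZE;
    memcpy(arena, src, n);
    return n > USER_SIZE ? n - USER_SIZE : 0;
}

/* The hardened form: refuse input that does not fit, NUL included. */
static int copy_checked(unsigned char *arena, const char *src)
{
    size_t n = strlen(src) + 1;
    if (n > USER_SIZE)
        return -1;
    memcpy(arena, src, n);
    return 0;
}

/* Constructed input: buflen-1 'A's plus the terminator (30 'A's below). */
static void make_input(char *buf, size_t buflen)
{
    memset(buf, 'A', buflen - 1);
    buf[buflen - 1] = '\0';
}

/* Bytes the unchecked copy wrote into the neighbour's header:
   5 for the 30-byte input (four 'A's plus the terminator). */
static size_t demo_unchecked_overflow(void)
{
    unsigned char arena[ARENA_SIZE];
    char input[31];
    make_input(input, sizeof input);
    arena_init(arena);
    return copy_unchecked(arena, input);
}

/* 1 if the unchecked copy corrupted the neighbour's header. */
static int demo_unchecked_corrupts(void)
{
    unsigned char arena[ARENA_SIZE];
    char input[31];
    make_input(input, sizeof input);
    arena_init(arena);
    copy_unchecked(arena, input);
    return !arena_hdr_intact(arena);
}

/* 1 if the checked copy rejected the input and left the header alone. */
static int demo_checked_rejects(void)
{
    unsigned char arena[ARENA_SIZE];
    char input[31];
    make_input(input, sizeof input);
    arena_init(arena);
    return copy_checked(arena, input) == -1 && arena_hdr_intact(arena);
}

int main(void)
{
    unsigned char arena[ARENA_SIZE];
    char input[31];
    struct sim_hdr h;

    make_input(input, sizeof input);
    arena_init(arena);
    printf("unchecked: %zu byte(s) past the user region\n",
           copy_unchecked(arena, input));
    h = arena_hdr(arena);
    printf("size=%#010x flink=%#010x blink=%#010x intact=%d\n",
           h.size, h.flink, h.blink, arena_hdr_intact(arena));

    arena_init(arena);
    printf("checked: rc=%d intact=%d\n",
           copy_checked(arena, input), arena_hdr_intact(arena));
    return 0;
}
```

After the unchecked copy the `size` field reads 0x41414141 and the header no longer verifies; the checked copy returns -1 and leaves it untouched. The point for the debugger question is that the corruption itself is silent: the overwritten fields are only read back on the next allocation, which is the step the posted comment marks as the second HeapAlloc(), so that is where a breakpoint or a heap-integrity check will first see the damage.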