Bugtraq: Windows LoadImage API Heapoverflow exploit

From: Berend-Jan Wever <skylined_at_edup.tudelft.nl>
Date: Sat, 1 Jan 2005 19:57:32 +0100 (CET)

Has anybody else tested flashsky's exploit?
I've tried to exploit this vuln on win2ksp4 MSIE 6.0sp1 but in my findings
it is very unreliable: the different threads running in IE make it almost
impossible to determine which Heap API call will first run into an
overwritten heap header block (HeapAlloc, HeapReAlloc, HeapFree,
RtlHeapAlloc, etc., etc.) or which block it will run into. Most calls
will simply crash IE; I've only had one successful attempt in what must
have been at least 50 tries.

Finding a way to make sure one specific heap API call will be called after
overwriting the heap would solve this problem; so far my attempts at this
have been unsuccessful.

Cheers,
SkyLined
Received on Jan 01 2005