Dailydave mailing list archives
RE: Understanding Windows Heap Overflows
From: "Brett Moore" <brett.moore () security-assessment com>
Date: Wed, 5 Oct 2005 10:36:34 +1300
Paul,

Not sure if this is of any use. But with Visual Studio ensure you are breaking on all exceptions. Go into the debug->exception menu, select all (except C++ exceptions) and change them to 'stop always'.

As for the heap stuff.... The heap is a fickle place...
a) Try longer / shorter bursts of data
b) Try data of different chars (ie: X or A or Y) etc...
I used to find 0x48 a good heap manipulator (H).

Good luck
Brett

-----Original Message-----
From: pbb [mailto:pbb () 65535 com]
Sent: Wednesday, 5 October 2005 4:38 a.m.
To: halvar () gmx de
Cc: dailydave () lists immunitysec com
Subject: Re: [Dailydave] Understanding Windows Heap Overflows

If you remember from Blackhats, the one I showed you was a management app (also had 7 threads) and had a 4 byte overwrite, but I couldn't get it consistently to where I wanted (there seemed to be many pointer fix ups in the heap that made it crash before a control structure overwrite). With the example given, I couldn't get it to do anything, no 4 byte overwrite.

I seem not to be able to step through an overwrite of the UEF in Visual Studio. I read somewhere it was because the debugger overwrites the exception handler already, so the original pointer isn't called, thus the overflow overwrites the wrong address. I was able to get the SP2 one to work out of Visual Studio but not within. Does anyone have a way around this issue?

Paul.

halvar () gmx de wrote:
hey paul,

have you gotten to the point of being able to write arbitrary data ?

----- Original Message -----
From: "pbb" <pbb () 65535 com>
To: <dailydave () lists immunitysec com>
Sent: Tuesday, October 04, 2005 2:04 AM
Subject: [Dailydave] Understanding Windows Heap Overflows

Hi everyone,

I've been a long time lurker but never posted. I know Dave suggested to me to post about Buffy ;) but I really would like to get to grips with heap overflows.

I have been trying to understand the heap overflow in Windows and have been fumbling with IDA Pro and Visual Studio to try and understand the concept for a while now (in between real life). I have been reading as many papers as I could and have read the following and assumed I had some understanding of them (I listed them at the bottom).

I have managed to get the example code from "Defeating Microsoft Windows XP SP2 Heap protection and DEP bypass" by Alexander Anisimov to work, but not in Visual Studio. I read somewhere (long time ago) that the debugger can ruin the overflow as it intercepts or re-writes the exception handler which you are trying to overflow. I tried to get David Litchfield's example code from his Blackhat presentation in 2004 to work (on an SP1 XP box, so no heap protection) but inside or outside a debugger it wouldn't work.

I thought I understood the theory of the overwrite of the heap control structure but struggle to be able to see it in practice. Is there a way to step through the overflow in a debugger? Can anyone give me example code and a suggested platform to help me see it in action. I realise there are a couple of different ways to gain the EIP, whether it's through the UEF or PEB or SEH, but how do I know which one to use. I also realise that with a 4 byte overwrite you may need to go somewhere that calls or jmps to a register that points to your heap, but I haven't managed to step through it with a debugger. As it's abusing the heap management of the OS, is it possible to step through in a debugger?
I have been on Halvar's "Analyzing Software for Security Vulnerabilities" Blackhat course (not that I've had time to put much of that in practice. Need more time :)) and would like to start reversing some applications that I think have heap overflows in them and attempt to write an overflow, but I'm not confident enough that I know what I'm doing.

I've read these papers, can anyone suggest any others? (probably need to re-read them again though.)

blackhats-win-04-litchfield-code.rtf
blackhats-win-04-litchfield.ppt
phrack 61-6 Advanced Doug Lea malloc exploits
Managing Heap Memory in Win32 - MSDN
defeating-xpsp2-heap-protection - Alexander Anisimov
Practical-SEH-exploitation.pdf - Johnny Cyberpunk
msrpcheap.pdf - Of course Dave Aitel
msrpcheap2.pdf - Of course Dave Aitel
Practical Win32 and Unicode exploitation - Phenoelit

If I had a simple program like below could I overflow it and learn the theory? (stolen from, I think, the Shellcoder's Handbook) What am I looking for and how can I see this somewhere else.

Thanks guys for your time and hope these newbie questions don't annoy anyone.

Paul.

Here's one I was trying to step through in a debugger.

#include <stdio.h>
#include <string.h>
#include <windows.h>

DWORD MyExceptionHandler(void);
int foo(char *buf);

int main(int argc, char *argv[])
{
    HMODULE l;  /* library handle */

    /* Load a couple of libraries so the process looks like a typical target
       (the posted code spells the first one "mscvrt.dll"; corrected here). */
    l = LoadLibrary("msvcrt.dll");
    l = LoadLibrary("netapi32.dll");
    (void)l;

    printf("\n\nHeap overflow program.\n");
    if (argc != 2)
        return printf("ARGS!");
    foo(argv[1]);
    return 0;
}

DWORD MyExceptionHandler(void)
{
    printf("In exception handler ...");
    ExitProcess(1);
    return 0;  /* not reached: ExitProcess() does not return */
}

int foo(char *buf)
{
    HLOCAL h1 = 0, h2 = 0;
    HANDLE hp;

    __try {
        hp = HeapCreate(0, 0x1000, 0x10000);  /* private heap: 4 KB initial, 64 KB max */
        if (!hp)
            return printf("Failed to create heap.\n");
        h1 = HeapAlloc(hp, HEAP_ZERO_MEMORY, 26);
        printf("HEAP: %p %p\n", h1, (void *)&h1);
        /* Heap overflow occurs here: buf is copied unbounded into a 26-byte block */
        strcpy((char *)h1, buf);
        /* The second call to HeapAlloc() is when we gain control */
        h2 = HeapAlloc(hp, HEAP_ZERO_MEMORY, 26);
        (void)h2;
    }
    __except (MyExceptionHandler()) {
        printf("Exception occurred...");
    }
    return 0;
}
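Added example, not code from the thread or from the Shellcoder's Handbook: a toy allocator in C that models what the posted program trips over, a chunk header sitting right behind a 26-byte block, and shows the two checks a hardened allocator applies before trusting that header again, a cookie over the header fields and the flink/blink consistency test of safe unlinking. The header layout, the cookie formula, heap_secret and every function name here are assumptions made for the example; it is not Windows heap code. The same 26-byte request size as Paul's program is used so the geometry matches.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy heap model, constructed for this example (not Windows heap code):
 * a busy chunk followed by a free chunk in one arena, each with a header
 * in front of its user data. The free chunk sits on a one-element doubly
 * linked free list, the structure the allocator walks on the next request. */
#define ARENA_SIZE   4096
#define USER_SIZE    26                       /* request size in the posted program */
#define CHUNK_STRIDE ((USER_SIZE + 7) & ~7)   /* user area rounded up for alignment */

typedef struct chunk {
    uint32_t size;         /* user bytes requested */
    uint32_t cookie;       /* header integrity value (assumed design, not Windows' cookie) */
    struct chunk *flink;   /* free-list links, meaningful only while the chunk is free */
    struct chunk *blink;
} chunk_t;

#define CHUNK_DATA(c) ((char *)((c) + 1))     /* user data follows the header */

static union { uint8_t bytes[ARENA_SIZE]; chunk_t align; } arena_u;
static uint8_t *const arena = arena_u.bytes;
static const uint32_t heap_secret = 0x5a17c0de;   /* constructed per-heap secret */
static chunk_t *first, *second;

static uint32_t compute_cookie(const chunk_t *c) {
    return (uint32_t)(uintptr_t)c ^ c->size ^ heap_secret;
}

/* Lay out the two chunks and seal both headers. */
void toy_heap_init(void) {
    memset(arena, 0, ARENA_SIZE);
    first  = (chunk_t *)arena;
    second = (chunk_t *)(arena + sizeof(chunk_t) + CHUNK_STRIDE);
    first->size  = USER_SIZE;
    second->size = USER_SIZE;
    second->flink = second;    /* only element on the free list */
    second->blink = second;
    first->cookie  = compute_cookie(first);
    second->cookie = compute_cookie(second);
}

chunk_t *toy_first(void)  { return first; }
chunk_t *toy_second(void) { return second; }

static int in_arena(const void *p) {
    const uint8_t *b = (const uint8_t *)p;
    return b >= arena && b + sizeof(chunk_t) <= arena + ARENA_SIZE;
}

/* Check 1: does the header still match the cookie sealed when it was built? */
int header_intact(const chunk_t *c) {
    return c->cookie == compute_cookie(c);
}

/* Check 2: the safe-unlink test, c->flink->blink == c && c->blink->flink == c,
 * behind a range check so a garbage link is rejected rather than dereferenced. */
int free_links_consistent(const chunk_t *c) {
    if (!in_arena(c->flink) || !in_arena(c->blink))
        return 0;
    return c->flink->blink == c && c->blink->flink == c;
}

/* Length-limited copy that always NUL-terminates within cap bytes. */
static void bounded_copy(char *dst, size_t cap, const char *src) {
    size_t n = strlen(src);
    if (n >= cap)
        n = cap - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Copy input into the busy chunk, either as the posted program does (strcpy)
 * or with a bound, then audit the free neighbour's header the way a hardened
 * allocator would before using it. Returns 0 when the neighbour validates,
 * 1 when the cookie check fires, 2 when the free-list check fires. */
int copy_and_audit(const char *input, int bounded) {
    toy_heap_init();
    if (bounded)
        bounded_copy(CHUNK_DATA(first), USER_SIZE, input);
    else
        strcpy(CHUNK_DATA(first), input);   /* the unbounded copy from the posted code */
    if (!header_intact(second))
        return 1;
    if (!free_links_consistent(second))
        return 2;
    return 0;
}

int main(void) {
    char input[64];                          /* constructed input: 63 'A's, well past 26 */
    memset(input, 'A', sizeof input - 1);
    input[sizeof input - 1] = '\0';
    printf("unbounded strcpy: audit result %d\n", copy_and_audit(input, 0));
    printf("bounded copy:     audit result %d\n", copy_and_audit(input, 1));
    return 0;
}
```

The cookie check catches the corruption first because the overflow runs straight through size and cookie before it reaches the links; the link check is what would stop a corrupted flink/blink pair from being used on the next allocation if the cookie were ever bypassed. The range check in front of the dereference is the caveat: a consistency test that blindly follows a link pointer turns a detected corruption into a crash at the check itself, which is the kind of "crash before the control structure overwrite" behaviour Paul describes seeing under a debugger.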
Current thread:
- Understanding Windows Heap Overflows pbb (Oct 04)
- Re: Understanding Windows Heap Overflows Mårten Cassel (Oct 04)
- Message not available
- Re: Understanding Windows Heap Overflows pbb (Oct 04)
- Re: Understanding Windows Heap Overflows Dave Aitel (Oct 04)
- Re: Understanding Windows Heap Overflows pbb (Oct 04)
- RE: Understanding Windows Heap Overflows Brett Moore (Oct 04)
- RE: Understanding Windows Heap Overflows Ben Nagy (Oct 04)
- Re: Understanding Windows Heap Overflows pbb (Oct 05)
- RE: Understanding Windows Heap Overflows Brett Moore (Oct 05)
- Re: Understanding Windows Heap Overflows pbb (Oct 04)
- RE: Understanding Windows Heap Overflows Dave Korn (Oct 19)
- Re: Understanding Windows Heap Overflows Matt Conover (Oct 19)
- RE: Understanding Windows Heap Overflows Dave Korn (Oct 20)
- <Possible follow-ups>
- Understanding Windows Heap Overflows Matt Conover (Oct 06)
- Re: Understanding Windows Heap Overflows pbb (Oct 07)
- Re: Understanding Windows Heap Overflows Matt Conover (Oct 07)
- Re: Understanding Windows Heap Overflows Nicolas Waisman (Oct 07)
- Re: Understanding Windows Heap Overflows pbb (Oct 07)