Dailydave mailing list archives

Re: Understanding Windows Heap Overflows


From: Nicolas Waisman <nicolas () immunitysec com>
Date: Fri, 7 Oct 2005 11:42:36 -0400

The best way to learn is going real. I would recommend you try
exploiting MS05_021 (the X-LINK2STATE bug); with that bug you will
be able to play pretty easily with the heap layout (which is the real
challenge in heap exploits: getting whatever primitive you need).

Peace,
Nico


On Fri, Oct 07, 2005 at 10:01:27AM +0100, pbb wrote:
Thanks guys for all the responses,

I've actually had an app I was playing with (that I suspected had a
heap overflow that I was trying to exploit) get an overflow with
control of the eax and ecx registers, so I thought I had it but couldn't
move from there to executing code. I haven't looked at it for a while as
I knew I didn't understand the technique as well as I thought. I hope
that I can step through the examples you guys have given me and
progress ever so slightly in my knowledge of these types of
exploitation.

I've been stepping through Brett's link and hope this will get me over
the issue I was having. I'm not sure if it's because the app I was
looking at was multithreaded and the overflows are not simple like a
stack one, where at the end of the overflowed function it executes.

I'll try and look at Matt's example over the weekend. Thanks for the help.

Paul.
