Dailydave mailing list archives
Re: Understanding Windows Heap Overflows
From: Dave Aitel <dave () immunitysec com>
Date: Tue, 04 Oct 2005 11:43:14 -0400
Well, don't learn heap overflows on SP2 before you're good at win2k sp4, is one important note. :> Another good note is that Nico and Sinan are teaching a 1 day class:
http://www.pacsec.jp/dojoheap.html This should overcome your problems with this sort of thing. -dave pbb wrote:
If you remember from Blackhats, the one I showed you, was a management app (also had 7 threads) and had a 4byte overwrite but I couldn't get it consistantly to where I wanted (there seemed to be many pointer fix ups in the heap that made it crash before a control structure overwrite).With the example given, I couldn't get it to do anything, no 4 byte overwrite. I seem not to be able to step through a overwrite of the UEF in visual studio, I read somewhere it was because the debugger overwrites the Exception handler already so the original pointer isn't called thus the overflow overwrites the wrong address.I was able to get the SP2 one to work out of visual studio but not within, does anyone have a way around this issue.Paul. halvar () gmx de wrote:hey paul, have you gotten to the point of being able to write arbitrary data ? ----- Original Message ----- From: "pbb" <pbb () 65535 com> To: <dailydave () lists immunitysec com> Sent: Tuesday, October 04, 2005 2:04 AM Subject: [Dailydave] Understanding Windows Heap OverflowsHi everyone,I've been a long time lurker but never posted. I know Dave suggested to me to post about Buffy ;) but I really would like to get to grips with Heap overflows. I have been trying to understand the Heap Overflow in windows and have been fumbling with IDAPro and Visual Studio to try and understand the concept for a while now (in between real life). I have been reading as many papers as I could and have read the following and assumed I had some understanding of them(I listed them at the bottom). I have managed to get the example code from Defeating Microsoft Windows XP SP2 Heap protection and DEP bypass by Alexander Anisimov to work but not in Visual Studio. I read somewhere (long time ago) that the debugger can ruin the overflow as it intercepts or re-writes the exception handler which you are trying to overflow. I tried to get David Litchfields example code from his blackhats presentation in 2004 to work (on a sp1 XP box, so no heap protection) but inisde or outside a debugger it wouldn't work.I thought I understood the theory of the overwrite of the heap control structure but struggle to be able to see it in practice. Is there a way to step through the overflow in a debugger, can anyone give me example code and a suggested platform to help me see it in action. I realise there are a couple of different ways to gain the EIP whether it's through the UEF or PEB or SEH but how do I know which one to use. I also realise that with a 4 byte overwrite you may need to somewhere that calls or jmps to a register that points to your heap but I haven't managed to step through it with a debugger. As it's abusing the heap management of the OS is it possible to step through in a debugger.I have been on Halvar's "Analyzing Software for Security Vulnerabilities" blackhat course (not that I've had time to put much of that in practice.Need more time :)) And would like to start reversing some applications that I think have heap overflows in them and attempt to write an overflow but I'm not confident enough that I know what I'm doing.I've Read these papers, can anyone suggest any others? (probably need to re-read them again though.)blackhats-win-04-litchfield-code.rtf blackhats-win-04-litchfield.ppt phrack 61-6 Advanced Doug lea malloc exploits Managing Heap Memory in Win32 -MSDN defeating-xpsp2-heap-protection - Alexander Anisimov Practical-SEH-exploitation.pdf - Johnny Cyberpunk msrpcheap.pdf - Of course Dave Aitel msrpcheap2.pdf - Of course Dave Aitel Practical Win32 and Unicode exploitation - PhenoelitIf I had a simple program like below could I overflow it and learn the theory? (stolen from I think the shellcoder's handbook) What am I looking for and how can I see this somewhere else.Thanks Guys for your time and hope this newbie questions doesn't anony anyone.Paul. Here's one I was trying to step through in a debugger. #include <stdio.h> #include <windows.h> DWORD MyExceptionHandler(void); int foo(char *buf); int main(int argc, char *argv[]) { char *filename = NULL; // filename of the data to overflow with. HMODULE l; // library handle FILE *fp_overflowFile = NULL; // pointer to datafile char *buffer = NULL; int count = 0; int check = 0; l = LoadLibrary("mscvrt.dll"); l = LoadLibrary("netapi32.dll"); printf("\n\nHeap overflow program.\n"); if( argc != 2) { return printf("ARGS!"); } foo(argv[1]); return 0; } DWORD MyExceptionHandler(void) { printf("In exception handler ..."); ExitProcess(1); return 0; } int foo(char *buf) { HLOCAL h1 =0, h2 = 0; HANDLE hp;__try{hp = HeapCreate(0,0x1000,0x10000); if(!hp) return printf("Failed to create heap.\n"); h1 = HeapAlloc(hp,HEAP_ZERO_MEMORY,26); printf("HEAP: %.8x %.8x\n", h1, &h1); // Heap overflow occurs here: strcpy(h1, buf);// The second call to HeapAlloc() is when we gain controlh2 = HeapAlloc(hp,HEAP_ZERO_MEMORY,26); } __except(MyExceptionHandler()){ printf("Exception occured..."); } return 0; }
Current thread:
- Understanding Windows Heap Overflows pbb (Oct 04)
- Re: Understanding Windows Heap Overflows MÃ¥rten Cassel (Oct 04)
- Message not available
- Re: Understanding Windows Heap Overflows pbb (Oct 04)
- Re: Understanding Windows Heap Overflows Dave Aitel (Oct 04)
- Re: Understanding Windows Heap Overflows pbb (Oct 04)
- RE: Understanding Windows Heap Overflows Brett Moore (Oct 04)
- RE: Understanding Windows Heap Overflows Ben Nagy (Oct 04)
- Re: Understanding Windows Heap Overflows pbb (Oct 05)
- RE: Understanding Windows Heap Overflows Brett Moore (Oct 05)
- Re: Understanding Windows Heap Overflows pbb (Oct 04)
- RE: Understanding Windows Heap Overflows Dave Korn (Oct 19)
- Re: Understanding Windows Heap Overflows Matt Conover (Oct 19)
- RE: Understanding Windows Heap Overflows Dave Korn (Oct 20)
- <Possible follow-ups>
- Understanding Windows Heap Overflows Matt Conover (Oct 06)
- Re: Understanding Windows Heap Overflows pbb (Oct 07)