Dailydave mailing list archives
Re: Exploiting single NUL byte writes in XP SP2 - Is it possible?
From: shadown <shadown () gmail com>
Date: Sun, 18 Nov 2007 02:13:40 +0100
Hi nnp,

I don't know exactly what the situation is that you have there, but you could influence: the sfp (saved frame pointer, EBP of the caller), some function pointer, some handle, some SEH, the heap header of some chunk whose location you know and whose content you control (if previous heap massaging is possible), some reference counter that could trigger something you can further exploit, some dynamic DACL; you just have to be a bit creative depending on what you have in front of you.

When you say a single NULL byte write anywhere, it's not just an offset within 255 bytes of an address. It means that, depending on the BYTE you modify of a given address 0xAABBCCDD (if you overwrite an address, of course), if you modify the least significant byte, then yes, it is within the 255; otherwise it is not, and the resulting address MAY fall within a range of memory whose contents you can control.

Depending on what you can influence it may be possible to exploit remotely: if you have a memory leak, if you can do heap massaging, if the exception after writing is handled, that helps a lot, etc.

My 2 cents.

Cheers,
Sergio

nnp wrote:
Well this seemed like as good a place as any to ask this, so here goes. Is it possible to exploit a single NUL byte write in XP SP2? I can write the NUL byte anywhere but for the life of me I can't think of any way to get code execution from this. As far as I can tell to exploit this I would need to be able to get data I control within 255 bytes of an address that's called and then zero out the LSB and that just doesn't seem possible in Windows. Anyone have a better (and by better I mean even remotely possible ;) ) way to exploit this? Cheers, nnp
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Exploiting single NUL byte writes in XP SP2 - Is it possible? nnp (Nov 17)
- Re: Exploiting single NUL byte writes in XP SP2 - Is it possible? shadown (Nov 18)