Dailydave mailing list archives

Re: Exploiting single NUL byte writes in XP SP2 - Is it possible?


From: shadown <shadown () gmail com>
Date: Sun, 18 Nov 2007 02:13:40 +0100

Hi nnp,

I don't know exactly what the situation is that you have there, but you
could influence: sfp (saved frame pointer, EBP of the caller), some
function pointer, some handle, some SEH, the heap header of some chunk
whose location you know and whose content you control (if previous heap
massaging is possible), some reference counter that could trigger
something you can further exploit, some dynamic DACL; you just have to
be a bit creative depending on what you have in front of you.
When you say a single NULL byte write anywhere, it's not just an offset
within 255 bytes of an address. It means that, depending on which BYTE you
modify of a given address 0xAABBCCDD (if you overwrite an address, of
course), if you modify the least significant byte then yes, it is within
the 255; otherwise it is not, and the resulting address MAY fall within a
range of memory whose contents you can control.
Depending on what you can influence it may be possible to exploit remotely:
if you have a memory leak, if you can do heap massaging, if the
exception after writing is handled (that helps a lot), etc.
My 2 cents.

Cheers,
  Sergio

nnp wrote:
Well, this seemed like as good a place as any to ask this, so here
goes. Is it possible to exploit a single NUL byte write in XP SP2? I
can write the NUL byte anywhere but for the life of me I can't think
of any way to get code execution from this. As far as I can tell to
exploit this I would need to be able to get data I control within 255
bytes of an address that's called and then zero out the LSB and that
just doesn't seem possible in Windows.

Anyone have a better (and by better I mean even remotely possible ;) )
way to exploit this?

Cheers,
nnp

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
