Full Disclosure mailing list archives
Question: Heap Overflows on 2k3/SP2
From: "class101 () HAT-SQUAD com" <class101 () hat-squad com>
Date: Sun, 27 Mar 2005 13:44:43 +0200
Do you know a reliable way to bypass the heap protection present in w2k3? I have trouble understanding why my heap overflow exploit (own discovery) isn't working fine on 2k3. If you are familiar with exploiting them, explain to me how to... Look at the bottom to see what the check looks like:
on 2k3: (on SP2 it's quite the same, I think, with the check register EDI replaced by EDX)

77F370ED 8B02          MOV EAX,DWORD PTR DS:[EDX]
77F370EF 8985 F0FEFFFF MOV DWORD PTR SS:[EBP-110],EAX
77F370F5 8B4A 04       MOV ECX,DWORD PTR DS:[EDX+4]
77F370F8 898D 68FEFFFF MOV DWORD PTR SS:[EBP-198],ECX
77F370FE 8B39          MOV EDI,DWORD PTR DS:[ECX]
77F37100 3B78 04       CMP EDI,DWORD PTR DS:[EAX+4]    <= protection
77F37103 0F85 F4FCFFFF JNZ ntdll.77F36DFD
77F37109 3BFA          CMP EDI,EDX                     <= protection
77F3710B 0F85 ECFCFFFF JNZ ntdll.77F36DFD
77F37111 8901          MOV DWORD PTR DS:[ECX],EAX
77F37113 8948 04       MOV DWORD PTR DS:[EAX+4],ECX
As you can see, it's not possible to use EAX as a "what" and ECX as a "where" pointing to the UEF because of the previous check. I think I have read somewhere about a method using the lookaside table; if you are familiar with it, thanks for explaining it to me ;)
-------------------------------------------------------------
class101
Jr. Researcher
Hat-Squad.com
-------------------------------------------------------------
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
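The two "protection" compares in the quoted ntdll listing are the safe-unlink check: before removing a free chunk from its doubly-linked list, the code requires Blink->Flink == Flink->Blink and Blink->Flink == the entry itself. The C model below is an added example written for this archive page, not code from the poster or from ntdll; the LIST_ENTRY struct, the unsafe_unlink/safe_unlink functions and the victim/payload globals are constructed stand-ins that mirror the register dataflow in the disassembly (EAX = [EDX], ECX = [EDX+4], EDI = [ECX]). It shows why the classic "EAX as what, ECX as where" write fails: even an attacker who mirrors the target slot's old value at what+4 to satisfy the first compare cannot make the target slot already point at the chunk being freed, which the second compare demands.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the free-list link walked by the quoted ntdll code:
 * on x86, [EDX] = Flink and [EDX+4] = Blink. The real _HEAP_FREE_ENTRY has
 * header fields in front of the links; they play no part in the check. */
typedef struct list_entry {
    struct list_entry *Flink;   /* MOV EAX,DWORD PTR DS:[EDX]   */
    struct list_entry *Blink;   /* MOV ECX,DWORD PTR DS:[EDX+4] */
} LIST_ENTRY;

/* Unlink with no validation (the behaviour the unchecked unlink had).
 * With attacker-controlled links it is the classic write-what-where:
 * *Blink = Flink and *(Flink+4) = Blink. */
static void unsafe_unlink(LIST_ENTRY *entry)
{
    LIST_ENTRY *flink = entry->Flink;
    LIST_ENTRY *blink = entry->Blink;
    blink->Flink = flink;
    flink->Blink = blink;
}

/* The checked unlink, step for step as in the disassembly:
 *   EAX = entry->Flink; ECX = entry->Blink; EDI = ECX->Flink
 *   CMP EDI,[EAX+4] : Blink->Flink must equal Flink->Blink
 *   CMP EDI,EDX     : Blink->Flink must equal the entry itself
 * Returns 1 if the entry was unlinked, 0 if a check rejected it. */
static int safe_unlink(LIST_ENTRY *entry)
{
    LIST_ENTRY *flink = entry->Flink;
    LIST_ENTRY *blink = entry->Blink;
    LIST_ENTRY *blink_flink = blink->Flink;
    if (blink_flink != flink->Blink) return 0;   /* first "protection" CMP  */
    if (blink_flink != entry)        return 0;   /* second "protection" CMP */
    blink->Flink = flink;
    flink->Blink = blink;
    return 1;
}

/* Well-formed circular list head <-> a <-> b <-> head: unlinking a passes
 * both checks and leaves head <-> b <-> head. */
int demo_valid_unlink(void)
{
    LIST_ENTRY head, a, b;
    head.Flink = &a;  head.Blink = &b;
    a.Flink = &b;     a.Blink = &head;
    b.Flink = &head;  b.Blink = &a;
    int ok = safe_unlink(&a);
    return ok && head.Flink == &b && b.Blink == &head
              && head.Blink == &b && b.Flink == &head;
}

/* Constructed stand-ins for the attack in the post: "victim" plays the
 * global pointer to overwrite (the UEF slot), "payload" is the memory whose
 * address the attacker wants written there, "real_owner" is whatever the
 * slot legitimately held before the attack. */
static LIST_ENTRY victim;      /* victim.Flink is the pointer at the "where" */
static LIST_ENTRY payload;     /* &payload is the "what" value */
static LIST_ENTRY real_owner;

static void build_corrupted_entry(LIST_ENTRY *fake)
{
    victim.Flink  = &real_owner;  /* original contents of the target slot */
    victim.Blink  = NULL;
    payload.Flink = NULL;
    payload.Blink = &real_owner;  /* old value mirrored at what+4 to pass CMP #1 */
    fake->Flink   = &payload;     /* "what"  -> EAX */
    fake->Blink   = &victim;      /* "where" -> ECX */
}

/* Unchecked unlink: the victim slot now holds &payload. */
int demo_unsafe_overwrite(void)
{
    LIST_ENTRY fake;
    build_corrupted_entry(&fake);
    unsafe_unlink(&fake);
    return victim.Flink == &payload;
}

/* Checked unlink: the same corrupted entry is rejected. The first compare is
 * satisfied by the mirrored value, but the second compare requires the target
 * slot to already contain &fake, which the attacker cannot arrange. */
int demo_safe_rejects(void)
{
    LIST_ENTRY fake;
    build_corrupted_entry(&fake);
    int unlinked = safe_unlink(&fake);
    return unlinked == 0 && victim.Flink == &real_owner;
}

int main(void)
{
    printf("valid unlink accepted  : %d\n", demo_valid_unlink());
    printf("unchecked overwrite    : %d\n", demo_unsafe_overwrite());
    printf("checked unlink rejects : %d\n", demo_safe_rejects());
    return 0;
}
```

The model deliberately keeps only the two link fields, so the compares map one-to-one onto the CMP EDI,[EAX+4] and CMP EDI,EDX lines in the listing; anything that bypasses this check has to avoid the list unlink path altogether rather than forge a Flink/Blink pair.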
Current thread:
- Question: Heap Overflows on 2k3/SP2 class101 () HAT-SQUAD com (Mar 27)
- <Possible follow-ups>
- Re: Question: Heap Overflows on 2k3/SP2 Nick Eoannidis (Mar 28)
- Re: Question: Heap Overflows on 2k3/SP2 class101 () HAT-SQUAD com (Mar 28)
- Re: Question: Heap Overflows on 2k3/SP2 m conover (Mar 28)
- Re: Re: Question: Heap Overflows on 2k3/SP2 class101 () HAT-SQUAD com (Mar 29)