Question: Heap Overflows on 2k3/SP2

["class101 () HAT-SQUAD com" <class101 () hat-squad com>]

Do you know a reliable way to bypass the heap protection present in w2k3 ?
I have troubles to understand why my heap overflows exploit (own discovery)
isnt working fine on 2k3.

If you are familiar exploiting them, explain me how to...
look at the bottom to show what the check looks like:

> on 2k3: (on SP2 its quite same I think with the check register EDI
replaced
> by EDX)
>
> 77F370ED   8B02                     MOV EAX,DWORD PTR DS:[EDX]
> 77F370EF   8985 F0FEFFFF   MOV DWORD PTR SS:[EBP-110],EAX
> 77F370F5   8B4A 04                MOV ECX,DWORD PTR DS:[EDX+4]
> 77F370F8   898D 68FEFFFF   MOV DWORD PTR SS:[EBP-198],ECX
> 77F370FE   8B39                     MOV EDI,DWORD PTR DS:[ECX]
> 77F37100   3B78 04                CMP EDI,DWORD PTR DS:[EAX+4] <=
protection
> 77F37103   0F85 F4FCFFFF  JNZ ntdll.77F36DFD
> 77F37109   3BFA                    CMP EDI,EDX  <= protection
> 77F3710B   0F85 ECFCFFFF JNZ ntdll.77F36DFD
> 77F37111   8901                      MOV DWORD PTR DS:[ECX],EAX
> 77F37113   8948 04                 MOV DWORD PTR DS:[EAX+4],ECX
As you can see , It's not possible to use EAX as a what and ECX as a where
pointing to UEF because of the previous check.
I think I have read somewhere a method about the lookaside table, If you
are familiar with it , thanx to explain it to me ;)
> -------------------------------------------------------------
> class101
> Jr. Researcher
> Hat-Squad.com
> -------------------------------------------------------------


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/