Vulnerability Development mailing list archives
win32 heap overflow exploitation
From: Adik <netninja () hotmail kg>
Date: Sun, 26 Oct 2003 16:29:19 +0500 (KGT)
Hi there folks, I'm having a problem exploiting an application vulnerable to a heap overflow. I can write 4 bytes to any place in memory:

    mov dword ptr [eax], ecx
    mov dword ptr [ecx+4], eax

I control ecx and eax. I tried overwriting the UnhandledExceptionFilter pointer (located at address 77ee044c) with a pointer to "call [ebp-28]"; this is where a pointer to my shellcode is located.

    eax = 77ee044c  <--- UnhandledExceptionFilter pointer of my version of Windows
    ecx = 77f8ce83  <--- .text unwritable address, points to -> call [ebp-28]

The second line, mov dword ptr [ecx+4], eax, is supposed to trigger an access violation on write, because ecx is an unwritable address, thus invoking the exception handler. Because the exception handler address is overwritten with a pointer to call [ebp-28], it should theoretically execute call [ebp-28] and then my shellcode. But it's not doing so. Maybe I'm doing something wrong. A little help on that would be great.

What else can I overwrite with my 4 bytes except exception pointers? eEye mentioned overwriting PEB locking pointers. Could anyone please clarify that? I couldn't find info on it. Any tips/tricks/methods/techniques/links/papers on exploiting Windows-based heap overflows would be greatly appreciated.

Thanks,
Adik
Current thread:
- win32 heap overflow exploitation Adik (Oct 26)
- RE: win32 heap overflow exploitation Brett Moore (Oct 26)
- <Possible follow-ups>
- Re: win32 heap overflow exploitation Barnaby Jack (Oct 26)
- Re: win32 heap overflow exploitation Dave Korn (Oct 27)