The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Microsoft Windows Heap Based Overflow Exploiting
------------------------------------------------------------------------
SUMMARY
Presented in this article are several documents discussing Heap based
exploitation in Microsoft Windows. The documents present the challenges in
heap exploitation and ways to create exploitation more stable.
DETAILS
Matt Conover & Oded Horovitz released several documents explaining heap
based overflow exploitation in the Microsoft Windows platforms.
Heap Based Overflow Exploitation Before Windows XP Service Pack2:
Introduction:
Heap vulnerabilities become mainstream DCOM (seems to be the inflection
point), Messenger, MSMQ, Script Engine.
Even experts use some voodoo magic as main ingredient of exploits:
* Making a 4-byte overwrite (discussed more later) is a guess work
* Failures are not well understood
* Available exploits are service pack dependent
* Shellcode address is not known,
* SEH address varies between service packs
* During exception handling, pointer to buffer can be found on the stack
(in exception record)
* Address of instruction that access the stack is needed, which is SP
dependent
Findings:
* Found several techniques at each stage of a heap overflow that greatly
improve reliability
* Much greater understanding of the Windows heap internals and its
processes.
* Determined why existing techniques are unreliable
* XP SP2 will greatly improve protection and stop all currently used
techniques
The full presentation can be found at:
<http://www.cybertech.net/~sh0ksh0k/heap/CSW04%20-%20Reliable%20Windows%20Heap%20Exploits.ppt>
http://www.cybertech.net/~sh0ksh0k/heap/CSW04 - Reliable Windows Heap
Exploits.ppt
Source code accompanying the presentation can be found at:
<http://www.cybertech.net/~sh0ksh0k/heap/pre_xpsp2.zip>
http://www.cybertech.net/~sh0ksh0k/heap/pre_xpsp2.zip
Heap Based Overflow Exploitation After Windows XP Service Pack2:
Agenda:
* Practical Windows heap internals
* How to exploit Win2K WinXP SP1 heap overflows
* Assessment of WinXP SP2 improvements
* How to exploit WinXP SP2 heap overflows
The full presentation can be found at:
<http://www.cybertech.net/~sh0ksh0k/heap/XPSP2%20Heap%20Exploitation.ppt>
http://www.cybertech.net/~sh0ksh0k/heap/XPSP2 Heap Exploitation.ppt
Source code accompanying the presentation can be found at:
<http://www.cybertech.net/~sh0ksh0k/heap/xpsp2.zip>
http://www.cybertech.net/~sh0ksh0k/heap/xpsp2.zip
Commented Example:
A fully documented example on exploiting a heap overflow can be found at:
<http://www.cybertech.net/~sh0ksh0k/heap.txt>
http://www.cybertech.net/~sh0ksh0k/heap.txt
It was originally written for the CanSecWest 2004 presentation. The code
will work unchanged on Win2K SP0-SP4 and WinXP SP0-SP1.
ADDITIONAL INFORMATION
The original article can be found at:
<http://www.cybertech.net/~sh0ksh0k/heap/>
http://www.cybertech.net/~sh0ksh0k/heap/
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
