Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] Win32 Heap Exploits

from [Stefan Lochbihler] Network Security [Permanent Link]
Subject: [Full-disclosure] Win32 Heap Exploits
Date: Thu, 29 Dec 2005 01:51:51 +0100 
Hi there

during collecting of  some knowlegde about heap overflows
i get a few problems. Please take a look below to help me
with them.

i write a little daemon with the following code.

HeapCreate(NULL,1000,2000);
when recvdata:
hp1=HeapAlloc(hp,NULL,500);
strcpy(hp1,buffer);
Heapfree(hp,NULL,hp1);


For debugging i opened the server with ollydbg.
At the second time when i send my exploit my pointers get copied to the stack and thread information block.

eax=7FFDDFFC  (tib-4)
ecx=0012F358    (add ress 4 bytes before pointer to heap)

Mov [ecx],eax
Mov [eax+4],ecx

->
[7FFDE000] 0012F358

[0012F358] 7FFDDFFC  Pointer to next SEH record
[................] 00390688     SE handler

After this Olldydbg get stopped because of an access violation.

When i pass the exception the shellcode get successfully executed.
(shellcode use some tricks from litchfield to repair the heap)

But if i execute the server without ollydbg there happen nothing.
Have anybody an idea what i make wrong. Test on a winxp sp1 system.

cheers
Steve



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-disclosure] Win32 Heap Exploits, Stefan Lochbihler <=
Previous by Date:  Re: [Full-disclosure] Spy Agency Mined Vast Data Trove, Steve Kudlak
Next by Date:  Re: [Full-disclosure] Someone wasted a nice bug on spyware..., Nick FitzGerald
Previous by Thread:  [Full-disclosure] Re: [MailServer Notification]To recipient: Message matched eManager setting and action was taken., Leif Ericksen
Next by Thread:  [Full-disclosure] Re: Someone wasted a nice bug on spyware..., Patrick Dickey
Indexes:  [Date] [Thread] [Top] [All Lists]