Network Security FullDisclosure

[Full-disclosure] Exploiting heap overflows in W2K

Subject: [Full-disclosure] Exploiting heap overflows in W2K
Date: Tue, 1 Aug 2006 07:46:23 +1200 (NZST)
Hi list,
 
  I am trying to exploit a Heap buffer overflow vulnerability and facing some 
problems, hope you could help.
  I run the vulnerable program in VMware, attached with Olly.
 
  These are my problems:
 
  1. I control both EAX and ESI, when the program goes to 
 
     mov [esi], eax
     mov [eax + 4], esi
 
     First of all, I tried gaining control of execution through PEB but, 
according to Halvar's presentation, there are some restrictions to what you can 
write in the header of the overflowed buffer.
     Quoting: 
     
     " Properties our block must have:
 
         Bit 0 of Flags must be set
         Bit 3 of Flags must be set
         Field_4 must be smaller than 0x40
         The first field (own size) must be larger than 0x80
 
         The block 'XXXX99XX' meets all requirements"
 
     So, supposing the PEB pointer to overwrite is 0x7FFDF020 I would need to 
specify for example: XXXX20f0fd7f, but this does not match the required properties 
and so RtlFreeHeap exits.
     I am sure I must be missing something here, but can't find it.
 
  2. An additional problem I am facing, due to the fact that this is my first 
heap overflowing session, is that when I trigger the vulnerability as soon as 
the program comes back from "revert snapshot" then I get to RtlFreeHeap ok, 
but if some other requests are performed to the program before, then I cannot 
reproduce that behaviour again and different behaviours and situations arise.
    It is obvious that my exploit won't be the first request the program 
receives so, how can I manage this?
 
 
    Hope you could help!
    Regards
 
 IvaN!
 
 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
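As an added illustration (not from the post, and not the Windows source), the two-pointer unlink write the poster reaches is modelled beside the safe-unlink check that later heap implementations added to refuse it; the list structure, names and the corruption scenario are simplified assumptions.

```c
#include <stddef.h>

/* Minimal model of a doubly-linked free-list entry (Flink at +0, Blink at +4
 * on 32-bit); assumed for illustration, not the real ntdll heap structure. */
typedef struct list_entry {
    struct list_entry *Flink;
    struct list_entry *Blink;
} list_entry;

/* Unchecked unlink, the pattern quoted in the post (esi = Blink, eax = Flink):
 *   mov [esi], eax      ; Blink->Flink = Flink
 *   mov [eax + 4], esi  ; Flink->Blink = Blink
 * With both pointers under an overflow's control the writes go anywhere. */
static void unlink_unchecked(list_entry *e) {
    list_entry *flink = e->Flink, *blink = e->Blink;
    blink->Flink = flink;
    flink->Blink = blink;
}

/* Safe unlink (the mitigation later heap implementations adopted): unlink only
 * if both neighbours still point back at this entry. Returns 1 on success,
 * 0 when the pointers are inconsistent and no write is performed. */
static int unlink_safe(list_entry *e) {
    list_entry *flink = e->Flink, *blink = e->Blink;
    if (flink->Blink != e || blink->Flink != e)
        return 0;   /* header corrupted: refuse the unlink */
    blink->Flink = flink;
    flink->Blink = blink;
    return 1;
}

/* Constructed scenario: circular list a<->b<->c, then b's Flink is overwritten
 * (as an overflow into b's header would do) to point at 'victim'.
 * Returns 1 when every step behaves as expected; 2..5 name the failing step. */
static int demo_safe_unlink(void) {
    list_entry a, b, c, victim = { NULL, NULL };
    a.Flink = &b; a.Blink = &c;
    b.Flink = &c; b.Blink = &a;
    c.Flink = &a; c.Blink = &b;
    if (!unlink_safe(&b) || a.Flink != &c || c.Blink != &a) return 2;
    b.Flink = &c; b.Blink = &a; a.Flink = &b; c.Blink = &b;   /* re-link b */
    b.Flink = &victim;                                        /* corrupt it */
    if (unlink_safe(&b)) return 3;                   /* must be refused */
    if (victim.Blink != NULL || a.Flink != &b) return 4;  /* nothing written */
    unlink_unchecked(&b);                            /* W2K-style behaviour */
    if (victim.Blink != &a || a.Flink != &victim) return 5;
    return 1;
}
```

The same consistency test is what makes a corrupted free-list header a detectable fault (a heap-check failure) rather than a silent write through attacker-chosen pointers.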