[Dailydave] A 3 a.m. Riddle
Matt Conover
mconover at gmail.com
Wed May 30 13:30:05 EDT 2007
Can you do as many "inc" as you want? I think there are a lot of options if
you use this against the heap. For example, change
Heap->Lookaside[x].ListHead.Flink to point into the middle of an existing chunk
(since the heap base is reliable except for Vista), increment the ListHead
enough to point into the middle of chunk data, so that you can set up a fake
chunk and wait until it's allocated; then it will cause a 4-byte overwrite
without the safe unlink check (lookaside has no safe unlink issues). You could
also use "inc" to change heap flags; that may also be interesting.
On 5/30/07, Nicolas Waisman <nicolas.waisman at immunitysec.com> wrote:
>
> You can only do it one time.
> Note: The riddle is taken from an old silently patched bug in WINS.
>
> Nico
>
>
> On Wed, May 30, 2007 at 03:15:13PM +0100, Dave Korn wrote:
> > On 30 May 2007 07:13, Nicolas Waisman wrote:
> >
> > > Let's have a fun riddle to cheer up the spirit (Mate at 11pm, it's all
> > > night insomnia.)
> > >
> > > The riddle: Let's say you are trying to exploit a remote service on an
> > > old Windows 2000 (whatever SP you want) and the primitive is the
> > > following
> > > inc [edi] // you control edi
> > >
> > > What would be the best option for edi?
> >
> > Depends what else you control apart from edi, and whether you can do
> > it more than once. If you can overwrite an SEH handler, point edi at an
> > illegal address to invoke your code. If you can do it multiple times,
> > perhaps you can point edi somewhere on the stack and increment a stored
> > ebp to point at data you control. Don't forget the possibility of
> > pointing it at a non-word-aligned address to e.g. increment just the
> > high byte of a stored pointer.
> >
> > cheers,
> > DaveK
> > --
> > Can't think of a witty .sigline today....
> >
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>