[Dailydave] A 3 a.m. Riddle
jf
jf at danglingpointers.net
Thu May 31 00:25:20 EDT 2007
It would probably be worthwhile, I'd think anyways, to walk backwards
through your stackframes and see if there are any local variables that you
can increment to modify/alter execution flow, specifically maybe a counter
in a loop or even a saved frame pointer (emulate off-by-one?), et cetera.
On Wed, 30 May 2007, Matt Conover wrote:
> Date: Wed, 30 May 2007 10:30:05 -0700
> From: Matt Conover <mconover at gmail.com>
> To: dailydave at lists.immunitysec.com
> Subject: Re: [Dailydave] A 3 a.m. Riddle
>
> Can you do as many "inc" as you want? I think there are a lot of options if
> you use this against the heap. For example, change
> Heap->Lookaside[x].ListHead.Flink to point into the middle of an existing chunk
> (since heap base is reliable except for Vista), increment the ListHead
> enough to point into the middle of chunk data, so that you can set up a fake
> chunk and wait until it's allocated, then it will cause a 4-byte overwrite
> without safe unlink check (lookaside has no safe unlink issues). You could
> also use "inc" to change heap flags; that may also be interesting.
>
> On 5/30/07, Nicolas Waisman <nicolas.waisman at immunitysec.com> wrote:
> >
> > You can only do it one time.
> > Note: The riddle is taken from an old silently patched bug in WINS.
> >
> > Nico
> >
> >
> > On Wed, May 30, 2007 at 03:15:13PM +0100, Dave Korn wrote:
> > > On 30 May 2007 07:13, Nicolas Waisman wrote:
> > >
> > > > Let's have a fun riddle to cheer up the spirit (Mate at 11pm, it's all
> > > > night insomnia.)
> > > >
> > > > The riddle: Let's say you are trying to exploit a remote service on an
> > > > old Windows 2000 (whatever SP you want) and the primitive is the
> > > > following:
> > > > inc [edi] // you control edi
> > > >
> > > > What would be the best option for edi?
> > >
> > > Depends what else you control apart from edi, and whether you can do
> > > it more than once. If you can overwrite an SEH handler, point edi at
> > > an illegal address to invoke your code. If you can do it multiple
> > > times, perhaps you can point edi somewhere on the stack and increment
> > > a stored ebp to point at data you control. Don't forget the
> > > possibility of pointing it at a non-word-aligned address to e.g.
> > > increment just the high byte of a stored pointer.
> > >
> > > cheers,
> > > DaveK
> > > --
> > > Can't think of a witty .sigline today....
> > >
> > _______________________________________________
> > Dailydave mailing list
> > Dailydave at lists.immunitysec.com
> > http://lists.immunitysec.com/mailman/listinfo/dailydave
> >
>
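Matt's reply hinges on the "safe unlink" check: a doubly linked list that verifies both neighbours still point back at an entry before unlinking will refuse a tampered link rather than write through it, which is why a corrupted Flink/Blink on such a list does not yield the classic 4-byte write, while the singly linked lookaside list has no such check. The following is an added illustration written for this page, not code from the thread or from any Windows heap; the LIST_ENTRY model, the function names and the constructed corruption (redirecting one Blink at an unrelated object) are all assumptions made for the demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal doubly linked list entry with the Flink/Blink shape the thread
 * refers to.  Illustrative model only, not Windows heap code. */
typedef struct list_entry {
    struct list_entry *Flink;
    struct list_entry *Blink;
} LIST_ENTRY;

/* Initialise an empty circular list: the head points at itself. */
static void list_init(LIST_ENTRY *head) {
    head->Flink = head;
    head->Blink = head;
}

/* Append entry just before the head, i.e. at the tail of the list. */
static void list_insert_tail(LIST_ENTRY *head, LIST_ENTRY *entry) {
    LIST_ENTRY *last = head->Blink;
    entry->Flink = head;
    entry->Blink = last;
    last->Flink = entry;
    head->Blink = entry;
}

/* Unlink with the "safe unlink" integrity check: both neighbours must
 * still point back at this entry.  If either link has been tampered with,
 * the unlink is refused and nothing is written through the bad pointer.
 * Returns true if the entry was unlinked, false if corruption was detected. */
static bool safe_unlink(LIST_ENTRY *entry) {
    LIST_ENTRY *f = entry->Flink;
    LIST_ENTRY *b = entry->Blink;
    if (f == NULL || b == NULL || f->Blink != entry || b->Flink != entry) {
        return false;
    }
    b->Flink = f;
    f->Blink = b;
    entry->Flink = NULL;
    entry->Blink = NULL;
    return true;
}

/* Walk forward from head and count entries; capped so a damaged list
 * cannot loop forever. */
static int list_count(const LIST_ENTRY *head) {
    int n = 0;
    for (const LIST_ENTRY *e = head->Flink; e != head && n < 1000; e = e->Flink) {
        n++;
    }
    return n;
}

/* Demo: a healthy entry unlinks; an entry whose Blink has been redirected
 * to an unrelated object is rejected and the list is left untouched.
 * Returns 1 when both behaviours are observed, 0 otherwise. */
int demo_safe_unlink(void) {
    LIST_ENTRY head, a, b, c;
    LIST_ENTRY decoy = { NULL, NULL };   /* stands in for "some other memory" */

    list_init(&head);
    list_insert_tail(&head, &a);
    list_insert_tail(&head, &b);
    list_insert_tail(&head, &c);
    if (list_count(&head) != 3) return 0;

    /* Healthy case: b is removed and a <-> c remain linked. */
    if (!safe_unlink(&b)) return 0;
    if (list_count(&head) != 2 || a.Flink != &c || c.Blink != &a) return 0;

    /* Constructed corruption: c's back link no longer points at a. */
    c.Blink = &decoy;
    if (safe_unlink(&c)) return 0;          /* must be refused */
    if (list_count(&head) != 2) return 0;   /* head -> a -> c still intact */
    if (decoy.Flink != NULL) return 0;      /* nothing written through the bad link */
    return 1;
}

int main(void) {
    printf("safe unlink demo: %s\n", demo_safe_unlink() ? "ok" : "FAILED");
    return 0;
}
```

The check costs two loads and two compares per unlink; the point for a defender is that the write `b->Flink = f; f->Blink = b;` only happens after the list has vouched for both pointers, so a stray modification of one link is detected at the next unlink instead of being turned into an arbitrary write. A singly linked structure such as the lookaside list has only a Flink and no back pointer to cross-check, which is the gap the thread is describing.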