[Dailydave] A 3 a.m. Riddle
Dave Aitel
dave.aitel at gmail.com
Wed May 30 20:29:30 EDT 2007
And for those of you who can make it, Nico will be presenting on heapy
things at SyScan '07 in Singapore shortly. :>
Does anyone else really like the idea of the Palm Foleo? It runs Linux, has
instant-on, is 2.5 pounds, and has a five hour battery life. Sounds awesome
to me. :> I'm still too much of a T-Mobile sidekick fan to think about a
Treo or Windows Mobile device though. (After sidekick, those interfaces
HURT)
-dave
On 5/30/07, Nicolas Waisman <nicolas.waisman at immunitysec.com> wrote:
>
> Sweet! You got it. Theoretically you have only one inc [edi], and the
> idea was to make it:
> o generic (works on every server)
> o and non addy dependent (not based on any SP)
> At least the used technique.
>
> So my approach was to point edi to the FreeListInUse bitmask on the
> Heap.
> The FreeListInUse bitmask is a 4-dword bitmask in which every bit
> corresponds to an entry of the FreeList doubly linked list array. So if
> bit 4 is set, that means that at that entry of the
> FreeList[4] there would be at least one free chunk.
> The trick then is to inc one of the bytes of the FreeListInUse, which is
> always at a fixed offset from the beginning of the heap (so, if we use
> the Default Heap, the beginning of the bitmask would start at 0x70158).
> The bit we are overwriting needs to be 0, so we can turn it on.
> The next time we try to allocate with a size smaller than the one we
> theoretically set on the bitmask, it will try to pop a chunk from the
> doubly linked list (but since it doesn't have any chunk, the FLINK/BLINK
> should point to the FreeList entry itself).
> When the magic is finally done, RtlAllocateHeap will end up returning
> the address of the FreeList entry. And the excitement continues: at a
> fixed offset from the returned address, there should be the Heap
> function pointer CommitRoutine. Voila!
>
> I bet there are probably other, better ways to do it, but that's how I
> did it back in the time. (It obviously sounds much easier than it is,
> but the primitive works.)
>
> Also, if you think about it (and we discussed it with Oded), there is
> another trick with a similar primitive, when you overwrite the Size
> header of a "lonely" free chunk. (Note, this technique theoretically
> might work on XP SP2.)
>
> Nico
>
>
>
>
> On Wed, May 30, 2007 at 10:30:05AM -0700, Matt Conover wrote:
> > Can you do as many "inc" as you want? I think there are a lot of
> > options if you use this against the heap. For example, change
> > Heap->Lookaside[x].ListHead.Flink to point into the middle of an
> > existing chunk (since the heap base is reliable except for Vista),
> > increment the ListHead enough to point into the middle of chunk data,
> > so that you can set up a fake chunk and wait until it's allocated;
> > then it will cause a 4-byte overwrite without the safe unlink check
> > (lookaside has no safe unlink issues). You could also use "inc" to
> > change heap flags; that may also be interesting.
> >
> > On 5/30/07, Nicolas Waisman <nicolas.waisman at immunitysec.com> wrote:
> > >
> > >You can only do it one time.
> > >Note: The riddle is taken from an old silently patched bug in WINS.
> > >
> > >Nico
> > >
> > >
> > >On Wed, May 30, 2007 at 03:15:13PM +0100, Dave Korn wrote:
> > >> On 30 May 2007 07:13, Nicolas Waisman wrote:
> > >>
> > >> > Let's have a fun riddle to cheer up the spirit (mate at 11pm, it's
> > >> > all-night insomnia).
> > >> >
> > >> > The riddle: let's say you are trying to exploit a remote service on
> > >> > an old Windows 2000 (whatever SP you want) and the primitive is the
> > >> > following:
> > >> > inc [edi] // you control edi
> > >> >
> > >> > What would be the best option for edi?
> > >>
> > >> Depends what else you control apart from edi, and whether you can do
> > >> it more than once. If you can overwrite an SEH handler, point edi at
> > >> an illegal address to invoke your code. If you can do it multiple
> > >> times, perhaps you can point edi somewhere on the stack and increment
> > >> a stored ebp to point at data you control. Don't forget the
> > >> possibility of pointing it at a non-word-aligned address to e.g.
> > >> increment just the high byte of a stored pointer.
> > >>
> > >> cheers,
> > >> DaveK
> > >> --
> > >> Can't think of a witty .sigline today....
> > >>
> > >_______________________________________________
> > >Dailydave mailing list
> > >Dailydave at lists.immunitysec.com
> > >http://lists.immunitysec.com/mailman/listinfo/dailydave
> > >
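Added example, not code from the thread and not Windows' own heap code: a toy C model of the FreeListInUse bitmask and FreeList heads that Nico describes, used here to show what the state he relies on (bit set, list empty) looks like from the allocator's side and which consistency checks reject it. TOY_HEAP, its layout, the function names and the constructed scenario are all invented for illustration; no real heap offsets are used. The weak path behaves as the thread says (the list head itself comes back as the "chunk"), the hardened path cross-checks the bitmask against the list and applies the safe-unlink test Matt mentions, and bitmask_consistent is the audit a defender would run over a heap snapshot.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FREELIST_COUNT 128   /* 4 dwords x 32 bits, as the thread describes */

typedef struct list_entry {
    struct list_entry *Flink;
    struct list_entry *Blink;
} LIST_ENTRY;

/* Invented layout for illustration only; this is NOT ntdll's heap layout. */
typedef struct toy_heap {
    uint32_t   FreeListInUse[4];         /* bit i set => FreeList[i] non-empty */
    LIST_ENTRY FreeList[FREELIST_COUNT]; /* list heads; an empty head links to itself */
} TOY_HEAP;

static int bit_set(const TOY_HEAP *h, int i) {
    return (h->FreeListInUse[i / 32] >> (i % 32)) & 1u;
}

void heap_init(TOY_HEAP *h) {
    memset(h->FreeListInUse, 0, sizeof h->FreeListInUse);
    for (int i = 0; i < FREELIST_COUNT; i++)
        h->FreeList[i].Flink = h->FreeList[i].Blink = &h->FreeList[i];
}

/* Put a free chunk (modelled as a bare LIST_ENTRY) at the front of FreeList[idx]. */
void heap_free_chunk(TOY_HEAP *h, int idx, LIST_ENTRY *chunk) {
    LIST_ENTRY *head = &h->FreeList[idx];
    chunk->Flink = head->Flink;
    chunk->Blink = head;
    head->Flink->Blink = chunk;
    head->Flink = chunk;
    h->FreeListInUse[idx / 32] |= 1u << (idx % 32);
}

/* Integrity audit: bit i must be set exactly when FreeList[i] is non-empty. */
int bitmask_consistent(const TOY_HEAP *h) {
    for (int i = 0; i < FREELIST_COUNT; i++)
        if (bit_set(h, i) != (h->FreeList[i].Flink != &h->FreeList[i])) return 0;
    return 1;
}

/* First bucket >= idx whose bitmask bit is set, or -1 if none. */
static int find_bucket(const TOY_HEAP *h, int idx) {
    for (int i = idx; i < FREELIST_COUNT; i++)
        if (bit_set(h, i)) return i;
    return -1;
}

static void unlink_entry(TOY_HEAP *h, int b, LIST_ENTRY *e) {
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
    if (h->FreeList[b].Flink == &h->FreeList[b])   /* list now empty: clear bit */
        h->FreeListInUse[b / 32] &= ~(1u << (b % 32));
}

/* Weak allocator: trusts the bitmask. If the bit is set on an empty list,
 * the head's Flink is the head itself, so the list head is "popped" and
 * returned as if it were a chunk (the outcome the thread describes). */
LIST_ENTRY *weak_alloc(TOY_HEAP *h, int idx) {
    int b = find_bucket(h, idx);
    if (b < 0) return NULL;
    LIST_ENTRY *chunk = h->FreeList[b].Flink;
    unlink_entry(h, b, chunk);
    return chunk;
}

/* Hardened allocator: refuses an empty list whose bit is set and applies
 * safe-unlink checks (both neighbours must point back at the chunk)
 * before touching any link. Sets *corrupt when it refuses. */
LIST_ENTRY *hardened_alloc(TOY_HEAP *h, int idx, int *corrupt) {
    *corrupt = 0;
    int b = find_bucket(h, idx);
    if (b < 0) return NULL;
    LIST_ENTRY *head = &h->FreeList[b], *chunk = head->Flink;
    if (chunk == head || chunk->Blink->Flink != chunk || chunk->Flink->Blink != chunk) {
        *corrupt = 1;
        return NULL;
    }
    unlink_entry(h, b, chunk);
    return chunk;
}

/* Constructed scenario: one real free chunk in bucket 8, then a single
 * stray bit flip in the bitmask (what incrementing a zero byte there does).
 * Returns 1 when the audit flags it, the hardened path refuses, and the
 * weak path hands back the address of FreeList[4] itself. */
int scenario_stray_bit(void) {
    static TOY_HEAP h;
    LIST_ENTRY chunk;
    int corrupt;
    heap_init(&h);
    heap_free_chunk(&h, 8, &chunk);
    h.FreeListInUse[0] |= 1u << 4;               /* bucket 4 now lies */
    int audit_flags = !bitmask_consistent(&h);
    int hardened_refuses = hardened_alloc(&h, 4, &corrupt) == NULL && corrupt == 1;
    int weak_returns_head = weak_alloc(&h, 4) == &h.FreeList[4];
    return audit_flags && hardened_refuses && weak_returns_head;
}

int main(void) {
    printf("stray bitmask bit detected and refused: %d\n", scenario_stray_bit()); /* 1 */
    return 0;
}
```

The point for a heap designer is the one-line check `chunk == head`: a bucket whose bit is set but whose head links to itself is never a legitimate state, so the allocator can refuse it outright instead of handing out its own bookkeeping as a chunk. The same audit over a process heap snapshot is a cheap way to spot this class of corruption after the fact.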