[Dailydave] Exploiting single NUL byte writes in XP SP2 - Is it possible?

shadown shadown at gmail.com
Sat Nov 17 20:13:40 EST 2007


Hi nnp,

I don't know what exactly the situation is that you have there, but you
could influence: sfp (saved frame pointer, EBP of the caller), some
function pointer, some handle, some SEH, the heap header of some chunk
whose location you know and whose content you control (if previous heap
massaging is possible), some reference counter that could trigger
something you can further exploit, some dynamic DACL; you just have to
be a bit creative depending on what you have in front of you.

When you say a single NULL byte write anywhere, it's not just an offset
within 255 bytes of an address. It depends on the BYTE you modify of a
given address 0xAABBCCDD (if you overwrite an address, of course): if
you modify the least significant byte, then yes, it is within 255;
otherwise it is not, and the resulting address MAY fall within a range
of memory whose contents you can control.

Depending on what you can influence it may be possible to exploit
remotely; if you have a memory leak, if you can do heap massaging, if
the exception after the write is handled, that helps a lot, etc.
My 2 cents.

Cheers,
  Sergio
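
The point Sergio makes about "within 255" applying only to the least significant byte can be seen by computing what a single 0x00 write does to each byte of a 32-bit little-endian pointer. The following is an added illustration, not code from the original thread; the function names `zero_byte`, `max_shift` and `describe` are my own, and the address 0xAABBCCDD is the one used in the reply above.

```python
# Added example (not part of the original post): effect of a single NUL byte
# write on a 32-bit pointer stored little-endian, as on x86.
import struct


def zero_byte(ptr: int, byte_index: int) -> int:
    """Return the 32-bit value left after writing 0x00 over byte `byte_index`
    of `ptr` (0 = least significant, as it sits lowest in memory on x86)."""
    if not 0 <= byte_index <= 3:
        raise ValueError("byte_index must be 0..3 for a 32-bit pointer")
    raw = bytearray(struct.pack("<I", ptr))  # bytes in memory order
    raw[byte_index] = 0x00                    # the single NUL byte write
    return struct.unpack("<I", bytes(raw))[0]


def max_shift(byte_index: int) -> int:
    """Largest amount a NUL write at this byte position can move a pointer
    downward: 0xFF for byte 0, 0xFF00 for byte 1, and so on."""
    return 0xFF << (8 * byte_index)


def describe(ptr: int) -> list:
    """For each byte position, (index, resulting pointer, distance moved)."""
    return [(i, zero_byte(ptr, i), ptr - zero_byte(ptr, i)) for i in range(4)]


if __name__ == "__main__":
    for i, new, delta in describe(0xAABBCCDD):
        print(f"byte {i}: 0xAABBCCDD -> 0x{new:08X} "
              f"(moved down by {delta:#x}, at most {max_shift(i):#x})")
```

Only a write over byte 0 keeps the corrupted pointer within 255 bytes of its original target; a write over any higher byte moves it by a multiple of 256, which is why the range of memory the new address lands in, rather than a fixed 255-byte window, is what decides whether the corrupted pointer is reachable at all.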

nnp wrote:
> Well this seemed like as good a place as any to ask this, so here
> goes. Is it possible to exploit a single NUL byte write in XP SP2? I
> can write the NUL byte anywhere but for the life of me I can't think
> of any way to get code execution from this. As far as I can tell to
> exploit this I would need to be able to get data I control within 255
> bytes of an address that's called and then zero out the LSB and that
> just doesn't seem possible in Windows.
> 
> Anyone have a better (and by better I mean even remotely possible ;) )
> way to exploit this?
> 
> Cheers,
> nnp
> 
_______________________________________________
Dailydave mailing list
Dailydave at lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave