Hi I have a heap overflow problem, who can help me? - HeapOverflow Computer Security Community & Forums


paris-ye
17-05-06, 10:34
See the code below.

#include <stdlib.h>
#include <string.h>

char *a1 = malloc(32);
char *a2 = malloc(32);
memset(a2, 'A', 64);   /* writes 64 bytes into a 32-byte chunk: runs past a2 into the next chunk's header */
free(a2);              /* free() then works on the corrupted header */

It can cause a heap overflow, but I can't use it to write 4 bytes anywhere. Does anyone have a good way?

class101
17-05-06, 11:36
Because that is a stack overflow, not a heap overflow.

paris-ye
17-05-06, 12:05
Because that is a stack overflow, not a heap overflow.


No, it's a heap overflow.

The real program is like this.

HANDLE a = GetProcessHeap();
void *a1 = HeapAlloc(a, 0, XXX);   /* flags argument was left blank in the original post; 0 assumed */
void *a2 = HeapAlloc(a, 0, 36);    /* 36-byte chunk */
ReadFile(pfile, a2, 60, 1, 0);     /* reads 60 bytes into the 36-byte chunk (arguments as posted) */
HeapFree(a, 0, a2);

Before ReadFile, the heap management struct & data are:
0008D8F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0008D900 00 00 00 00 00 00 00 00 AB AB AB AB AB AB AB AB
0008D910 00 00 00 00 00 00 00 00 DD 02 06 00 00 14 EE FE
0008D920 78 01 07 00 78 01 07 00 EE FE EE FE EE FE EE FE
^------- last heap struct pointer
After ReadFile, the heap management struct & data are:
0008D8F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0008D900 00 00 00 00 00 00 00 00 00 00 33 33 33 33 33 33
0008D910 33 33 33 33 33 33 33 33 34 34 34 34 35 35 35 35
0008D920 36 36 36 36 37 37 37 37 33 33 33 33 33 33 33 33


The heap management struct and two pointers are overflowed.
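As an added example that is not part of the thread, the following C program models the pattern this post describes: a 36-byte chunk receiving a 60-byte read, and the bytes directly after the chunk (which on the real heap hold the next chunk's header and the 0xAB tail fill seen in the "before" dump) getting overwritten. Instead of a real heap, a flat byte region stands in for the chunk and its neighbour, and a guard check shows the corruption. The 60-byte "file" is a constructed buffer; the names sim_heap_t, unchecked_copy, bounded_copy and read_corrupts_guard are illustrative and not from any real API.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the thread. A flat region stands in for the
 * heap chunk plus the bytes right after it; those tail bytes are filled with
 * 0xAB (the tail-fill value visible in the "before" dump) so that anything
 * written past the chunk can be detected afterwards. */

#define DATA_SIZE   36    /* size of the chunk, as in HeapAlloc(..., 36) */
#define GUARD_SIZE  8     /* bytes after the chunk, standing in for the next heap header */
#define GUARD_BYTE  0xAB  /* fill value that is checked for corruption */
#define REGION_SIZE 128   /* simulated region, big enough that the simulation stays in bounds */
#define FILE_LEN    60    /* bytes the read requests, as in the post */

typedef struct {
    unsigned char region[REGION_SIZE];
} sim_heap_t;

/* Zero the chunk and place the guard pattern directly after it. */
void sim_heap_init(sim_heap_t *h)
{
    memset(h->region, 0, REGION_SIZE);
    memset(h->region + DATA_SIZE, GUARD_BYTE, GUARD_SIZE);
}

/* Returns 1 if every guard byte still holds GUARD_BYTE, 0 if something overwrote them. */
int sim_heap_guard_intact(const sim_heap_t *h)
{
    for (size_t i = 0; i < GUARD_SIZE; i++) {
        if (h->region[DATA_SIZE + i] != GUARD_BYTE)
            return 0;
    }
    return 1;
}

/* Vulnerable pattern: the byte count comes from the input, not from the
 * allocation size, so n > DATA_SIZE runs straight into the guard bytes.
 * The cap at REGION_SIZE only keeps the simulation inside its own array. */
size_t unchecked_copy(sim_heap_t *h, const unsigned char *src, size_t n)
{
    size_t i;
    for (i = 0; i < n && i < REGION_SIZE; i++)
        h->region[i] = src[i];
    return i;
}

/* Hardened form: refuse any request larger than the chunk. Returns the
 * number of bytes copied, or -1 when the request was rejected. */
long bounded_copy(sim_heap_t *h, const unsigned char *src, size_t n)
{
    if (n > DATA_SIZE)
        return -1;
    memcpy(h->region, src, n);
    return (long)n;
}

/* Runs one scenario with a constructed 60-byte "file" of 0x33 bytes (like the
 * pattern in the "after" dump). Returns 1 if the guard was clobbered, else 0. */
int read_corrupts_guard(int use_bounded)
{
    sim_heap_t h;
    unsigned char file[FILE_LEN];
    memset(file, 0x33, FILE_LEN);   /* constructed input, not real file data */
    sim_heap_init(&h);
    if (use_bounded)
        bounded_copy(&h, file, FILE_LEN);
    else
        unchecked_copy(&h, file, FILE_LEN);
    return sim_heap_guard_intact(&h) ? 0 : 1;
}

int main(void)
{
    printf("unchecked copy corrupts guard: %d\n", read_corrupts_guard(0));
    printf("bounded copy corrupts guard:   %d\n", read_corrupts_guard(1));
    return 0;
}
```

The unchecked path reproduces what the dump shows: bytes 36 onward, where the next chunk's header lives, are replaced by input. The bounded path is the fix a reviewer would ask for in the real program: derive the read length from the allocation size, or allocate from the length actually read, and reject the request otherwise.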

class101
17-05-06, 12:13
Looks much like a heap overflow in this case, yes.

You can usually then control a function looking like

mov dword [ecx],eax
mov dword [eax+4],ecx

which allows you to write 4 bytes anywhere.

paris-ye
17-05-06, 12:33
Looks much like a heap overflow in this case, yes.

You can usually then control a function looking like

mov dword [ecx],eax
mov dword [eax+4],ecx

which allows you to write 4 bytes anywhere.


Yep, I am trying for it. So hard! It's a 0day MS vulnerability, I hope I can exploit it =^^=

class101
17-05-06, 14:25
If it's winhlp related, you can forget it :)

paris-ye
17-05-06, 15:19
If it's winhlp related, you can forget it :)

Not winhlp. It's another one.

But why did you say "if it's winhlp related, you can forget it"? I know the winhlp vulnerability is released. You mean no one can develop an exploit?

class101
17-05-06, 16:22
Nah, I just mean many bugs have already been found in it, so that's not that hot. If yours is usable remotely anyway, try contacting zerodayinitiative.com; they pay a high price for them, and you are welcome to put me as the referrer if it's the first time you are selling to them :> Good luck with it.

paris-ye
17-05-06, 16:48
Nah, I just mean many bugs have already been found in it, so that's not that hot. If yours is usable remotely anyway, try contacting zerodayinitiative.com; they pay a high price for them, and you are welcome to put me as the referrer if it's the first time you are selling to them :> Good luck with it.


Thanks to you :) but it seems very hard to exploit.