xpsp2_2k3_heap_exploitation - HeapOverflow Computer Security Community & Forums


class101
09-06-05, 15:52
The presentation material was never formally released, but it was presented at SyScan in Dec 2004


This basic presentation will help you understand how the heap protection works on the recent Windows OS versions and will point out some tricks to bypass it.

Content:


~/sample_exploit.w2k_to_xpsp1/
Chunk_On_Lookaside_Overwrite.txt
Cookie_Check_Disassembly.txt
Defeat_Safe_Unlink.c
Defeat_Safe_Unlinking.txt
Heap_Corruption_Disassembly.txt
LowFragHeap_Key_Disassembly.txt
Safe_Unlink_Check.txt
Windows Heap Exploitation.ppt
XPSP2_ChunkOnLookaside_Overwrite.c
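The package above covers the two mechanisms that the file names point at: the SP2 "safe unlinking" check on the doubly-linked free lists (Defeat_Safe_Unlink*, Safe_Unlink_Check.txt) and the singly-linked lookaside lists, which have no such check (Chunk_On_Lookaside_Overwrite). The following toy model is an added example written for this page; it is not class101's code, not material from the package, and not ntdll's implementation. The LIST_ENTRY layout and the unlink rule match the documented NT heap behaviour, but chunk headers, cookies, heap segments and the real lookaside structures are left out, the "heap region" is a constructed 64-byte array, and the 0x41414141 payload and the target variable are assumptions standing in for attacker data and an overwritten function pointer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of XP SP2 safe unlinking and of the unchecked lookaside path.
 * Illustrative code for this page, not ntdll: headers and cookies omitted. */

/* Node of a doubly-linked free list (FreeLists[] on the NT heap). */
typedef struct list_entry {
    struct list_entry *Flink;
    struct list_entry *Blink;
} LIST_ENTRY;

/* Pre-SP2 unlink: both pointers are trusted, so with Flink/Blink overwritten
 * the first store is *(Blink) = Flink, a pointer-sized write-what-where. */
static void unsafe_unlink(LIST_ENTRY *e)
{
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
}

/* SP2 safe unlink: both neighbours must point back at e, otherwise the heap
 * is reported corrupt and nothing is written. Returns 1 if unlinked. */
static int safe_unlink(LIST_ENTRY *e)
{
    if (e->Flink->Blink != e || e->Blink->Flink != e)
        return 0;
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
    return 1;
}

/* Singly-linked lookaside: head points at the last freed chunk; the first
 * pointer-sized word of a free chunk links to the next free chunk. */
typedef struct lookaside { void *Next; } LOOKASIDE;

static void lookaside_push(LOOKASIDE *l, void *chunk)
{
    memcpy(chunk, &l->Next, sizeof l->Next);
    l->Next = chunk;
}

/* Pop has nothing to verify: a singly-linked list has no back pointer. */
static void *lookaside_pop(LOOKASIDE *l)
{
    void *chunk = l->Next;
    if (chunk)
        memcpy(&l->Next, chunk, sizeof l->Next);
    return chunk;
}

/* Build head <-> a <-> b, then apply a constructed overflow into a:
 * Flink = value to write ("what"), Blink = address to write it to ("where"). */
static void build_corrupted_list(LIST_ENTRY *head, LIST_ENTRY *a, LIST_ENTRY *b,
                                 LIST_ENTRY *what, LIST_ENTRY *where)
{
    head->Flink = a;  head->Blink = b;
    a->Flink = b;     a->Blink = head;
    b->Flink = head;  b->Blink = a;
    what->Flink = what->Blink = NULL;
    where->Flink = where->Blink = NULL;
    a->Flink = what;  a->Blink = where;      /* overflow payload */
}

/* 1 when the pre-SP2 unlink performed the attacker's write. */
int demo_unsafe_unlink_writes(void)
{
    LIST_ENTRY head, a, b, what, where;
    build_corrupted_list(&head, &a, &b, &what, &where);
    unsafe_unlink(&a);
    return where.Flink == &what;
}

/* 1 when safe unlinking rejected the same node and wrote nothing. */
int demo_safe_unlink_detects(void)
{
    LIST_ENTRY head, a, b, what, where;
    build_corrupted_list(&head, &a, &b, &what, &where);
    return safe_unlink(&a) == 0 && where.Flink == NULL;
}

/* Lookaside bypass: chunk B (in use) sits just before chunk A (free, on the
 * lookaside). A copy into B that runs one pointer too long overwrites A's
 * link; the first allocation returns A, the second returns the attacker's
 * pointer, so the program's write into its "new buffer" hits target. */
int demo_lookaside_overwrite(void)
{
    void *storage[8] = {0};                 /* constructed 64-byte heap region */
    unsigned char *B = (unsigned char *)storage, *A = B + 32;
    LOOKASIDE list = { NULL };
    uintptr_t target = 0;                   /* stands in for a function pointer */

    lookaside_push(&list, A);

    unsigned char payload[32 + sizeof(void *)];
    memset(payload, 'B', 32);
    void *p = &target;
    memcpy(payload + 32, &p, sizeof p);
    memcpy(B, payload, sizeof payload);     /* the overflow into A's link word */

    void *first  = lookaside_pop(&list);    /* A; head is now &target */
    void *second = lookaside_pop(&list);    /* &target, attacker-chosen */
    if (first != (void *)A || second != (void *)&target)
        return 0;

    uintptr_t v = 0x41414141u;              /* program stores user data in "second" */
    memcpy(second, &v, sizeof v);
    return target == 0x41414141u;
}

int main(void)
{
    printf("unsafe unlink wrote: %d, safe unlink detected: %d, lookaside hit: %d\n",
           demo_unsafe_unlink_writes(), demo_safe_unlink_detects(),
           demo_lookaside_overwrite());
    return 0;
}
```

All three demos return 1: the old unlink turns the corrupted node into an arbitrary write, the SP2 check refuses it, and the lookaside pop hands back whatever pointer the overflow placed in the freed chunk, which is why the SP2-era work in this package moved to the lookaside rather than the free lists.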

09-06-05, 19:48
ANYONE who wants to learn heap management and heap overflows should read this.
ESPECIALLY if they want techniques for getting past the XP SP2 protection.

iNFERiON
09-06-05, 23:13
This here sounds interesting, I'll have a look at the docs, thanks for sharing this.

hc
11-06-05, 17:22
Thx class, sounds good, will read it :)

DyNaMiTe
13-06-05, 18:31
That's a really hot pack ;)
We need to read those. Many thanks, and awesome as always class101!!

class101
13-06-05, 19:31
Thanks firstly to Matthew Conover for posting this on Full-Disclosure when it was required ;)

blufox
21-06-05, 00:56
Tnx, I downloaded this.. very nice

hx
21-06-05, 06:21
Now this is stuff ANYONE smart should be bloody well reading!
Thank you for providing this package, awesome stuff. Although a lot is familiar to me, it may show newcomers to security exploitation/pen testing that it is not always about "hacking and getting shells", it's sometimes about securing your OWN SH*T!
When people realise this, maybe they won't find themselves having silly dcom135 port attacks etc.. hehe.. silly silly people who don't secure.. read this stuff, understand why.. this site has many good ones, but so far 2 stand out, and I think your code work is FINE and I will not even speak of compiling, I saw one nonsense post on that and wouldn't dare! ha.
I suggest, if you're here and asking stuff like what headers etc. you need, SDK etc... go home, buy a book, or restart and leave.. as you're useless, and no one will respect you for asking crap like this.. these guys are supplying GREAT materials to learn from, go break others' balls on compiling.. and anyhow, it's not hard if you're a TRUE coder and have experience..
I hope some new people like me will look at the BBS as I do, with respect; these guys are going out of their way, and for me, it's to secure ME :)
Thanks again class101/hats for quality work!

class101
21-06-05, 11:59
Hehe, no problem, welcome to the forum anyway :)

21-06-05, 21:18
The presentation is great, however I plan to create a more complete essay on the subject whenever time allows. Watch out for it! ;)

hx
22-06-05, 04:32
I think I can also contribute some shellcode encoding, perhaps info on how it is now done, i.e. demonstrated with your Ipswitch.code (great stuff mind you, and GREATLY related to this topic) for any coders looking at the source etc.
Thank you for the kind welcome. I am unsure if any of my attachments/downloads would be 'infected', as they are mainly Linux coded or Unix/BSD, and do show as infected to win32 users I *think*; however, I will do my best to upload tested with AVG etc. or whatever, and explanations of what and why the files are bad if any.. but I can contribute a lot to this if it's all knowledge about LAN stuff/networking and preventing people from gaining entry, then I reckon you guys are the BEST place to be online, and I like your guidelines, think that is great, as it blocks the wankers asking "HoW CoMe i GeT erRoRs wheN i ComPiLe usiNG VS C++" etc.. ;)
Thanks guys, I look forward to helping as much as I can, and also please look @ http://hxdef.czweb.org/ for other help on this topic, I'll put it in links now, k enjoy (the topic is hotly discussed on that forum also, and MUCH work also into it, and NO I am NOT Holyfather, yet I know him, and think he is GREAT input for this stuff so hence the link),
cheers,
hx

hx
22-06-05, 04:46
The presentation is great, however I plan to create a more complete essay on the subject whenever time allows. Watch out for it! ;)

Definitely my man! That's so far a GREAT read, although I REALLY must read up more on your good work on the shellcode encoding and in general with Windows SEH checks/bypassing. Indeed SP2 has caused some interesting "developments" with current pen testing. I'd like to also point out my no.2 link www.whoppix.net (http://www.whoppix.net), great work on that, have supported the site for now on 2 years and watched it develop into a GREAT O/S, good work whitehats!
hx

evering
23-06-05, 04:53
The presentation material was never formally released, but it was presented at SyScan in Dec 2004


This basic presentation will help you understand how the heap protection works on the recent Windows OS versions and will point out some tricks to bypass it.

Content:


~/sample_exploit.w2k_to_xpsp1/
Chunk_On_Lookaside_Overwrite.txt
Cookie_Check_Disassembly.txt
Defeat_Safe_Unlink.c
Defeat_Safe_Unlinking.txt
Heap_Corruption_Disassembly.txt
LowFragHeap_Key_Disassembly.txt
Safe_Unlink_Check.txt
Windows Heap Exploitation.ppt
XPSP2_ChunkOnLookaside_Overwrite.c

I can't compile testbof.c without heap.h.
Could you offer this file?

hx
24-06-05, 15:42
http://hxdef.czweb.org/knowhow/hookingen.txt

^^
This is a VERY good paper for API hooking.
It was brought to my attention by another member that this should have been in English, so it was made so, enjoy!
Windows API Hooking papers by Holy_Father@phreaker.net
EN translation. (The paper needs an update I think, however if you use the public forum you will get minor updates there too.)

As for the missing header file, that is something perhaps missed by c101?? Not sure if it was missed or intentional ;> so I cannot answer that, I'm only a new member.. but if it is an external header, not supplied by any compiler, then yes, it should have been included with the package (at least a scaled-down version).
Regards,
hx

25-06-05, 11:43
Definitely true, hf's work on Windows and API hooking is superb. I've read all the articles in his knowhow area, and they've definitely advanced my knowledge of Windows internals.

hx
30-06-05, 16:46
Yes, there has been MUCH research in this area, and a lot more is being developed, as we speak, specifically for Windows with SP2. I cannot say much more at this time, but there will be some further API hooking doc presentations, possibly some conversion table work for Win2k3 Server also, some advice and knowhow for it, as it is an extremely powerful and fun tool.
Any followups on API hooking, well, make your presentation and upload, I will be happy to read/compare notes :). And of course, hf's site is the main #1 for this stuff, trust me, his research is very very useful, and yes, it will help A LOT with gaining the knowledge on the hooking.
regards,
hx