[personal profile] foxgrrl
Now students, can anyone tell me what happens next?

OllyDbg screendump

I think that it'll help if I tell you that the heap structure at 0x00BFA8D8 was a free block, originally 0x005E 0x004D 0x01 0x10 0x00 0x00 with the forward and backwards pointers both set to 0x00230178, and I don't know why the fuck I can remember that without having to look it up, when I can't even remember my own postal address most of the time. (Maybe it's like [livejournal.com profile] lurene said, that all the really good reverse engineers/assembly coders are mentally broken in some way.) Anyway, 0x00230178 is the start of the free list (I think), it points back to 0x00BFA8E0.

Anyway, since this is Windows 2K Advanced Server SP0, I could just overwrite one of the function pointers in the PEB, or the TEB... or the SEH, wheee! [I'll explain later...] Although this particular buffer tends to move around a bit in memory, and I've been up all night trying to make the exploit [no you can't have a copy] more reliable. So I've been thinking of using Halvar's trick of building a VirtAlloc structure in the buffer underneath the free block, to get an extra DWORD copy. And with two writes, I think that would be enough to make this reliable, because the pointer to the free block exists in the segment table at 0x00B70027 (I think it was), which I know the address of. And worst case I could leave the original Forward pointer intact, because that does point to the FreeTable entry for itself. (In other words, if I can take the DWORD located at 0x00B70027 -- which points to data from the overflowed buffer, and write it to your favorite function pointer, then the shellcode will be jumped to exactly.)

Maybe.

Either that, or I'll just have to manipulate the heap list itself in such a way that I can control where the next buffer will be written (to an address of my choice), write the shellcode there, and then do the overflow again to put this known address in some known location that will jump to it.
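The part of the post that matters to a defender is the free-list unlink itself: when a block comes off a doubly linked free list, the allocator trusts the forward and backward pointers stored in the block header, so a header rewritten by an overflow turns the unlink into two attacker-chosen pointer writes. The toy model below is an added example, not code from the post and not the real Windows 2000 heap layout (the `FreeEntry` struct, the list-building helper and the `demo_*` functions are all constructed here). It puts the unchecked unlink next to the "safe unlink" consistency check that later heap implementations adopted, and shows that the check rejects a corrupted header while still unlinking a legitimate block.

```c
#include <stdio.h>
#include <string.h>

/* Constructed toy free-list entry: just the two link pointers the unlink
   operation touches. Real heap headers carry size/flags fields as well. */
typedef struct FreeEntry {
    struct FreeEntry *flink;   /* forward link  */
    struct FreeEntry *blink;   /* backward link */
} FreeEntry;

/* Build the circular list  head <-> a <-> b <-> c <-> head. */
static void build_list(FreeEntry *head, FreeEntry *a, FreeEntry *b, FreeEntry *c) {
    head->flink = a;  a->blink = head;
    a->flink = b;     b->blink = a;
    b->flink = c;     c->blink = b;
    c->flink = head;  head->blink = c;
}

/* Unchecked unlink, as old allocators did it: two stores whose addresses
   and values come straight from the block header. */
static void unlink_unchecked(FreeEntry *e) {
    e->flink->blink = e->blink;
    e->blink->flink = e->flink;
}

/* Safe unlink: both neighbours must still point back at this block.
   Returns 1 on success, 0 (and touches nothing) if the header is
   inconsistent, which is what an overflowed header looks like. */
static int unlink_checked(FreeEntry *e) {
    if (e->flink->blink != e || e->blink->flink != e)
        return 0;
    e->flink->blink = e->blink;
    e->blink->flink = e->flink;
    return 1;
}

/* A valid block unlinks cleanly and its neighbours are re-joined. */
int demo_checked_accepts_valid(void) {
    FreeEntry head, a, b, c;
    build_list(&head, &a, &b, &c);
    int ok = unlink_checked(&b);
    return ok == 1 && a.flink == &c && c.blink == &a;
}

/* Model of the overflow: b's header is overwritten so that its links
   point at two unrelated objects (t1, t2 stand in for "somewhere else").
   The checked unlink refuses and leaves t1/t2 untouched. */
int demo_checked_rejects_corrupt(void) {
    FreeEntry head, a, b, c;
    FreeEntry t1 = {0, 0}, t2 = {0, 0};
    build_list(&head, &a, &b, &c);
    b.flink = &t1;           /* corrupted header */
    b.blink = &t2;
    int ok = unlink_checked(&b);
    return ok == 0 && t1.blink == 0 && t2.flink == 0;
}

/* Same corrupted header through the unchecked path: the unlink writes
   into t1 and t2, memory the allocator never meant to modify. */
int demo_unchecked_writes_elsewhere(void) {
    FreeEntry head, a, b, c;
    FreeEntry t1 = {0, 0}, t2 = {0, 0};
    build_list(&head, &a, &b, &c);
    b.flink = &t1;
    b.blink = &t2;
    unlink_unchecked(&b);
    return t1.blink == &t2 && t2.flink == &t1;
}

int main(void) {
    printf("checked unlink, valid block:     %s\n", demo_checked_accepts_valid() ? "unlinked" : "FAILED");
    printf("checked unlink, corrupt header:  %s\n", demo_checked_rejects_corrupt() ? "rejected" : "FAILED");
    printf("unchecked unlink, corrupt header: %s\n", demo_unchecked_writes_elsewhere() ? "wrote outside list" : "no effect");
    return 0;
}
```

The check costs two loads and two compares per unlink, which is why it was cheap enough to ship as a default; it does not stop the overflow itself, only the conversion of a corrupted header into a controlled write, so it belongs alongside (not instead of) header cookies and guard pages.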


So, do you want to know something that really annoys me? When you're reading a whitepaper from some security company about some new exploit and/or exploit technique, and they give you absolutely no details at all about $foo, other than to brag that they did $foo and that you should buy their product/service. And they spend more column space talking about their product or service than they spend on the topic which the paper is allegedly about.

Exploiting Windows Vista Device Drivers

Amazing New Thing

By: YoYoDyNe Laboratories

Researchers [written about to make them seem independent] have discovered a new vulnerability with mumble mumble. There is a neologism product called YoYoGaurd, which will protect you from the vague and menacing threat. Neglecting to mention that YoYoDyNe makes this product. Customers who already own our product were already safe before we alerted the world to this threat; you could have been like them, tsk-tsk.



Maybe I shouldn't say anything since I work in the computer security industry, but it just seems too sleazy and disingenuous. Maybe marketing just corrupts everything that it touches. I've been wanting to be a bit more preemptive with the marketing department where I'm employed, to make sure that they're not going to be putting out banal fluff. They keep asking me questions, basically of the form: "Can our product do _______?", and I'm like: "Uh, yes", or "No". So I know they've got to be writing something. [The blank is usually filled with whatever the latest big computer security thing is in the news.]

Oh, so in keeping with this tradition, I'm not going to tell you about the vulnerability in that screendump above.

[Gotta sleep, ZZzzz...]