[38039] in bugtraq
Windows LoadImage API Heapoverflow exploit
daemon@ATHENA.MIT.EDU (Berend-Jan Wever)
Sat Jan 1 14:52:12 2005
Message-ID: <13162.213.148.227.187.1104605852.squirrel@www.edup.tudelft.nl>
Date: Sat, 1 Jan 2005 19:57:32 +0100 (CET)
From: "Berend-Jan Wever" <skylined@edup.tudelft.nl>
To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.org
Reply-To: skylined@edup.tudelft.nl
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Has anybody else tested flashsky's exploit ?
I've tried to exploit this vuln on win2ksp4 MSIE 6.0sp1 but in my findings
it is very unreliable: The different threads running in IE make it allmost
impossible to determine what Heap API call will first run into an
overwritting heap header block (HeapAlloc, HeapReAlloc, HeapFree,
RtlHeapAlloc, etc.., etc..) or which block it will run into. Most calls
will simply crash IE, I've only had one successfull attempt in what must
have been at least 50 tries.
Finding a way to make sure one specific heap API call will be called after
overwriting the heap would solve this problem, so far my attempts at this
have been unsuccessfull.
Cheers,
SkyLined
