[Full-disclosure] Win32 Heap Exploits
steve01 at chello.at
Thu Dec 29 00:51:51 GMT 2005
While collecting some knowledge about heap overflows
I ran into a few problems. Please take a look below to help me.
I wrote a little daemon with the following code.
For debugging I opened the server with OllyDbg.
The second time I send my exploit, my pointers get copied to the
stack and the thread information block.
ecx=0012F358 (address 4 bytes before pointer to heap)
[0012F358] 7FFDDFFC Pointer to next SEH record
[................] 00390688 SE handler
After this OllyDbg stops because of an access violation.
When I pass the exception, the shellcode is executed successfully.
(The shellcode uses some tricks from Litchfield to repair the heap.)
But if I run the server without OllyDbg, nothing happens.
Does anybody have an idea what I am doing wrong? Tested on a WinXP SP1 system.
Full-Disclosure is hosted and sponsored by Secunia.