Monday, February 23, 2009

[ Amaya 11 Stack Overflow Exploits ]

I've been doing a lot of learning in the past few months. I felt pretty comfortable with my skills attacking web apps, but I was severely lacking in memory corruption issues. I knew the basics, but was absolutely lost when it came to dealing with memory protections. So I decided to start from the beginning with stack overflows and /GS. I worked my way up from Windows XP SP0 through SP3 and eventually Vista SP1, through /GS, SafeSEH, DEP and ASLR. I am very happy with the results. Unfortunately, free time is at a premium these days and I don't have enough of it to describe my exploits as I should. So if there are any questions, ask.

I wrote a couple of exploits for an Amaya 11 bdo tag stack overflow PoC. Amaya is a web editor/browser that was written by the W3C. It doesn't seem to have much of a following, but nevertheless it was an interesting exploit to write. When the payload reaches the stack, where it overflows the saved ebp, return address and SEH, no part of it can be outside of the ASCII range (0x01 - 0x7f). This made it somewhat challenging to a neophyte like myself. My exploits, which can be seen here and here, were written with that consideration in mind. One of them is a universal exploit for all service packs of XP and the other is an exploit for Windows Vista SP1. I haven't had a chance to test it on SP0 and probably won't.

I hope to write a more detailed explanation of these exploits in the future, but realistically, it may not happen.
