Hi
This is a known exploit up to XP (overwriting PEB FastPebLockRoutine / FastPebUnlockRoutine) i.e.
Windows Heap Overflows using the Process Environment Block (PEB)
http://milw0rm.com/papers/66
Generic Anti-Exploitation Technology for Windows
http://research.eeye.com/html/papers/download/Generic%20Anti%20Exploitation%20Technology%20for%20Windows.pdf
Quote:
Overwriting Critical Pointers
Some newer exploits are specifically targeting interesting pointers within the PEB itself for example the
recent public release of an exploit for an ASN.1 bitstring vulnerability uses a hardcoded address of
0x7ffdf020 for the pointer to FastPEBLockRoutine(). The FastPEBLockRoutine is called when code wants
to lock the PEB so that it can be modified and it happens to be called during exception handling. In
other words this exploitation trick is another variation of abusing code that is run after memory corruption
has occurred.
Interestingly, Microsoft have removed some of the interesting pointers from the PEB under Windows
2003, so many exploits that use these methods are not effective for Windows 2003 systems. Specifically,
the pointers FastPEBLockRoutine() and FastPEBUnlockRoutine()at PEB offset 0x020 and 0x024 have
been removed.
Running Shellcode in the PEB
One last reason the PEB is interesting to attackers is because the memory pages where the PEB resides
are both Writeable and eXecutable. Since the PEB has always been in a fixed location, attackers have
the option of copying their shellcode to a known address in the PEB and then transferring execution to
that location. This technique can be useful when an arbitrary memory overwrite is possible but the
payload is difficult to locate such as for heap overflows. For this reason, copying shellcode into the PEB
and then using an overwritten pointer which is called during exit is the currently preferred method for
universal and reliable heap exploitation on Windows 2000 and Windows XPSP1. PEB randomization
can complicate this technique slightly, but since the address change is only very slight, an attacker can
still "guess" a safe location to copy the payload with high reliability. |
From the above, there are a few clues as to what actually triggers the exploit - whenever the PEB is locked so it can be modified, possibly during exception handling.
There is also the mention of the overwritten pointer being "called during exit" and references the article
Reliable Windows Heap Exploits
http://cybertech.net/~sh0ksh0k/projects/winheap/CSW04%20-%20Reliable%20Heap%20Exploitation.ppt
though I can't quite see what they mean by the phrase "called during exit".
I can't find any specific code in ntoskrnl which accesses FastPEBLockRoutine. SwitchToThread leads to NtYieldExecution and SwapContext, it may occur there on the context switch. Or it might occur during the call to _PspExitThread.
What is the actual address written to FastPebLockRoutine? Is it contained within a separate thread? Or is it within the same thread, indicating it will execute as the current thread is exiting?
