In the ???References??? section that follows, we??™ve included a number of real-world
exploits that used InternetExploiter to heap spray. The best way to learn how to turn IE
crashes jumping off into random heap memory into reliable, repeatable exploits via
heap spray is to study these examples and try out the concepts for yourself. You should
try to build an unpatched XPSP1 VPC with the Windows debugger for this purpose.
Remove the heap spray from each exploit and watch as IE crashes with execution pointing
out into random heap memory. Then try the exploit with heap spray and inspect
memory after the heap spray finishes before the vulnerability is triggered. Finally, step
through the assembly when the vulnerability is triggered and watch how the nop slide is
encountered and then the shellcode is run.
References
InternetExploiter homepage (outdated) www.edup.tudelft.nl/~bjwever/menu.html.php
MS04-040 exploit www.milw0rm.com/exploits/612
MS05-002 exploit www.milw0rm.com/exploits/753
MS05-037 exploit www.milw0rm.com/exploits/1079
MS06-013 exploit www.milw0rm.com/exploits/1606
MS06-055 exploit www.milw0rm.com/exploits/2408
Gray Hat Hacking: The Ethical Hacker??™s Handbook
384
Protecting Yourself from Client-Side Exploits
This chapter was not meant to scare you away from browsing the Web or using e-mail.
Pages:
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694