What we will explain here is how to obtain a basic 4-byte write primitive through a heap overflow in… Windows XP SP1.

To do so, I’ll follow this mr_me tutorial, which explains how to abuse the way the heap unlinked chunks from its freelists before XP SP2 (SP2 added a consistency check on unlink), and try to expand on anything I had a hard time grasping.
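To make the "unlink" part concrete before diving into the tutorial, here is an added C example (mine, not code from the page or from mr_me's tutorial). It does not touch the real NT heap; it simulates a free chunk carrying a LIST_ENTRY-shaped Flink/Blink pair, a neighbouring chunk that gets overflowed into it, and the two pointer writes that an unchecked unlink performs. The chunk layout (8-byte header, 16 bytes of user data), the `victim` slot and the `shellcode` buffer are assumptions made for the demo. Build it on a 32-bit target and each write is the 4 bytes the page talks about; on a 64-bit host the same logic writes 8.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Freelist entry with the same shape as the Windows LIST_ENTRY that lives at
 * the start of a free chunk's user data (simulation, not the real NT heap). */
typedef struct list_entry {
    struct list_entry *Flink;
    struct list_entry *Blink;
} LIST_ENTRY;

/* Pre-SP2 style unlink: the chunk's neighbours are trusted blindly. */
static void unlink_unsafe(LIST_ENTRY *e) {
    LIST_ENTRY *f = e->Flink;
    LIST_ENTRY *b = e->Blink;
    b->Flink = f;   /* write #1: the value Flink lands at address Blink            */
    f->Blink = b;   /* write #2: the value Blink lands at Flink + sizeof(pointer),  */
                    /* so Flink must itself be a writable address (4 on 32-bit XP) */
}

/* SP2-style safe unlink: both neighbours must point back at the entry. */
static int unlink_safe(LIST_ENTRY *e) {
    if (e->Flink->Blink != e || e->Blink->Flink != e)
        return 0;           /* list is corrupted: refuse to unlink */
    unlink_unsafe(e);
    return 1;
}

/* Toy heap (assumed layout): chunk A, the one the attacker overflows, directly
 * followed by chunk B, which is free and so carries a LIST_ENTRY in its user
 * data. Each chunk is an 8-byte header followed by USER bytes of data. */
#define HDR   8
#define USER  16
#define CHUNK (HDR + USER)

struct sim {
    unsigned char heap[2 * CHUNK];
    LIST_ENTRY head;              /* freelist head: B's legitimate neighbour */
    LIST_ENTRY victim;            /* victim.Flink stands in for a function
                                     pointer we want to overwrite */
    unsigned char shellcode[32];  /* writable buffer whose address we plant there */
};

static LIST_ENTRY *chunk_b(struct sim *s) {
    return (LIST_ENTRY *)(s->heap + CHUNK + HDR);
}

static void sim_init(struct sim *s) {
    LIST_ENTRY *b;
    memset(s, 0, sizeof *s);
    b = chunk_b(s);
    s->head.Flink = b;      /* head <-> B: a one-entry circular freelist */
    s->head.Blink = b;
    b->Flink = &s->head;
    b->Blink = &s->head;
}

/* The bug: copy attacker bytes into A's user data with no bounds check. The
 * constructed payload overruns A, clobbers B's header, then sets B's Flink
 * (the value to write) and Blink (the address to write it to). */
static void overflow_from_a(struct sim *s, void *value, void *where) {
    unsigned char payload[USER + HDR + 2 * sizeof(void *)];
    memset(payload, 'A', USER + HDR);
    memcpy(payload + USER + HDR, &value, sizeof value);
    memcpy(payload + USER + HDR + sizeof value, &where, sizeof where);
    memcpy(s->heap + HDR, payload, sizeof payload);
}

/* Returns 1 when taking B off the freelist wrote &shellcode over victim.Flink. */
int demo_unsafe(void) {
    struct sim s;
    sim_init(&s);
    overflow_from_a(&s, s.shellcode, &s.victim);
    unlink_unsafe(chunk_b(&s));   /* the allocator services a request with B */
    return s.victim.Flink == (LIST_ENTRY *)s.shellcode;
}

/* Returns 1 when the SP2-style check rejects the corrupted entry and the
 * victim slot is left untouched. */
int demo_safe(void) {
    struct sim s;
    sim_init(&s);
    overflow_from_a(&s, s.shellcode, &s.victim);
    return unlink_safe(chunk_b(&s)) == 0 && s.victim.Flink == NULL;
}

int main(void) {
    printf("unsafe unlink gave us the write: %s\n", demo_unsafe() ? "yes" : "no");
    printf("safe unlink blocked it:          %s\n", demo_safe() ? "yes" : "no");
    return 0;
}
```

The second write is the caveat to remember: unlink also stores Blink at Flink + 4, so whatever address you choose as the value must be writable, and a real payload placed there needs a short jump over the clobbered slot. The safe-unlink check is exactly why the trick stops working from SP2 on: a Flink/Blink pair that no longer points back at the chunk is rejected before either write happens.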

Keep in mind that my knowledge on heap management was non-existent before starting to write this, so if you see anything that doesn’t seem right, do not hesitate to leave a comment.


Why should I learn about attacks that have long been dead and buried? How is it going to be useful to me as an attacker?

I don’t know. I just have faith that the knowledge gained by studying such attacks will end up being useful at some point, especially because different attacks are often based, in the end, on very similar principles. I’m also confident that what you learn along the way, not about this specific kind of attack, but about how Windows manages memory and about WinDBG, will be useful for a lot of Windows-related vulnerabilities.

Why study XP SP1, and not anything more recent?

I believe the skill cap needed to exploit old operating systems such as XP is lower, making for a smoother learning experience. Plus, attacks targeting XP help you understand those against Vista, which help you understand those against Windows 7, and so on until you reach modern operating systems. You can think of old OSes as levels you unlock as you get more skilled, if you will.

Before starting: understanding this kind of attack, no matter how anachronistic it is in view of modern security mechanisms, won’t be easy without a bit of theoretical knowledge.

I encourage anyone who wants to go any further to at least study the first 30 pages of “Practical Windows XP/2003 Heap Exploitation” from Black Hat 2009, by John McDonald and Chris Valasek. I therefore won’t explain what a freelist is, for example.

And now, let’s get to it.