Dailydave mailing list archives
Heap Overflow (UnHandledExceptionFilter) question
From: "class 101" <class101 () hat-squad com>
Date: Sun, 5 Dec 2004 05:32:59 +0100
Hello the list,

Sorry firstly for my crap English, I will try to be quick and clear.

I'm currently learning heap overflows with some examples and a recent Windows hole found by an excellent team :>

I resume quickly the exploitation via the UEF (UnhandledExceptionFilter) for those who forgot: if we are able to overwrite the pointers EAX and ECX in this case:

mov dword [ecx], eax
mov dword [eax+4], ecx

we successfully exploit the hole by pointing ECX to my UEF address, and pointing EAX to an address with this content (assuming that I'm on Win2k):

call dword [esi+4c]

The esi+4c, which is pushed when the unhandled exception occurs, points to my buffer and then reads my shellcode...

OK, the question is now: if I'm able to overwrite the pointers ECX and EDX in this case:

mov dword [ecx], edx

I tried to apply the UEF method on this hole without success, because I think EAX is no longer pointing to a call instruction, which is needed. Maybe someone can confirm to me that I can use only EAX and ECX via this method, and is there another way to exploit it, maybe via the PEB method?

Anyway, thanks for your time, dude.

-------------------------------------------------------------
class101
Hat-Squad.com
-------------------------------------------------------------

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
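Added example in C, not code from the original post: the doubly-linked-list unlink that the post's two stores come from, next to the safe-unlink consistency check that detects corrupted links before they turn into a write. The list layout and the "target" entry are constructed for the demo.

```c
/* Added example, not from the original post: list unlink with and without
 * the "safe unlink" check. unlink_unchecked() does the two stores the post
 * shows (mov [ecx], eax / mov [eax+4], ecx); with corrupted links they
 * become an attacker-chosen write. unlink_checked() refuses an entry whose
 * neighbours no longer point back to it. Lists below are constructed data. */
#include <stddef.h>

struct entry { struct entry *flink, *blink; };   /* forward / backward links */
static void unlink_unchecked(struct entry *e)   /* classic, trusts the links */
{
    e->blink->flink = e->flink;   /* mov [ecx], eax   */
    e->flink->blink = e->blink;   /* mov [eax+4], ecx */
}
/* Safe unlink: returns 1 on success, 0 if the links are inconsistent. */
static int unlink_checked(struct entry *e)
{
    if (e->flink->blink != e || e->blink->flink != e)
        return 0;
    e->blink->flink = e->flink;
    e->flink->blink = e->blink;
    return 1;
}
static void build_list(struct entry *head, struct entry *a, struct entry *b)
{   /* circular list: head <-> a <-> b <-> head */
    head->flink = a; a->blink = head;
    a->flink = b;    b->blink = a;
    b->flink = head; head->blink = b;
}
static int demo_healthy_unlink(void)   /* checked unlink still splices a out */
{
    struct entry head, a, b;
    build_list(&head, &a, &b);
    return unlink_checked(&a) == 1 && head.flink == &b && b.blink == &head;
}
static int demo_corruption_detected(void)   /* a.flink overwritten: rejected */
{
    struct entry head, a, b, target = { NULL, NULL };
    build_list(&head, &a, &b);
    a.flink = &target;
    return unlink_checked(&a) == 0 && target.blink == NULL;
}
static int demo_corruption_unchecked(void)   /* same, unchecked: store hits target */
{
    struct entry head, a, b, target = { NULL, NULL };
    build_list(&head, &a, &b);
    a.flink = &target;
    unlink_unchecked(&a);
    return target.blink == &head && head.flink == &target;
}
```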