Vulnerability Development mailing list archives
Re: Exploiting in Unicode and XP SP2
From: H D Moore <sflist () digitaloffense net>
Date: Tue, 6 Jun 2006 17:53:48 -0500
On Tuesday 06 June 2006 10:30, Ivan Stroks wrote:
> The problem I am facing is that the buffer I can overflow is converted to Unicode before the overrun, so I can only write an address for the SEH handler in the format 00XX00XX, where XX is controlled by me.
> [snip]
> Which is the best tool to search for these addresses? OllyUni? msfpescan? Other? Apparently, using these tools I cannot look for, for example, a call [ebp+30]... Am I missing something?
Try using memdump.exe (in framework-2.6/tools/) to dump all process memory, then run msfpescan with the -d option pointing to the memdump output directory, and -x to specify the call [ebp+0x30] opcode:

$ msfpescan -d [dir] -x "\xff\x55\x30"

Good luck!

-HD
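The search HD describes, written out as an added example that is not part of this thread and is not msfpescan's or memdump.exe's own code: scan every dumped memory region for the three bytes of `call [ebp+0x30]` (FF 55 30) and keep only the hits whose address has the 00XX00XX shape that survives the ANSI-to-UTF-16 widening Ivan is fighting. Assumptions of mine, not from the page: the loader expects one file per region named `<hex base address>.rng` (if your dumper names files differently, adjust `load_dump_dir`); the `ascii_only` filter additionally rejects XX bytes above 0x7F, because those are remapped by the active code page during widening and may not come out as 00XX; and the sample regions are constructed in memory for the demo.

```python
"""Find Unicode-safe (00XX00XX) addresses of `call [ebp+0x30]` in memory dumps.

Added example; not code from the vuln-dev thread or from msfpescan/memdump.exe.
Assumed dump layout: one file per region, named `<hex base>.rng`.
"""
import os
import tempfile

# `call [ebp+0x30]` encodes as FF /2 with ModRM 0x55 (mod=01, reg=/2, rm=ebp)
# followed by the 8-bit displacement 0x30.
CALL_EBP_30 = b"\xff\x55\x30"


def is_unicode_address(addr, ascii_only=True):
    """True if addr fits 00XX00XX, i.e. every odd byte is zero, which is what an
    ANSI->UTF-16 widening of attacker bytes "XX XX" produces in memory.
    With ascii_only=True, each XX must also be < 0x80: bytes 0x80..0xFF are
    translated through the current code page and need not widen to 00XX
    (assumption-level caveat added here, not from the thread)."""
    if addr & 0xFF00FF00:
        return False
    if ascii_only and (addr & 0x00800080):
        return False
    return True


def find_opcode(regions, opcode=CALL_EBP_30):
    """regions: {base_address: bytes}. Returns every absolute address at which
    `opcode` occurs, in ascending region order."""
    hits = []
    for base in sorted(regions):
        data = regions[base]
        off = data.find(opcode)
        while off != -1:
            hits.append(base + off)
            off = data.find(opcode, off + 1)
    return hits


def unicode_hits(regions, opcode=CALL_EBP_30, ascii_only=True):
    """Addresses of `opcode` that the Unicode-converted overflow can express."""
    return [a for a in find_opcode(regions, opcode)
            if is_unicode_address(a, ascii_only)]


def load_dump_dir(path):
    """Assumed layout: `<hex base address>.rng` per region; other files skipped."""
    regions = {}
    for name in os.listdir(path):
        stem, ext = os.path.splitext(name)
        if ext.lower() != ".rng":
            continue
        try:
            base = int(stem, 16)
        except ValueError:
            continue
        with open(os.path.join(path, name), "rb") as f:
            regions[base] = f.read()
    return regions


def sample_regions():
    """Constructed sample: NOP-filled regions with the opcode planted at known
    offsets, giving both passing and failing addresses for the filter."""
    def region(size, plant_at):
        buf = bytearray(b"\x90" * size)
        for off in plant_at:
            buf[off:off + len(CALL_EBP_30)] = CALL_EBP_30
        return bytes(buf)
    return {
        0x00400000: region(0x2000, [0x41, 0x1234]),  # 0x00400041 ok; 0x00401234 has 0x12 in an odd byte
        0x00300000: region(0x100, [0x50, 0xB0]),     # 0x00300050 ok; 0x003000B0 fails ascii_only
        0x7C800000: region(0x100, [0x10]),           # 0x7C800010: high half 0x7C80, never 00XX
    }


def demo_roundtrip():
    """Write the sample regions out in the assumed `<hex>.rng` layout, reload
    them with load_dump_dir, and return the Unicode-safe hits found."""
    with tempfile.TemporaryDirectory() as d:
        for base, data in sample_regions().items():
            with open(os.path.join(d, "%08x.rng" % base), "wb") as f:
                f.write(data)
        return unicode_hits(load_dump_dir(d))


if __name__ == "__main__":
    for a in demo_roundtrip():
        print("call [ebp+0x30] at 0x%08x" % a)
```

Run against a real dump directory with `unicode_hits(load_dump_dir(path))`; pass `ascii_only=False` to see the 00XX00XX candidates that the code-page caveat would otherwise discard, and pass a different `opcode` (for example `b"\xff\x55\x0c"` for `call [ebp+0x0c]`) to hunt another displacement.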
Current thread:
- Exploiting in Unicode and XP SP2 Ivan Stroks (Jun 06)
- Re: Exploiting in Unicode and XP SP2 H D Moore (Jun 06)
- RE: Exploiting in Unicode and XP SP2 Ben Nagy (Jun 07)