Vulnerability Development mailing list archives

Re: debugging seh overwrite


From: Felix Lindner <fx () sabre-labs com>
Date: Mon, 20 Mar 2006 19:55:53 +0100

Hi,

On 20 Mar 2006 02:19:57 -0000
laphoo () gmail com wrote:
Hello, I would like to know a way to debug a vulnerable program, where I
am overwriting the SEH handler with my address. I have OllyDbg as just in
time debugger. If my exploit-buffer reaches the pointer to the next SEH
record, nothing happens. Now I was trying to put breakpoint instructions
(0xcc) as fake pointer but OllyDbg ignored them, or I did something wrong.
How is it possible to debug my vulnerable program with OllyDbg, to see where
and with which data I overwrote something?

instead of the C code you showed, run the program with its 84 char
argument directly in Olly (file->open). When you overwrite the SEH handler
address, you should cause an exception as well, otherwise it's not going to
walk the linked list of SEHs. In most cases, the exception comes for free.

When the exception happens, Olly will stop and let you decide what to do. By
pressing SHIFT-F7, you can follow ntdll during the process it determines where
to find the next handler and calling it.

HIHAL.
cheers
FX

-- 
SABRE Labs                 | Felix 'FX' Lindner <fx () sabre-labs com> 
http://www.sabre-labs.com  | +49 171 7402062
                           | A740 DE51 9891 19DF 0D05  
                           | 13B3 1759 C388 C92D 6BBB
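As an added example (not code from the post or from SABRE Labs), the check OllyDbg's SEH chain view does when it walks the list FX describes: follow the _EXCEPTION_REGISTRATION_RECORD entries from FS:[0] and flag the first one whose handler no longer points into a loaded module. The stack snapshot, addresses and module range below are constructed.

```python
import struct

SEH_END = 0xFFFFFFFF  # terminator of the 32-bit SEH chain hanging off FS:[0]

def walk_seh_chain(mem, base, head, stack, modules, max_records=64):
    """Walk _EXCEPTION_REGISTRATION_RECORD {next, handler} entries starting
    at `head` inside the snapshot `mem` (loaded at `base`).  `stack` is the
    (lo, hi) range of the thread stack, `modules` a list of (lo, hi, name)
    image ranges.  Returns a list of (addr, next, handler, status) tuples and
    stops at the first record that looks corrupted."""
    out = []
    cur = head
    for _ in range(max_records):
        if cur == SEH_END:
            break
        off = cur - base
        if off < 0 or off + 8 > len(mem):
            out.append((cur, None, None, "record outside snapshot"))
            break
        nxt, handler = struct.unpack_from("<II", mem, off)
        if stack[0] <= handler < stack[1]:
            status = "handler points into the stack"
        elif not any(lo <= handler < hi for lo, hi, _ in modules):
            status = "handler outside every loaded module"
        elif nxt != SEH_END and not (cur < nxt < stack[1]):
            status = "next pointer does not stay on the stack"
        else:
            status = "ok"
        out.append((cur, nxt, handler, status))
        if status != "ok":
            break
        cur = nxt
    return out

def build_sample_snapshot():
    """Constructed 32-bit stack snapshot: one intact record, then one whose
    next/handler fields were clobbered by a 0x41-filled argument string."""
    base = 0x0012F000
    mem = bytearray(0x1000)
    struct.pack_into("<II", mem, 0x100, 0x0012F800, 0x7C903000)  # intact
    struct.pack_into("<II", mem, 0x800, 0x41414141, 0x41414141)  # overwritten
    stack = (0x0012D000, 0x00130000)
    modules = [(0x7C900000, 0x7C9B0000, "ntdll.dll (constructed range)")]
    return mem, base, 0x0012F100, stack, modules

if __name__ == "__main__":
    for addr, nxt, handler, status in walk_seh_chain(*build_sample_snapshot()):
        print(f"record {addr:08x}: next={nxt:08x} handler={handler:08x}  {status}")
```

The second record is the one a debugger would stop on: its handler value is the fill byte from the argument, which is exactly what the SEH chain window in Olly shows once the exception has fired.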

