Vulnerability Development mailing list archives
Re: debugging seh overwrite
From: Felix Lindner <fx () sabre-labs com>
Date: Mon, 20 Mar 2006 19:55:53 +0100
Hi,

On 20 Mar 2006 02:19:57 -0000 laphoo () gmail com wrote:

> Hello, I would like to know a way to debug a vulnerable program, where I am overwriting the se handler with my address. I have OllyDbg as just in time debugger. If my exploit-buffer reaches the pointer to the next seh record, nothing happens. Now I was trying to put breakpoint instructions (0xcc) as fake pointer but OllyDbg ignored them, or I did something wrong. How is it possible to debug my vulnerable program with OllyDbg, to see where and with which data I overwrote something?

Instead of the C code you showed, run the program with its 84 char argument directly in Olly (file->open). When you overwrite the SEH handler address, you should cause an exception as well, otherwise it's not going to walk the linked list of SEHs. In most cases, the exception comes for free. When the exception happens, Olly will stop and let you decide what to do. By pressing SHIFT-F7, you can follow ntdll during the process in which it determines where to find the next handler and calls it.

HIHAL.

cheers
FX

--
SABRE Labs | Felix 'FX' Lindner <fx () sabre-labs com> http://www.sabre-labs.com | +49 171 7402062 | A740 DE51 9891 19DF 0D05 | 13B3 1759 C388 C92D 6BBB
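
The chain walk mentioned in the reply, modelled as an added example that is not part of the original post: a simulated 32-bit stack holds three {Next, Handler} records, an 84-byte fill overruns a constructed 64-byte buffer below the first record, and the walk reports which record now holds an invalid Next pointer and what data landed there. The stack address, layout, handler values and all function names are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define STACK_BASE  0x0012F000u  /* constructed address of stack[0] */
#define STACK_WORDS 64
#define CHAIN_END   0xFFFFFFFFu  /* Next field of the last record (32-bit Windows) */
typedef struct { int records; uint32_t last_good; uint32_t bad_ptr; } walk_result;
static uint32_t stack[STACK_WORDS];  /* model of a 32-bit stack, lowest address first */

/* Place a {Next, Handler} record at word index idx and return its address. */
static uint32_t put_record(int idx, uint32_t next, uint32_t handler)
{
    stack[idx] = next; stack[idx + 1] = handler;
    return STACK_BASE + 4u * (uint32_t)idx;
}

/* Three chained records; the innermost sits 64 bytes above a buffer at byte 32. */
uint32_t build_chain(void)
{
    memset(stack, 0, sizeof stack);
    uint32_t outer = put_record(56, CHAIN_END, 0x7C800001u);  /* constructed handlers */
    uint32_t mid = put_record(40, outer, 0x00401200u);
    return put_record(24, mid, 0x00401100u);
}

/* Follow Next pointers from head; stop at one that is unaligned or off the stack. */
walk_result walk_chain(uint32_t head)
{
    walk_result r = { 0, 0, 0 };
    for (uint32_t rec = head; rec != CHAIN_END; rec = stack[(rec - STACK_BASE) / 4]) {
        uint32_t idx = (rec - STACK_BASE) / 4;
        if (rec < STACK_BASE || (rec & 3u) || idx + 1 >= STACK_WORDS || r.records >= STACK_WORDS) {
            r.bad_ptr = rec;   /* the walk cannot continue past this value */
            return r;
        }
        r.last_good = rec;
        r.records++;
    }
    return r;
}

int main(void)
{
    uint32_t head = build_chain();
    printf("before: %d records\n", walk_chain(head).records);
    memset((unsigned char *)stack + 32, 'A', 84);  /* 84 bytes into the 64-byte buffer */
    walk_result r = walk_chain(head);
    printf("after: %d record, %08x -> %08x\n", r.records, (unsigned)r.last_good, (unsigned)r.bad_ptr);
    return 0;
}
```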