Dailydave mailing list archives

Heap Overflow (UnHandledExceptionFilter) question


From: "class 101" <class101 () hat-squad com>
Date: Sun, 5 Dec 2004 05:32:59 +0100

Hello the list,

Sorry first for my crap English, I will try to be quick and clear..
I'm currently learning heap overflows with some examples and a recent Windows hole found by an excellent team :>

I'll quickly summarize the exploitation via the UEF (UnHandledExceptionFilter) for those who forgot:

If we are able to overwrite the pointers EAX and ECX in this case:
                mov dword [ecx], eax
                mov dword [eax+4],ecx

we successfully exploit the hole by pointing ECX to my UEF address, and pointing EAX to an address with this
content (assuming that I'm on win2k):

                call dword [esi+4c]

The esi+4c, which is pushed when the unhandled exception occurs, points to my buffer and then reads my shellcode...

Ok, the question is now: if I'm able to overwrite the pointers ECX and EDX in this case:

                mov dword [ecx], edx

I tried to apply the UEF method on this hole without success, because I think EAX is no longer pointing to a call
instruction, which is needed. Maybe someone can confirm that I can only use EAX and ECX via this method, and is there
another way to exploit it, maybe via the PEB method?

Anyway, thanks for your time, dude.


-------------------------------------------------------------
class101
Hat-Squad.com
-------------------------------------------------------------
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave