Dailydave mailing list archives

Re: Exploit development weirdness


From: Dave Aitel <dave () immunityinc com>
Date: Tue, 27 Dec 2005 10:19:37 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Is this part of some effort to find out who responds first, DD or FD?

In any case, this is what I do in such circumstances:
1. Check for \xcc in your shellcode which you left in for debugging
and then forgot about.
2. Check again, cause you missed one.
3. If, on the off chance, this is not the problem:
    3a. Concurrency/threading issues (a tough nut to crack - try a
    tiny shellcode that just does a connect() and see if you at least got
    that far).
    3b. Try a lighter-weight debugger and a heavier-weight debugger.
    In my case, this would be BinNavi (or Immunity's pyDBG) and SoftIce or
    maybe WinDBG.
    I'm just going to ASSUME you're using ollydbg, since you're asking
    for help. :> Ollydbg runs the CPU hardcore doing polls.  Perhaps you
    can try setting Ollydbg in automatic trace mode, and seeing what that
    does?
    3c. Perhaps there is also a heap overflow and you're triggering
    that too, but not in debug mode since the heap performs differently in
    debug mode. Make sure you unset the debug bit in the PEB for good measure.

One thing: Always ATTACH, never "Load" the file you're trying to debug.

- -dave



RaMatkal wrote:

Having one of those days... I'm about ready to put my foot through
my computer...

Writing a stack overflow on win32 arch...

I overflow EIP with a pop/pop/ret, jump to my bind shellcode and I'm
away... all works perfectly, but...

When I attach to the process with my debugger and step through the
exploit, it works 100% of the time... however, when I try and
exploit the server without the debugger attached, the service just
seems to crash...

Anyone have any idea what could cause this sort of behaviour? (My
shellcode doesn't use IsDebuggerPresent, hehe.) Anyone have an idea
how I can take a look at what is going wrong? Remember, when I
attach my debugger it works!!!



Thanks in advance, RaMatkal


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFDsVuJB8JNm+PA+iURAge3AJ0cxLNq4Mv6+pHodFpPvc5C/FfAXwCgoinj
bhS/AjdtGtMh9Av3X571KxI=
=DbPQ
-----END PGP SIGNATURE-----
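Steps 1 and 2 of Dave's checklist (look for a stray int3 left in the payload) are the kind of thing worth automating before every test run. The following is an added example, not code from the thread or from Immunity: a small C bad-byte scanner that reports every offset holding a byte from a caller-supplied bad list (here the usual string-copy terminators plus 0xCC). The sample stub and the bad-byte list are constructed for the example; the stub deliberately contains both a forgotten int3 and a mov immediate whose bytes happen to be 0xCC, to show why each hit needs a look at the disassembly rather than a blind patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Report every offset in buf[0..len) holding a byte from the bad list.
 * Returns the total number of hits; at most max_hits offsets are stored
 * in hits[]. A hit is a candidate for review, not proof of a bug: 0xCC
 * can legitimately appear inside an immediate or displacement, so check
 * the disassembly at each reported offset before patching it out. */
size_t scan_bad_bytes(const uint8_t *buf, size_t len,
                      const uint8_t *bad, size_t nbad,
                      size_t *hits, size_t max_hits)
{
    size_t count = 0;
    for (size_t i = 0; i < len; i++) {
        if (memchr(bad, buf[i], nbad) != NULL) {
            if (count < max_hits)
                hits[count] = i;
            count++;
        }
    }
    return count;
}

/* Constructed sample (not real shellcode): a short x86 stub with a
 * debugging int3 left in between two instructions, followed by an
 * instruction whose immediate is made of 0xCC bytes on purpose. */
static const uint8_t sample_stub[] = {
    0x31, 0xc0,                     /* xor eax, eax                     */
    0x50,                           /* push eax                         */
    0xcc,                           /* int3: forgotten breakpoint       */
    0x68, 0x2f, 0x2f, 0x73, 0x68,   /* push 0x68732f2f                  */
    0xb8, 0xcc, 0xcc, 0xcc, 0xcc,   /* mov eax, 0xcccccccc (legit 0xCC) */
    0xc3                            /* ret                              */
};

/* Bad bytes for a typical string-copy-triggered stack overflow, plus the
 * int3 opcode from step 1 of the checklist. Assumed list, adjust per target. */
static const uint8_t default_bad[] = { 0x00, 0x0a, 0x0d, 0xcc };

/* Scan the constructed stub with the default bad list. */
size_t scan_sample(size_t *hits, size_t max_hits)
{
    return scan_bad_bytes(sample_stub, sizeof sample_stub,
                          default_bad, sizeof default_bad, hits, max_hits);
}

/* Result accessors so the scan can be checked by value. */
size_t sample_hit_count(void)
{
    size_t hits[32];
    return scan_sample(hits, 32);
}

size_t sample_hit_offset(size_t k)
{
    size_t hits[32];
    size_t n = scan_sample(hits, 32);
    return (k < n && k < 32) ? hits[k] : (size_t)-1;
}

int main(void)
{
    size_t hits[32];
    size_t n = scan_sample(hits, 32);
    printf("%zu suspicious byte(s) in %zu-byte stub\n", n, sizeof sample_stub);
    for (size_t i = 0; i < n && i < 32; i++)
        printf("  offset %zu: 0x%02x\n", hits[i], sample_stub[hits[i]]);
    return n ? 1 : 0;
}
```

Run it against the raw payload bytes you actually send, after any encoder has run: the exit status is non-zero when anything is flagged, so it can sit in front of the exploit in a script. The stub above yields five hits, one real (offset 3) and four that are the immediate of the mov and must stay.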

