Dailydave mailing list archives
Re: odd exploitation question
From: "RaMatkal" <RaMatkal () hotmail com>
Date: Sun, 27 Aug 2006 15:44:47 +0200
On 24 August 2006 16:11, Jeremy Kelley wrote:

I'm a little stumped writing an exploit for an ActiveX object and so I figured I'd pester this list for a bit of help. My exploit works flawlessly when attached to the process in the debugger. Doesn't exec calc.exe when run w/o a debugger.

Different heap behaviour is invoked when you run a process under the debugger. See earlier posts on this list...

1) The heap is different when run under a debugger (thx HD for the tip), but, I'm attaching the process with Olly _after_ it's already running.

Ah. That's different.

Windows doesn't do some whacked-out mojo and start using the debug-heap on any heap allocations following, right? I can't fathom how that would work.

Nope, it doesn't do that.

2) What could cause the shellcode to execute flawlessly under a debugger but not other times. It's an exec - so I can't imagine the process is dying before it's kickstarted calc.exe.. exec doesn't work that way.

Debugger having a first-chance exception filter?

Any help is greatly appreciated. If I've left out necessary details, I'll be glad to share.

Name and GUID of the AX ob?

cheers,
DaveK
As already mentioned, this topic has been covered quite a bit on this list...

I ran into a similar problem about a year ago when developing a win32 exploit... When I attached a debugger to a vulnerable process and ran my exploit, the exploit worked perfectly, but when no debugger was attached to the process nothing seemed to happen at all...

Without a debugger attached, try running your exploit but overflowing the SEH with something bad... does your process crash? I suspect that the overflow only occurs when the debugger is attached to the process, though I could be very wrong...

As for trying to fix the situation:
(i) try using different debuggers (try a lightweight debugger)
(ii) try switching off IsBeingDebuged in PEB

Good luck, keep me posted on your progress..

RaMatkal
ramatkal () hotmail com