Dailydave mailing list archives

Re: odd exploitation question


From: "RaMatkal" <RaMatkal () hotmail com>
Date: Sun, 27 Aug 2006 15:44:47 +0200



On 24 August 2006 16:11, Jeremy Kelley wrote:

I'm a little stumped writing an exploit for an ActiveX object and so I
figured I'd pester this list for a bit of help.

My exploit works flawlessly when attached to the process in the
debugger.  Doesn't exec calc.exe when run w/o a debugger.

 Different heap behaviour is invoked when you run a process under the
debugger.  See earlier posts on this list...

1) The heap is different when run under a debugger (thx HD for the
tip), but, I'm attaching the process with Olly _after_ it's already
running.

 Ah.  That's different.

Windows doesn't do some whacked-out mojo and start using the
debug-heap on any heap allocations following, right?  I can't fathom
how that would work.

 Nope, it doesn't do that.

2) What could cause the shellcode to execute flawlessly under a
debugger but not other times.  It's an exec - so I can't imagine the
process is dying before it's kickstarted calc.exe.. exec doesn't work
that way.

 Debugger having a first-chance exception filter?

Any help is greatly appreciated.  If I've left out necessary details,
I'll be glad to share.

 Name and GUID of the AX ob?


   cheers,
     DaveK
-- 

As already mentioned, this topic has been covered quite a bit on this list...

I ran into a similar problem about a year ago when developing a win32
exploit.... when I attached a debugger to a vulnerable process and ran my
exploit the exploit worked perfectly, but when no debugger was attached to
the process nothing seemed to happen at all....

Without a debugger attached, try running your exploit but overflowing the
SEH with something bad.... does your process crash? I suspect that the
overflow only occurs when the debugger is attached to the process, though I
could be very wrong...

As for trying to fix the situation
(i) try using different debuggers (try a lightweight debugger)
(ii) try switching off IsBeingDebugged in PEB

Good luck, keep me posted on your progress..

RaMatkal
ramatkal () hotmail com 
