Full Disclosure mailing list archives
Re: exploiting/debugging the UnhandledExceptionFilter
From: class <ad () class101 org>
Date: Tue, 21 Jun 2005 14:34:17 +0200
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 You have to breakpoint right before an instance in ntdll.dll which looks like this: cmp dword [ebp-20],esi jne adress mov eax,[UEF] cmp eax,esi je address call eax if I remember dword [ebp-20] points to 0x00000000 and esi to 0xFFFFFFFF (it should be equal) you just have then to null out esi (0x00000000) hope that help :) RaMatkal a écrit :
Hi, I am working on a Win heap overflow that gives me control of eax and ecx and hence allows me to write a double word of memory to an arbitrary location... I overwrite the SetUnhandledException filter with an address that will bounce me back to my shellcode. the only problem is, that the unhandledexception filter does not get called while the vulnerable process is being debugged, say with ollydbg. I think i remember reading somewhere that it is possible to make the UnhandledException filter get called from within a standard debugger such as ollydbg and was wandering if anyone knows how to do this... (Kernel level debugger is not an option ie SoftIce) Thanks very much RaMatkal ---------------------------------------------------------------------- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) iD8DBQFCuAlHLyZ8K9aT7rARAuM5AJ9HaxpZNko7txzgGO6zU3UCrtqMWQCff6c9 eq3EEG0y0TgCPwr9/k3R+68= =Ha74 -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- exploiting/debugging the UnhandledExceptionFilter RaMatkal (Jun 21)
- Re: exploiting/debugging the UnhandledExceptionFilter class (Jun 21)