Exploiting stack-overflows in Unicode/XPSP2 - Further questions

[Ivan Stroks <ivanstroks () yahoo co nz>]

Hi list,

I am trying to exploit a stack overflow in an
application under Windows XP SP2.
The problem is that the content of the buffer I can
overflow is converted to Unicode, so I just can
control 2 of 4 bytes of the overwritten SEH handler
pointer.
I have read all papers related to Unicode shellcoding
(Venetian method, etc) and understand them fully.

My problem is that I am having some issues regarding
the way to bring execution back to my code, which is
the previous instance.

  Supposing I can find a pop,pop,ret (or equivalent)
"unicode addressable" and I am able to return to my
EXCEPTION_REGISTRATION structure, just before my SEH
handler. There, I should do a short JMP/CALL to jump
over this record, falling in my shellcode. The problem
is that, as this value is also encoded in Unicode, I
won't be able to specify a JMP/CALL instruction.
So...how will I land in my code? I am missing
something here?

Thanks,

IvaN!

Send instant messages to your online friends http://au.messenger.yahoo.com 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/