Re: Exploiting stack-overflows in Unicode/XPSP2 - Further questions

["ad () heapoverflow com" <ad () heapoverflow com>]

because the offset referring to your pop pop ret is probably breaking 
the processus when the execution goes back to it. you might try the 
first easiest method wich is to grab several pop pop ret at different 
offset locations, and test then if the processus goes fine inside or is 
broke again. I bet you could find at least one wich will let you execute 
the shellcode fine right after.

Ivan Stroks wrote:
> Hi list,
>
> I am trying to exploit a stack overflow in an
> application under Windows XP SP2.
> The problem is that the content of the buffer I can
> overflow is converted to Unicode, so I just can
> control 2 of 4 bytes of the overwritten SEH handler
> pointer.
> I have read all papers related to Unicode shellcoding
> (Venetian method, etc) and understand them fully.
>
> My problem is that I am having some issues regarding
> the way to bring execution back to my code, which is
> the previous instance.
>
>   Supposing I can find a pop,pop,ret (or equivalent)
> "unicode addressable" and I am able to return to my
> EXCEPTION_REGISTRATION structure, just before my SEH
> handler. There, I should do a short JMP/CALL to jump
> over this record, falling in my shellcode. The problem
> is that, as this value is also encoded in Unicode, I
> won't be able to specify a JMP/CALL instruction.
> So...how will I land in my code? I am missing
> something here?
>
> Thanks,
>
> IvaN!
>
> Send instant messages to your online friends http://au.messenger.yahoo.com 
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>

Attachment: ad.vcf
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/