Full Disclosure mailing list archives
Re: Exploiting stack-overflows in Unicode/XPSP2 - Further questions
From: "ad () heapoverflow com" <ad () heapoverflow com>
Date: Wed, 07 Jun 2006 15:25:50 +0200
Because the offset referring to your pop pop ret is probably breaking the process when the execution goes back to it. You might try the first and easiest method, which is to grab several pop pop ret at different offset locations, and then test whether the process runs fine inside or is broken again. I bet you could find at least one which will let you execute the shellcode fine right after.
Ivan Stroks wrote:
Hi list,

I am trying to exploit a stack overflow in an application under Windows XP SP2. The problem is that the content of the buffer I can overflow is converted to Unicode, so I can only control 2 of the 4 bytes of the overwritten SEH handler pointer. I have read all the papers related to Unicode shellcoding (Venetian method, etc.) and understand them fully. My problem is that I am having some issues regarding the way to bring execution back to my code, which is the previous instance.

Supposing I can find a pop, pop, ret (or equivalent) that is "Unicode addressable" and I am able to return to my EXCEPTION_REGISTRATION structure, just before my SEH handler. There, I should do a short JMP/CALL to jump over this record, falling into my shellcode. The problem is that, as this value is also encoded in Unicode, I won't be able to specify a JMP/CALL instruction. So... how will I land in my code? Am I missing something here?

Thanks,
IvaN!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/