Metasploit mailing list archives

How to exploit unhandled exception


From: thomas.werth at vahle.de (Thomas Werth)
Date: Mon, 12 Feb 2007 11:46:52 +0100

I send this data to the app:

my $attackstring = "A";
$attackstring .= "\x0a";
$attackstring .= "\x11\x12\x20\x25\x05" x 5;
$attackstring .= "A" x 5000;   # 320

Sometimes the data needs to be sent twice.

When the debugger stops, address 0x727F1FC2 is given with an unhandled exception.

Here is the register information:

EAX 007EA58C
--->
Stack[00000A04]:007EA58C db  63h ; c
Stack[00000A04]:007EA58D db  73h ; s
Stack[00000A04]:007EA58E db  6Dh ; m
Stack[00000A04]:007EA58F db 0E0h ; ?
Stack[00000A04]:007EA590 db    1
Stack[00000A04]:007EA591 db    0
Stack[00000A04]:007EA592 db    0
Stack[00000A04]:007EA593 db    0
Stack[00000A04]:007EA594 db    0
Stack[00000A04]:007EA595 db    0
Stack[00000A04]:007EA596 db    0
Stack[00000A04]:007EA597 db    0
Stack[00000A04]:007EA598 db  5Bh ; [
Stack[00000A04]:007EA599 db  2Ah ; *
Stack[00000A04]:007EA59A db  81h ; ?

<---
EBX 727F8E5B  -> mfc42u.dll:727F8E5B call    near ptr mfc42u_1258

ECX 0
EDC 0000003
ESI 0
EDI 77BFC407 -> msvcrt.dll:77BFC407 msvcrt_malloc db  8Bh
EBP 007EA630
--------->
Stack[00000A04]:007EA630 db  12h
Stack[00000A04]:007EA631 db  11h
Stack[00000A04]:007EA632 db  0Ah
Stack[00000A04]:007EA633 db  41h ; A
Stack[00000A04]:007EA634 db  60h ; `
Stack[00000A04]:007EA635 db  8Eh ; ?
Stack[00000A04]:007EA636 db  7Fh ; 
Stack[00000A04]:007EA637 db  72h ; r
Stack[00000A04]:007EA638 db  41h ; A
Stack[00000A04]:007EA639 db  43h ; C
Stack[00000A04]:007EA63A db  7Ah ; z
Stack[00000A04]:007EA63B db  72h ; r
Stack[00000A04]:007EA63C db  12h
Stack[00000A04]:007EA63D db  11h
<-------------------------
ESP 007EA62C
---------->
Stack[00000A04]:007EA630 db  12h
Stack[00000A04]:007EA631 db  11h
Stack[00000A04]:007EA632 db  0Ah
Stack[00000A04]:007EA633 db  41h ; A
Stack[00000A04]:007EA634 db  60h ; `
Stack[00000A04]:007EA635 db  8Eh ; ?
Stack[00000A04]:007EA636 db  7Fh ; 
Stack[00000A04]:007EA637 db  72h ; r
Stack[00000A04]:007EA638 db  41h ; A
Stack[00000A04]:007EA639 db  43h ; C
Stack[00000A04]:007EA63A db  7Ah ; z
Stack[00000A04]:007EA63B db  72h ; r
<-----------

EIP 727F1FC3 -> mfc42u.dll:727F1FC3 db 0CCh // above and behind even more 0cch

Let me know what more information is needed.

Waiting for your hints ;)

mmiller at hick.org wrote:
Can you paste some of the information from the debugger about the
unhandled exception?  It's hard to answer the question generically as it
really depends on what type of exception you're triggering and how the
data you're sending relates to the exception that is generated.

On Mon, Feb 12, 2007 at 08:11:45AM +0100, Thomas Werth wrote:
Hello,

I poked around a bit with a daemon service on XP.
When sending special chars, the attached debugger stops and reports an
unhandled exception.
As I'm new to exploit writing (well, I manage to write exploits for
buffer overflows), I don't know how to get control of the daemon app using
an unhandled exception.

How to do this?
Where can I find examples for exploiting this kind of exception?

thx
Thomas
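Added here as an editor's example, not part of the thread: a small Python crash-triage helper that parses the IDA-style `db` lines posted above and checks, dword by dword, whether the memory EBP points at is made of the bytes the Perl snippet sends. That is the question a developer has to answer before deciding whether a crash is a robustness bug or a memory-safety vulnerability that needs a fix. The dump text and the byte pattern are copied from the post; the three-way `input`/`other`/`mixed` classification and all function names are my own.

```python
import re
from typing import Dict, List, Tuple

# Sample input: the EBP region of the IDA-style dump posted above, copied as-is.
EBP_DUMP = """\
Stack[00000A04]:007EA630 db  12h
Stack[00000A04]:007EA631 db  11h
Stack[00000A04]:007EA632 db  0Ah
Stack[00000A04]:007EA633 db  41h ; A
Stack[00000A04]:007EA634 db  60h ; `
Stack[00000A04]:007EA635 db  8Eh ; ?
Stack[00000A04]:007EA636 db  7Fh ;
Stack[00000A04]:007EA637 db  72h ; r
Stack[00000A04]:007EA638 db  41h ; A
Stack[00000A04]:007EA639 db  43h ; C
Stack[00000A04]:007EA63A db  7Ah ; z
Stack[00000A04]:007EA63B db  72h ; r
Stack[00000A04]:007EA63C db  12h
Stack[00000A04]:007EA63D db  11h
"""

# The byte values the Perl snippet above sends: "A", "\x0a" and the 5-byte pattern.
SENT_PATTERN = bytes([0x41, 0x0A, 0x11, 0x12, 0x20, 0x25, 0x05])

# IDA prints one byte per line as 'Stack[seg]:ADDR db VALUE ; ascii'. VALUE is hex
# with a trailing 'h' (0E0h) or, for small numbers, plain decimal (1).
LINE_RE = re.compile(
    r"^Stack\[[0-9A-Fa-f]+\]:([0-9A-Fa-f]{8})\s+db\s+([0-9A-Fa-f]+h|\d+)\b"
)


def parse_dump(text: str) -> Tuple[int, bytes]:
    """Return (base_address, bytes) for a contiguous run of IDA 'db' lines."""
    cells: Dict[int, int] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # register headers, arrows and blank lines are skipped
        addr = int(m.group(1), 16)
        tok = m.group(2)
        cells[addr] = (int(tok[:-1], 16) if tok.endswith("h") else int(tok)) & 0xFF
    if not cells:
        raise ValueError("no 'db' lines found in dump")
    base, top = min(cells), max(cells)
    missing = [a for a in range(base, top + 1) if a not in cells]
    if missing:
        # Refuse to invent bytes for addresses the dump does not show.
        raise ValueError(f"dump is not contiguous, missing {len(missing)} byte(s)")
    return base, bytes(cells[a] for a in range(base, top + 1))


def triage(base: int, buf: bytes, pattern: bytes) -> dict:
    """Classify each aligned 32-bit word as 'input' (every byte occurs in the data
    that was sent), 'other' (none does) or 'mixed'. Registers pointing at
    input-derived words mean the fault is driven by untrusted data, so the bug
    is a memory-safety issue and not merely a robustness problem."""
    sent = set(pattern)
    words: List[Tuple[int, int, str]] = []
    for off in range(0, len(buf) - 3, 4):
        chunk = buf[off:off + 4]
        hits = sum(b in sent for b in chunk)
        kind = "input" if hits == 4 else "other" if hits == 0 else "mixed"
        words.append((base + off, int.from_bytes(chunk, "little"), kind))
    return {
        "total_bytes": len(buf),
        "input_bytes": sum(b in sent for b in buf),
        "dwords": words,
    }


def report(dump: str, pattern: bytes = SENT_PATTERN) -> dict:
    """Parse, triage and print one line per dword; returns the triage result."""
    base, buf = parse_dump(dump)
    result = triage(base, buf, pattern)
    for addr, val, kind in result["dwords"]:
        print(f"{addr:08X}: {val:08X}  {kind}")
    return result


if __name__ == "__main__":
    report(EBP_DUMP)
```

Run on the posted EBP region this reports the first dword at 007EA630 as 0x410A1112, built entirely from sent bytes, followed by 0x727F8E60, which is a few bytes past the EBX value the post shows inside mfc42u.dll, and then a mixed word. Single-byte matches such as 0x41 are weak evidence on their own, so the dword-level view is the one to read. Note also that the byte at EIP is 0xCC, the INT3 opcode commonly used as padding between functions, so the faulting instruction pointer in this dump is not sitting on the sent data itself.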
