Re: Getting Base Address using the Structured Exception Handler

[dave () immunitysec com]

The answer to "Why" is always "Because." But you can use SEH to search
through all of memory in search of anything really. This is a valuable
technique often simply because searching for a 64 bit tag via SEH is a lot
smaller than almost any other kind of robust Win32 shellcode (CANVAS's is
127 bytes, unencoded). Once you've found your shellcode somewhere else in
memory, you can then execute it. (I use a Shellcode: <tag><shellcode>
header with IIS exploits just to get it into memory somewhere, for
example).

If you're looking for links to shellcode that does this, look for a
chunked asp heap overflow exploit written by the chinese...a lot of
chinese shellcode does (and has done for years) this trick. Most likely
people chose to do this since they didn't know about the fs:(0x30)
trick...or didn't want to bother with it. They like to write their
shellcode as a C subroutine inside their exploit too, which is somewhat
neat, although I don't recommend it personally.

Dave Aitel
Immunity, Inc.
Hack Like a Movie Star: http://www.immunitysec.com/CANVAS/

> I basically am wondering if anyone has links or can
> post a short explanation of why (not how) using the
> SEH method works for getting the base
> address of kernel32.dll and others?
> Thanks
>
>
> __________________________________
> Do you Yahoo!?
> SBC Yahoo! DSL - Now only $29.95 per month!
> http://sbc.yahoo.com