Vulnerability Development mailing list archives
Re: Getting Base Address using the Structured Exception Handler
From: dave () immunitysec com
Date: Wed, 25 Jun 2003 17:28:06 -0400 (EDT)
The answer to "Why" is always "Because." But you can use SEH to search through all of memory in search of anything really. This is a valuable technique often simply because searching for a 64-bit tag via SEH is a lot smaller than almost any other kind of robust Win32 shellcode (CANVAS's is 127 bytes, unencoded). Once you've found your shellcode somewhere else in memory, you can then execute it. (I use a Shellcode: <tag><shellcode> header with IIS exploits just to get it into memory somewhere, for example).

If you're looking for links to shellcode that does this, look for a chunked asp heap overflow exploit written by the Chinese... a lot of Chinese shellcode does (and has done for years) this trick. Most likely people chose to do this since they didn't know about the fs:(0x30) trick... or didn't want to bother with it. They like to write their shellcode as a C subroutine inside their exploit too, which is somewhat neat, although I don't recommend it personally.

Dave Aitel
Immunity, Inc.
Hack Like a Movie Star: http://www.immunitysec.com/CANVAS/
I basically am wondering if anyone has links or can post a short explanation of why (not how) using the SEH method works for getting the base address of kernel32.dll and others?

Thanks
Current thread:
- Getting Base Address using the Structured Exception Handler Nobody Mind (Jun 25)
- Re: Getting Base Address using the Structured Exception Handler dave (Jun 25)
- Re: Getting Base Address using the Structured Exception Handler Costin Ionescu (Jun 26)
- Re: Getting Base Address using the Structured Exception Handler sk (Jun 26)
- Re: Getting Base Address using the Structured Exception Handler Gerardo Richarte (Jun 26)
- Re: Getting Base Address using the Structured Exception Handler Gerardo Richarte (Jun 26)
- Re: Getting Base Address using the Structured Exception Handler Gerardo Richarte (Jun 26)