Vulnerability Development mailing list archives
Re: Getting Base Address using the Structured Exception Handler
From: dave () immunitysec com
Date: Thu, 26 Jun 2003 07:04:32 -0400 (EDT)
Well, Halvar uses the PEB technique to find kernel32.dll and related infoz. Check out http://packetstormsecurity.nl/0209-exploits/aspcode.c for an exploit in typical Chinese style using the SEH technique. Note how the exploit's shellcode is about three pages of C code, which gets compiled by Visual Studio into shellcode. I'm still trying to figure out what these two lines really do... k=0x7ffdf020; *(int *)k=RtlEnterCriticalSectionadd; Something to do with thread locking, obviously, but what? Dave Aitel Immunity, Inc. Hack like a pro, without all the Mountain Dew: http://www.immunitysec.com/CANVAS/
----- Original Message ----- From: <dave () immunitysec com> To: "Nobody Mind" <cod3po3t () yahoo com> Cc: <vuln-dev () securityfocus com> Sent: Wednesday, June 25, 2003 10:28 PM Subject: Re: Getting Base Address using the Structured Exception Handler [snip]If you're looking for links to shellcode that does this, look for a chunked asp heap overflow exploit written by the chinese...a lot of chinese shellcode does (and has done for years) this trick. Most likely[snip] A [shellcode only] example of this can be seen here: http://www.darklab.org/archive/msg00183.html A couple of useful links that give an overview of the SEH itself: http://www.jorgon.freeserve.co.uk/ExceptFrame.htm http://www.microsoft.com/msj/0197/Exception/Exception.aspx FWIW, you may want to hunt around some VX source as the VX folks have been doing this for ummmm... ages ;-) http://29a.host.sk/ezine.html is probably a good start. Cheers, JJ
Current thread:
- Getting Base Address using the Structured Exception Handler Nobody Mind (Jun 25)
- Re: Getting Base Address using the Structured Exception Handler dave (Jun 25)
- Re: Getting Base Address using the Structured Exception Handler Nexus (Jun 26)
- Re: Getting Base Address using the Structured Exception Handler dave (Jun 26)
- Re: Getting Base Address using the Structured Exception Handler Nexus (Jun 26)
- Re: Getting Base Address using the Structured Exception Handler Costin Ionescu (Jun 26)
- Re: Getting Base Address using the Structured Exception Handler sk (Jun 26)
- Re: Getting Base Address using the Structured Exception Handler Gerardo Richarte (Jun 26)
- Re: Getting Base Address using the Structured Exception Handler Gerardo Richarte (Jun 26)
- Re: Getting Base Address using the Structured Exception Handler Gerardo Richarte (Jun 26)
- Re: Getting Base Address using the Structured Exception Handler dave (Jun 25)