Re: Getting Base Address using the Structured Exception Handler

[dave () immunitysec com]

Well, Halvar uses the PEB technique to find kernel32.dll and related
infoz. Check out http://packetstormsecurity.nl/0209-exploits/aspcode.c for
an exploit in typical Chinese style using the SEH technique. Note how the
exploit's shellcode is about three pages of C code, which gets compiled by
Visual Studio into shellcode.

I'm still trying to figure out what these two lines really do...
 k=0x7ffdf020;
 *(int *)k=RtlEnterCriticalSectionadd;
Something to do with thread locking, obviously, but what?

Dave Aitel
Immunity, Inc.
Hack like a pro, without all the Mountain Dew:
http://www.immunitysec.com/CANVAS/



> ----- Original Message -----
> From: <dave () immunitysec com>
> To: "Nobody Mind" <cod3po3t () yahoo com>
> Cc: <vuln-dev () securityfocus com>
> Sent: Wednesday, June 25, 2003 10:28 PM
> Subject: Re: Getting Base Address using the Structured Exception Handler
>
> [snip]
>
> > If you're looking for links to shellcode that does this, look for a
> > chunked asp heap overflow exploit written by the chinese...a lot of
> > chinese shellcode does (and has done for years) this trick. Most likely
> [snip]
>
> A [shellcode only] example of this can be seen here:
> http://www.darklab.org/archive/msg00183.html
>
> A couple of useful links that give an overview of the SEH itself:
> http://www.jorgon.freeserve.co.uk/ExceptFrame.htm
> http://www.microsoft.com/msj/0197/Exception/Exception.aspx
>
> FWIW, you may want to hunt around some VX source as the VX folks have been
> doing this for ummmm... ages ;-)
> http://29a.host.sk/ezine.html is probably a good start.
>
> Cheers,
>             JJ