Vulnerability Development mailing list archives
Exploiting in Unicode and XP SP2
From: Ivan Stroks <ivanstroks () yahoo co nz>
Date: Wed, 7 Jun 2006 03:30:18 +1200 (NZST)
I am trying to exploit a stack buffer overflow in a Windows application running on XP SP2. I'm able to overrun the buffer and modify SEH. The problem I am facing is that the buffer that I can overflow is converted to Unicode before the overrun; therefore I can only write an address for the SEH handler in the format 00XX00XX, where XX is controlled by me. I have already read the papers on writing shellcode in Unicode, using the Venetian method, and understand them completely. What I need is a way to return to my shellcode, which should be achieved by using some "fixed" address where a call/jmp/pop pop ret instruction can be found.

So here are the questions:

- Which is the best tool to search for these addresses? OllyUni? msfpescan? Other? Apparently, using these tools I cannot look for, for example, a call [ebp+30]... Am I missing something?
- I have found an address with a call [ebp+30] in Unicode.nls. In Windows 2000, I can execute the instruction located in that memory space, whereas in XP, I cannot. Does XP prevent the execution of instructions if the memory doesn't have Execute access? Because I can execute in W2K, but not in XP.

Any help would be really appreciated.

Thanks,
IvaN!
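The first question in the post (how to search a module for pop/pop/ret or call [ebp+disp8] trampolines when only addresses of the form 00XX00XX are usable) can be answered with a small scanner. The C program below is an added example for this archive page, not code from the poster or from OllyUni/msfpescan. It scans a constructed 128 KB byte image at an assumed image base of 0x00400000 (both the image and the base are made up for the example; a real run would read the code section of the target module out of the process), reports every match, and optionally keeps only the Unicode-reachable ones. It also computes the two ANSI input bytes that expand to a chosen address. It says nothing about the second question: whether the page is executable under XP SP2 DEP is a page-protection property, independent of the bytes at the address, and must be checked separately in the target process.

```c
/* gadget_scan.c: find SEH trampolines (pop/pop/ret, call/jmp [ebp+disp8])
 * in a code image and keep only addresses that survive ANSI->Unicode
 * conversion. The sample image below is constructed for this example. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* After MultiByteToWideChar, input bytes AA BB land in memory as AA 00 BB 00,
 * i.e. the little-endian dword 0x00BB00AA. So only 0x00XX00YY addresses are
 * reachable; the mask selects the two bytes that must be zero. */
int unicode_safe_addr(uint32_t addr)
{
    return (addr & 0xFF00FF00u) == 0;
}

/* Inverse: the two ANSI input bytes that expand to `addr`, packed as
 * (second_byte << 8) | first_byte; -1 if the address is not reachable. */
int32_t unicode_input_bytes(uint32_t addr)
{
    if (!unicode_safe_addr(addr))
        return -1;
    return (int32_t)((((addr >> 16) & 0xFF) << 8) | (addr & 0xFF));
}

typedef enum { GADGET_POP_POP_RET, GADGET_CALL_EBP_DISP8, GADGET_JMP_EBP_DISP8 } gadget_kind;

static int is_pop_gpr(uint8_t b) { return b >= 0x58 && b <= 0x5F && b != 0x5C; } /* pop r32, not esp */
static int is_ret(uint8_t b)     { return b == 0xC3 || b == 0xC2; }              /* ret / ret imm16 */

/* Byte-level matcher; all three patterns are exactly three bytes long. */
static int match_at(const uint8_t *p, gadget_kind kind, int8_t disp)
{
    switch (kind) {
    case GADGET_POP_POP_RET:    return is_pop_gpr(p[0]) && is_pop_gpr(p[1]) && is_ret(p[2]);
    case GADGET_CALL_EBP_DISP8: return p[0] == 0xFF && p[1] == 0x55 && (int8_t)p[2] == disp; /* call [ebp+disp8] */
    case GADGET_JMP_EBP_DISP8:  return p[0] == 0xFF && p[1] == 0x65 && (int8_t)p[2] == disp; /* jmp  [ebp+disp8] */
    }
    return 0;
}

/* Scan `len` bytes mapped at virtual address `base`. Returns the total number
 * of matches; up to max_out virtual addresses are stored in out[]. */
size_t scan_gadgets(const uint8_t *img, size_t len, uint32_t base, gadget_kind kind,
                    int8_t disp, int unicode_only, uint32_t *out, size_t max_out)
{
    size_t n = 0;
    for (size_t i = 0; i + 3 <= len; i++) {
        if (!match_at(img + i, kind, disp))
            continue;
        uint32_t va = base + (uint32_t)i;
        if (unicode_only && !unicode_safe_addr(va))
            continue;
        if (n < max_out)
            out[n] = va;
        n++;
    }
    return n;
}

/* Constructed 128 KB image at an assumed base of 0x00400000 (not a real module). */
#define SAMPLE_BASE 0x00400000u
#define SAMPLE_LEN  0x20000u
static void build_sample_image(uint8_t *img)
{
    static const uint8_t ppr[3]    = { 0x58, 0x5D, 0xC3 }; /* pop eax; pop ebp; ret */
    static const uint8_t ppr2[3]   = { 0x5E, 0x5F, 0xC2 }; /* pop esi; pop edi; ret imm16 */
    static const uint8_t call30[3] = { 0xFF, 0x55, 0x30 }; /* call dword ptr [ebp+0x30] */
    memset(img, 0x90, SAMPLE_LEN);
    memcpy(img + 0x00010, ppr, 3);    /* 0x00400010: Unicode-safe */
    memcpy(img + 0x01234, ppr2, 3);   /* 0x00401234: byte 1 is 0x12, unreachable */
    memcpy(img + 0x10020, ppr, 3);    /* 0x00410020: Unicode-safe */
    memcpy(img + 0x10040, call30, 3); /* 0x00410040: Unicode-safe */
    memcpy(img + 0x1F000, call30, 3); /* 0x0041F000: byte 1 is 0xF0, unreachable */
}

/* Convenience wrappers over the constructed image. */
size_t sample_hit_count(gadget_kind kind, int unicode_only)
{
    static uint8_t img[SAMPLE_LEN];
    uint32_t hits[16];
    build_sample_image(img);
    return scan_gadgets(img, SAMPLE_LEN, SAMPLE_BASE, kind, 0x30, unicode_only, hits, 16);
}

uint32_t sample_first_hit(gadget_kind kind, int unicode_only)
{
    static uint8_t img[SAMPLE_LEN];
    uint32_t hits[16];
    build_sample_image(img);
    size_t n = scan_gadgets(img, SAMPLE_LEN, SAMPLE_BASE, kind, 0x30, unicode_only, hits, 16);
    return n ? hits[0] : 0;
}

int main(void)
{
    static uint8_t img[SAMPLE_LEN];
    uint32_t hits[16];
    build_sample_image(img);
    size_t n = scan_gadgets(img, SAMPLE_LEN, SAMPLE_BASE, GADGET_POP_POP_RET, 0, 1, hits, 16);
    for (size_t i = 0; i < n && i < 16; i++) {
        int32_t b = unicode_input_bytes(hits[i]);
        printf("pop/pop/ret at 0x%08X  <- input bytes %02X %02X\n", hits[i], b & 0xFF, (b >> 8) & 0xFF);
    }
    return 0;
}
```

Because the usable form is 0x00XX00YY, only the first 256 bytes of every 64 KB block of a module are candidates, which is why Unicode-safe trampolines are scarce and why the search has to cover every loaded module rather than just the main image. The scanner deliberately skips pop esp, since a trampoline that pops the stack pointer is not usable as an SEH handler.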
Current thread:
- Exploiting in Unicode and XP SP2 Ivan Stroks (Jun 06)
- Re: Exploiting in Unicode and XP SP2 H D Moore (Jun 06)
- RE: Exploiting in Unicode and XP SP2 Ben Nagy (Jun 07)