Vulnerability Development mailing list archives

Exploiting in Unicode and XP SP2


From: Ivan Stroks <ivanstroks () yahoo co nz>
Date: Wed, 7 Jun 2006 03:30:18 +1200 (NZST)

I am trying to exploit a stack buffer overflow in a
Windows Application running in XP SP2.
I'm able to overrun the buffer and modify SEH.
The problem I am facing is that the buffer that I can
overflow is converted to Unicode before the overrun,
therefore I can only write an address for the SEH
handler in the format 00XX00XX, where XX is controlled
by me.

I have already read the papers for writing shellcode
in Unicode, using the Venetian method and understand
them completely.

What I need is a way to return to my shellcode, which
should be achieved by using some "fixed" address where
a call/jmp/pop pop ret instruction can be found.

So here are the questions:

    . Which is the best tool to search for these
addresses? OllyUni? msfpescan? other?
    Apparently, using these tools I cannot look for,
for example, a call [ebp+30]... Am I missing something?

    . I have found an address with a call [ebp+30] in
Unicode.nls. In Windows 2000, I can execute the
instruction located in that memory space, whereas in
XP, I cannot. Does XP prevent the execution of
instructions if the memory doesn't have Execute access?
Because I can execute in W2K, but not in XP.

    Any help would be really appreciated.

    Thanks,

IvaN!


