Re: Exploiting in Unicode and XP SP2

[H D Moore <sflist () digitaloffense net>]

On Tuesday 06 June 2006 10:30, Ivan Stroks wrote:
> The problem I am facing is that the buffer that I can
> overflow, is converted to Unicode before the overrun,
> therefore I can only write an address for the SEH
> handler in the format 00XX00XX, where XX is controlled
> by me.
[snip]
>     . Which is the best tool to search for this
> addresses? OllyUni? msfpescan? other?
>     Apparently, using this tools I cannot look for,
> for example a call [ebp+30]...I am missing something?

Try using memdump.exe (in framework-2.6/tools/) to dump all process 
memory, then run msfpescan with the -d option pointing to the memdump 
output directory, and -x to specify the call [ebp+0x30] opcode:

$ msfpescan -d [dir] -x "\xff\x55\x30"

Good luck!

-HD