| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed Jun 7 14:12:23 2006 From: ivanstroks at yahoo.co.nz (Ivan Stroks) Subject: Exploiting stack-overflows in Unicode/XPSP2 - Further questions Hi list, I am trying to exploit a stack overflow in an application under Windows XP SP2. The problem is that the content of the buffer I can overflow is converted to Unicode, so I just can control 2 of 4 bytes of the overwritten SEH handler pointer. I have read all papers related to Unicode shellcoding (Venetian method, etc) and understand them fully. My problem is that I am having some issues regarding the way to bring execution back to my code, which is the previous instance. Supposing I can find a pop,pop,ret (or equivalent) "unicode addressable" and I am able to return to my EXCEPTION_REGISTRATION structure, just before my SEH handler. There, I should do a short JMP/CALL to jump over this record, falling in my shellcode. The problem is that, as this value is also encoded in Unicode, I won't be able to specify a JMP/CALL instruction. So...how will I land in my code? I am missing something here? Thanks, IvaN! Send instant messages to your online friends http://au.messenger.yahoo.com
Powered by blists - more mailing lists