Date: Wed Jun 7 14:26:21 2006
From: ad at heapoverflow.com (ad@...poverflow.com)
Subject: Exploiting stack-overflows in Unicode/XPSP2 - Further questions

Because the offset referring to your pop pop ret is probably breaking the process when the execution goes back to it. You might try the first, easiest method, which is to grab several pop pop ret at different offset locations, and then test whether the process goes fine inside or breaks again. I bet you could find at least one which will let you execute the shellcode fine right after.

Ivan Stroks wrote:
> Hi list,
>
> I am trying to exploit a stack overflow in an application under Windows XP SP2.
> The problem is that the content of the buffer I can overflow is converted to Unicode, so I can only control 2 of 4 bytes of the overwritten SEH handler pointer.
> I have read all papers related to Unicode shellcoding (Venetian method, etc.) and understand them fully.
>
> My problem is that I am having some issues regarding the way to bring execution back to my code, which is the previous instance.
>
> Supposing I can find a pop,pop,ret (or equivalent) "unicode addressable" and I am able to return to my EXCEPTION_REGISTRATION structure, just before my SEH handler. There, I should do a short JMP/CALL to jump over this record, falling in my shellcode. The problem is that, as this value is also encoded in Unicode, I won't be able to specify a JMP/CALL instruction.
> So... how will I land in my code? Am I missing something here?
>
> Thanks,
>
> IvaN!
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/