Open Source and information security mailing list archives
Date: Thu Mar 30 10:59:25 2006
From: fd at ben.iagu.net (fd@....iagu.net)
Subject: What is the crap before SEH?

Here's a picture I drew a while ago, showing the post-overflow phase of the
SEH bounce attack - it might help. If you mess with the short jump, you'll
try and execute the SEH pointer as code, which is why it will barf.

Cheers,

ben 

> -----Original Message-----
> From: full-disclosure-bounces@...ts.grok.org.uk 
> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf 
> Of Tauqeer Ahmad
> Sent: Thursday, March 30, 2006 2:36 PM
> To: full-disclosure@...ts.grok.org.uk
> Subject: [Full-disclosure] What is the crap before SEH?
> 
> Hello list,
>  
> While dissecting the Bluecoat WinProxy long header
> vulnerability and the HD Moore exploit for it, I found in
> the stack dump a pointer just before SEH. This pointer is
> said to be "the pointer to the next SEH structure". But when
> I changed a single byte of that pointer the exploit didn't
> work, although to my knowledge it should have worked, since
> it's SEH which points to POP POP RET and control
> transfers to our shellcode lying after SEH. I will appreciate
> a reply clarifying where that pointer before SEH
> points to. Is that pointer overwritten with the same address
> that was there before the overflow?
>  
> It will sound naive to those who already know this concept,
> yet I will appreciate help from those guys in clarifying it.
> I also know some guys will come up with flames, as it's the
> hacking culture to flame others who know less than them. But
> I can remember the day when I used to wonder how they break
> into systems, and I often got flamed for asking a question.
> Yet I have come this far by paying no heed to their
> flames and by keeping on learning. So a flame will not work, of course :P
>  
> Thanks in advance,
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SEHattackII.png
Type: image/png
Size: 180977 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060330/54e99ba5/SEHattackII-0001.png
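To show why the "pointer before SEH" matters from the defender's side, here is an added example (not from either poster) that performs a SEHOP-style integrity walk over a constructed x86 SEH chain: the handler address alone can look legitimate, but a next-record pointer that is no longer a stack address breaks the chain. Stack bounds, the module code range and the FinalExceptionHandler address are assumed values for a constructed process.

```python
import struct

# Assumed layout for a constructed x86 process: thread stack bounds, the code
# range of one loaded DLL, and the address of ntdll's FinalExceptionHandler.
STACK_LO, STACK_HI = 0x0012C000, 0x00130000
MODULE_TEXT = (0x77E00000, 0x77F00000)
FINAL_HANDLER = 0x77E5F000
CHAIN_END = 0xFFFFFFFF  # nSEH value marking the last record on x86

def read_record(stack, addr):
    """Return (nSEH, handler) for the record at addr, or None if unmapped."""
    raw = stack.get(addr)
    return struct.unpack("<II", raw) if raw is not None else None

def validate_seh_chain(stack, head):
    """SEHOP-style walk from the TEB ExceptionList head; returns (ok, reason, records)."""
    seen, records, addr = set(), [], head
    while True:
        if not (STACK_LO <= addr < STACK_HI) or addr & 3:
            return False, f"record pointer {addr:#010x} is not an aligned stack address", records
        if addr in seen:
            return False, f"cycle at {addr:#010x}", records
        seen.add(addr)
        rec = read_record(stack, addr)
        if rec is None:
            return False, f"no record bytes at {addr:#010x}", records
        nseh, handler = rec
        records.append((addr, nseh, handler))
        if not (MODULE_TEXT[0] <= handler < MODULE_TEXT[1]):
            return False, f"handler {handler:#010x} outside module code", records
        if nseh == CHAIN_END:
            ok = handler == FINAL_HANDLER
            return ok, "chain intact" if ok else "chain does not end at FinalExceptionHandler", records
        if nseh <= addr:
            return False, f"nSEH {nseh:#010x} does not point up the stack", records
        addr = nseh

def make_stack(records):
    """Build a {address: 8 raw bytes} dump from (addr, nSEH, handler) tuples."""
    return {a: struct.pack("<II", n, h) for a, n, h in records}

# Constructed intact chain: one frame handler, then the final handler.
GOOD = make_stack([(0x0012F000, 0x0012F800, 0x77E10000),
                   (0x0012F800, CHAIN_END, FINAL_HANDLER)])
# Constructed post-overflow chain: the first record's handler still lands in
# module code, but its nSEH slot holds filler bytes (0x41414141), not a stack address.
BAD = make_stack([(0x0012F000, 0x41414141, 0x77E20000),
                  (0x0012F800, CHAIN_END, FINAL_HANDLER)])
```

Calling validate_seh_chain(BAD, 0x0012F000) returns False with a reason naming 0x41414141 as a non-stack record pointer, while the GOOD chain validates all the way to the final handler.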
