lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20060607131205.54926.qmail@web55204.mail.re4.yahoo.com>
Date: Wed Jun  7 14:12:23 2006
From: ivanstroks at yahoo.co.nz (Ivan Stroks)
Subject: Exploiting stack-overflows in Unicode/XPSP2 -
	Further questions

Hi list,

I am trying to exploit a stack overflow in an
application under Windows XP SP2.
The problem is that the content of the buffer I can
overflow is converted to Unicode, so I just can
control 2 of 4 bytes of the overwritten SEH handler
pointer.
I have read all papers related to Unicode shellcoding
(Venetian method, etc) and understand them fully.

My problem is that I am having some issues regarding
the way to bring execution back to my code, which is
the previous instance.

  Supposing I can find a pop,pop,ret (or equivalent)
"unicode addressable" and I am able to return to my
EXCEPTION_REGISTRATION structure, just before my SEH
handler. There, I should do a short JMP/CALL to jump
over this record, falling in my shellcode. The problem
is that, as this value is also encoded in Unicode, I
won't be able to specify a JMP/CALL instruction.
So...how will I land in my code? I am missing
something here?

Thanks,

IvaN!

Send instant messages to your online friends http://au.messenger.yahoo.com 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ