lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <4486D3DE.7000005@heapoverflow.com>
Date: Wed Jun  7 14:26:21 2006
From: ad at heapoverflow.com (ad@...poverflow.com)
Subject: Exploiting stack-overflows in Unicode/XPSP2
	-	Further questions

because the offset referring to your pop pop ret is probably breaking 
the processus when the execution goes back to it. you might try the 
first easiest method wich is to grab several pop pop ret at different 
offset locations, and test then if the processus goes fine inside or is 
broke again. I bet you could find at least one wich will let you execute 
the shellcode fine right after.

Ivan Stroks wrote:
> Hi list,
>
> I am trying to exploit a stack overflow in an
> application under Windows XP SP2.
> The problem is that the content of the buffer I can
> overflow is converted to Unicode, so I just can
> control 2 of 4 bytes of the overwritten SEH handler
> pointer.
> I have read all papers related to Unicode shellcoding
> (Venetian method, etc) and understand them fully.
>
> My problem is that I am having some issues regarding
> the way to bring execution back to my code, which is
> the previous instance.
>
>   Supposing I can find a pop,pop,ret (or equivalent)
> "unicode addressable" and I am able to return to my
> EXCEPTION_REGISTRATION structure, just before my SEH
> handler. There, I should do a short JMP/CALL to jump
> over this record, falling in my shellcode. The problem
> is that, as this value is also encoded in Unicode, I
> won't be able to specify a JMP/CALL instruction.
> So...how will I land in my code? I am missing
> something here?
>
> Thanks,
>
> IvaN!
>
> Send instant messages to your online friends http://au.messenger.yahoo.com 
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>   

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ad.vcf
Type: text/x-vcard
Size: 167 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060607/d62afbb0/ad.vcf

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ