Message-ID: <4486D3DE.7000005@heapoverflow.com>
Date: Wed Jun 7 14:26:21 2006
From: ad at heapoverflow.com (ad@...poverflow.com)
Subject: Exploiting stack-overflows in Unicode/XPSP2 - Further questions
Because the offset referring to your pop pop ret is probably breaking
the process when the execution goes back to it. You might try the
first, easiest method, which is to grab several pop pop ret at different
offset locations, and then test whether the process goes on fine or is
broken again. I bet you could find at least one which will let you execute
the shellcode fine right after.
Ivan Stroks wrote:
> Hi list,
>
> I am trying to exploit a stack overflow in an
> application under Windows XP SP2.
> The problem is that the content of the buffer I can
> overflow is converted to Unicode, so I just can
> control 2 of 4 bytes of the overwritten SEH handler
> pointer.
> I have read all papers related to Unicode shellcoding
> (Venetian method, etc) and understand them fully.
>
> My problem is that I am having some issues regarding
> the way to bring execution back to my code, which is
> the previous instance.
>
> Supposing I can find a pop,pop,ret (or equivalent)
> "unicode addressable" and I am able to return to my
> EXCEPTION_REGISTRATION structure, just before my SEH
> handler. There, I should do a short JMP/CALL to jump
> over this record, falling in my shellcode. The problem
> is that, as this value is also encoded in Unicode, I
> won't be able to specify a JMP/CALL instruction.
> So...how will I land in my code? Am I missing
> something here?
>
> Thanks,
>
> IvaN!
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
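The constraint Ivan describes (two controlled bytes out of every four once the buffer is converted to Unicode, so a short JMP at nSEH cannot be encoded and a pop/pop/ret must be "Unicode addressable"), shown as an added example; this is not code from either poster. It models an ISO-8859-1 to UTF-16LE conversion (every byte XX becomes XX 00; CP1252's 0x80-0x9F range behaves differently and is not modelled), builds the 8 bytes that land on the EXCEPTION_REGISTRATION record, and filters a constructed list of candidate gadget addresses down to the ones the conversion can actually produce. All addresses and input bytes are constructed for illustration, not real module offsets.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Model of a Latin-1 (ISO-8859-1) to UTF-16LE conversion: each input byte XX
 * becomes code unit U+00XX, stored little-endian as XX 00. Assumption: the
 * target converts with a Latin-1-like code page. Returns bytes written. */
size_t latin1_to_utf16le(const unsigned char *in, size_t in_len,
                         unsigned char *out, size_t out_cap)
{
    size_t n = 0;
    for (size_t i = 0; i < in_len && n + 2 <= out_cap; i++) {
        out[n++] = in[i];
        out[n++] = 0x00;
    }
    return n;
}

/* The 32-bit value a 4-byte slot holds when it is filled from the two
 * attacker bytes lo, hi: in memory lo 00 hi 00, i.e. 0x00hi00lo. */
uint32_t slot_value(unsigned char lo, unsigned char hi)
{
    return (uint32_t)lo | ((uint32_t)hi << 16);
}

/* An address is "Unicode addressable" only if it has that 0x00YY00XX shape. */
int unicode_addressable(uint32_t addr)
{
    return (addr & 0xFF00FF00u) == 0;
}

/* Keep only the candidate pop/pop/ret addresses the conversion can write.
 * Returns how many were copied to out (out must hold n entries). */
size_t filter_gadgets(const uint32_t *cands, size_t n, uint32_t *out)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (unicode_addressable(cands[i]))
            out[k++] = cands[i];
    return k;
}

/* Build the 8 bytes that land on an EXCEPTION_REGISTRATION record
 * (4 bytes "next"/nSEH, 4 bytes handler) from the 4 attacker bytes that
 * get converted into it. */
void build_seh_record(const unsigned char attacker[4], unsigned char rec[8])
{
    latin1_to_utf16le(attacker, 4, rec, 8);
}

/* Read the handler field (offset 4, little-endian) the way the exception
 * dispatcher does: this is the address it will call. */
uint32_t record_handler(const unsigned char rec[8])
{
    return (uint32_t)rec[4] | ((uint32_t)rec[5] << 8) |
           ((uint32_t)rec[6] << 16) | ((uint32_t)rec[7] << 24);
}

int main(void)
{
    /* Constructed input: a short JMP +6 (EB 06) aimed at nSEH, followed by
     * the two bytes 0x42 0x41 intended to become the handler pointer. */
    const unsigned char attacker[4] = { 0xEB, 0x06, 0x42, 0x41 };
    unsigned char rec[8];
    build_seh_record(attacker, rec);

    printf("record in memory:");
    for (int i = 0; i < 8; i++)
        printf(" %02X", rec[i]);
    printf("\n");   /* EB 00 06 00 42 00 41 00: the JMP is split by 00 bytes */
    printf("handler the dispatcher calls: 0x%08X\n", record_handler(rec));

    /* Constructed candidate pop/pop/ret addresses, not real module offsets. */
    const uint32_t cands[] = { 0x7C9A0001, 0x00410042, 0x00AB0063, 0x10101010 };
    uint32_t usable[4];
    size_t k = filter_gadgets(cands, 4, usable);
    for (size_t i = 0; i < k; i++)
        printf("usable gadget address: 0x%08X\n", usable[i]);
    return 0;
}
```

The filter is the check to run over a real gadget list before trying the reply's suggestion of cycling through several pop/pop/ret locations: any address with a non-zero byte in the second or fourth position cannot survive the conversion, however well its gadget behaves.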