Home page logo
/

metasploit logo Metasploit mailing list archives

How to exploit unhandled exception
From: thomas.werth at vahle.de (Thomas Werth)
Date: Mon, 12 Feb 2007 11:46:52 +0100

i send this data to app

$attackstring = "A" ;
$attackstring .= "\x0a";
$attackstring .= "\x11\x12\x20\x25\x05" x 5;
$attackstring .= "A" x 5000;#320;

sometimes it is needed to send data twice.

When debugger stops adress 0x727F1FC2 is given with unhandled exception.

Here is register information

EAX 007EA58C
--->
Stack[00000A04]:007EA58C db  63h ; c
Stack[00000A04]:007EA58D db  73h ; s
Stack[00000A04]:007EA58E db  6Dh ; m
Stack[00000A04]:007EA58F db 0E0h ; ?
Stack[00000A04]:007EA590 db    1
Stack[00000A04]:007EA591 db    0
Stack[00000A04]:007EA592 db    0
Stack[00000A04]:007EA593 db    0
Stack[00000A04]:007EA594 db    0
Stack[00000A04]:007EA595 db    0
Stack[00000A04]:007EA596 db    0
Stack[00000A04]:007EA597 db    0
Stack[00000A04]:007EA598 db  5Bh ; [
Stack[00000A04]:007EA599 db  2Ah ; *
Stack[00000A04]:007EA59A db  81h ; ?

<---
EBX 727F8E5B  -> mfc42u.dll:727F8E5B call    near ptr mfc42u_1258

ECX 0
EDC 0000003
ESI 0
EDI 77BFC407 -> msvcrt.dll:77BFC407 msvcrt_malloc db  8Bh
EBP 007EA630
--------->
Stack[00000A04]:007EA630 db  12h
Stack[00000A04]:007EA631 db  11h
Stack[00000A04]:007EA632 db  0Ah
Stack[00000A04]:007EA633 db  41h ; A
Stack[00000A04]:007EA634 db  60h ; `
Stack[00000A04]:007EA635 db  8Eh ; ?
Stack[00000A04]:007EA636 db  7Fh ; 
Stack[00000A04]:007EA637 db  72h ; r
Stack[00000A04]:007EA638 db  41h ; A
Stack[00000A04]:007EA639 db  43h ; C
Stack[00000A04]:007EA63A db  7Ah ; z
Stack[00000A04]:007EA63B db  72h ; r
Stack[00000A04]:007EA63C db  12h
Stack[00000A04]:007EA63D db  11h
<-------------------------
ESP 007EA62C
---------->
Stack[00000A04]:007EA630 db  12h
Stack[00000A04]:007EA631 db  11h
Stack[00000A04]:007EA632 db  0Ah
Stack[00000A04]:007EA633 db  41h ; A
Stack[00000A04]:007EA634 db  60h ; `
Stack[00000A04]:007EA635 db  8Eh ; ?
Stack[00000A04]:007EA636 db  7Fh ; 
Stack[00000A04]:007EA637 db  72h ; r
Stack[00000A04]:007EA638 db  41h ; A
Stack[00000A04]:007EA639 db  43h ; C
Stack[00000A04]:007EA63A db  7Ah ; z
Stack[00000A04]:007EA63B db  72h ; r
<-----------

EIP 727F1FC3 -> mfc42u.dll:727F1FC3 db 0CCh //above and behind even more
0cch

Let me know what more information is needed .

Waiting for your hints ;)

mmiller at hick.org schrieb:
Can you paste some of the information from the debugger about the
unhandled exception?  It's hard to answer the question generically as it
really depends on what type of exception you're triggering and how the
data you're sending relates to the exception that is generated.

On Mon, Feb 12, 2007 at 08:11:45AM +0100, Thomas Werth wrote:
Hello,

i poked around a bit with a daemon service on xp.
When sending special chars the attached debugger stops and reports an
unhandled exception.
As i'm new to exploit writing ( well i manage to write exploits for
buffer overflows ) , i don't know how to get control of daemon app using
unhandled exception.

How to do this ?
Where can i find examples for exploiting this kind of exception ?

thx
Thomas




  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault