Vulnerability Development: Re: Exploiting in Unicode and XP SP2

Re: Exploiting in Unicode and XP SP2

From: H D Moore <sflist_at_digitaloffense.net>
Date: Tue, 6 Jun 2006 17:53:48 -0500

On Tuesday 06 June 2006 10:30, Ivan Stroks wrote:
> The problem I am facing is that the buffer that I can
> overflow, is converted to Unicode before the overrun,
> therefore I can only write an address for the SEH
> handler in the format 00XX00XX, where XX is controlled
> by me.
[snip]
>     . Which is the best tool to search for these
> addresses? OllyUni? msfpescan? other?
>     Apparently, using these tools I cannot look for,
> for example, a call [ebp+30]... Am I missing something?

Try using memdump.exe (in framework-2.6/tools/) to dump all process
memory, then run msfpescan with the -d option pointing to the memdump
output directory, and -x to specify the call [ebp+0x30] opcode:

$ msfpescan -d [dir] -x "\xff\x55\x30"

Good luck!

-HD
Received on Jun 06 2006
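As an added illustration (not part of the original thread, and not Metasploit's own code), the following Python reproduces what the scan in HD's reply does over a memory dump: it searches each dumped region for the three-byte encoding of `call [ebp+0x30]` (`FF 55 30`: opcode FF /2, ModRM 0x55 for `[ebp+disp8]`, displacement 0x30), converts hit offsets to absolute addresses, and then applies the 00XX00XX filter from Ivan's question to show how much the Unicode conversion shrinks the candidate set. The region contents and base addresses are constructed sample data, not a real process dump, and the region-dictionary layout is an assumption standing in for the per-region files memdump.exe writes.

```python
import re

# x86 encoding of `call [ebp+0x30]`: opcode FF /2, ModRM 0x55 = [ebp+disp8], disp8 = 0x30.
# This is the byte string passed to msfpescan -x in the reply above.
CALL_EBP_PLUS_30 = b"\xff\x55\x30"


def unicode_friendly(addr: int) -> bool:
    """True when a 32-bit address has the 00XX00XX form from the question.

    Stored little-endian that is XX 00 XX 00, which is exactly what an
    ASCII -> UTF-16LE widening produces from two attacker-supplied bytes,
    so only such addresses survive the conversion intact.
    """
    return (addr & 0xFF00FF00) == 0


def scan_region(region: bytes, base: int, pattern: bytes) -> list[int]:
    """Absolute addresses of every `pattern` occurrence in one dumped region
    that was mapped at `base` (the equivalent of -x over a single dump file)."""
    return [base + m.start() for m in re.finditer(re.escape(pattern), region)]


def scan_dump(regions: dict[int, bytes], pattern: bytes) -> dict[str, list[int]]:
    """Scan every region (base -> bytes), like msfpescan -d over a memdump
    directory, and split the hits into Unicode-friendly and other addresses.

    The dict-of-regions layout is an assumption made for this example; memdump
    writes one file per region and records the base address separately.
    """
    hits = sorted(
        addr
        for base, data in regions.items()
        for addr in scan_region(data, base, pattern)
    )
    return {
        "unicode_friendly": [a for a in hits if unicode_friendly(a)],
        "other": [a for a in hits if not unicode_friendly(a)],
    }


def sample_regions() -> dict[int, bytes]:
    """Constructed sample dump (not a real process): two regions of NOP filler
    with the call opcode planted at known offsets so the filter is visible."""
    r1 = bytearray(b"\x90" * 0x10100)
    r1[0x00010:0x00013] = CALL_EBP_PLUS_30  # 0x00400010: fits 00XX00XX
    r1[0x01234:0x01237] = CALL_EBP_PLUS_30  # 0x00401234: 0x12 sits in a byte that must be 0
    r1[0x10041:0x10044] = CALL_EBP_PLUS_30  # 0x00410041: fits 00XX00XX
    r2 = bytearray(b"\x90" * 0x100)
    r2[0x20:0x23] = CALL_EBP_PLUS_30        # 0x7C800020: high byte is not 0
    return {0x00400000: bytes(r1), 0x7C800000: bytes(r2)}


if __name__ == "__main__":
    result = scan_dump(sample_regions(), CALL_EBP_PLUS_30)
    for kind, addrs in result.items():
        print(kind, [f"0x{a:08x}" for a in addrs])
```

Running it on the constructed regions finds four occurrences of the opcode but only two whose address has the 00XX00XX shape, which is the point of Ivan's constraint: a tool that lists every `call [ebp+0x30]` in the process is only the first step, and the address filter is what decides which hits are actually usable after the conversion.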
