Vulnerability Development: Exploiting stack-overflows in Unicode/XPSP2 - Further questions

From: Ivan Stroks <ivanstroks_at_yahoo.co.nz>
Date: Thu, 8 Jun 2006 01:13:18 +1200 (NZST)

Hi list,

I am trying to exploit a stack overflow in an
application under Windows XP SP2.
The problem is that the content of the buffer I can
overflow is converted to Unicode, so I can control
only 2 of the 4 bytes of the overwritten SEH handler
pointer.
I have read all papers related to Unicode shellcoding
(Venetian method, etc) and understand them fully.

My problem is that I am having some issues regarding
the way to bring execution back to my code, which is
the previous instance.

Supposing I can find a pop, pop, ret (or equivalent)
"unicode addressable" and I am able to return to my
EXCEPTION_REGISTRATION structure, just before my SEH
handler. There, I should do a short JMP/CALL to jump
over this record, falling into my shellcode. The problem
is that, as this value is also encoded in Unicode, I
won't be able to specify a JMP/CALL instruction.
So... how will I land in my code? Am I missing
something here?

Thanks,

IvaN!

Send instant messages to your online friends http://au.messenger.yahoo.com
Received on Jun 07 2006
