Hi,
On 20 Mar 2006 02:19:57 -0000
laphoo_at_gmail.com wrote:
> Hello, I would like to know a way to debug a vulnerable program, where I
> am overwriting the se handler with my address. I have OllyDbg as just in
> time debugger. If my exploit-buffer reaches the pointer to the next seh
> record, nothing happens. Now I was trying to put breakpoint instructions
> (0xcc) as fake pointer but OllyDbg ignored them, or I did something wrong.
> How is it possible to debug my vulnerable program with OllyDbg, to see where
> and with which data I overwrote something?
Instead of the C code you showed, run the program with its 84 char
argument directly in Olly (file->open). When you overwrite the SEH handler
address, you should cause an exception as well, otherwise it's not going to
walk the linked list of SEHs. In most cases, the exception comes for free.
When the exception happens, Olly will stop and let you decide what to do. By
pressing SHIFT-F7, you can follow ntdll through the process in which it
determines where to find the next handler and calls it.
HIHAL.
cheers
FX
--
SABRE Labs | Felix 'FX' Lindner <fx_at_sabre-labs.com>
http://www.sabre-labs.com | +49 171 7402062
| A740 DE51 9891 19DF 0D05
| 13B3 1759 C388 C92D 6BBB
Received on Mar 20 2006
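
Added example, not part of the original message: a small C model of the linked-list walk described in the reply, run over a constructed stack image, that follows the SEH records ({Next, Handler} pairs) and reports the first field failing a sanity check, which shows which record an overwrite damaged and with what value. The stack range, addresses, function names and the three checks are assumptions of this example, not taken from ntdll or from the post.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define STACK_LIMIT 0x0012F000u   /* constructed 64-byte stack range (assumption) */
#define STACK_BASE  0x0012F040u
#define CHAIN_END   0xFFFFFFFFu   /* Next value that terminates the chain */
enum { SEH_OK, SEH_REC_OFF_STACK, SEH_REC_UNALIGNED, SEH_HANDLER_ON_STACK, SEH_LOOP };
struct finding { int status; uint32_t record; uint32_t value; };

/* Little-endian 32-bit read/write at a virtual address inside the image. */
static uint32_t rd32(const uint8_t *img, uint32_t va) {
    const uint8_t *p = img + (va - STACK_LIMIT);
    return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *img, uint32_t va, uint32_t v) {
    for (int i = 0; i < 4; i++) img[va - STACK_LIMIT + i] = (uint8_t)(v >> (8 * i));
}

/* Walk the records from head. On failure, record = address of the record that
   held the bad field (0 if the head pointer itself), value = the bad pointer. */
struct finding seh_walk(const uint8_t *img, uint32_t head) {
    struct finding f = { SEH_OK, 0, 0 };
    uint32_t rec = head;
    for (int i = 0; i < 16 && rec != CHAIN_END; i++) {
        f.value = rec;   /* the Next pointer we are about to follow */
        if (rec < STACK_LIMIT || rec > STACK_BASE - 8) { f.status = SEH_REC_OFF_STACK; return f; }
        if (rec & 3) { f.status = SEH_REC_UNALIGNED; return f; }
        f.record = rec;
        f.value = rd32(img, rec + 4);   /* Handler field */
        if (f.value >= STACK_LIMIT && f.value < STACK_BASE) { f.status = SEH_HANDLER_ON_STACK; return f; }
        rec = rd32(img, rec);           /* Next field */
    }
    if (rec != CHAIN_END) f.status = SEH_LOOP;   /* never reached the terminator */
    return f;
}

/* Constructed sample: two records; smashed=1 fills the first with 0x41 bytes. */
void build_sample(uint8_t img[64], int smashed) {
    memset(img, 0, 64);
    wr32(img, 0x0012F010u, smashed ? 0x41414141u : 0x0012F030u);  /* Next */
    wr32(img, 0x0012F014u, smashed ? 0x41414141u : 0x00401000u);  /* Handler */
    wr32(img, 0x0012F030u, CHAIN_END);
    wr32(img, 0x0012F034u, 0x00402000u);
}
int main(void) {
    uint8_t img[64];
    build_sample(img, 1);
    struct finding f = seh_walk(img, 0x0012F010u);
    printf("status=%d record=%08X value=%08X\n", f.status, (unsigned)f.record, (unsigned)f.value);
    return 0;
}
```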