Home page logo

Vulnerability Development mailing list archives

Re: debugging seh overwrite
From: The Jabberwock <dj () ethericmist net>
Date: Mon, 20 Mar 2006 13:50:37 -0500

I've never seen anyone use this method for filling a buffer, but:

I don't see the variable "ret" declared anywhere in your code. I just see it used in the call to memcpy. sizeof(payload) might not be the best way to get the string length of the payload. It may be safer to use strlnlen. There is no guarantee that sizeof(char[84]) will return the length of the string as opposed to sizeof(char).

You also seem to be misusing your `ptr` variable.

I recommend you read "Smashing the Stack for Fun and Profit":

The Jabberwock

laphoo () gmail com wrote:
Hello, I would like to know a way to debugging a vulnerable program, where I am overwriting the se handler with my 
address. I have OllyDbg as just in time debugger. If my exploit-buffer reaches the pointer to the next seh record, 
nothing happens. Now I was trying to put breakpoint instructions 0xcc) as fake pointer but OllyDbg ignored them, or I 
did something wrong. How is it possible to debug my vulnerable program with OllyDbg, to see where and with which data I 
overwrote something?

/* cl expl.c (Visual C++ 6.0) */
#include <stdio.h>
#include <string.h>
int main (void)
    char *app[3];
    char payload[84];
    unsigned int ptr = 0xcccccccc;
    memset(payload, 0x00, sizeof payload);
    memset(payload, 0x41, 80);
    memcpy(payload+80, &ret, sizeof (int));
    app[0] = "vuln.exe";
    app[1] = payload;
    app[2] = NULL;
    execve(app[0], app, NULL);
    return 0;

/*vuln.c /
#include <stdio.h>
#include <string.h>
int main (int argc, char *argv[])
    char string[32];
    if (argc > 2)
        printf("Usage: %s <string>\n", argv[0]);
        return 0;
    strcpy(string, argv[1]);
    printf("%s", string);
    return 0;

Environment is Windows.XP.SP.2

I am sorry for my bad english.

-- Laphoo

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]