Home page logo

Vulnerability Development mailing list archives

Re: debugging seh overwrite
From: "Karma" <karma () frij com au>
Date: Tue, 21 Mar 2006 19:22:18 +1100

Hey, my english isnt great either...

I am not an Ollydbg user but STEP OVER until your CALL STRCPY is reached, then STEP INTO the strcpy function one level. Then you keep STEP OVER until you see the RETN call from that function. You should see how your buffer overwrite, in this case 41414141h overwrite EIP and possibly ESP too. If you want to see the pointer be overwritten actually, you need to step into function which possible has a rep mov in strcpy, I dont know where. But you can see if you monitor destination of rep mov

Also in your case, I havent tried but you simply set EIP to 41414141h which

a. is not the stack address, likely causes segfault
b. is invalid opcode, no valid slide

Find offset of EIP using the crash, and use 90h as padding to try  :)

Your code - memset(payload, 0x41, 80);  \\  try 0x90
Your code - memcpy(payload+80, &ret, sizeof (int)); \\ yeah you need &ret and you need to check offset at eip

Sorry if I misunderstand your question....



----- Original Message ----- From: <laphoo () gmail com>
To: <vuln-dev () securityfocus com>
Sent: Monday, March 20, 2006 1:19 PM
Subject: debugging seh overwrite

Hello, I would like to know a way to debugging a vulnerable program, where I am overwriting the se handler with my address. I have OllyDbg as just in time debugger. If my exploit-buffer reaches the pointer to the next seh record, nothing happens. Now I was trying to put breakpoint instructions 0xcc) as fake pointer but OllyDbg ignored them, or I did something wrong. How is it possible to debug my vulnerable program with OllyDbg, to see where and with which data I overwrote something?

/* cl expl.c (Visual C++ 6.0) */
#include <stdio.h>
#include <string.h>
int main (void)
   char *app[3];
   char payload[84];
   unsigned int ptr = 0xcccccccc;
   memset(payload, 0x00, sizeof payload);
   memset(payload, 0x41, 80);
   memcpy(payload+80, &ret, sizeof (int));
   app[0] = "vuln.exe";
   app[1] = payload;
   app[2] = NULL;
   execve(app[0], app, NULL);
   return 0;

/*vuln.c /
#include <stdio.h>
#include <string.h>
int main (int argc, char *argv[])
   char string[32];
   if (argc > 2)
       printf("Usage: %s <string>\n", argv[0]);
       return 0;
   strcpy(string, argv[1]);
   printf("%s", string);
   return 0;

Environment is Windows.XP.SP.2

I am sorry for my bad english.

-- Laphoo

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]