Vulnerability Development: Re: 3COM TFTPD Overflow: SEH Overwrite

Re: 3COM TFTPD Overflow: SEH Overwrite

From: <lists_at_skilltube.com>
Date: Mon, 04 Feb 2008 18:31:51 +0100

What vulnerability are you trying to exploit? This one?

http://www.securityfocus.com/bid/21322

In your document, you say

"I look for POP/POP/RET ws2_32.dll (to avoid SafeSEH restrictions?)"

are you telling or asking? Can you please provide a little more info.
Otherwise it is hard to help here. If you try to exploit the
vulnerability mentioned above, send the following request (perl style):

$buffer = "\x00\x01";      # opcode 1: TFTP read request (RRQ)
$buffer .= "\x41\x00";     # filename field: "A", NUL-terminated
$buffer .= "A" x 480;      # mode field: 480 bytes with no NUL terminator

That should give you control over eip. By selecting the right return
address, you end up in a reliable exploit.

Quoting jeremy.junginger_at_gmail.com:

> I'm attempting to exploit an already known bug in 3COM TFTPD server,
> and execute "calc.exe" with my shellcode. I have control of
> ECX/EIP, and can overwrite both SEH and pointer to next SEH
> successfully, and have used:
>
> Pointer to next SEH: \xeb\x10\x90\x90
> SEH: \x69\x12\xab\x71 (POP/POP/RET in ws2_32.dll)
>
> A full writeup with screenshots is available at:
> http://filebin.ca/pmuwqm/SEHOverwrite.rtf
>
> I'm getting "Debugged program was unable to process exception", so I
> hit shift+f9 (in olly) and it terminates with some strange exit
> code. Could you take a peek and see what I'm missing here?
>
> Thanks guys!
>
> -jj
>
Received on Feb 04 2008
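A defender-side check for the request format described in the reply above: an added Python example, not code from the thread, that parses a TFTP read/write request and flags the missing terminator and oversized field a server must reject before copying the data. The length limits MAX_FILENAME and MAX_MODE are assumptions (RFC 1350 sets none, which is exactly why an unchecked copy overflows); RFC 2347 option fields are not modelled.

```python
import struct

# TFTP opcodes from RFC 1350
RRQ, WRQ = 1, 2
# Assumed sane limits; the protocol itself imposes none.
MAX_FILENAME = 255
MAX_MODE = 8  # longest legitimate mode string is "netascii"
VALID_MODES = {b"netascii", b"octet", b"mail"}

# Constructed sample: the request shape from the reply (opcode 1, "A\0", 480 x "A").
MALFORMED_REQUEST = b"\x00\x01" + b"A\x00" + b"A" * 480
# Constructed sample: a well-formed read request for comparison.
WELL_FORMED_REQUEST = b"\x00\x01" + b"boot.cfg\x00" + b"octet\x00"


def inspect_tftp_request(pkt: bytes) -> list:
    """Return a list of findings for an RRQ/WRQ packet; an empty list means well-formed."""
    findings = []
    if len(pkt) < 4:
        return ["truncated: shorter than opcode + minimal fields"]
    opcode = struct.unpack("!H", pkt[:2])[0]
    if opcode not in (RRQ, WRQ):
        return [f"not an RRQ/WRQ (opcode {opcode})"]
    # Layout after the opcode: filename NUL mode NUL
    fields = pkt[2:].split(b"\x00")
    filename = fields[0]
    mode = fields[1] if len(fields) > 1 else b""
    if len(fields) < 3:
        findings.append("mode field is not NUL-terminated")
    elif fields[2:] != [b""]:
        findings.append("unexpected data after mode field")
    if len(filename) > MAX_FILENAME:
        findings.append(f"filename too long ({len(filename)} bytes)")
    if len(mode) > MAX_MODE:
        findings.append(f"mode too long ({len(mode)} bytes)")
    elif mode.lower() not in VALID_MODES:
        findings.append(f"unknown mode {mode!r}")
    return findings


if __name__ == "__main__":
    for label, pkt in (("well-formed", WELL_FORMED_REQUEST), ("malformed", MALFORMED_REQUEST)):
        print(label, inspect_tftp_request(pkt) or "ok")
```

The same check run in front of a real server (or as a packet-capture filter) turns the silent overflow into a logged rejection of the oversized mode field.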
