-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
You have to breakpoint right before an instance in ntdll.dll which
looks like this:
cmp dword [ebp-20],esi
jne adress
mov eax,[UEF]
cmp eax,esi
je address
call eax
if I remember dword [ebp-20] points to 0x00000000 and esi to
0xFFFFFFFF (it should be equal)
you just have then to null out esi (0x00000000)
hope that help :)
RaMatkal a écrit :
Hi,
I am working on a Win heap overflow that gives me control of eax
and ecx and hence allows me to write a double word of memory to an
arbitrary location...
I overwrite the SetUnhandledException filter with an address that
will bounce me back to my shellcode.
the only problem is, that the unhandledexception filter does not
get called while the vulnerable process is being debugged, say with
ollydbg.
I think i remember reading somewhere that it is possible to make
the UnhandledException filter get called from within a standard
debugger such as ollydbg and was wandering if anyone knows how to
do this...
(Kernel level debugger is not an option ie SoftIce)
Thanks very much
RaMatkal
----------------------------------------------------------------------
_______________________________________________ Full-Disclosure -
We believe in it. Charter:
http://lists.grok.org.uk/full-disclosure-charter.html Hosted and
sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
iD8DBQFCuAlHLyZ8K9aT7rARAuM5AJ9HaxpZNko7txzgGO6zU3UCrtqMWQCff6c9
eq3EEG0y0TgCPwr9/k3R+68=
=Ha74
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
