Network Security FullDisclosure

RE: [Full-disclosure] What is the crap before SEH?

Subject: RE: [Full-disclosure] What is the crap before SEH?
Date: Thu, 30 Mar 2006 16:42:49 +0700
Here's a picture I drew a while ago, showing the post-overflow phase of the
SEH bounce attack - it might help. If you mess with the short jump, you'll
try and execute the SEH pointer as code, which is why it will barf.

Cheers,

ben 

-----Original Message-----
From: full-disclosure-bounces@lists.grok.org.uk 
[mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf 
Of Tauqeer Ahmad
Sent: Thursday, March 30, 2006 2:36 PM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] What is the crap before SEH?

Hello list,
 
While dissecting the Bluecoat winproxy long header 
vulnerability and the HD Moore exploit for that, I found in 
the stack dump a pointer just before SEH. This pointer is 
said to be "the pointer to next SEH structure". But when 
I changed a single byte of that pointer the exploit didn't 
work, although in my knowledge it should have worked since 
it's SEH which points to POP POP RET and the control 
transfers to our shellcode lying after SEH. I will appreciate 
a reply clarifying where that pointer before SEH 
points to. Is that pointer overwritten with the same address 
that was there before the overflow?
 
It will sound naive to those who already know this concept, 
yet I will appreciate help from those guys by clarifying. 
I also know some guys will come up with the flame as it's the 
hacking culture to flame others who know less than them. But 
I can remember the day when I used to wonder how they break 
into the system and I often got flamed for asking a question. 
Yet I have come along this far by not heeding an ear to their 
flame and by keeping learning. So a flame will not work of course :P
 
Thanks in advance,

Attachment: SEHattackII.png
Description: PNG image

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
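The control flow ben's picture describes (handler = POP POP RET, which returns into the "next SEH" field, so that field must hold a short jump over the handler address) can be checked mechanically when triaging a crash dump. The Python below is an added example, not code from the original thread or from the exploit being discussed: it parses one 8-byte x86 `_EXCEPTION_REGISTRATION_RECORD` out of a constructed stack snapshot, decodes whether the "next" field is an `EB rel8` short jump, and computes where execution would land after a POP POP RET handler. The stack base, the snapshot bytes, the handler value and the `example.dll` image range are all constructed for the example.

```python
import struct

# Constructed 32-bit stack snapshot (not from the original post): stack memory
# captured at the crash, starting at STACK_BASE, with an overwritten
# _EXCEPTION_REGISTRATION_RECORD at RECORD_OFFSET.
STACK_BASE = 0x0012FF40
STACK_SNAPSHOT = bytes([
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,   # filler before the record
    0xEB, 0x06, 0x90, 0x90,                           # "next" field: short jmp +6, two nops
    0x34, 0x12, 0x80, 0x7C,                           # handler field: 0x7C801234 (constructed)
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,   # bytes after the record
    0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
])
RECORD_OFFSET = 8

# Constructed module map: image name -> (start, end) of the loaded image.
IMAGE_RANGES = {"example.dll": (0x7C800000, 0x7C900000)}

JMP_SHORT_OPCODE = 0xEB   # x86 "jmp rel8"


def parse_seh_record(snapshot, offset):
    """Split one 8-byte SEH record into its fields.
    x86 layout: +0 pointer to the next record (0xFFFFFFFF ends the chain),
    +4 pointer to the handler routine."""
    next_raw = snapshot[offset:offset + 4]
    handler, = struct.unpack_from("<I", snapshot, offset + 4)
    return next_raw, handler


def decode_short_jump(next_raw):
    """Return the signed rel8 displacement if the field begins with EB rel8,
    otherwise None (the bytes would be executed as whatever they decode to)."""
    if len(next_raw) < 2 or next_raw[0] != JMP_SHORT_OPCODE:
        return None
    return struct.unpack("<b", next_raw[1:2])[0]


def locate_handler(handler, image_ranges):
    """Name the loaded image containing the handler address, or None."""
    for name, (start, end) in image_ranges.items():
        if start <= handler < end:
            return name
    return None


def triage_seh_record(snapshot, base, offset, image_ranges):
    """Describe the record and where execution goes if the handler is a
    POP POP RET gadget: the ret pops the address of the record itself, so
    the 'next' field is executed as code. A short jump there skips the
    4-byte handler field; anything else is decoded as garbage, which is
    why changing one byte of that field breaks the exploit."""
    next_raw, handler = parse_seh_record(snapshot, offset)
    record_addr = base + offset
    rel = decode_short_jump(next_raw)
    result = {
        "record_addr": record_addr,
        "next_raw": next_raw.hex(),
        "handler": handler,
        "handler_module": locate_handler(handler, image_ranges),
        "next_is_short_jump": rel is not None,
        "landing_addr": None,
    }
    if rel is not None:
        # EB rel8 is two bytes long; the displacement is relative to the
        # address following the instruction.
        result["landing_addr"] = record_addr + 2 + rel
    return result


if __name__ == "__main__":
    intact = triage_seh_record(STACK_SNAPSHOT, STACK_BASE, RECORD_OFFSET, IMAGE_RANGES)
    print("overwritten record:", {k: hex(v) if isinstance(v, int) else v
                                  for k, v in intact.items()})
    # Repeat the experiment from the question: change one byte of the
    # "next" field and see that it no longer decodes as a short jump.
    patched = bytearray(STACK_SNAPSHOT)
    patched[RECORD_OFFSET] = 0x41
    broken = triage_seh_record(bytes(patched), STACK_BASE, RECORD_OFFSET, IMAGE_RANGES)
    print("after changing one byte:", broken["next_is_short_jump"], broken["landing_addr"])
```

For the constructed record the helper reports that the "next" field is a short jump landing at 0x0012FF50, eight bytes past the start of the record, i.e. just after the handler pointer, while the one-byte change reproduces the failure from the question: the field is no longer a jump, so after POP POP RET the CPU would decode the stale pointer bytes as instructions. In a real dump the interesting signal for triage is the combination of a `EB xx` prefix in the next-pointer slot and a handler that lies in a loaded image rather than on the stack.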