Re: Getting Base Address using the Structured Exception Handler

The answer to "Why" is always "Because." But you can use SEH to search through all of memory in search of anything really. This is a valuable technique often simply because searching for a 64 bit tag via SEH is a lot smaller than almost any other kind of robust Win32 shellcode (CANVAS's is 127 bytes, unencoded). Once you've found your shellcode somewhere else in memory, you can then execute it. (I use a Shellcode: <tag><shellcode> header with IIS exploits just to get it into memory somewhere, for example).

If you're looking for links to shellcode that does this, look for a chunked asp heap overflow exploit written by the chinese...a lot of chinese shellcode does (and has done for years) this trick. Most likely people chose to do this since they didn't know about the fs:(0x30) trick...or didn't want to bother with it. They like to write their shellcode as a C subroutine inside their exploit too, which is somewhat neat, although I don't recommend it personally.

Dave Aitel
Immunity, Inc.
Hack Like a Movie Star: http://www.immunitysec.com/CANVAS/

> I basically am wondering if anyone has links or can
Received on Wed Jun 25 18:57:37 2003