Re: Getting Base Address using the Structured Exception Handler

From: <dave(at)immunitysec.com>
Date: Thu Jun 26 2003 - 07:04:32 EDT

Well, Halvar uses the PEB technique to find kernel32.dll and related infoz. Check out http://packetstormsecurity.nl/0209-exploits/aspcode.c for an exploit in typical Chinese style using the SEH technique. Note how the exploit's shellcode is about three pages of C code, which gets compiled by Visual Studio into shellcode.

I'm still trying to figure out what these two lines really do...

    k=0x7ffdf020;
    *(int *)k=RtlEnterCriticalSectionadd;

Something to do with thread locking, obviously, but what?

Dave Aitel
Immunity, Inc.
Hack like a pro, without all the Mountain Dew: http://www.immunitysec.com/CANVAS/

>
> ----- Original Message -----
> From: <dave@immunitysec.com>
> To: "Nobody Mind" <cod3po3t@yahoo.com>
> Cc: <vuln-dev@securityfocus.com>
Received on Thu Jun 26 11:57:55 2003
