Re: Getting Base Address using the Structured Exception Handler

From: daveat_private
Date: Wed Jun 25 2003 - 14:28:06 PDT


    The answer to "Why" is always "Because." But you can use SEH to search
    through all of memory in search of anything really. This is a valuable
    technique often simply because searching for a 64 bit tag via SEH is a lot
    smaller than almost any other kind of robust Win32 shellcode (CANVAS's is
    127 bytes, unencoded). Once you've found your shellcode somewhere else in
    memory, you can then execute it. (I use a Shellcode: <tag><shellcode>
    header with IIS exploits just to get it into memory somewhere, for
    example).
    
    If you're looking for links to shellcode that does this, look for a
    chunked ASP heap overflow exploit written by the Chinese... a lot of
    Chinese shellcode does (and has done for years) this trick. Most likely
    people chose to do this since they didn't know about the fs:(0x30)
    trick...or didn't want to bother with it. They like to write their
    shellcode as a C subroutine inside their exploit too, which is somewhat
    neat, although I don't recommend it personally.
    
    Dave Aitel
    Immunity, Inc.
    Hack Like a Movie Star: http://www.immunitysec.com/CANVAS/
    
    > I basically am wondering if anyone has links or can
    > post a short explanation of why (not how) using the
    > SEH method works for getting the base
    > address of kernel32.dll and others?
    > Thanks
    



    This archive was generated by hypermail 2b30 : Wed Jun 25 2003 - 15:44:54 PDT