Well, Halvar uses the PEB technique to find kernel32.dll and related infoz.
Check out http://packetstormsecurity.nl/0209-exploits/aspcode.c for an
exploit in typical Chinese style using the SEH technique. Note how the
exploit's shellcode is about three pages of C code, which gets compiled by
Visual Studio into shellcode.

I'm still trying to figure out what these two lines really do...

    k=0x7ffdf020;
    *(int *)k=RtlEnterCriticalSectionadd;

Something to do with thread locking, obviously, but what?

Dave Aitel
Immunity, Inc.
Hack like a pro, without all the Mountain Dew:
http://www.immunitysec.com/CANVAS/

> ----- Original Message -----
> From: <daveat_private>
> To: "Nobody Mind" <cod3po3tat_private>
> Cc: <vuln-devat_private>
> Sent: Wednesday, June 25, 2003 10:28 PM
> Subject: Re: Getting Base Address using the Structured Exception Handler
>
> [snip]
>
>> If you're looking for links to shellcode that does this, look for a
>> chunked asp heap overflow exploit written by the Chinese... a lot of
>> Chinese shellcode does (and has done for years) this trick. Most likely
> [snip]
>
> A [shellcode only] example of this can be seen here:
> http://www.darklab.org/archive/msg00183.html
>
> A couple of useful links that give an overview of the SEH itself:
> http://www.jorgon.freeserve.co.uk/ExceptFrame.htm
> http://www.microsoft.com/msj/0197/Exception/Exception.aspx
>
> FWIW, you may want to hunt around some VX source as the VX folks have been
> doing this for ummmm... ages ;-)
> http://29a.host.sk/ezine.html is probably a good start.
>
> Cheers,
> JJ
This archive was generated by hypermail 2b30 : Thu Jun 26 2003 - 08:44:52 PDT