odd exploitation question

[Jeremy Kelley <jeremy () austin ibm com>]

I'm a little stumped writing an exploit for an ActiveX object and so I
figured I'd pester this list for a bit of help.

My exploit works flawlessy when attached to the process in the
debugger.  Doesn't exec calc.exe when run w/o a debugger.

I'm overwriting an SEH func pointer, doing the pop/pop/ret back into
my shellcode, and everything runs fine.  The payload is a simple
_execv call that pops up calc.exe.  Platform at this point is
Win2k/IE6.

Questions:

1) The heap is different when run under a debugger (thx HD for the
tip), but, I'm attaching the process with Olly _after_ it's already
running.  Windows doesn't do some whacked-out mojo and start using the
debug-heap on any heap allocations following, right?  I can't fathom
how that would work.

2) What could cause the shellcode to execute flawlessly under a
debugger but not other times.  It's an exec - so I can't imagine the
process is dying before it's kickstarted calc.exe.. exec doesn't work
that way.

Any help is greatly appreciated.  If I've left out necessary details,
I'll be glad to share.

thanks for reading this far,
jeremy

-- 
Jeremy Kelley <jeremy () austin ibm com>        Threat Assessment Analyst
gpg  1024D/E0DF8B2D  4BC3 B8B5 5B42 CC8E B6A9 2E85 32D3 C51C E0DF 8B2D
That's the problem with science.  You've got a bunch of empiricists
trying to describe things of unimaginable wonder.      -Bill Watterson
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave