Dailydave mailing list archives
odd exploitation question
From: Jeremy Kelley <jeremy () austin ibm com>
Date: Thu, 24 Aug 2006 10:10:59 -0500
I'm a little stumped writing an exploit for an ActiveX object and so I figured I'd pester this list for a bit of help. My exploit works flawlessly when attached to the process in the debugger. Doesn't exec calc.exe when run w/o a debugger. I'm overwriting an SEH func pointer, doing the pop/pop/ret back into my shellcode, and everything runs fine. The payload is a simple _execv call that pops up calc.exe. Platform at this point is Win2k/IE6.

Questions:

1) The heap is different when run under a debugger (thx HD for the tip), but, I'm attaching the process with Olly _after_ it's already running. Windows doesn't do some whacked-out mojo and start using the debug-heap on any heap allocations following, right? I can't fathom how that would work.

2) What could cause the shellcode to execute flawlessly under a debugger but not other times. It's an exec - so I can't imagine the process is dying before it's kickstarted calc.exe.. exec doesn't work that way.

Any help is greatly appreciated. If I've left out necessary details, I'll be glad to share.

thanks for reading this far,
jeremy

--
Jeremy Kelley <jeremy () austin ibm com>
Threat Assessment Analyst
gpg 1024D/E0DF8B2D 4BC3 B8B5 5B42 CC8E B6A9 2E85 32D3 C51C E0DF 8B2D

That's the problem with science. You've got a bunch of empiricists trying to describe things of unimaginable wonder. -Bill Watterson
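The post above describes the classic post-exploitation symptom of a browser-side payload: the browser process spawns a child it never legitimately would (here, calc.exe from iexplore.exe). The following is an added example, not code from the post or from any of the thread's participants, showing the detection a defender would run over process-creation events to catch that behaviour; the log lines, field names (Sysmon-style key=value), and the allow-list of legitimate children are constructed assumptions.

```python
"""Flag browser processes that spawn unexpected children.

Added example for this thread, not the poster's code. Event lines are constructed to
resemble Sysmon Event ID 1 (process creation) in key=value form; the field names and
the browser/child allow-list are assumptions and should be tuned to real telemetry.
"""
import re
from dataclasses import dataclass

# Parents whose children we scrutinise (assumption: image names as they appear in logs).
BROWSER_PARENTS = {"iexplore.exe", "firefox.exe", "chrome.exe"}

# Children a browser is expected to spawn (assumption: environment-specific allow-list).
ALLOWED_CHILDREN = {
    "iexplore.exe": {"iexplore.exe", "ieuser.exe"},
    "firefox.exe": {"firefox.exe", "plugin-container.exe"},
    "chrome.exe": {"chrome.exe"},
}

# key=value pairs; values may be double-quoted to allow spaces (e.g. "Program Files").
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    timestamp: str
    parent: str
    child: str
    command_line: str


def parse_event(line: str) -> dict:
    """Parse one key=value event line into a dict, stripping surrounding quotes."""
    return {key: raw.strip('"') for key, raw in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Return the lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_browser_children(lines) -> list:
    """Return a Finding for every process-creation event where a browser spawns
    a child that is not on its allow-list."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "1":          # only process-creation events
            continue
        parent = basename(ev.get("ParentImage", ""))
        child = basename(ev.get("Image", ""))
        if parent in BROWSER_PARENTS and child not in ALLOWED_CHILDREN.get(parent, set()):
            findings.append(Finding(ev.get("UtcTime", ""), parent, child, ev.get("CommandLine", "")))
    return findings


# Constructed sample events: one matches the payload behaviour described in the post.
SAMPLE_EVENTS = [
    'EventID=1 UtcTime="2006-08-24 15:10:59" Image="C:\\WINNT\\system32\\calc.exe" '
    'CommandLine="calc.exe" ParentImage="C:\\Program Files\\Internet Explorer\\iexplore.exe"',
    'EventID=1 UtcTime="2006-08-24 15:11:02" Image="C:\\Program Files\\Internet Explorer\\iexplore.exe" '
    'CommandLine="iexplore.exe -new" ParentImage="C:\\Program Files\\Internet Explorer\\iexplore.exe"',
    'EventID=1 UtcTime="2006-08-24 15:11:30" Image="C:\\WINNT\\system32\\notepad.exe" '
    'CommandLine="notepad.exe" ParentImage="C:\\WINNT\\explorer.exe"',
    'EventID=3 UtcTime="2006-08-24 15:11:31" Image="C:\\Program Files\\Internet Explorer\\iexplore.exe" '
    'DestinationPort=80',
]

if __name__ == "__main__":
    for f in detect_browser_children(SAMPLE_EVENTS):
        print(f"{f.timestamp} {f.parent} -> {f.child} ({f.command_line})")
```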
Current thread:
- odd exploitation question Jeremy Kelley (Aug 24)
- Re: odd exploitation question Alexander Sotirov (Aug 24)
- Re: odd exploitation question Dave Korn (Aug 24)
- Re: odd exploitation question RaMatkal (Aug 27)
- Re: odd exploitation question mikeiscool (Aug 25)
- reply summary (was: odd exploitation question) Jeremy Kelley (Sep 02)
- Re: reply summary Jared DeMott (Sep 03)