[Full-disclosure] Exploiting stack-overflows in Unicode/XPSP2 - Further questions
ivanstroks at yahoo.co.nz
Wed Jun 7 14:12:05 BST 2006
I am trying to exploit a stack overflow in an
application under Windows XP SP2.
The problem is that the content of the buffer I can
overflow is converted to Unicode, so I just can
control 2 of 4 bytes of the overwritten SEH handler
I have read all papers related to Unicode shellcoding
(Venetian method, etc) and understand them fully.
My problem is that I am having some issues regarding
the way to bring execution back to my code, which is
the previous instance.
Supposing I can find a pop,pop,ret (or equivalent)
"unicode addressable" and I am able to return to my
EXCEPTION_REGISTRATION structure, just before my SEH
handler. There, I should do a short JMP/CALL to jump
over this record, falling in my shellcode. The problem
is that, as this value is also encoded in Unicode, I
won't be able to specify a JMP/CALL instruction.
So...how will I land in my code? I am missing
Send instant messages to your online friends http://au.messenger.yahoo.com
Full-Disclosure is hosted and sponsored by Secunia.