Here's a picture I drew a while ago, showing the post-overflow phase of the SEH bounce attack - it might help. If you mess with the short jump, you'll try and execute the SEH pointer as code, which is why it will barf.

Cheers,
ben

> -----Original Message-----
> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
> [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Tauqeer Ahmad
> Sent: Thursday, March 30, 2006 2:36 PM
> To: full-disclosure@xxxxxxxxxxxxxxxxx
> Subject: [Full-disclosure] What is the crap before SEH?
>
> Hello list,
>
> While dissecting the Bluecoat winproxy long header vulnerability and the HD Moore exploit for that, I found in the stack dump a pointer just before SEH. This pointer is said to be "the pointer to next SEH structure". But when I changed a single byte of that pointer the exploit didn't work, although in my knowledge it should have worked since it's SEH which points to POP POP RET and the control transfers to our shellcode lying after SEH. I will appreciate a reply clearing up where that pointer before SEH points to. Is that pointer overwritten with the same address that was there before the overflow?
>
> It will sound naive for those who already know this concept, yet I will appreciate help from those guys by clarifying. I also know some guys will come up with the flame as it's the hacking culture to flame others who know less than them. But I can remember the day when I used to wonder how they break into the system and I often got flamed for asking a question. Yet I have come along this far by not heeding an ear to their flame and by keeping learning. So a flame will not work of course :P
>
> Thanks in advance,
Attachment:
SEHattackII.png
Description: PNG image
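As an added example (not from either mail in the thread), a small C model of the 32-bit SEH record the question is about, with a SEHOP-style chain walk showing why an overwritten "pointer before SEH" breaks the chain: the record is two DWORDs, Next then Handler, and once Next is replaced with bytes that no longer point to another record on the stack, the chain can no longer be walked to its final handler. The stack base, the handler addresses and the 0x41414141 overwrite bytes are constructed placeholders.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* 32-bit _EXCEPTION_REGISTRATION_RECORD as it sits on the stack: the
   "pointer before SEH" from the thread is Next, the "SEH" is Handler. */
typedef struct { uint32_t next; uint32_t handler; } seh_record;
#define CHAIN_END 0xFFFFFFFFu

/* Constructed image of a 32-bit thread stack: base address plus bytes. */
typedef struct { uint32_t base; const uint8_t *mem; size_t len; } stack_img;

static uint32_t get32(const uint8_t *p) {  /* little-endian load */
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put32(uint8_t *p, uint32_t v) {  /* little-endian store */
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Load one record; fails if the address is not inside the stack image. */
static int read_record(const stack_img *s, uint32_t addr, seh_record *out) {
    if (addr < s->base || addr - s->base > s->len - 8) return 0;
    out->next = get32(s->mem + (addr - s->base));
    out->handler = get32(s->mem + (addr - s->base) + 4);
    return 1;
}

/* SEHOP-style check: every Next must point further up the same stack and
   the last record must still carry the known final handler. 1 = intact. */
int seh_chain_intact(const stack_img *s, uint32_t head, uint32_t final_handler) {
    uint32_t addr = head;
    for (int hops = 0; hops < 64; hops++) {
        seh_record r;
        if (!read_record(s, addr, &r)) return 0;      /* Next left the stack */
        if (r.next == CHAIN_END) return r.handler == final_handler;
        if (r.next <= addr) return 0;                  /* loop or downward link */
        addr = r.next;
    }
    return 0;
}

/* Two-record chain at a constructed base; smashed=1 overwrites the first
   record's Next and Handler with filler bytes, as the overflow would. */
int demo_chain(int smashed) {
    static uint8_t mem[0x20];
    const uint32_t base = 0x0012FF00u, final = 0x77001234u; /* placeholders */
    memset(mem, 0, sizeof mem);
    put32(mem + 0x10, base + 0x18); put32(mem + 0x14, 0x00401000u); /* record 1 */
    put32(mem + 0x18, CHAIN_END);   put32(mem + 0x1C, final);        /* record 2 */
    if (smashed) { put32(mem + 0x10, 0x41414141u); put32(mem + 0x14, 0x41414141u); }
    stack_img s = { base, mem, sizeof mem };
    return seh_chain_intact(&s, base + 0x10, final);
}
```

Walking the intact image reaches the final handler; walking the smashed one stops at the first record because its Next no longer addresses anything on the stack, which is the property SEHOP relies on.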
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/