I am just wrapping up the PWB course and decided to practice on an SEH exploit. I took the Elecard 5.7 m3u exploit http://www.exploit-db.com/exploits/16253/ and tried recreating it under xpsp3 and vista using pvefindaddr (btw thanks for the great paper sickness). I was able to write my own exploit for both that pops up a calc, I used the nice jseh functionality of pvefindaddr for vista since everything but the exe is safeseh protected.
I have had trouble trying to get any other payload to work since the space that seems available is only about 240 bytes, the exploit out there indicates there should be plenty of room for any shell code, I just can't seem to find it. I've got:
junk (4bytes) + nseh + seh + nops(16) + shell(318 bytes) + rest (21000 bytes)
In the debugger it just repeats this before and after my seh pointer until the end of the dump:
junk + nseh + seh + nops + first 220 bytes of shell + 20-30 bytes of rest
It just gets me stuck in a never-ending loop. I've searched memory and can't find the rest of "rest". I did find about 100 bytes or so 700 - 800 bytes up from my seh pointer, which looks like this:
100 bytes + junk (4bytes) + nseh + seh + nops(16) + first 220 bytes of shell + 20-30 bytes of rest
That's where that nasty loop starts. Can anyone give me any pointers on how I might get this working using a large payload (using one that's about 320 bytes)? Those 100 bytes would give me what I want, just not sure how to make use of them.