SEH Exploit and trouble with shellcode

[Kx499]

I am just wrapping up the PWB course and decided to practice on an SEH exploit. I took the Elecard 5.7 m3u exploit http://www.exploit-db.com/exploits/16253/ and tried recreating it under xpsp3 and vista using pvefindaddr (btw thanks for the great paper sickness). I was able to write my own exploit for both that pops up a calc, I used the nice jseh functionality of pvefindaddr for vista since everything but the exe is safeseh protected.

I have had trouble trying to get any other payload to work since the space that seems available is only about 240 bytes, the exploit out there indicates there should be plenty of room for any shell code, I just can't seem to find it. I've got:

junk (4bytes) + nseh + seh + nops(16) + shell(318 bytes) + rest (21000 bytes)

In the debugger it just repeats this before and after my seh pointer until the end of the dump:
junk + nseh + seh +nops + first 220 bytes of shell + 20-30 bytes of rest

it just gets me stuck in a never ending loop. I've searched memory and can't find the rest of "rest". I did find about 100 bytes or so 700 - 800 bytes up from my seh pointer, which looks like this:

100 bytes + junk (4bytes) + nseh + seh + nops(16) + + first 220 bytes of shell + 20-30 bytes of rest

That's where that nasty loop starts. Can anyone give me any pointers on how I might get this working using a large payload (using one thats about 320 bytes)? Those 100 bytes woudl give me what I want, just not sure how to make use of them.

[Dudeman02379]

I haven't tried this exploit but if you look through memory do you see any other areas that have an unbroken block of whatever character you are using to overflow the buffer? For example if you are using

Code:

rest = "\x90"*(21000)

do you see anywhere in memory with 320 or more consecutive \x90 bytes?

If so it may be possible to use some creative jumps to hit this space. Or possibly look into egghunters.

This topic isn't really directly related to backtrack so your thread might get locked by one of the mods. Feel free to pm me if you want some help and I can try to find some time to play with this exploit.

[pigtail23]

have u tried exactly to inject like this:

rest = "\x90"*(21000-len(header+junk+nseh+seh+nops+sc))

[Kx499]

Thanks.

pigtail, I just tried that combination with the same results.

Dudeman, I did search in memory and all I could find was 264 nops (close but no cigar) at the top of that repeating pattern that I was talking about. I'm new to egg hinters, and I looked into that, but couldn't find a spot that I could fit my shell code. I'll hit you up with a pm, not sure how to split my shell code up like that and still make it work.

[Dudeman02379]

I responded via PM with some good links. Let me know how it goes.

[pigtail23]

have you checked your shellcode for badchars?

[Kx499]

Yep, but I don't think the bad chars isn't the problem it just gets cut off due to lack of space.

Dudeman sent me some links from the corelan site that I am reading through right now....just from what I gathered from a brief read through it looks like I need to implement an omelet hunter but I need to play around with it a little first. Definitely learning a few things with what I though was going to be a simple seh exploit to recreate.

[Kx499]

Just to follow up, omlet hunter was the answer.......but not with-out a lot of trial and error. I actually had to modify the omlet hunter code to start it's search at the top of the current stack instead the bottom of the stack as it defaults to.

Thanks again to dudeman for the pointers, tried to send you a pm, but private messages seem to be down. Was a great learning experience.....learned a lot of tricks with the debugger and some asm along the way.

[Dudeman02379]

Happy to help. I actually tried to send you a pm today to see how it was going but I also saw that pm was down. I was wondering if it was just me but it looks like it isn't. If you don't mind I would like to see how the exploit turned out. I'll send you a pm when they start working again.

[bolexxx]

if you want to share the links or pointers, use the forum. its what its for. if you want to chat over pm, then there is no need for this thread