Added SEH notes
1nPr0c committed Sep 14, 2015
1 parent 0d6a65e commit 35bc20e
Showing 1 changed file with 14 additions and 1 deletion.
15 changes: 14 additions & 1 deletion Cheatsheet_ExploitDev.txt
@@ -39,4 +39,17 @@ for buffstring in buffer:
"\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef"
"\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe"
"\xff"
"\xff"


[+] Structured Exception Handler (SEH) Exploitation notes

- Crash the application
- Check SEH overwirte (view-seh chain)
- Find offset (!mona pattern_create <length>)
- Find certain SEH references to the cyclic pattern (!mona findmsp)
- Verify offset to NSEH (Next Exception)
- Find POP/POP/RET address with mona (!mona seh -cpb <bad chars>)
- Add short jump into payload to jump ofver SEH ("\xeb\x06" + 2 bytes of padding)
- Add shellcode to the payload
- Ensure existing padding to make sure the crash still happens.
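Review bot: the new checklist items at the end of this hunk carry two typos ("overwirte" in the "Check SEH overwirte" line and "ofver" in the short-jump line), and the last item, "Ensure existing padding to make sure the crash still happens.", is ambiguous as written; if the intent is that the total buffer length must stay the same after the jump and shellcode are inserted so the original crash still reproduces, say so explicitly, e.g. "Keep the total buffer length unchanged so the original crash still reproduces." Separately, the two "\xff" lines at the top of the hunk look identical, so the single deletion counted in the header (14 additions, 1 deletion) is most likely a trailing-whitespace or line-ending change; worth confirming it was intentional rather than an editor artifact.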
