Hi list, I am trying to exploit a stack overflow in an application under Windows XP SP2. The problem is that the content of the buffer I can overflow is converted to Unicode, so I just can control 2 of 4 bytes of the overwritten SEH handler pointer. I have read all papers related to Unicode shellcoding (Venetian method, etc) and understand them fully.
My problem is that I am having some issues regarding the way to bring execution back to my code, which is the previous instance. Supposing I can find a pop,pop,ret (or equivalent) that is "Unicode addressable" and I am able to return to my EXCEPTION_REGISTRATION structure, just before my SEH handler. There, I should do a short JMP/CALL to jump over this record, falling into my shellcode. The problem is that, as this value is also encoded in Unicode, I won't be able to specify a JMP/CALL instruction.

So... how will I land in my code? Am I missing something here?

Thanks,
IvaN!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/