Re: Exploiting in Unicode and XP SP2
On Tuesday 06 June 2006 10:30, Ivan Stroks wrote:
> The problem I am facing is that the buffer that I can
> overflow, is converted to Unicode before the overrun,
> therefore I can only write an address for the SEH
> handler in the format 00XX00XX, where XX is controlled
> by me.
> Which is the best tool to search for these
> addresses? OllyUni? msfpescan? other?
> Apparently, using these tools I cannot look for,
> for example, a call [ebp+30]... Am I missing something?
Try using memdump.exe (in framework-2.6/tools/) to dump all process
memory, then run msfpescan with the -d option pointing to the memdump
output directory, and -x to specify the call [ebp+0x30] opcode:
$ msfpescan -d [dir] -x "\xff\x55\x30"
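The `msfpescan -x` search above returns every occurrence of the opcode bytes, and the poster still has to pick out the hits whose address fits the 00XX00XX form. The following is an added example, not code from the post or from the Metasploit framework: a small scanner that takes dumped memory regions (base address, bytes), finds every `call [ebp+0x30]` (`\xff\x55\x30`), and keeps only addresses that survive the ANSI-to-Unicode conversion. Two things are assumptions of mine rather than statements from the thread: that the controllable byte must lie in 0x01..0x7F (0x00 would terminate the string, and 0x80..0xFF are remapped by the code page instead of being zero-extended), and that the dump files are named by their hex base address, which is how the constructed-directory loader recovers the base.

```python
import os

# Opcode bytes for call [ebp+0x30], the same pattern passed to msfpescan -x.
CALL_EBP_30 = b"\xff\x55\x30"


def unicode_safe(addr: int) -> bool:
    """True if addr has the 00XX00XX form, i.e. each 16-bit half is 0x00
    followed by a byte the attacker can supply through the conversion.

    Assumption (mine, not from the thread): the controllable byte XX must be
    0x01..0x7F. 0x00 terminates the input, and 0x80..0xFF are translated by
    the ANSI code page rather than simply zero-extended to 00XX.
    """
    if addr < 0 or addr > 0xFFFFFFFF:
        return False
    if addr & 0xFF00FF00:           # the 00 bytes must really be zero
        return False
    lo = addr & 0xFF
    hi = (addr >> 16) & 0xFF
    return 1 <= lo <= 0x7F and 1 <= hi <= 0x7F


def find_pattern(base: int, blob: bytes, pattern: bytes = CALL_EBP_30):
    """Yield every absolute address in a region mapped at base where pattern
    occurs. Overlapping hits are reported too, since an instruction stream
    can be entered at any byte."""
    start = 0
    while True:
        idx = blob.find(pattern, start)
        if idx < 0:
            return
        yield base + idx
        start = idx + 1


def scan_regions(regions, pattern: bytes = CALL_EBP_30):
    """regions: iterable of (base, blob). Return the sorted list of hit
    addresses that pass the Unicode 00XX00XX filter."""
    hits = set()
    for base, blob in regions:
        for addr in find_pattern(base, blob, pattern):
            if unicode_safe(addr):
                hits.add(addr)
    return sorted(hits)


def load_dump_dir(path: str):
    """Load a directory of region dumps. Assumption: each file's name (minus
    extension) is the region's base address in hex, e.g. 00400000.rng.
    Files that do not parse that way are skipped."""
    for name in sorted(os.listdir(path)):
        stem = os.path.splitext(name)[0]
        try:
            base = int(stem, 16)
        except ValueError:
            continue
        with open(os.path.join(path, name), "rb") as fh:
            yield base, fh.read()


def sample_region():
    """Constructed sample, not real process memory: a 0x2000-byte region at
    0x00400000 with the gadget planted at three offsets. Only the hit at
    0x00400010 is Unicode-safe; 0x00400080 has XX outside 0x01..0x7F and
    0x00401234 has a non-zero byte where 00 is required."""
    blob = bytearray(b"\x90" * 0x2000)
    for off in (0x10, 0x80, 0x1234):
        blob[off:off + 3] = CALL_EBP_30
    return 0x00400000, bytes(blob)


if __name__ == "__main__":
    base, blob = sample_region()
    for addr in find_pattern(base, blob):
        tag = "unicode-safe" if unicode_safe(addr) else "rejected"
        print("0x%08x  call [ebp+0x30]  %s" % (addr, tag))
    print("usable:", ["0x%08x" % a for a in scan_regions([(base, blob)])])
```

To run it against a real memdump output directory, replace the constructed region with `scan_regions(load_dump_dir("dumpdir"))`; the filename assumption in `load_dump_dir` is the one part to adjust if the dump tool names its files differently. The filter is the part msfpescan's output does not do for you, and it is deliberately conservative: loosening the XX range to include 0x80..0xFF is only valid after checking how the target's code page maps those bytes.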