Exploiting in Unicode and XP SP2

I am trying to exploit a stack buffer overflow in a
Windows application running on XP SP2.
I'm able to overrun the buffer and modify SEH.
The problem I am facing is that the buffer that I can
overflow is converted to Unicode before the overrun,
therefore I can only write an address for the SEH
handler in the format 00XX00XX, where XX is controlled
by me.

I have already read the papers for writing shellcode
in Unicode, using the Venetian method, and understand
them completely.

What I need is a way to return to my shellcode, which
should be achieved by using some "fixed" address where
a call/jmp/pop pop ret instruction can be found.

So here are the questions:

. Which is the best tool to search for these
addresses? OllyUni? msfpescan? Other?
Apparently, using these tools I cannot look for,
for example, a call [ebp+30]... Am I missing something?

. I have found an address with a call [ebp+30] in
Unicode.nls. In Windows 2000, I can execute the
instruction located in that memory space, whereas in
XP, I cannot. Does XP prevent the execution of
instructions if the memory doesn't have Execute access?
Because I can execute in W2K, but not in XP.

Any help would be really appreciated.
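The second question is about the mitigation the poster is running into: XP SP2 introduced hardware-enforced DEP, which makes the CPU refuse an instruction fetch from a page that lacks Execute permission (on Windows 2000 the same page would simply execute). The program below is an added example, not part of the original post, and is a Linux analogue of that behaviour using the NX bit: it copies a tiny "return 42" stub into a fresh page, maps the page once as read/write and once as read/write/execute, and reports whether the call ran or faulted. It assumes x86-64 or AArch64 Linux with gcc or clang; the stub bytes and return codes are my own construction.

```c
/* nx_demo.c: does the kernel/CPU refuse to execute code from a page that
 * has no Execute permission?  Linux analogue of XP SP2 hardware DEP (NX). */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf fault_env;

/* Fault handler: unwind back into run_from_page() instead of dying. */
static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_env, 1);
}

/* Constructed, position-independent stub meaning "return 42". */
#if defined(__x86_64__)
static const unsigned char stub[] = {
    0xF3, 0x0F, 0x1E, 0xFA,        /* endbr64 (plain NOP without CET) */
    0xB8, 0x2A, 0x00, 0x00, 0x00,  /* mov eax, 42 */
    0xC3                           /* ret */
};
#elif defined(__aarch64__)
static const unsigned char stub[] = {
    0x5F, 0x24, 0x03, 0xD5,  /* bti c (plain NOP without BTI) */
    0x40, 0x05, 0x80, 0x52,  /* mov w0, #42 */
    0xC0, 0x03, 0x5F, 0xD6   /* ret */
};
#else
#define NO_STUB 1
#endif

/* Copy the stub into a fresh page, set the page protection to 'prot'
 * and call into it.  Return values (my own convention):
 *   42  the stub executed (page was executable)
 *   -1  the instruction fetch faulted (NX / DEP enforced)
 *   -2  the page could not be mapped or protected
 *   -3  unsupported CPU architecture */
int run_from_page(int prot)
{
#ifdef NO_STUB
    (void)prot;
    return -3;
#else
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    /* Map writable first so the stub can be copied in, then apply 'prot'. */
    unsigned char *mem = mmap(NULL, page, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED)
        return -2;
    memcpy(mem, stub, sizeof stub);
    if (mprotect(mem, page, prot) != 0) {
        munmap(mem, page);
        return -2;
    }
    /* Keep the instruction cache coherent (needed on AArch64, harmless on x86). */
    __builtin___clear_cache((char *)mem, (char *)mem + sizeof stub);

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    volatile int result;
    if (sigsetjmp(fault_env, 1) == 0) {
        int (*fn)(void);
        memcpy(&fn, &mem, sizeof fn);  /* data pointer -> function pointer */
        result = fn();                 /* the instruction fetch happens here */
    } else {
        result = -1;                   /* SIGSEGV: execution was refused */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(mem, page);
    return result;
#endif
}

int main(void)
{
    printf("RW  page: %d\n", run_from_page(PROT_READ | PROT_WRITE));
    printf("RWX page: %d\n", run_from_page(PROT_READ | PROT_WRITE | PROT_EXEC));
    return 0;
}
```

Build with `cc -O2 nx_demo.c -o nx_demo`. The read/write page faults and the read/write/execute page returns 42, which is the same distinction XP SP2 draws: data pages such as a loaded resource file are not executable, so a "gadget" found in them is not reachable once DEP is on, and memory scans should be limited to pages that actually carry execute permission.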
