Re: [VulnDiscuss] Main thread's exception handler
From: Halvar Flake (HalVar at gmx.de)
Date: Tue May 18 2004 - 17:04:49 CDT
Hey all,
I have not read the exploit either, but the first thread's TEB address
is static, and if you happen to know what you're doing you can use this
to hijack the top-level pointer to the SEH chain (fs:0 of the first
thread is aliased to 0x7FFDE000 if I recall correctly) reliably -- this
is superior to using the UnhandledExceptionFilter ptr. The technique
is not much fun unless you can do multiple (read: as many as you wish)
writes, and I would assume it is far inferior to other published approaches.
It is quite aged as well ("vintage exploits" ;), dating to some time around
2001/2002 IIRC.

If you get a decent number of writes, it can be quite useful though. Does
anyone know more about Windows randomizing TEB/PEB addresses in XP SP2?
Cheers,
Halvar
--
"You have new mail!" - The GMX Toolbar keeps you informed while you surf!
Activate it now at http://www.gmx.net/info
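The hijack Halvar describes, modelled in portable C as an added example (this is not code from the post and not Windows itself). The SEH chain head at fs:[0] is modelled as the first field of a TEB struct, and registration records follow the real Next/Handler layout with the real 0xFFFFFFFF chain terminator; the exception dispatcher is a deliberate simplification with none of the validation later Windows versions added. The TEB is a global whose address the attacker is assumed to know, which is exactly what a static TEB buys them; 0x7FFDE000 is the post's recollection and nothing here depends on it. The fake record is assumed to live in attacker-writable memory at a known address. The point the code makes concrete is the write budget: forging a record costs two pointer writes and repointing fs:[0] costs a third, which is why the trick wants "multiple writes".

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the SEH-chain-head hijack; not code from the post
 * or from Windows. The dispatcher below is intentionally minimal. */

typedef int (*seh_handler_t)(void);

typedef struct exception_registration {
    struct exception_registration *next;  /* next record; CHAIN_END terminates */
    seh_handler_t handler;                /* called when an exception is raised */
} exception_registration_t;

/* The real SEH chain ends with Next == 0xFFFFFFFF. */
#define CHAIN_END ((exception_registration_t *)-1)

/* Only the TEB field the technique touches: ExceptionList at offset 0 (fs:[0]). */
typedef struct {
    exception_registration_t *exception_list;
} teb_t;

/* ASSUMPTION: the attacker knows &main_teb, standing in for the static
 * first-thread TEB the post describes. */
static teb_t main_teb;
static exception_registration_t legit_record;
/* ASSUMPTION: attacker-writable memory at a known address for the forged record. */
static exception_registration_t fake_record;

static int legit_called, attacker_called;

/* Legitimate handler declines, so the search continues down the chain. */
static int legit_handler(void) { legit_called++; return 0; }
/* Attacker's handler; in a real exploit this is where shellcode would run. */
static int attacker_handler(void) { attacker_called++; return 1; }

/* The bug primitive the technique needs: a pointer-sized write-what-where. */
static void write_where(uintptr_t where, uintptr_t what) {
    memcpy((void *)where, &what, sizeof what);
}

/* Simplified dispatch: start at fs:[0] and call handlers until one claims the
 * exception. Returns 1 if handled, 0 if the chain is exhausted (Windows would
 * then fall through to the UnhandledExceptionFilter path the post compares against). */
static int dispatch_exception(const teb_t *teb) {
    exception_registration_t *rec = teb->exception_list;
    int hops = 0;                         /* guard against a looped chain */
    while (rec != CHAIN_END && rec != NULL && hops++ < 64) {
        if (rec->handler && rec->handler())
            return 1;
        rec = rec->next;
    }
    return 0;
}

/* What the program itself does at startup: install one legitimate handler. */
static void setup_legit_chain(void) {
    legit_record.next = CHAIN_END;
    legit_record.handler = legit_handler;
    main_teb.exception_list = &legit_record;
    legit_called = attacker_called = 0;
}

/* The hijack expressed purely through the write primitive. Returns the number
 * of writes spent: two to forge the record (Next, Handler) and one to repoint
 * fs:[0]. If attacker-controlled bytes already sit at a known address, the
 * first two writes are unnecessary and a single write suffices. */
static int hijack_seh_chain(uintptr_t teb_addr, exception_registration_t *fake) {
    int writes = 0;
    write_where((uintptr_t)&fake->next, (uintptr_t)CHAIN_END);             writes++;
    write_where((uintptr_t)&fake->handler, (uintptr_t)attacker_handler);   writes++;
    /* ExceptionList is at offset 0 of the TEB, mirroring fs:[0]. */
    write_where(teb_addr + offsetof(teb_t, exception_list), (uintptr_t)fake); writes++;
    return writes;
}

int main(void) {
    setup_legit_chain();
    int handled = dispatch_exception(&main_teb);
    printf("before hijack: handled=%d legit=%d attacker=%d\n",
           handled, legit_called, attacker_called);
    int n = hijack_seh_chain((uintptr_t)&main_teb, &fake_record);
    handled = dispatch_exception(&main_teb);
    printf("after %d writes: handled=%d legit=%d attacker=%d\n",
           n, handled, legit_called, attacker_called);
    return 0;
}
```

Before the hijack the dispatcher walks to the legitimate handler, which declines, and the exception goes unhandled; after three writes the chain head points at the forged record and the attacker's handler runs first. The legitimate record is never touched, which is the reliability argument in the post: the attacker only needs the TEB address to be stable, not any stack layout.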