background image

Creating Your Own Exploits

201

even longer string of 11,000 bytes, you can overwrite the Structured Excep-
tion Handler (SEH). Controlling the SEH makes the exploit more reliable, 
because it makes it more versatile. Similarly, the use of an application DLL 
for a return address makes the exploit portable across different operating sys-
tem versions.

Figure 14-1: The debugger pauses at the point of the crash.

To send the 11,000-byte string, we make a small change in the fuzzer 

code, as shown here:

print_status("Generating fuzzed data...")

 

fuzzed = "A" * 11000

  print_status("Sending fuzzed data, buffer length = %d" % fuzzed.length)
  req = '0002 LIST () "/' + fuzzed + '" "PWNED"' + "\r\n"

Rather than using the random string of characters, this code modifica-

tion sends a string of 11,000 

A

s as part of the malicious request.

Controlling the Structured Exception Handler

If you restart the 

surgemail

 service, reattach the debugger to the process, 

and rerun the module, you should see the crash that fuzzing found in your 
debugger. If you’re using the Immunity Debugger, you should be able to see 
the contents of the SEH chain by selecting 

View

SEH chain

. Right-click the 

value, which should be 

41414141

, and select 

Follow address in stack

 to dis-

play the stack contents leading to the SEH overwrite in the lower-right pane 
shown in Figure 14-2.