Creating Your Own Exploits
201
even longer string of 11,000 bytes, you can overwrite the Structured Exception Handler (SEH). Controlling the SEH makes the exploit more reliable, because it makes it more versatile. Similarly, the use of an application DLL for a return address makes the exploit portable across different operating system versions.
Figure 14-1: The debugger pauses at the point of the crash.
To send the 11,000-byte string, we make a small change in the fuzzer
code, as shown here:
print_status("Generating fuzzed data...")
fuzzed = "A" * 11000
print_status("Sending fuzzed data, buffer length = %d" % fuzzed.length)
req = '0002 LIST () "/' + fuzzed + '" "PWNED"' + "\r\n"
Rather than using the random string of characters, this code modification sends a string of 11,000 As as part of the malicious request.
Controlling the Structured Exception Handler
If you restart the surgemail service, reattach the debugger to the process, and rerun the module, you should see the crash that fuzzing found in your debugger. If you're using the Immunity Debugger, you should be able to see the contents of the SEH chain by selecting View > SEH chain. Right-click the value, which should be 41414141, and select Follow address in stack to display the stack contents leading to the SEH overwrite in the lower-right pane shown in Figure 14-2.