202
Chapter 14
Figure 14-2: The overwritten SEH entry
Now that you know that you can control the SEH chain on the vulnerable surgemail process with an overly long buffer, it's time to determine the exact length required to overwrite it on the target. As you will recall from our discussions of stand-alone exploit development, before you can use a return address, you first need to find out where, exactly, the overwrite occurs.
We can modify our fuzzer code to create a nonrepeating, random string of characters of a specific length, as shown next:

print_status("Generating fuzzed data...")
# Build an 11,000-byte nonrepeating pattern instead of a run of identical bytes
fuzzed = Rex::Text.pattern_create(11000)
print_status("Sending fuzzed data, buffer length = %d" % fuzzed.length)
# Embed the pattern in the IMAP LIST request that triggers the overflow
req = '0002 LIST () "/' + fuzzed + '" "PWNED"' + "\r\n"
In this listing, we use Rex::Text.pattern_create to generate the nonrepeating random string of characters with our fuzzer. Rerunning the fuzzer module now shows that SEH was overwritten on the target with 684E3368, as shown in Figure 14-3.
Figure 14-3: The SEH overwritten with random characters