
The instructions that suits us is a POP-POP-RET. So we need an instruction or a set of instructions, that can jump to that position of the stack. If we quickly inspect that state of the stack, we are going to see that in the third position of the stack, is located our A’s string. If we press SHIFT + F9 we are going to pass exception the program and we are going to reach the memory address 00410041, our SEH value. Where is our buffer located and what instruction do we need

Some values are going to change and get modified, also we are not going to be able to use some instructions and we are going to need to use the imagination, or Corelan tutorials 😛 Step 3. This transformation is going to complicate all the process of exploit development. The process that is happening, is that the ASCII character “\x41″ is converted to u”\u0041”. But we have 00410041, this is indicative that our buffer it’s getting converted to Unicode. ASCII to Unicode conversionĪs I said, we overwritten the SEH, but we expected to have the value 41414141 in it (4 A’s). We managed to overwrite the Structured Exception Handler(SEH). If we do the same with a debugger attached to the process of the application we can see the following: When we introduce this string, the application is going to crash. We mark “Use SOCKS proxy” box, and the we paste the 5000 A’s string in the Host field: I manually input 5000 A’s in this field in this options menu: Right click on a host > AMT > AMT Settings dialog The vulnerability is a local Buffer Overflow that leads in code execution. Now I’m going to write the exploit from the scratch without any help, the idea is to prepare the exam 🙂 Step 1.

You can read his write-up in the following blog post: This vulnerability was discovered by Adam Jeffreys from Nettitude, so all the credit goes to him. I’m currently preparing the OSCE exam, and I decided that after doing some Vulnserver exercises… I needed to start working on “more realistic” exploits.įor this case, I chose the following application: DameWare Mini Remote Control and I will cover the process of creating a working exploit for a SEH based local Buffer Overflow that corresponds to CVE-2018-12897. Last week I’ve been having fun trying to create exploits for already discovered vulnerabilities.
