Seh Handling on Real Player/Windows... - HeapOverflow Computer Security Community & Forums



gabrielmn
17-12-05, 02:31
Hi,
I have been studying stack overflows on Windows, and then I found the flaw in Real Player that uses .smil files to cause the overflow. When I overflow the program under Ollydbg I saw that the only way to exploit it is using SEH. Reading some papers, I saw that I need to overwrite the SEH with the address of some register that points to my shellcode. But when I press SHIFT-F9 so that Ollydbg goes to the SEH, the values of all the registers are changed. Why? How can I point any register to my shellcode? I saw that I can increment or decrement esp to point to the shellcode. How can I do this? Where do I put this piece of code? Please, give me a light!
Thanks....

class101
17-12-05, 16:14
Read papers/books; everything needed for this is on the web. You won't get much help here since most members are script kiddies, and I am busy analyzing vulnerabilities, so good luck dude. Or I can maybe help you by posting a thread here with all the papers that I have used to learn all this, let me know.. You will have to learn C programming before all this, because as soon as you try to find bugs within C functions, you should understand what those vulnerable C functions are supposed to do..
Let me know if you have more questions, but if it's as large as "how to hack", no way, it has all already been written.

class101
17-12-05, 17:39
happy reading:
http://heapoverflow.com/f0rums/showthread.php?t=1129

Porcus
17-04-08, 23:03
Hi. I've just recently gotten into SEH exploitation myself, so I'm no authority, but this is what I've found.

First, as far as stuff to read, check out class101's papers page and read at least the first one by Litchfield. That's where I started. However, the information in that one is a bit obsolete: eEye Digital Security (http://www.eeye.com/html/resources/newsletters/vice/VI20060830.html#vexposed). Check out the Shellcoder's Handbook as well; I have found it to be an actually good book so far and not a howto for professional script kiddies.

To briefly address your question: from what you say, it sounds like you've gotten the basic picture of SEH exploitation. Maybe you already read Litchfield's paper. The problem is that ever since Code Red used that method of exploitation, Microsoft changed the way SEH works. They made it so that all registers are cleared before the exception handler is dispatched. Therefore you can't just find a CALL EBX anymore.

So you have to take a less direct approach. Said approach is described in the page to which I linked above, and probably in some of class101's papers (sorry, I didn't open them all to see what they were). It's still certainly possible, but more difficult.

Dr.Retz
14-09-08, 12:41
Hi


You still need to understand how SEH works! According to your post, I assume that one of the registers is pointing to your SEH next pointer?
If you cannot find any register pointing to the SEH next pointer you will have to use pop pop ret. Is it possible to post your code? Btw, what is the OS you are working on?
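An added example, not from any poster in this thread: it walks a constructed 32-bit stack image the way a debugger's SEH-chain view does, reading the next-pointer/handler pairs Dr.Retz mentions, and flags a record that looks overwritten (next pointer off the stack, handler pointing into the stack). All addresses and the image itself are made up.

```python
import struct

# Constructed 32-bit stack image (toy values, not from any real process):
# each _EXCEPTION_REGISTRATION_RECORD is two DWORDs, next pointer then handler.
STACK_BASE = 0x0012F000          # hypothetical stack range for the toy image
STACK_SIZE = 0x1000
END_OF_CHAIN = 0xFFFFFFFF        # terminator of the fs:[0] linked list
MODULE_HANDLER = 0x77E01234      # placeholder for a handler inside a loaded DLL

def build_image(records):
    """records: {stack address: (next_ptr, handler)} -> bytes for the stack range."""
    img = bytearray(STACK_SIZE)
    for addr, (nxt, handler) in records.items():
        struct.pack_into("<II", img, addr - STACK_BASE, nxt, handler)
    return bytes(img)

def in_stack(addr):
    return STACK_BASE <= addr < STACK_BASE + STACK_SIZE

def walk_seh_chain(img, head, max_depth=32):
    """Follow the chain from fs:[0]; returns (record_addr, next_ptr, handler, note)
    tuples, with an empty note for a record that looks healthy."""
    chain, seen, cur = [], set(), head
    while cur != END_OF_CHAIN and len(chain) < max_depth:
        if not in_stack(cur) or cur in seen:
            # A next pointer that leaves the stack (filler bytes) or loops back
            # is the classic sign of an overwritten registration record.
            chain.append((cur, None, None, "next pointer off the stack or loops"))
            break
        seen.add(cur)
        nxt, handler = struct.unpack_from("<II", img, cur - STACK_BASE)
        note = ""
        if in_stack(handler):
            note = "handler points into the stack (record overwritten?)"
        chain.append((cur, nxt, handler, note))
        cur = nxt
    return chain

def suspicious_records(chain):
    """Entries the walk flagged; empty for an intact chain."""
    return [entry for entry in chain if entry[3]]

# Intact chain: two frames, both handlers inside a module, list terminated.
CLEAN = build_image({0x0012FF80: (0x0012FFE0, MODULE_HANDLER),
                     0x0012FFE0: (END_OF_CHAIN, MODULE_HANDLER)})
# Corrupted chain: the first record was overrun with filler and a stack address.
CORRUPT = build_image({0x0012FF80: (0x41414141, 0x0012FF90),
                       0x0012FFE0: (END_OF_CHAIN, MODULE_HANDLER)})
```

Running `walk_seh_chain(CORRUPT, 0x0012FF80)` shows the same two-line picture Ollydbg gives for a smashed frame: a handler inside the stack, then a next pointer that cannot be followed.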