u/hex-lover

Why would we overwrite SEH instead of EIP?

hello all,

I'm now studying OSED, and in the chapter we can overwrite EIP after sending, let's say, 0x12,000 bytes.
But somehow they want to overwrite SEH instead. Why? They wrote this:

Theoretically, we could overwrite the target return address by precisely calculating the required offset and size for the overflow. However, a huge buffer length is required for a successful overflow, which means we would likely corrupt pointers on the stack that will be used by the target function before returning into the overwritten return address. In short, even if a direct EIP overwrite is possible, it would require a lot of work.

Instead, we'll perform an even larger copy and attempt to overwrite the SEH chain and trigger an exception by writing beyond the end of the stack.

But we also send an even bigger buffer to overwrite SEH, so this will also corrupt more pointers on the stack. So what is the point?

u/hex-lover — 15 hours ago

hello all,

I have learned many topics that will help me discover and exploit vulnerabilities in 32-bit Windows apps.
So usually, when people want to scan an application, where do they search?
Like, I want to test an application to get a CVE, for example; where do I search? Since this is a desktop app, not web.

u/hex-lover — 16 days ago

hello,

I'm reading EXP-300; they want to send a TCP request to port 11460, so they put a breakpoint on the recv WinAPI because they guess it will be this API.

But I don't want to guess, so are there any ways or tools people use to monitor which WinAPIs are being used?

Also, other than the rohitab app?

u/hex-lover — 22 days ago