Uninformed: Informative Information for the Uninformed

Vol 3» 2006.Jan


Throwing an Exception

Type: R0 Recovery
Size: 3 bytes
Compat: All
Migration: Not necessary
Requirements: No held locks in wrapped frame

If a vulnerability occurs in the context of a frame that is wrapped in an exception handler, it may be possible to simply trigger an exception that will allow execution to continue like normal. Unfortunately, the chances of this recovery method being usable are very slim considering most vulnerabilities are likely to occur outside of the context of an exception wrapped frame. The usability of this approach can be tested fairly simply by triggering the overflow in such a way as to cause an exception to be thrown. If the machine does not crash, it could be the case that the vulnerability occurred in a function that is wrapped by an exception handler. Assuming this is the case, writing a payload that simply triggers an exception is fairly trivial.

00000000  31F6              xor esi,esi
00000002  AC                lodsb