
I am working on an SEH exploit. The problem I am facing here is that all POP/POP/RETN addresses end with null bytes, so everything placed after it gets corrupted.

Is it possible to use Metasploit's msfencode to encode the address of the POP/POP/RETN instructions itself to get over the problem of the null byte?

The exploit structure is: (300 bytes of junk + nseh + seh + 3000 bytes of junk)

Gilles 'SO- stop being evil'
Ahmed Taher

2 Answers


There is an Immunity Debugger plugin, mona.py, developed by the awesome guys at corelan.be. You can check pop/pop/ret combinations using that. Moreover, mona.py also provides a skeleton to convert your exploit module to a Metasploit module, hence porting it there.

Also try !mona suggest to see the exploitation options after placing mona.py in the PyCommands folder of Immunity Debugger. It might suggest something else as well.

You can use msfencode, but encoding will make the payload longer and 300 bytes is too little. But you can try to see if it fits.

If none of the above works, then you might have to do what Ditmar suggested.

oldnoob

This question is impossible to answer accurately without a specific look at the binary or more detail about what you have access to.

In general, if your SEH address contains a null byte you should stick nSEH & SEH at the end of your payload for exploit simplicity. Having nSEH be a jump up to your shellcode usually works fine with this; your problem may instead be fitting your shellcode into 300 bytes (that you have control over?).

There are lists of techniques you may try, but I still see you being limited to those 300 bytes.

Ditmar Wendt
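The layout point in Ditmar's answer is easy to check on paper. The following is an added example, not code from the thread: it models what a C-string copy such as strcpy() does to the two buffer layouts (the question's, with 3000 bytes after the handler address, and the answer's, with nSEH/SEH as the last bytes) and shows why the trailing null byte of a little-endian address only costs you the bytes that follow it. The address 0x00401234, the nSEH and shellcode placeholders and the 300-byte sizes are assumptions for illustration, not values from the thread.

```python
import struct

# Constructed placeholder address (assumption, not a value from the thread):
# its only null byte is the most significant one, so in little-endian form
# the null lands in the last position of the SEH field.
PPR_ADDRESS = 0x00401234
NSEH_PLACEHOLDER = b"N" * 4          # stand-in for the 4-byte nSEH field
SHELLCODE_PLACEHOLDER = b"S" * 200   # stand-in for a 200-byte payload


def pack_addr(addr):
    """32-bit little-endian encoding, as stored in the x86 SEH record."""
    return struct.pack("<I", addr)


def null_is_trailing(addr):
    """True if the packed address has exactly one null byte and it is the last one.

    Only then does the "put nSEH/SEH at the end" layout work: a null in the
    middle of the address would truncate the address itself.
    """
    packed = pack_addr(addr)
    return packed.count(b"\x00") == 1 and packed[-1] == 0


def c_string_copy(buf):
    """Simulate strcpy(): copy through the first null byte and drop the rest."""
    idx = buf.find(b"\x00")
    return buf if idx == -1 else buf[:idx + 1]


def layout_from_question():
    """300 bytes of junk + nSEH + SEH + 3000 bytes of junk, as in the question."""
    return b"A" * 300 + NSEH_PLACEHOLDER + pack_addr(PPR_ADDRESS) + b"C" * 3000


def layout_from_answer():
    """Payload inside the first 300 bytes, then nSEH + SEH as the final bytes."""
    filler = b"A" * (300 - len(SHELLCODE_PLACEHOLDER))
    return filler + SHELLCODE_PLACEHOLDER + NSEH_PLACEHOLDER + pack_addr(PPR_ADDRESS)


def bytes_lost(buf):
    """How many bytes of the buffer never reach the destination after the copy."""
    return len(buf) - len(c_string_copy(buf))


def seh_record_intact(buf):
    """True if the 8 bytes at offset 300 (nSEH + SEH) survive the copy unchanged."""
    return c_string_copy(buf)[300:308] == buf[300:308]


def payload_intact(buf):
    """True if the placeholder payload is still present after the copy."""
    return SHELLCODE_PLACEHOLDER in c_string_copy(buf)


if __name__ == "__main__":
    print("address null byte is trailing:", null_is_trailing(PPR_ADDRESS))
    for name, buf in (("question", layout_from_question()),
                      ("answer", layout_from_answer())):
        print(f"{name}: lost={bytes_lost(buf)} seh_ok={seh_record_intact(buf)} "
              f"payload_ok={payload_intact(buf)}")
```

In both layouts the SEH record itself survives, because the null is the last byte of the address; what the question's layout loses is everything after it, which is why the answer moves the payload in front of nSEH and has nSEH jump backwards. The null_is_trailing() check is the caveat to apply first: an address whose null sits anywhere but the high byte is cut off mid-address and this layout cannot rescue it.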