SEH based exploitation[basics]
  • chroniccommand
    Posts: 1,389
    I've recently been diving into Windows exploitation because I've heard it's good for learning exploitation. So I figured I'd write a little paper involving Windows exploitation. This paper will focus a bit on SEH based exploitation. I'll be going over what SEH is, how to exploit it and more. Of course I won't dive too much into it, I'll just keep it at a simple level.

    What is SEH?
    SEH stands for Structured Exception Handler. If you're familiar with programming, you should be somewhat familiar with exception handlers. Basically you check if something works and if it doesn't, you perform some other action. Let's take a look at it in Python.
    Python example:

    try:
        import simplejson
    except ImportError:
        # Runs only when the module is missing; execution continues afterwards.
        print("Simplejson couldn't be loaded!")

    If you don't have the simplejson module installed, it prints the error message. This is a simple example.


    SEH exploitation
    But what happens if the program doesn't have any error handling and the program crashes? What happens to the execution flow? Well it's pretty basic actually. The default Windows exception handler kicks in. This happens when you see the "Send this crash report to Microsoft" error (which everybody hates). Or you may see some error about an address not being able to be executed. Either which way, this is the default exception handler. We can see the SEH chain in a debugger such as OllyDbg or Immunity Debugger. I'll use Immunity as a quick example for this paper. Take a look at this screenshot which shows the application has crashed and the EIP points to where it crashed:
    http://i.imgur.com/WjSTs.png
    So we can see the EIP = the address where it crashes. Now if we look at our SEH chain, we can see the EH has been overwritten with our A's.
    http://i.imgur.com/IXqgr.png
    As you see, the address of the beginning of the SEH chain is 0012FD64. The SE handler is our A's, 41414141
    We can verify this by looking at our threads.
    http://i.imgur.com/DF0Nd.png
    So we take a look at the dump and see it is pointing to the SEH chain.

    So how can this be exploited? Well it's quite a simple concept, but a bit harder to actually perform, so I'll leave it out of this. But basically we overwrite the SEH chain so we point it to our shellcode which will then be executed instead of the normal exception handler.

    For more on SEH based exploitation, google it :P
    Also:
    http://www.chase.org.pk/en/archives/cha ... ir-seh.pdf

    I hope this was simple and informative. Unfortunately, since I'm beginning Windows-based exploitation I only know basics such as this. But I plan to learn more and share more :)
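The screenshots above show the SEH chain starting at 0012FD64 with its handler replaced by 41414141. The following is an added example, not code from the original post, that reproduces what the debugger's SEH-chain view is doing on a constructed stack snapshot: it walks the chain of exception registration records (each assumed to be two 32-bit little-endian fields, Next and Handler, which is the documented layout) and flags a handler that no longer points into a loaded module or that consists of repeated filler bytes. The addresses, module range and both chains are constructed for the example.

```python
import struct

END_OF_CHAIN = 0xFFFFFFFF          # Next field of the last record in the chain
RECORD_FMT = "<II"                 # Next pointer, Handler pointer (little-endian)
RECORD_SIZE = struct.calcsize(RECORD_FMT)

# Constructed snapshot parameters (hypothetical addresses, not from a real process).
STACK_BASE = 0x0012FD00            # first byte of the captured stack region
SNAPSHOT_SIZE = 0x100
MODULE_RANGES = [(0x7C800000, 0x7C900000)]   # hypothetical code range of a loaded DLL

# Constructed chains: {record_address: (next, handler)}
INTACT_CHAIN = {
    0x0012FD64: (0x0012FDA0, 0x7C839AD8),
    0x0012FDA0: (END_OF_CHAIN, 0x7C839AD8),
}
OVERWRITTEN_CHAIN = {
    0x0012FD64: (0x41414141, 0x41414141),    # both fields replaced by 'A's
}


def build_snapshot(records):
    """Lay the given records out in a bytes image of the stack region."""
    buf = bytearray(SNAPSHOT_SIZE)
    for addr, (nxt, handler) in records.items():
        struct.pack_into(RECORD_FMT, buf, addr - STACK_BASE, nxt, handler)
    return bytes(buf)


def walk_seh_chain(snapshot, head, max_records=64):
    """Follow Next pointers from `head`; return [(addr, next, handler), ...].

    A record whose address falls outside the snapshot (or loops) is recorded
    as (addr, None, None) and the walk stops, since the chain is corrupt there.
    """
    chain, seen, addr = [], set(), head
    while addr != END_OF_CHAIN and len(chain) < max_records:
        off = addr - STACK_BASE
        if addr in seen or off < 0 or off + RECORD_SIZE > len(snapshot):
            chain.append((addr, None, None))
            break
        seen.add(addr)
        nxt, handler = struct.unpack_from(RECORD_FMT, snapshot, off)
        chain.append((addr, nxt, handler))
        addr = nxt
    return chain


def classify(chain):
    """Return (record_addr, message) findings for records that look overwritten."""
    findings = []
    for addr, nxt, handler in chain:
        if nxt is None:
            findings.append((addr, "Next pointer leaves the stack snapshot"))
            continue
        in_module = any(lo <= handler < hi for lo, hi in MODULE_RANGES)
        if not in_module:
            findings.append((addr, f"handler 0x{handler:08X} is outside any loaded module"))
        # Four identical bytes (e.g. 0x41414141) are the classic sign of filler data.
        if handler and len(set(handler.to_bytes(4, "little"))) == 1:
            findings.append((addr, f"handler 0x{handler:08X} is repeated filler bytes"))
    return findings


def inspect(records, head=0x0012FD64):
    """Convenience wrapper: build the snapshot, walk it and classify the result."""
    return classify(walk_seh_chain(build_snapshot(records), head))


if __name__ == "__main__":
    for name, records in (("intact", INTACT_CHAIN), ("overwritten", OVERWRITTEN_CHAIN)):
        print(name)
        for addr, msg in inspect(records) or [(None, "chain looks sane")]:
            print(f"  {addr if addr is None else f'{addr:08X}'}: {msg}")
```

Running it prints no findings for the intact chain and, for the overwritten one, reports the 41414141 handler at 0012FD64 plus a Next pointer that leaves the stack, which is exactly the picture in the second and third screenshots.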
  • Sh3llc0d3
    Posts: 1,910
    Nice guide, simple and to the point explanation of SEH, seems like you missed a bit out on how you overwrote the EH with A's. Would be good to see an example :) nice progress though :)
  • chroniccommand
    Posts: 1,389
    said:
    > Nice guide, simple and to the point explanation of SEH, seems like you missed a bit out on how you overwrote the EH with A's. Would be good to see an example :) nice progress though :)

    It was a simple program that was exploitable. Just overwrote A's into the buffer ;P
  • Xin
    Posts: 3,251
    Nice, you should include more screenshots into what you are entering as the buffer and such as well.
    Xin
This discussion has been closed.