SEH based buffer overflow tutorial - Exploiting Easy Chat Server
  • undead
    Posts: 822
    In this tutorial I will exploit a vulnerable program called Easy Chat Server in order to demonstrate how to create an SEH-based BoF exploit.

    As you can see at exploit-db (http://www.exploit-db.com/exploits/8142/), Easy Chat Server has username and password parameters vulnerable to buffer overflow.

    We can exploit this buffer overflow vulnerability via a GET HTTP request by giving our payload as input for the username parameter instead of giving a normal username. The password parameter doesn't matter.
    Now it's time to create a program which will exploit this vulnerability.
    Let's see what happens if we pass 1000 A's to the username parameter:
    http://i.imgur.com/iNulm.png

    http://i.imgur.com/wGffY.png

    http://i.imgur.com/arTbN.png

    We get the message "Access violation when reading [41414141] - ..." and if you press Alt + S you will notice that we've corrupted the SEH chain and it has been overwritten with 41414141 (A's in hex).

    The next step is to follow this address in the stack (right click and select this option), and now we should figure out the offset of the pointer to the next SEH record and the exception handler.
    To do this I will use the pattern_create and pattern_offset tools provided by Metasploit.

    root@root:~# /pentest/exploits/framework/tools/pattern_create.rb 1000


    And now we need to replace the 1000 A's with the 1000-character string created by the pattern_create tool:
    http://i.imgur.com/MOqVN.png

    And now let's run the Python program again.

    http://i.imgur.com/sefvA.png

    By using the pattern_offset tool we can figure out the offset of the pointer to the next SEH record; the offset of the exception handler will be the previous offset + 4.

    root@root:/pentest/exploits/framework/tools# ./pattern_offset.rb Ah2A
    216
    root@root:/pentest/exploits/framework/tools# ./pattern_offset.rb h3Ah
    220

    As expected.

    By knowing where the pointer to the next SEH record and SEH are, we can overwrite them with whatever we want.
    Let's update our Python code and do this:
    http://i.imgur.com/baLyg.png
    And there we go:
    http://i.imgur.com/ej4zM.png

    Now we want to execute our shellcode on the remote system but how are we going to accomplish this?

    First we will overwrite the pointer to the next SEH record with a short JMP of 6 bytes (\xeb\x06\x90\x90),
    so we will jump over the exception handler and land on our payload.
    eb is the opcode for jmp and 90 is for nop, as you already know :)
    Why 6 bytes? \xeb\x06 occupies 2 bytes, the next two bytes are nops and the next four bytes are the pointer to the exception handler. So 2 + 4 = 6 bytes.

    The next thing to do is overwrite the pointer to the exception handler so it will point to a pop/pop/ret sequence.
    To find a pop/pop/ret sequence we must search in a module without SafeSEH.

    To find modules that aren't SafeSEH protected I'm going to use pvefindaddr by c0relanc0d3r.

    http://i.imgur.com/HarXZ.png

    Press Alt+E and double click on that module.
    Now right click and Search for... Sequence of commands, and now search for an address that does not contain a null byte by pressing Ctrl+L.

    http://i.imgur.com/9zG9k.png

    Or you can easily use pvefindaddr like this: !pvefindaddr p SSLEAY32. Then search for a suitable address in the output file.

    To finish the exploit, replace CCCC with the address of the pop/pop/ret sequence and then add your shellcode to the buffer variable.

    Run the exploit and the shellcode should be executed.
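As an added example (not part of undead's post and not Metasploit's own code), here is a small Python reimplementation of the pattern_create/pattern_offset logic the post relies on, so the 216/220 offsets above can be reproduced without the framework; function names are my own.

```python
import string


def pattern_create(length):
    """Build a Metasploit-style cyclic pattern of the requested length.

    Each 3-byte chunk is Upper+lower+digit with the digit rotating fastest,
    so every 4-byte window is unique for the first 26*26*10*3 = 20280 bytes.
    """
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(needle, length=20280):
    """Return the offset of a 4-byte value inside the pattern, or -1.

    needle is either the ASCII text seen on the stack ("Ah2A") or the
    integer read from a register/SEH field (0x41326841), which is decoded
    as a little-endian DWORD back into the pattern bytes.
    """
    if isinstance(needle, int):
        needle = needle.to_bytes(4, "little").decode("ascii")
    return pattern_create(length).find(needle)


def seh_offsets(nseh_value, length=20280):
    """Given what landed in the 'pointer to next SEH record' field, return
    (nseh_offset, handler_offset): the handler is the very next DWORD."""
    nseh = pattern_offset(nseh_value, length)
    return nseh, nseh + 4
```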
  • Sh3llc0d3
    Posts: 1,910
    Nice one undead!
  • Praxis
    Posts: 20
    Awesome guide. Very clear, screenshots were easy to follow. Nice job!
  • undead
    Posts: 822
    Thanks for your positive comments
  • GameOver
    Posts: 675
    Nice share thanks. ;)
  • abcv
    Posts: 1
    I am at the right place at the right time. Wonderful TUT. My kudos.
  • Mr. P-teo
    Posts: 270
    That looks pretty sweet, only browsed over it as it's late where I am. Definitely going to come back to this.
    Skype: mrpt3o
    Twitter: MrPteo
  • Where  can I find the Vuln Server ?
  • Which version Easy Chat Server that you are using ?
  • Sh3llc0d3
    Posts: 1,910
    As it's based on the vulnerable software available from the linked page I'd suggest easy chat server 2.2...