Smashing SEH

Ok so recently i have been working on a couple of Buffer Overflows where EIP is gained through smashing SEH so here is a quick mini primer on smashing SEH for fun and profit

So here is the short definition when a win32 program runs it sets on the stack and address of the SEH the program will jmp to this address if there is ever an exception that causes the program to die Thus the reason it is called the Standard Exception Handler.

So on occasion you will have a program that you can overflow the buffer thus overwriting data on the stack but and exception fires during the copy or something else in the data stream causes an exception causing the program to fire the SEH before you get code execution (thats overly simplified but you get the point) So what is a researcher to do? how bout overwrite the address that SEH is pointing to

So if we overwrite the buffer we will eventualy get to 2 address on the stack the first is the “Pointer to the Next SEH” and then the next address after that is the current SEH so coceptualy our buffer looks somewhat like this

so if we send a buffer and fill the top buffer space with A’s then set the Pointer to the Next SEH to BBBB set the SEH to CCCC and the second buffer space to DDDD our buffer will look something like this (again this is just an example)

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDDDDDDDDDDD

now remember this is just an example in the real world the buffers hopefully will be much bigger

so when the exception fires what you will see is eip set to CCCC and then 2 addresses down from EBP (stack base pointer) you will see a address that contains this

BBBBCCCCDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

now thats kinda interesting thats our buffer but how do we get to it?

Bring on the pop pop ret . If we can set the SEH to an opcode that contains a Pop Pop Ret when it fires it should pop 2 addresses off the stack and return into our buffer. ok so now we can get into the buffer but how do we get to shellcode from here? after all the buffer doesnt just contain our shellcode of DDDDDD it also contains BBBB and CCCC so what are we to do? Well up until this point we havnt used the Pointer To the Next SEH address for anything (the BBBB space) so what we do is we set BBBB to \xEB\x06\xFF\xFF what is \xEB\x06? in assembly it is Jmp Short 6 bytes so when we pop pop ret into this space the execution flow will hit this jump over our CCCC return address directly into our DDDDDDDD shellcode YaY!!!!

so now we have code execution by Busting the SEH on win32 programs

Some things to think about….

The buffer space after the return address may be to small for a full payload which means we may have to use a staged payload that jumps back into our main buffer

In windows XP sp2 microsoft introduced SafeSEH which limits where the SEH can point to. this can be overcome by pointing back into the binary itself for a pop pop ret provided the binary hasnt also been compiled with /SafeSEH

Just some things to think about and mabey get the brain juices flowing