• No results found

SEH Exploitation pdf

N/A
N/A
Info
Download
Protected

Academic year: 2020

Share "SEH Exploitation pdf"

Copied!
27
0
0

Loading.... (view fulltext now)

Download now ( 27 Page )

Full text

(1)

Structured Exception Handler

EXPLOITATION

Brian Mariani

(2)

What is an exception

An exception is an event that occurs during the execution of a program

(3)

Structured Exception Handling

Blocks of code are encapsulated, with each block having one or more associated handlers.

Each handler specifies some form of filter condition on the type of exception it handles

When an exception is raised by code in a protected block, the set of corresponding handlers is searched in order, and the first one with a matchingfilter condition is executed

(4)

Exception pointers structure

(1)

Contains an exception record with a machine-independent description of an exception

(5)

Exception pointers structure

(2)

A pointer to the next exception registration structure

(6)

Thread information block

The Thread Information Block (TIB) is a data structure in Win32 that stores Thread Information Block (TIB)

information

about the currently running thread

(7)
(8)

How SEH works?

The exception handlers are linked to each other

They form a linked list chain on the stack, and sit relatively close to the bottom of the stack

When an exception occurs, Windows retrieves the head of the SEH chain walks SEH chain

(9)

Abusing the SEH

When exploiting an SEH overwrite and attacker clobbers the handler attribute of the

EXCEPTION_REGISTRATION_RECORD

EXCEPTION_REGISTRATION_RECORD with the address of an instruction sequence similar to POP POP RETPOP POP RET

When the exception occurs, this causes Windows to pass execution to this address, which subsequently returns to the location on the stack of the Next attribute of the

EXCEPTION_REGISTRATION_RECORD

EXCEPTION_REGISTRATION_RECORD

The Next attribute is also controlled by the attacker, but if we recall the stack layout Next attribute

from earlier, the Next attribute is below the Next attribute Handler attributeHandler attribute

This limits the attacker to 4 bytes before running into the Handler address he previously supplied to originally obtain code execution

However, by overwriting the Next attribute with the instructions that jump the Handler Next attribute

(10)

Overwriting the Next SEH record and SE

handler

To check a chain of exception handlers before and after an overflow we can use

WinDbg

WinDbg !exchain command!exchain

At the left we can see the SEH chain and the stack before the overflow occursSEH chain

(11)

What are we overwriting?

When we performs a regular stack based buffer overflow, we overwrite the return address of the Extended Instruction Pointer (EIP)Extended Instruction Pointer (EIP)

When doing a W SEH overflow, we will continue overwriting the stack after overwriting SEH overflow EIP

(12)

Viewing the SEH

before the overflow

before

Before the overflow occurs we can see the stack and the SEH chain.SEH chain.

The T SEH chain starts from SEH chain 0x015fd044 down to 0x015fd044 0x015fffdc0x015fffdc which indicates the end of the SEH chainSEH chain

Directly below 0x015fffe0, we see 0x015fffe0 0x7c839ad8, which is the address of the default 0x7c839ad8 SE SE handler

(13)

Viewing the SEH

after the overflow

after

EIP point to 0x61616161, so we can control the flow

of the program

Pointer to the Next record and SEH handler was

overwritten

TIB dumping let us know the SEH chain was sucessfully overwritten

Dumping the TIB confirms that the TIB SEH was overwrittenSEH

Code execution is successfully passed to the injected address 0x616161610x61616161

Addresses 0x015fd044 and 0x015fd044 0x015fd048 which were the 0x015fd048 Next SEH record and Next SEH SE SE handler

(14)

See an exception analysis

The command !analyze –v in Windbg give us more details about the triggering of the !analyze –v

(15)

How SEH base exploit works

When the exception is triggered the program flow go to the SE HandlerSE Handler

All we need is just put some code to jump to our payload

Faking a second exception makes the application goes to the next SEH pointer

As the Next SEH pointer is before the SE handler we can overwrite the Next SEH

Since the shellcode sits after the Handler, we can trick the SE Handler to execute POP POP

POP RET

POP RET instructions so the address to the Next SEH will be placed in EIP, therefore executing the code in Next SEH

(16)

Exploiting the application

We will exploit a vulnerability in Gogago Youtube Downloader Video ActiveX www.gogago.net/download/youtube_video_downloader_setup.exe

A buffer overflow is triggered after injecting more that 2230 bytes in the Download() function

This vulnerability could be exploited using a basic RET CALL technique

(17)

Creating the POC

We craft an html page calling the method DownloadDownload using the CLASSID

(18)

Overwriting Next pointer and SE

handler

To successfully overwrite the Next PointerNext Pointer and SE HandlerSE Handler we must calculate the exact number of bytes to inject

(19)

Finding POP POP RET instructions

Finding opcodes it’s not a difficult task you can use findjump or findjump IDAIDA

In this tutorial we will use WinDBG

We launch our prove of concept and we attach to Internet Explorer. After the overflow Internet Explorer

occurs we search the base memory address of the Gogago module MDIEex.dllMDIEex.dll

(20)

Building the exploit

After calculating the number of bytes to overwrite the Next Next pointer and pointer SE handler we SE handler

inject 4 bytes of code to jump to our shellcode this will replace the old SE handlerSE handler

Following the SE handler we inject the POP POP RET opcodes from the same module POP POP RET

of the exploited application

(21)

Executing the exploit

(1)

(22)

Executing the exploit

(2)

After the overflow occurs we successfully overwrites the old jscript SE handler later SE handler

(23)

Redirect code execution

(24)

Jumping to our payload

(25)

Shellcode execution

(26)

Questions

(27)

References

http://msdn.microsoft.com/en-us/library/ms680663%28v=VS.85%29.aspxhttp://msdn.microsoft.com/en-us/library/ms680663%28v=VS.85%29.aspx

http://msdn.microsoft.com/en-us/library/c68xfk56%28v=vs.71%29.aspxhttp://msdn.microsoft.com/en-us/library/c68xfk56%28v=vs.71%29.aspx

http://en.wikipedia.org/wiki/Win32_Thread_Information_Blockhttp://en.wikipedia.org/wiki/Win32_Thread_Information_Block

References

Download now ( PDF - 27 Page - 379.75 KB )

Related documents

Enlisting Hardware Architecture to Thwart Malicious Code Injection

Thus, we detail how the combination of the proposed secure return address stack and software defenses enables comprehensive multi-layer protection against buffer

3 Linux exploit development part 3 ret2libc pdf

Here is where libc comes in: instead of overwriting EIP with an instruction, we actually overwrite EIP with functions from within libc library, followed by the required function

x86 doc pdf

ting the stack pointer, the caller’s base pointer value is recovered, and the ret instruction is used to return to the appropriate code location in the caller. A good way to

Off-by-One exploitation tutorial

As we can see when the frame pointer was corrupted it pointed to a lower memory address which got us directly in our input buffer now the application thinks that this is the

API Monitoring System for Defeating Worms and Exploits in MS-Windows System

z Overflow Vulnerabilities: Hackers may find some security holes in software that are vulnerable to buffer or heap overflow attacks. Therefore, Hackers can overwrite the

Software security. Buffer overflow attacks SQL injections. Lecture 11 EIT060 Computer Security

I We managed to overflow the buffer and overwrite the return address – and crash the program.. I We managed to change the return address so that instructions in the calling

MSc Computer Science Dissertation

Our algorithm is designed to build exploits for three common classes of security vulnerability; stack-based buffer overflows that corrupt a stored instruction pointer, buffer

Format string exploitation on windows Using Immunity Debugger / Python. By Abysssec Inc

ok there is a real big note may you noticed as you know from classic buffer stack based buffer overflow the return address we want to use for changing executing flow contains a