Abusing SEH For Fun


Published on

This slide will show you how to abuse the structured exception handling and exploit it.

Published in: Art & Photos, Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Abusing SEH For Fun

  1. 1. Abusing SEH for Fun<br />By modpr0be [at] Digital Echidna [dot] org<br />
  2. 2. The content <br />What is SEH?<br />Look at the SEH Structure<br />How SEH works?<br />Protections against SEH<br />Abusing SEH<br />SEH Exploit Demo<br />
  3. 3. What is SEH?<br />a piece of code that is written inside an application, with the purpose of dealing with the fact that the application throws an exception (from corelan)<br />an exception is an event, which occurs during the execution of a program, that disruptsthe normal flow of the program's instructions.<br />a catcher, who is trying to catch unusual behavior.<br />
  4. 4. What is SEH?<br />This structure ( also called a SEH record) is 8 bytes and has 2 (4 byte) elements :<br />a pointer to the next exception_registration structure (in essence, to the next SEH record, in case the current handler is unable the handle the exception)<br />a pointer, the address of the actual code of the exception handler. (SE Handler)<br />
  5. 5. What is SEH?<br />Image was taken without permission from http://images.google.com<br />
  6. 6. Look at the SEH Structure<br />Image was taken from http://corelan.be <br />with permission from Peter van Eeckhoutte (Corelan)<br />
  7. 7. Look at the SEH Structure<br />Beginning of SEH chain<br />SEH chain will be placed at the top of the main data block<br />It also called FS:[0] chain as well (on intel: mov [reg], dwordptrfs:[0])<br />End of seh chain<br />Is indicated by 0xFFFFFFFF<br />Will trigger improper termination to the program<br />
  8. 8. How SEH Works?<br />Stack<br />TEB<br />FS[0]: 0012FF40<br />0012FF40<br />0012FFB0 : next SEH record<br />0012FF44<br />7C839AD8 : SE Handler<br />0012FFB0<br />0012FFE0 : next SEH record<br />0012FFB4<br />0040109A : SE Handler<br />0012FFE0<br />FFFFFFFF : next SEH record<br />0012FFE4<br />7C839AD8 : SE Handler<br />
  9. 9. Protections Against SEH<br />XOR<br />before the exception handler is called, all registers are XORed with each other, so it will make them all point to 0x00000000<br />DEP & Stack Cookies<br />Stack Cookies or Canary is setup via C++ compiler options<br />DEP will mark the memory stack to no execute.<br />It was introduced since Windows XP SP2 and Windows 2003, enabled by default on Windows Vista and 7<br />Those two protections can make it harder to build exploits.<br />
  10. 10. Protections Against SEH<br />SafeSEH<br />additional protection was added to compilers, helping to stop the abuse of SEH overwrites.<br />It will check the original value of SEH, if it overwritten, SafeSEH will try to bring it back to the original value.<br />
  11. 11. Abusing SEH<br />On direct RET technique:<br />Simply find an instruction to jump to the stack, done.<br />While on SEH Based:<br />You cannot simply jump to the stack, because the registers are XORed.<br />We can take advantage this exception handling condition by overwrite the SE Handler address.<br />The OS will know the exception handling routine, and pass it to next SEH record.<br />Pointer to next SEH will bring us to the shellcode.<br />Game over!<br />
  12. 12. Abusing SEH<br />In other words, the payload must do the following things:<br />Cause an exception. Without an exception, the SEH handler (the one you have overwritten/control) won’t kick in.<br />Overwritethe pointer to the next SEH record with some jumpcode(so it can jump to the shellcode)<br />Overwrite the SE handler with a pointer to an instruction that will bring you back to next SEH and execute the jumpcode.<br />The shellcode should be directly after the overwritten SE Handler. Some small jumpcode contained in the overwritten “pointer to next SEH record” will jump to it).<br />
  13. 13. Abusing SEH<br />When the exception occurred, the position on the stack will going like this:<br />Possible value to overwrite SE Handler are POP something, POP something and RETN to the stack.<br />It will POP address that sit at the top of the stack, POP it again to take the second address, and RETN to execute the third address (which is now at the top of the stack)<br />Top of stack<br />Our pointer to next SEH<br />address<br />
  14. 14. Abusing SEH<br />Image was taken from http://corelan.be <br />with permission from Peter van Eeckhoutte (Corelan)<br />
  15. 15. Seeing is believeingSEH Exploit Demo<br />
  16. 16. Question?<br />
  17. 17. Digital Echidnahttp://www.digital-echidna.orgmodpr0be<br />