Abusing SEH For Fun
 


This slide will show you how to abuse the structured exception handling and exploit it.

Usage Rights: CC Attribution-ShareAlike License

    Abusing SEH For Fun: Presentation Transcript

    • Abusing SEH for Fun
      By modpr0be [at] Digital Echidna [dot] org
    • The content
      What is SEH?
      Look at the SEH Structure
      How SEH works?
      Protections against SEH
      Abusing SEH
      SEH Exploit Demo
    • What is SEH?
      a piece of code that is written inside an application, with the purpose of dealing with the fact that the application throws an exception (from corelan)
      an exception is an event, which occurs during the execution of a program, that disrupts the normal flow of the program's instructions.
      a catcher, who is trying to catch unusual behavior.
    • What is SEH?
      This structure (also called an SEH record) is 8 bytes and has 2 (4-byte) elements:
      a pointer to the next exception_registration structure (in essence, to the next SEH record, in case the current handler is unable to handle the exception)
      a pointer to the address of the actual code of the exception handler (SE Handler)
    • What is SEH?
      Image was taken without permission from http://images.google.com
    • Look at the SEH Structure
      Image was taken from http://corelan.be
      with permission from Peter van Eeckhoutte (Corelan)
    • Look at the SEH Structure
      Beginning of SEH chain:
      The SEH chain is placed at the top of the main data block.
      It is also called the FS:[0] chain (on Intel: mov [reg], dword ptr fs:[0]).
      End of SEH chain:
      It is indicated by 0xFFFFFFFF.
      It will trigger improper termination of the program.
    • How SEH Works?
      TEB
      FS:[0]: 0012FF40
      Stack (address : value)
      0012FF40 : 0012FFB0 (next SEH record)
      0012FF44 : 7C839AD8 (SE Handler)
      0012FFB0 : 0012FFE0 (next SEH record)
      0012FFB4 : 0040109A (SE Handler)
      0012FFE0 : FFFFFFFF (next SEH record)
      0012FFE4 : 7C839AD8 (SE Handler)
    • Protections Against SEH
      XOR
      Before the exception handler is called, all registers are XORed with each other, so they all point to 0x00000000.
      DEP & Stack Cookies
      Stack cookies (canaries) are set up via C++ compiler options.
      DEP marks the stack memory as non-executable.
      It was introduced in Windows XP SP2 and Windows 2003, and is enabled by default on Windows Vista and 7.
      Those two protections can make it harder to build exploits.
    • Protections Against SEH
      SafeSEH
      Additional protection was added to compilers, helping to stop the abuse of SEH overwrites.
      It checks the original value of SEH; if it has been overwritten, SafeSEH will try to bring it back to the original value.
    • Abusing SEH
      On direct RET technique:
      Simply find an instruction to jump to the stack, done.
      While on SEH Based:
      You cannot simply jump to the stack, because the registers are XORed.
      We can take advantage of this exception handling condition by overwriting the SE Handler address.
      The OS will know the exception handling routine, and pass it to the next SEH record.
      The pointer to the next SEH will bring us to the shellcode.
      Game over!
    • Abusing SEH
      In other words, the payload must do the following things:
      Cause an exception. Without an exception, the SEH handler (the one you have overwritten/control) won’t kick in.
      Overwrite the pointer to the next SEH record with some jumpcode (so it can jump to the shellcode).
      Overwrite the SE handler with a pointer to an instruction that will bring you back to next SEH and execute the jumpcode.
      The shellcode should be directly after the overwritten SE Handler. (Some small jumpcode contained in the overwritten “pointer to next SEH record” will jump to it.)
    • Abusing SEH
      When the exception occurs, the stack looks like this:
      [Figure: stack diagram; labels: "Top of stack", "Our pointer to next SEH address"]
      Possible values to overwrite the SE Handler are POP something, POP something and RETN to the stack.
      It will POP the address that sits at the top of the stack, POP again to take the second address, and RETN to execute the third address (which is now at the top of the stack).
    • Abusing SEH
      Image was taken from http://corelan.be
      with permission from Peter van Eeckhoutte (Corelan)
    • Seeing is believing
      SEH Exploit Demo
    • Question?
    • Digital Echidna
      http://www.digital-echidna.org
      modpr0be
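
The chain layout from the "How SEH Works?" slide, as an added C example that is not part of the original slides: it follows the next pointers from the FS:[0] value through a stack dump and reports whether the chain still ends at 0xFFFFFFFF, which is how a debugger script or crash triage tool can spot an overwritten SEH record. The stack bounds, the 0x41 filler values and all function names are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define SEH_END 0xFFFFFFFFu
enum { SEH_BAD_RECORD = -1, SEH_BAD_ORDER = -2, SEH_HANDLER_ON_STACK = -3 };
/* One dword of a captured 32-bit stack dump: address and stored value. */
struct cell { uint32_t addr, value; };

/* Fetch the dword at addr; returns 0 if the dump does not cover it. */
static int read_dword(const struct cell *m, size_t n, uint32_t addr, uint32_t *out) {
    for (size_t i = 0; i < n; i++)
        if (m[i].addr == addr) { *out = m[i].value; return 1; }
    return 0;
}

/* Walk from the FS:[0] value. Returns the number of records when the chain
   ends cleanly at 0xFFFFFFFF, otherwise a negative SEH_* code. */
int walk_seh_chain(const struct cell *m, size_t n, uint32_t head,
                   uint32_t stack_lo, uint32_t stack_hi) {
    uint32_t rec = head, next, handler;
    int count = 0;
    while (rec != SEH_END) {
        /* 8-byte record: next pointer at rec, SE Handler at rec + 4. */
        if (rec < stack_lo || rec > stack_hi - 8 || (rec & 3) ||
            !read_dword(m, n, rec, &next) || !read_dword(m, n, rec + 4, &handler))
            return SEH_BAD_RECORD;
        if (handler >= stack_lo && handler < stack_hi)
            return SEH_HANDLER_ON_STACK;   /* handler code should not live on the stack */
        if (next != SEH_END && next <= rec)
            return SEH_BAD_ORDER;          /* must move toward the stack base; no loops */
        count++;
        rec = next;
    }
    return count;
}

/* Constructed sample: the three records shown on the slide. */
static const struct cell slide_stack[] = {
    {0x0012FF40, 0x0012FFB0}, {0x0012FF44, 0x7C839AD8},
    {0x0012FFB0, 0x0012FFE0}, {0x0012FFB4, 0x0040109A},
    {0x0012FFE0, 0xFFFFFFFF}, {0x0012FFE4, 0x7C839AD8},
};
/* Constructed sample: first record overwritten with 0x41 filler bytes. */
static const struct cell smashed_stack[] = {
    {0x0012FF40, 0x41414141}, {0x0012FF44, 0x41414141},
};
/* Stack bounds 0x0012F000..0x00130000 are assumed for the example. */
int check_slide(void)   { return walk_seh_chain(slide_stack, 6, 0x0012FF40, 0x0012F000, 0x00130000); }
int check_smashed(void) { return walk_seh_chain(smashed_stack, 2, 0x0012FF40, 0x0012F000, 0x00130000); }
int main(void) { return (check_slide() == 3 && check_smashed() == SEH_BAD_RECORD) ? 0 : 1; }
```

On a live 32-bit process the head comes from FS:[0] and the stack bounds from the TEB; here both are passed in so the walk can run over a saved dump.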