1. Abusing SEH for Fun By modpr0be [at] Digital Echidna [dot] org
2. The content What is SEH? Look at the SEH Structure How SEH works? Protections against SEH Abusing SEH SEH Exploit Demo
3. What is SEH? a piece of code that is written inside an application, with the purpose of dealing with the fact that the application throws an exception (from corelan) an exception is an event, which occurs during the execution of a program, that disruptsthe normal flow of the program's instructions. a catcher, who is trying to catch unusual behavior.
4. What is SEH? This structure ( also called a SEH record) is 8 bytes and has 2 (4 byte) elements : a pointer to the next exception_registration structure (in essence, to the next SEH record, in case the current handler is unable the handle the exception) a pointer, the address of the actual code of the exception handler. (SE Handler)
5. What is SEH? Image was taken without permission from http://images.google.com
6. Look at the SEH Structure Image was taken from http://corelan.be with permission from Peter van Eeckhoutte (Corelan)
7. Look at the SEH Structure Beginning of SEH chain SEH chain will be placed at the top of the main data block It also called FS:[0] chain as well (on intel: mov [reg], dwordptrfs:[0]) End of seh chain Is indicated by 0xFFFFFFFF Will trigger improper termination to the program
8. How SEH Works? Stack TEB FS[0]: 0012FF40 0012FF40 0012FFB0 : next SEH record 0012FF44 7C839AD8 : SE Handler 0012FFB0 0012FFE0 : next SEH record 0012FFB4 0040109A : SE Handler 0012FFE0 FFFFFFFF : next SEH record 0012FFE4 7C839AD8 : SE Handler
9. Protections Against SEH XOR before the exception handler is called, all registers are XORed with each other, so it will make them all point to 0x00000000 DEP & Stack Cookies Stack Cookies or Canary is setup via C++ compiler options DEP will mark the memory stack to no execute. It was introduced since Windows XP SP2 and Windows 2003, enabled by default on Windows Vista and 7 Those two protections can make it harder to build exploits.
10. Protections Against SEH SafeSEH additional protection was added to compilers, helping to stop the abuse of SEH overwrites. It will check the original value of SEH, if it overwritten, SafeSEH will try to bring it back to the original value.
11. Abusing SEH On direct RET technique: Simply find an instruction to jump to the stack, done. While on SEH Based: You cannot simply jump to the stack, because the registers are XORed. We can take advantage this exception handling condition by overwrite the SE Handler address. The OS will know the exception handling routine, and pass it to next SEH record. Pointer to next SEH will bring us to the shellcode. Game over!
12. Abusing SEH In other words, the payload must do the following things: Cause an exception. Without an exception, the SEH handler (the one you have overwritten/control) won’t kick in. Overwritethe pointer to the next SEH record with some jumpcode(so it can jump to the shellcode) Overwrite the SE handler with a pointer to an instruction that will bring you back to next SEH and execute the jumpcode. The shellcode should be directly after the overwritten SE Handler. Some small jumpcode contained in the overwritten “pointer to next SEH record” will jump to it).
13. Abusing SEH When the exception occurred, the position on the stack will going like this: Possible value to overwrite SE Handler are POP something, POP something and RETN to the stack. It will POP address that sit at the top of the stack, POP it again to take the second address, and RETN to execute the third address (which is now at the top of the stack) Top of stack Our pointer to next SEH address
14. Abusing SEH Image was taken from http://corelan.be with permission from Peter van Eeckhoutte (Corelan)