Abusing SEH For Fun

By modpr0be [at] Digital Echidna [dot] org

Jul 04, 2015


Digital Echidna

This slide will show you how to abuse the structured exception handling and exploit it.
Page 1: Abusing SEH For Fun

Abusing SEH for Fun

By modpr0be [at] Digital Echidna [dot] org

Page 2: Abusing SEH For Fun

The content

What is SEH?

Look at the SEH Structure

How SEH works?

Protections against SEH

Abusing SEH

SEH Exploit Demo

Page 3: Abusing SEH For Fun

What is SEH?

a piece of code that is written inside an application, with the purpose of dealing with the fact that the application throws an exception (from corelan)

an exception is an event, which occurs during the execution of a program, that disrupts the normal flow of the program's instructions.

a catcher that tries to catch unusual behaviour.

Page 4: Abusing SEH For Fun

What is SEH?

This structure (also called a SEH record) is 8 bytes and has two 4-byte elements:

a pointer to the next exception_registration structure (in essence, to the next SEH record, in case the current handler is unable to handle the exception)

a pointer to the actual code of the exception handler (the SE Handler)

Page 5: Abusing SEH For Fun

What is SEH?

Image was taken without permission from http://images.google.com

Page 6: Abusing SEH For Fun

Look at the SEH Structure

Image was taken from http://corelan.be with permission from Peter van Eeckhoutte (Corelan)

Page 7: Abusing SEH For Fun

Look at the SEH Structure

Beginning of SEH chain

The SEH chain is placed at the top of the main data block.

It is also called the FS:[0] chain (on Intel: mov [reg], dword ptr fs:[0]).

End of SEH chain

The end of the chain is indicated by 0xFFFFFFFF in the next-SEH-record field.

Reaching it (no handler in the chain dealt with the exception) will trigger improper termination of the program.

Page 8: Abusing SEH For Fun

How SEH Works?

FS:[0] in the TEB points to the first SEH record on the stack; each record's first dword points to the next record, and the last record's next pointer is FFFFFFFF.

TEB                  Stack
FS:[0] = 0012FF40    0012FF40   0012FFB0 : next SEH record
                     0012FF44   7C839AD8 : SE Handler

                     0012FFB0   0012FFE0 : next SEH record
                     0012FFB4   0040109A : SE Handler

                     0012FFE0   FFFFFFFF : next SEH record
                     0012FFE4   7C839AD8 : SE Handler

Page 9: Abusing SEH For Fun

Protections Against SEH

XOR: before the exception handler is called, all registers are XORed with each other, so they all point to 0x00000000.

DEP & Stack Cookies: Stack Cookies (the canary) are set up via C++ compiler options. DEP marks the stack memory as non-executable. It was introduced in Windows XP SP2 and Windows 2003, and is enabled by default on Windows Vista and 7. Those two protections make it harder to build exploits.

Page 10: Abusing SEH For Fun

Protections Against SEH

SafeSEH

SafeSEH is additional protection added to compilers, helping to stop the abuse of SEH overwrites.

It checks the original value of the SEH; if it has been overwritten, SafeSEH will try to bring it back to the original value.

Page 11: Abusing SEH For Fun

Abusing SEH

With the direct RET technique: simply find an instruction that jumps to the stack, done.

With the SEH-based technique: you cannot simply jump to the stack, because the registers are XORed. Instead we take advantage of the exception handling condition by overwriting the SE Handler address. The OS will look up the exception handling routine and pass control through the next SEH record. The pointer to next SEH will bring us to the shellcode. Game over!

Page 12: Abusing SEH For Fun

Abusing SEH

In other words, the payload must do the following things:

Cause an exception. Without an exception, the SEH handler (the one you have overwritten/control) won't kick in.

Overwrite the pointer to the next SEH record with some jumpcode (so it can jump to the shellcode).

Overwrite the SE handler with a pointer to an instruction that will bring you back to the next SEH record and execute the jumpcode.

The shellcode should be directly after the overwritten SE Handler. Some small jumpcode contained in the overwritten "pointer to next SEH record" will jump to it.

Page 13: Abusing SEH For Fun

Abusing SEH

When the exception occurs, the stack looks like this:

[Stack diagram: Top of stack ... Our pointer to next SEH address]

Possible values to overwrite the SE Handler with are POP something, POP something and RETN to the stack.

It will POP the address that sits at the top of the stack, POP again to take the second address, and RETN to execute the third address (which is now at the top of the stack: the address of our overwritten pointer to next SEH).
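The page-8 chain walked and sanity-checked in code, as an added example covering page 8 and the overwrite described on pages 11 to 13 (not code from the slides; the stack window bounds, the clobbered record and the module address 0x00401234 are constructed). It is a SEHOP-style walk that follows FS:[0] to 0xFFFFFFFF and flags links that leave the stack, stop ascending, loop, or hand control to a stack address, which is how an overwritten next-SEH pointer such as the jumpcode on page 12 shows up to a defender.

```python
import struct

# Constructed stack window that holds the page-8 records (not from the slides).
STACK_BASE, STACK_TOP = 0x0012F000, 0x00130000
END_OF_CHAIN = 0xFFFFFFFF

def build_stack(records):
    """Lay {record_addr: (next_record, handler)} into a little-endian stack image."""
    image = bytearray(STACK_TOP - STACK_BASE)
    for addr, (nxt, handler) in records.items():
        struct.pack_into("<II", image, addr - STACK_BASE, nxt, handler)
    return bytes(image)

def walk_seh_chain(image, fs0):
    """Follow the chain from FS:[0] like the dispatcher would. Returns
    ([(addr, next, handler), ...], [finding, ...]); a genuine chain has no findings."""
    records, findings, seen = [], [], set()
    cur = fs0
    while cur != END_OF_CHAIN:
        # Every record is a 4-byte-aligned dword pair that lives inside the stack.
        if cur & 3 or not STACK_BASE <= cur <= STACK_TOP - 8:
            findings.append(f"next-SEH pointer {cur:08X} is misaligned or off the stack")
            break
        if cur in seen:
            findings.append(f"chain loops back to {cur:08X}")
            break
        seen.add(cur)
        nxt, handler = struct.unpack_from("<II", image, cur - STACK_BASE)
        records.append((cur, nxt, handler))
        if STACK_BASE <= handler < STACK_TOP:  # handler on the stack: classic overwrite sign
            findings.append(f"handler {handler:08X} at {cur:08X} points into the stack")
        if nxt != END_OF_CHAIN and nxt <= cur:  # records nest upward, so links must ascend
            findings.append(f"next pointer {nxt:08X} at {cur:08X} does not ascend")
        cur = nxt
    return records, findings

# The chain shown on page 8 (FS:[0] = 0012FF40), entered as constructed sample data.
PAGE8_CHAIN = {
    0x0012FF40: (0x0012FFB0, 0x7C839AD8),
    0x0012FFB0: (0x0012FFE0, 0x0040109A),
    0x0012FFE0: (END_OF_CHAIN, 0x7C839AD8),
}
# Same chain after the middle record is clobbered as page 12 describes: next-SEH now
# holds jump-code bytes EB 06 90 90 (0x909006EB) and a constructed module address.
OVERWRITTEN_CHAIN = {**PAGE8_CHAIN, 0x0012FFB0: (0x909006EB, 0x00401234)}

if __name__ == "__main__":
    for name, chain in (("page 8", PAGE8_CHAIN), ("overwritten", OVERWRITTEN_CHAIN)):
        recs, found = walk_seh_chain(build_stack(chain), 0x0012FF40)
        print(name, len(recs), "records;", found or "chain is sane")
```

The same walk is what a SafeSEH/SEHOP-style check or a crash-triage script can run over a stack dump: the intact chain from page 8 produces three records and no findings, while the clobbered one stops after two records with the jumpcode dword reported as an invalid link.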

Page 14: Abusing SEH For Fun

Abusing SEH

Image was taken from http://corelan.be with permission from Peter van Eeckhoutte (Corelan)

Page 15: Abusing SEH For Fun

Seeing is believing: SEH Exploit Demo

Page 16: Abusing SEH For Fun

Questions?

Page 17: Abusing SEH For Fun

Digital Echidna

http://www.digital-echidna.org

modpr0be