OSED SEH Overflow

• https://jasonturley.xyz/windows-exploit-development-part-2-structured-exception-handler-seh-overflow/

• https://github.com/stephenbradshaw/vulnserver

All you need to know about the SEH Overflow challenge for OSED exam preparation.

The example below was made when building an exploit for DiskPulse Enterprise v10.0.12. Other versions of this exploit are:

• https://www.exploit-db.com/exploits/42778

• https://github.com/snowcra5h/DiskPulse-Exploit

0. Common Code

import struct
import socket


def LE(num):
    return struct.pack('<I', num)


def send(payload, host='127.0.0.1', port=80):
    request  = b'GET /' + payload + b'HTTP/1.1' + b'\r\n'
    request += b'Host: ' + host.encode() + b'\r\n'
    request += b'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0' + b'\r\n'
    request += b'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' + b'\r\n'
    request += b'Accept-Language: en-US,en;q=0.5' + b'\r\n'
    request += b'Accept-Encoding: gzip, deflate' + b'\r\n'
    request += b'Connection: keep-alive' + b'\r\n\r\n'

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.send(request)
    s.close()

1. Determine Exception Handler Offset

Generate a unique pattern and feed it to the vulnerable application.

Inspect the crashed thread ExceptionList in WinDbg to find the overwritten value:

Calculate the offset from buffer to the target _except_handler overwrite:

2. Confirm SEH Overflow

Confirm that you can actually control the Handler value - if true, it will be overwritten with d34dc0d3.

3. Enumerate the Bad Characters

Determine the bad characters set which when included causes unwanted behavior.

In case the bad characters cause the SEH overflow not happen at all, this command can help to speed up the debug routine:

In case the bad characters are truncated from memory, dump the bytes (EstablisherFrame - the second argument of the vulnerable ExecuteHandler) and examine them manually or use find-bad-chars.py by @epi052:

4. Search for P/P/R Sequence

P/P/R is pop R32, pop R32, ret:

Locate a module with /SafeSEH OFF using narly:

WinDbg Classic Script

Search with a WinDbg Classic Script:

Update your script with the discovered value.

PyKD

• https://hshrzd.wordpress.com/2022/01/06/python-scripting-for-windbg-a-quick-introduction-to-pykd/

• https://jasonturley.xyz/install-pykd-in-windbg/

• https://github.com/uf0o/PyKD

Search with find-ppr.py by @epi052:

5. Short Jump over NSEH

Break on the P/P/R and assemble a short jump over the Next structure exception handler:

Update your script with the disassembled jump value.

Examine the memory before executing the jump to make sure we'll land in the desired buffer:

6. Find a Region for the Shellcode

Add a shellcode stub to the script and break after the short jump over NSEH.

Search the stack memory to find the shellcode stub start address:

7. Island Hop

As one of the options of moving EIP into the shellcode, align the stack (ESP) with the corresponding offset from (6):

Update your script with the disassembled align & jump instructions.

Break on the alignment jump and make sure the target buffer is the shellcode stub:

However, if the island hop is too close to the shellcode on stack, we may see the hop itself when aligning the stack which is unwanted:

In this case, we can calculate the raw offset between the shellcode on stack and current EIP:

And then assemble an appropriate jump:

8. Exploit!