Metasploit mailing list archives

[Feature] Tweaking Rex::Exploitation::Seh#generate_dynamic_seh_record


From: lukasz skrzeszewski <kocur4d () gmail com>
Date: Fri, 23 Dec 2011 00:14:01 +0000

Hi, I would like to use this post to say HelloWorld.rb to the community!


I would like to suggest a small change to the *Rex::Exploitation::Seh#generate_dynamic_seh_record* function, just to make the *Msf::Exploit::Seh* mixin a bit more usable.

At the moment, when we mix in the *Msf::Exploit::Seh* module, we have two options for how to create our SEH record:

  - the first, default one is *generate_static_seh_record*, which is the classic "\xeb\x06" short 6-byte jump.

  - the second is *generate_dynamic_seh_record*, which is a random short jump of up to 128 bytes.



What if we have to jump at least 50 bytes?



As an example I'll use *"Exploit writing tutorial part b : SEH based exploits"* by *corelanc0d3r* (Gratz mate, superb tutorial):

(www.corelan.be/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/)

Long story short - it's a typical SEH buffer overflow example with one exception:

at some point, when *corelanc0d3r* runs `d eip`, he gets:

0:000> d eip
0012f9a0  cc cc cc cc 3d 08 02 10-44 44 44 44 44 44 44 44  ....=...DDDDDDDD
0012f9b0  44 44 44 44 44 44 44 44-00 00 00 00 44 44 44 44  DDDDDDDD....DDDD
0012f9c0  44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD
0012f9d0  44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD
0012f9e0  44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD
0012f9f0  44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD
0012fa00  44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD
0012fa10  44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD

CCCCCCCC - it's our 4 bytes for the jump

3d080210 - it's the 4 bytes for pop-pop-retn

D..... - is the payload.

As we can see, the payload is corrupted with 4*\x00 after 16 bytes.

*corelanc0d3r* explains that we can fix this issue by jumping past that 4-byte "null void".

Unfortunately (as far as I know) it can't be done at the moment if one would like to use the *Msf::Exploit::Seh* mixin. When we use *generate_static_seh_record* our payload will be corrupted after 16 bytes; likewise, *generate_dynamic_seh_record* will fail if the random length is less than 28 bytes.

(I haven't tested it yet :) just theory, hope it is how I figured it out; I'm coming back home on Saturday and I'll test it)


My solution:

My suggestion to improve the SEH class is:

 - add another option (advanced or normal - what's the difference?) to *Msf::Exploit::Seh#new*, something like '*SehMinOffset*', equal to 0 by default.

 - change the lines in the *generate_dynamic_seh_record* definition (*lib/rex/exploitation/seh.rb*) from:


52:         pad   = rand(space || 121)
53:         rsize = pad + 8

To:

52:         pad   = rand(space || 121)
53:         pad   = datastore['SehMinOffset'] if (datastore['SehMinOffset'] > pad)
54:         rsize = pad + 8



That's it :) We can still use a random length and make sure that the jump will be of at least SehMinOffset length. I am new to the topic so I don't know how useful it might be, or how many SEH exploits have a similar problem. It looks like it will help in this example, so it should be good enough.

If there is any other way to solve this problem using this approach (the *Msf::Exploit::Seh* mixin) that doesn't involve changing Rex code, please let me know. I am learning and I am far, far away from knowing, so take it into consideration please :)


Thank you

Kocur4d

PS: the max value of SehMinOffset can be 120.