Metasploit mailing list archives
[Feature] Tweaking Rex::Exploitation::Seh#generate_dynamic_seh_record
From: lukasz skrzeszewski <kocur4d () gmail com>
Date: Fri, 23 Dec 2011 00:14:01 +0000
Hi, I would like to use this post to say HelloWorld.rb to the community!

I would like to suggest a small change to the Rex::Exploitation::Seh#generate_dynamic_seh_record function, just to make the Msf::Exploit::Seh mixin a bit more usable.

At the moment, when we are mixing in the Msf::Exploit::Seh module, we have two options for how to create our SEH record:
- the first, default one is generate_static_seh_record, which is the classic "\xeb\x06" short 6-byte jump.
- the second is generate_dynamic_seh_record, which is a random short jump of up to 128 bytes.

What if we have to jump at least 50 bytes??

As an example I'll use "Exploit writing tutorial part 3b : SEH based exploits" by corelanc0d3r (Gratz mate, superb tutorial).
( www.corelan.be/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/ )

Long story short - it's a typical SEH buffer overflow example with one exception: at some point when corelanc0d3r does `d eip` he gets:

0:000> d eip
0012f9a0  cc cc cc cc 3d 08 02 10-44 44 44 44 44 44 44 44  ....=...DDDDDDDD
0012f9b0  44 44 44 44 44 44 44 44-00 00 00 00 44 44 44 44  DDDDDDDD....DDDD
0012f9c0  44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD
0012f9d0  44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD
0012f9e0  44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD
0012f9f0  44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD
0012fa00  44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD
0012fa10  44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD

CCCCCCCC - it's our 4 bytes for a jump
3d080210 - it's the 4 bytes for pop-pop-retn
D.....   - is the payload.

As we can see, the payload is corrupted with 4*\x00 after 16 bytes. corelanc0d3r explains that we can fix this issue by jumping past that 4-byte "null void". Unfortunately (as far as I know) it can't be done at the moment if one would like to use the Msf::Exploit::Seh mixin.

When we use generate_static_seh_record our payload will be corrupted after 16 bytes; in the same way generate_dynamic_seh_record will fail if the random length is less than 28 bytes. (I haven't tested it yet :) just theory, hope it is how I figured it out; coming back home on Saturday and I'll test it.)

My solution:

My suggestion to improve the seh class is:
- add another option (advanced, normal - what's the difference??) to Msf::Exploit::Seh#new, something like 'SehMinOffset', equal to 0 by default.
- change the lines in the generate_dynamic_seh_record definition (lib/rex/exploitation/seh.rb) from:

52: pad = rand(space || 121)
53: rsize = pad + 8

to:

52: pad = rand(space || 121)
53: pad = datastore['SehMinOffset'] if(datastore['SehMinOffset'] > pad)
54: rsize = pad + 8

That's it :) We can still use a random length and make sure that the jump will be of at least SehMinOffset length.

I am new to the topic so I don't know how useful it might be, or how many SEH exploits have a similar problem. It looks like it will help in this example, so it should be good enough. If there is any other way to solve this problem using this approach (mixin Msf::Exploit::Seh) that doesn't involve changing Rex code, please let me know.

I am learning and I am far far away from knowing, so take it into consideration please :)

Thank you
Kocur4d

ps: max value of SehMinOffset can be 120.
_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework
Current thread:
- [Feature] Tweaking Rex::Exploitation::Seh#generate_dynamic_seh_record lukasz skrzeszewski (Dec 22)
- Re: [Feature] Tweaking Rex::Exploitation::Seh#generate_dynamic_seh_record HD Moore (Dec 27)
- Re: [Feature] Tweaking Rex::Exploitation::Seh#generate_dynamic_seh_record Patrick Webster (Dec 27)
- Re: [Feature] Tweaking Rex::Exploitation::Seh#generate_dynamic_seh_record HD Moore (Dec 27)