Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: overwriting SEH and debugging

From: H D Moore <sflist () digitaloffense net>
Date: Thu, 20 Dec 2007 11:36:46 -0600
This occurs because of a feature known as "SafeSEH". This is a new 
compiler flag that creates a list of registered SEH handlers within each 
executable and DLL. If your target executable was compiled with /SafeSEH 
and you try to return into a module that has been also been compiled with 
this feature, but the address you chose is not in the list of registered 
handlers, then the exception handling code will not transfer execution.

There are a few options to work around this:

1. On Windows 2003, prior to SP1, SafeSEH was essentially broken and you 
can return to DLLs such as "ATL.dll" and a few others without the 
registered list being checked.

2. Find a module loaded into memory that was not compiled with this flag. 
In the case of non-Microsoft applications, use a return address in a DLL 
shipped with the product. There is an OllyDbg plugin that lets you check 
all loaded modules for a registered SEH list. I am a lazy bastard and 
just use msfpescan:

# Windows XP SP0
$ msfpescan -i ws2help.dll | grep SEHandler
<no results>

# Windows XP SP2
$ msfpescan -i ws2_32.dll | grep SEHandler
SEHandlerTable                 0x71abbcc0
SEHandlerCount                 0x00000001

3. Find another opcode, in-memory, that is not part of a module, but is 
still marked executable. A known location on the heap or a loaded 
codepage might do the trick. Using a debugger, or tools like memdump.exe 
+ msfpescan can simplify this.

More information:

http://www.openrce.org/downloads/details/244/OllySSEH
http://www.immunitysec.com/products-immdbg.shtml
http://msdn2.microsoft.com/en-us/library/9a89h429(VS.80).aspx
http://sf-freedom.blogspot.com/
http://www.milw0rm.com/exploits/4651

-HD

On Thursday 20 December 2007, opexoc () gmail com wrote:

I am in situation that I have successfully overwrite SEH in some app. I
know that because when I am debugging this app I get exception ( access
violation ) and then I can thanks to go to fs:[0] find out what is in
first SEH structure.

I have overwritten this SEH by ordinary \xeb\x30\x90\x90 and address of
POP edi/POP esi/RET 8 instruction in shell32 module. I am wondering why
when I press SHIFT+F9 in ollydbg I get "Debugged program was unable to
process exception". But when I overwrite address of handler in SEH by
for example: \x41\x42\x43\x44 then when I press SHIFT+F9 I get that
0x44434241 cannot be accessed - so next exception - as it should be.
Where is a problem?
Previous By Date Next
Previous By Thread Next

Current thread: