Understanding SEH (Structured Exception Handler) Exploitation

[Nytro]

Understanding SEH (Structured Exception Handler) Exploitation

By Donny Hubener

July 6, 2009

1) Introduction

This paper is written to discuss the design and theory of how a Structured Exception Handler (SEH) exploit can be written to target a Windows host. We use the buffer overflow vulnerability in the ESF EasyChat Server software as a detailed example of this exploit type. While the paper attempts to cover the topics for those new to writing exploits, it still makes some assumptions about the reader’s related experience. For instance, the paper does not go into detail about how to write assembly code and how it is used for shellcode as the exploit payload. It also does not talk about the difference between hexadecimal and decimal number systems which is required to understand many of the numeric values used throughout the document.

Here is a list of topics you should be familiar with before continuing to read this paper:

- Hexadecimal number system

- Basic understanding of how Assembly language is used

- Basic understanding of Assembly Opcode Mnemomics

- Understanding of memory pointers

- General idea of memory registers and their use

- Some experience with writing program functions of any language

Additionally, it is recommended to obtain these items to follow along with this exercise:

- A WindowsXP SP1 machine (Virtual Machine is Ok) (Victim)

- Ollydbg (Free) installed on XP SP1 box

- OllySSEH Ollydbg Plugin (Free) installed on XP SP1 box

- ESF EasyChat Server 2.2 (Free)

- Another machine with Python (Free) installed. (can be any os) (Attacker)

One of the most important concepts to understand when writing functional exploits is that they are the result of a software bug. If all programs were perfectly written such that there were no flaws, there would be no vulnerabilities to exploit. In many cases, an attacker may be able to cause a program to crash due to insufficient error checking within the program. Causing the program to crash would be considered a Denial of Service (DOS) attack. However, causing a DOS condition in a program does not mean it can be fully exploited, but it does indicate that it could be possible. While there are several different types of attack vectors available to create a fully functional exploit, there are many cases where the conditions of the program or environment do not provide a viable exploit using any of the known vectors. This article is written with the assumption that an SEH attack vector is possible in the target software, and it is important to understand that this vector may not always be present in other vulnerable software.

Before we get started, take note that we will be mostly discussing the operation of two different software routines that are running simultaneously. One routine will be the vulnerable software program and it’s supporting function libraries that we are attempting to corrupt. For us, this first routine will be the EasyChat server software. The second routine is the Windows system exception dispatcher which constantly runs waiting for an error condition to occur. The dispatcher routine attempts to handle any exceptions (errors) that may occur in the first routine (EasyChat). As we go through this paper, try to keep these two routines separate in your mind.

Download:

http://www.i-hacked.com/freefiles/EasyChat_SEH_exploit_v1.3.pdf

Edited May 8, 2011 by Nytro