I am new to structured exception handling based exploits.

Why don't we put our return address directly in SE handler to jump to our shellcode? (with no safe SEH)

Can anybody explain the reason of using pop pop ret?

I read something that said SEH bypasses ASLR and DEP, but how?

Our shellcode will be located on the stack and since the stack will be still non-executable, how is DEP bypassed?

Sajjad Pourali
Sani

Comment: I have a strong suspicion that you're talking about ROP (Return-Oriented Programming) rather than SEH. SEH is just a way to pass control without being detected by static approaches. And yes, you're correct: DEP would still trigger if you pass control to a stack-located exploit by SEH. ROP bypasses DEP because it doesn't have any code to put on the stack. Dangling-pointer-based attacks can defeat ASLR. SEH could be combined with either of them independently as an additional measure. – Van Jone Oct 05 '13 at 23:48

2 Answers

http://www.exploit-db.com/wp-content/themes/exploit/docs/17505.pdf

Using SEH to achieve exploitation defeats neither DEP nor ASLR.

In particular, DEP will mitigate execution of shellcode off the stack memory page, which, ultimately, is what an SEH-based exploit is trying to achieve.

Without a non-ASLR module in the process space being used to locate the SEH exploit's key POP POP RET, ASLR remains to further impede exploitation.

As Van Jone suggested in his comment, ROP (and an info leak for module base address discovery) are necessary for DEP and ASLR defeat.

antik
  1. Assuming that the shellcode is on the stack, we do not place the address of the shellcode in the address of the exception handler (what you called the "return address") because Windows has some basic defence mechanism that prevents exceptions from jumping to addresses on the stack. SEH was abused commonly and repeatedly, and so it was created. Today, SafeSEH defines exact addresses that allow exceptions to jump to them, and therefore with SafeSEH the attack will not work.

  2. We use pop, pop, ret because we can easily find this code in the text segment. As I explained above, we cannot jump to the address on the stack, but we can jump to the text segment. pop, pop, ret jumps to the address of the next SEH record, since at the point when the exception handler starts running, ESP is 8 bytes from it. Notice that we control this value.

In WinDbg:

```
0:000> !exchain
*0012ffb0*: seh_overflow!ILT+85(__except_handler4)+0 (0041105a)
0012ffe0: kernel32!ValidateLocale+2b0 (7c839ac0)
Invalid exception stack at ffffffff
0:000> g
(614.f68): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
:
0:000> dd esp L4
0012f6f8  7c9032a8 0012f7e0 *0012ffb0* 0012f7fc
```

  3. Sometimes we will not succeed in bypassing DEP. But if we see that there is a vulnerable DLL, we can exploit it by calling VirtualProtect to change the memory protections of the stack to include the executable bit and then jump to the shellcode.

I also asked a question on the subject; you might want to take a look at it.

alond22
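Both answers come down to the same defensive question: which modules loaded in the process lack the mitigations that make SEH abuse hard (a SafeSEH handler table, ASLR-compatible relocation, DEP opt-in)? The script below is an added example written for this thread, not code from either answer or from any tool they mention. It parses the PE32 headers directly with `struct`: it reads `DllCharacteristics` for the `DYNAMIC_BASE` and `NX_COMPAT` bits and walks the Load Config directory to see whether `SEHandlerTable` is populated, which is what the loader checks for SafeSEH. `build_sample_pe()` constructs a minimal fake PE32 image so the check runs offline; `audit_module()` and `build_sample_pe()` are names chosen here, and the hardened/legacy module names are made up.

```python
# Added example: audit a PE32 image for SafeSEH, ASLR and DEP opt-in.
# audit_module() and build_sample_pe() are helpers written for this
# example; the sample images they build are constructed, not real DLLs.
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (values from winnt.h)
DYNAMIC_BASE = 0x0040     # image is ASLR-compatible (relocatable)
NX_COMPAT = 0x0100        # image declares itself DEP-compatible
NO_SEH = 0x0400           # image registers no SEH handlers at all
LOAD_CONFIG_DIR = 10      # IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
OPT_DLLCHAR = 70          # DllCharacteristics offset in the optional header
OPT_NDIRS = 92            # NumberOfRvaAndSizes (PE32 layout)
OPT_DIRS = 96             # first data directory entry (PE32 layout)
LC_SEH_TABLE = 64         # SEHandlerTable offset in IMAGE_LOAD_CONFIG_DIRECTORY32
LC_MIN_SIZE = 0x48        # smallest load config carrying SEHandlerTable/Count


def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return raw_ptr + (rva - va)
    return None


def audit_module(data):
    """Report whether a PE32 image opts into ASLR, DEP and SafeSEH."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 images use the SafeSEH handler table")
    dllchar = struct.unpack_from("<H", data, opt + OPT_DLLCHAR)[0]
    result = {
        "aslr": bool(dllchar & DYNAMIC_BASE),
        "dep": bool(dllchar & NX_COMPAT),
        "no_seh": bool(dllchar & NO_SEH),
        "safeseh": False,
        "seh_handlers": 0,
    }
    ndirs = struct.unpack_from("<I", data, opt + OPT_NDIRS)[0]
    if ndirs <= LOAD_CONFIG_DIR:
        return result                      # no load config directory at all
    lc_rva = struct.unpack_from("<I", data, opt + OPT_DIRS + 8 * LOAD_CONFIG_DIR)[0]
    if lc_rva == 0:
        return result                      # directory slot present but empty
    sections = []
    sec = opt + opt_size
    for i in range(nsections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sec + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    off = _rva_to_offset(sections, lc_rva)
    if off is None or struct.unpack_from("<I", data, off)[0] < LC_MIN_SIZE:
        return result                      # load config too short to hold SafeSEH fields
    table, count = struct.unpack_from("<II", data, off + LC_SEH_TABLE)
    result["safeseh"] = table != 0         # non-null table: loader enforces the whitelist
    result["seh_handlers"] = count
    return result


def build_sample_pe(dll_characteristics, with_safeseh):
    """Build a minimal, constructed PE32 file for testing (not a real module)."""
    file_align = 0x200
    lc = b""
    if with_safeseh:
        # Size=0x48, zeroed middle fields, SEHandlerTable=0x3000, SEHandlerCount=1
        lc = struct.pack("<I", LC_MIN_SIZE) + b"\0" * 60 + struct.pack("<II", 0x3000, 1)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)  # i386, 1 section, DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 28, 0x10000000)                      # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, file_align)             # section/file alignment
    struct.pack_into("<H", opt, OPT_DLLCHAR, dll_characteristics)
    struct.pack_into("<I", opt, OPT_NDIRS, 16)
    if with_safeseh:
        struct.pack_into("<II", opt, OPT_DIRS + 8 * LOAD_CONFIG_DIR, 0x1000, LC_MIN_SIZE)
    # one .rdata section at RVA 0x1000, backed by file offset 0x200
    sec = b".rdata\0\0" + struct.pack("<IIIIIIHHI", len(lc), 0x1000, file_align,
                                        file_align, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + sec
    headers += b"\0" * (file_align - len(headers))
    return headers + (lc + b"\0" * file_align)[:file_align]


if __name__ == "__main__":
    for name, flags, seh in (("hardened.dll", DYNAMIC_BASE | NX_COMPAT, True),
                             ("legacy.dll", 0, False)):
        print(name, audit_module(build_sample_pe(flags, seh)))
```

To audit a real process, run `audit_module(open(path, "rb").read())` over every module listed in the debugger (`lm` in WinDbg) and flag any entry with `safeseh` and `aslr` both false: that is the kind of module the first answer means by "non-ASLR module", and replacing or rebuilding it with `/SAFESEH` and `/DYNAMICBASE` removes the foothold. Two caveats: `NX_COMPAT` on a DLL is only a declaration, DEP itself is a process and system policy, and 64-bit (PE32+) images do not use the SafeSEH table at all because their unwinding is table-driven, so the function deliberately refuses them.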