Exploit Development (part 14) Structured Exception Handler Over-Write

Video Activity

This lesson covers structured exception handler over writes. These are Window specific exception handlers for when the program makes an error. Construction exception handlers allow a developer to gain control of a program.

Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or

Already have an account? Sign In »

Time
14 hours 26 minutes
Difficulty
Advanced
CEU/CPE
15
Video Description

This lesson covers structured exception handler over writes. These are Window specific exception handlers for when the program makes an error. Construction exception handlers allow a developer to gain control of a program.

Video Transcription
00:04
All right, let's finish up export development by looking at a slightly different kind.
00:10
We'll exploit. We've worked with Save Return Pointer over rights for all of this module. So let's take a look at something called the structured exception handler over right. This is going to be Windows specific structure. Exception handlers for how Windows deals with errors in the program.
00:26
For when
00:27
error occurs, execution is passed through the structured exception handler, which is
00:33
basically a leap list of
00:37
eight byte structures. So we have the address or a pointer to the next link in the chain, if you will,
00:44
the next structured exception handler entry and then the
00:48
address of the structured exception handler itself. So if the 1st 1 can't process the exception that moves to the next one, the next one and so on. And finally we have the last one, which has all f's
01:00
as the address of the next one. There is no next one.
01:07
Then we're at the end, so you're probably seeing the full operating system one that being
01:12
the program has encountered in error and needs to close. But developers can, as their own structure, exception handlers that they like
01:21
So let's see how we can use structured exception handlers to get control of the program
01:26
who are again going to look at war. FTP.
01:29
So I have more FTP skill to dot pie that is included with the course as well. So it's another exploit skeleton
01:40
so very similar to what we had previously. Seven sort of 1100 days. This time we have 1200 days.
01:49
So what happens if we make our attacks during a longer on? We do need to change our i p address to your Windows X p A system.
02:00
Otherwise, this is exactly the same as our regular work TP skeleton that we did earlier
02:06
in this section
02:07
who you should be familiar with it. It is sending a long user and I am
02:13
and causing a buffer overflow conditions. Of course, in this case, we already have a safe return pointer over right That works. But you may find yourself in many situations where you only have the structured exception handler as a way of getting exploit ability or even getting a cries in the first place. So
02:31
this is definitely worth knowing her windows exploitation. So let's go ahead and say this
02:38
up over two x p and start up where STP
02:45
honey to delete my
02:47
FTP demon. Not that
02:53
sort of worth DP
02:57
hurt
03:00
munity bugger
03:01
catch to worth teepee
03:06
on DDE
03:07
play.
03:09
We should be good to go here.
03:14
All right, We've been run this,
03:16
Make it executed ble ch mom plus X
03:22
and run it
03:23
He's the same output here,
03:25
so everything looks normal.
03:28
But if we pop over here
03:30
we are crash were caused
03:34
and says we got an access violation when writing 200 b 00000 We look at the i p
03:42
valid address in Emma's V C r t. We do not have the i p control. So we crashed that
03:47
we don't have control the eyepiece. Oh, this looks pretty non explainable to may
03:53
now service in something, but it's certainly not as good as code execution.
04:00
We'll take a look at our stack here
04:02
she are razed down at the bottom. It looks like the end of our stacks Heres your a a f f f f c
04:11
so that all of f d e and s A cz well, and it looks like we're trying to write 200 b 00000 So this would basically loop around and that would be the next address on the stack if there was one. It looks like we're trying to write off the end of the stack, which is
04:29
good way to calls, an exception. So,
04:32
see, is there any hope for us at all? Well, the name of the section in structured exception handlers, So that should give you some clue.
04:42
We got a view
04:44
and as ch Chain,
04:46
look at her structure Exception handler. Change we've got are just here
04:53
and then. So the next address has also been ever written
04:57
with a CZ and then the structured exception Handler. 41 41 41 41.
05:02
So we've overwritten instruction exception Handler. So we're called. If the program crashes, it will pass execution to the structure exception handler. If we were outside of the B bugger, that would just happen automatically. But because we're in the deep bugger
05:17
were crashed and we have a chance to see what's going on here, and it says you shift F seven of eight F 9/2 the exception to the program. We want to do *** F nine
05:30
Tell it to completely passed the exception.
05:33
So you're on Mac, You don't have to function ships that time
05:39
and look what happens. Access violation. When executing 41 41 41 41
05:45
we passed the exception. And since the
05:48
exception handler was overwritten by 41 41 41 41
05:54
we once again happy I p control again. This would happen automatically outside of the d bugger. The user's not going to have to do shift at nine
06:01
to make this happen out of the d bugger. It would just be seamless. So Bones were able to create some sort of crash. We will pass controls the exception handler. So if we can gain control of it,
06:15
then we should still be able to get execution.
06:18
So that kind of puts us back in the same place where we were previously. We need to find out which age or those that are overriding this time the structured exception handler.
06:29
So we know how to deal with that. Would you, uh,
06:31
exclamation point Motta and then pattern underscore create.
06:36
This time we want 1200 days. Well, not 1200 age 1200 bytes of our pattern.
06:44
We let Mona create a pattern.
06:49
Yeah, and we want to get to
06:53
see
06:55
logs were a teepee,
06:58
and we have a new pattern
07:01
big
07:02
by the day.
07:06
All right, so let's grab our pattern
07:13
and put it into our exploit while we're here, we go ahead and restart,
07:23
but I need to get rid of my
07:26
you database file
07:44
girl again. We can restart this directly in the d bugger.
07:49
Go back to work to be killed too.
07:54
Comment out. Buffer equals a times Well 1200 thought for equal to with quotations around it are cyclic pattern.
08:05
The only change we need to make here.
08:09
Who had run it
08:11
them output Here it's good.
08:15
Get our same access violation
08:18
here. But if we look at,
08:20
yes, the H train again
08:22
once again over it. And so the corrupt injury should tell you that
08:28
that's not a valid address there. And then we have part of the pattern.
08:33
Who did your Mona find in this p
08:35
and this time of being interested in our registers in particular, we're going to be interested in what's in their structured accepting handler.
08:46
This will again Take a little bit of time. It is searching through all of memory.
08:56
All right, so let's take a look
09:01
open a 2nd 1 here.
09:03
We won't see logs for s DVD,
09:07
and then we want
09:11
are finding this p.
09:15
Well, that's huge.
09:16
And let's see what we thought at the H record Next associate real,
09:22
uh, slowed address over it and with normal pattern
09:26
offset 569 569 bites in, followed by 612 lights of secret cyclic data after the handler.
09:39
So we have
09:39
offset 569. So then we'll have four bites of the
09:46
structure. Exception handler itself. And then after that, we have 612 bytes, possibly to work with
09:54
Wow,
09:54
we can easily verify this. So we say that the also it is 569 bites. And so let's
10:01
see if that's true
10:09
Look like
10:11
since we have controlled the E V X Register,
10:16
but only 11 bites after it. As it turned out, that won't be remotely relevant because
10:22
our registers will actually get zeroed out when we passed the exception.
10:28
So just jumping to register isn't going to work here. We'll have to do
10:33
things a little bit,
10:35
were interesting, so we won't just be able to jump. To register here is always zeroed out. Let's go ahead and verify that. Offset
10:43
again, that is
10:48
CH record
10:50
offset. 569.
10:56
Let's restart.
11:22
All right, So
11:26
in comments out our buffer variable home not say buffer equals a times
11:33
569 plus B
11:37
Times four and then bumper plus equals
11:41
see Time's
11:45
1200 miners,
11:48
the lengths of butter
11:50
and saving ourselves the trouble of the arithmetic. If we don't pad this, then we won't get the exception. Remember, we are writing off the end of the stack, so we have to make sure our string is long enough to make that happen. So in some cases you may just be able to drop off the end of your string as long as you've got
12:07
so it's safe return point over right. You may be able to drop off whatever comes after.
12:13
In this case, it's very important that we have enough bites to write off the end of this stack.
12:18
Possible looses
12:20
crash that we won't pass to the structured exception handler.
12:24
All right, let's verify this
12:30
same outfit here.
12:33
Get the same access violation here, riding out the end of the stack.
12:37
Believe you r ch chain.
12:43
We have
12:43
22 42 42 42 in the NFC age or the next
12:50
structured, accepted handlers of the pointer to the next part.
12:54
And we have 43 43 43 43
12:58
Could be our 1st 3 first four seas around it
13:01
in a few age itself
13:05
So
13:07
we can pass it on your ship at nine.
13:11
And we get an access violation while executing our 1st 4 seas.
13:18
All right, so we have verified the offsets again. We do have eight bites to work with. We have in s e age and then as the age itself who actually need to put
13:28
whenever we want to be executed. Whatever memory address we want there in STH. So we need it to be
13:35
in place of those 1st 4 sees, This is going to be true every time. Structured exception Handler entries are always eight lights long in s e age. The next corner to the next one on then s ch itself
13:48
right afterwards was just how structured exception handlers work.
13:54
All right, go ahead and
13:56
to what we can do here. So again, we lost the one register we did control with all of
14:01
11 bites that we had control of it. Husband zeroed out
14:05
so we don't have control of any of our registers. We can't just jump to anything,
14:11
so we're going to have to be a little bit more sneaking.
14:16
So if we actually look in our stack here, nothing interesting at E S p. Of course, he has people for nothing interesting here,
14:24
but it is P plus eight. It looks like we have control here. And also farther down, like here is well
14:31
here,
14:33
here, in here we have our bees,
14:37
which again is an N S C H.
14:39
We have our seas,
14:45
so it looks like it's a pointer to N. S. C. H
14:50
right there. Yes, people state
14:54
So we could find a way to get to that again. This is going to be the same every time. That's what makes it exploitable is that every time when you pass the exception, you will end up with an f th at Yes, People say you know anything about exploit development. You probably heard the term pop pop read. This is what that is about
15:11
on. What we're going to do is pop this line off the stack, pop this line off the stack. We don't care where they go as long as they get burned off the stack. And yes, people ate becomes the top of the stack and then we can return to it. That will say, Execute whatever is it this memory address and the instructions at that memory address
15:31
early? Be enough, the age at the age and then
15:33
whoever comes after, whoever bees and our seas.
15:39
So can we do that?
15:41
Well, we have to find
15:45
Pop, pop, Rhett and Equivalent. Luckily, Mona could do that for us,
15:50
so we do a Mona S C H
15:54
on. We can tell it's CPB to get rid of the bad characters again. Those are zero
16:00
hero for Noah and you're a hero. D for hitting Enter and 40 for the AB symbol in the user name could have it automatically through those out.
16:12
So this is just like the jump pretty much except it's looking for this time a series of pointers.
16:18
The pop up in red and again, it doesn't matter what register the pop goes to. We just want to burn those two lines off the stack. So that gives us some more options since we can't take any registered for the pop.
16:32
All right, so we take a look at the output of S C H
16:38
waas So big,
16:41
let's make it smaller.
16:44
Yes,
16:45
12.
16:48
All right, that's more reasonable. All right, so we've got
16:52
or pop pop threats here. We just have one little problem.
16:56
Remember I mentioned safe sth well when people started actually exploding structured exception handlers,
17:03
People got the idea. Well, maybe we should make this a little bit harder and safe. Sth was born
17:10
and it actually does come into play on our when there's extra service back three. It did come
17:17
starting with believe extra service. That too.
17:19
So will you see that safe at the ages on for all of our operating system deals? It's not on for war of tp itself and its deal l
17:29
so safe if th is eventually going to record the correct location of the structured exception handlers. So when we try and overwrite them, they're not basically in the table, It says these are the valid ones that will fail.
17:42
Getting around There are other ways of getting around, say Khozh, rather than just using a model that doesn't use it.
17:49
But that's the best way,
17:52
and that's what we'll do here.
17:56
So again, war F d. P d. Itself. We ran into this previously. It has untold light in all of its pointers. It is loaded at mullahs at the beginning, so we're not going to be able to use any pointers from there who may be stuck with just this one. Mfc 42 dot dll It's the only
18:14
save that ch corner that's not going to have no bites in it.
18:18
Moon automatically take that into account it throughout all our bad characters, and also throws out anything that comes from a safe, sth compiled model who everything on this list is going to be from Ft. $42. Dll.
18:33
So I just grabbed the 1st 1 here. You don't have to worry about the red for Andi.
18:38
Probably read eight down here again with the calling convention. That's just ripping off additional lines in addition to returning.
18:48
So we saw in the previous one with war FTP it was had the return address than four bites of padding. And then he s peace, who was like there was an extra line that would be that right, for it would return. And that would also revolved the argument.
19:00
So again, that's a calling convention. That just depends really on the compiler and platform that you use what it does in terms of dealing with arguments.
19:10
So we don't worry about that at all. As long as we end up
19:14
returning to
19:15
Yes, P plus eight.
19:18
Well, pop, align, all pop another line off and in return
19:25
and most of scrap the 1st 1
19:30
And while we're here, we can restore it.
19:56
Okay,
19:59
good
20:00
away.
20:03
All right.
20:07
So remember, we put our
20:11
that's the age over, right? Right after the bees, the visa and N S C h. And at th itself was overwritten with the 1st 4 seas.
20:18
So in little Indian for Ma, we can put our corner.
20:22
That didn't work out. So
20:26
you still have a pattern.
20:36
Try that one more time. So a ch at it. Copy.
20:47
And
20:49
that it
20:51
their husband.
20:52
All right, so plus, we need to put this in little Indian format. So
20:56
see a first and 80
21:00
then
21:02
45 on. Then
21:07
we should get rid of this
21:08
look, and that's going to go into STH. So that is going to tell it to do the pop pop Brit
21:15
after
21:17
we passed the exception.
21:18
So this is kind of like jump to a register. It's just a little bit more complicated than just doing a jump for popping two things off the stack and then returning to it
21:29
to get to enough ch.
21:33
All right, you see this?
21:37
No. Well, yeah. I was running not to worry about setting a breakpoint at this point because it's going to crash first time cause anyway, so we're going to set it on the fly.
21:53
Same error.
21:56
You are a CH chain now. It is a valid address. So we do need to set a break point. What we can do is hit F two. When it's highlighted, will turn red. That means the break point is set.
22:07
So then when we pass it with ***, that mine,
22:11
we paused. Then Now it's a valid address. It won't crash.
22:15
So we see in our CPU window pop pop and then Rhett
22:22
so we'll go Thio. People ate here
22:25
and
22:29
no way
22:30
they pull it in the stack.
22:33
There's our four peas
22:36
who is still points to an S C H followed by a ch. You could already see the problem here. We've got four bites toe work with before we run into the pop Operate itself
22:47
got always nice space over here.
22:51
I think it's so there were 600 something.
22:53
Thanks.
22:56
Yes, it's 112. So 612 bytes to work with her shell code. Awesome. But we don't really have any way to get there at this point, But one thing at a time.
23:07
All right, So let's do our F sevens to do our pop pop. Brett, Let's go back to the S. P s and follow ESPN stack so we can watch these two lines be burned off.
23:18
So watch your stack as well. You have seven The pop
23:22
in the V. X. Again. We don't really care where it goes. That pops one line off ha! PVP up another line off
23:30
and then we return.
23:36
And now we're seeing a CPU window. We do have our
23:40
for bees and then we have
23:44
there.
23:45
What I was trying to turn this into our codes.
23:49
Where are
23:51
the dress of our pop pop Brett? And then we have again all that nice space for shell code that we can't use until you can get there. So what could we possibly do in terms of shell code? In Four bites?
24:03
Not very much and four bites? There is one thing we can do, and it's called a short jump on. As the name implies, it allows us to jump a short distance.
24:14
Well, we want to jump eight bites. We want to jump from here.
24:18
Here.
24:19
That seems doable in a short distance, right? Well, it needs to be able to be done in or by its. Luckily, it could be done in two. So that's good.
24:30
Let's try that.
24:33
Right. So let's restart.
24:53
All right, this is going to go in place of our own S C h
24:59
There. We need
25:00
a short jump, which the op code for that is E B and hex
25:06
and in the length to junk.
25:10
So we can get up from
25:12
the Tao as, um as well by open up
25:17
another terminal and go to user
25:21
care medicinally dash framework and tools
25:25
open up metabolism. Underscore. Sheldon R B We used this previously. We're trying to move a S p out of the way of our decoder and our other war of peopie example with safe return pointer.
25:37
So this time we want to do a
25:41
Yeah,
25:45
let's see if we want to jump from here. So that's gonna be
25:52
dollar sign, and we want to jump
25:59
eight bites.
26:02
So from the beginning of N f th we want to jump eight by its over an S e agent over sth from here,
26:10
some pay by its board.
26:12
So that is E V 06 from the end of the op code six place. So there's two bites left over. And then the four by its of S C h E v Fear of six. You'll come to just remember that you do this over and over again. If you work with structured exception handlers
26:30
and there are cases were like E. B is a bad character. Some things we have to work a little bit harder that certainly can get more complicated.
26:37
But, you know, just the basic example who just do this over and over.
26:42
All right, so that will jump us past
26:48
ch. So we need to change his B times for Toby Times too. Since we took up
26:55
two of the bites there.
26:57
That's the only change we need to make here is to add that short jump and do keep two bites of padding in. So our ch pop pop Brett will be in the right place
27:12
and run it.
27:18
Yeah, and a ch chain And said our break point with that, too.
27:23
Pass. It was shipped at nine
27:26
at seven. F seven F seven.
27:30
Now we have our short jump.
27:33
Who do? It s Devon on that
27:36
takes us right after a ch. So now we have 612 lights to work with her shell code.
27:44
Awesome. Very, very awesome. Looks like we've gotten ourselves out of the woods here
27:48
so we could just put in our shell code. Of course,
27:52
we could even just copy the shelter that we used previously. On the first
27:56
we're a CP model.
28:02
No,
28:06
you just need to make sure we have
28:07
off the right bad characters.
28:22
All right, go ahead and restart
28:26
and actually do that. Let's take war. Ftp scale that high. It's actually not there anymore. I deleted it.
28:34
Um all right, well, let's do it. Must have been home and payload window. Whose shell reverse TTP this time and they get it is in line. So we're going to use that cat. We don't want to set up a medicine ball handler.
28:48
We're have set l host equal to i p address of
28:52
Callie. Believe a 77
28:57
may check that
29:00
config. Yep. 77.
29:03
Who's left the import default to 4444
29:08
size. Think it said I have 617 by its bad characters. No,
29:15
you're a hero deed again. There is a blogger posted bulb security. That calm that shows how to find bad characters is a bit tedious. My least favorite part of exploit development, in fact, but it's worth knowing if you want to continue. So I encourage you to look at that log post
29:30
and format is pipe on.
29:51
All right. We don't have to worry about movie ESPN of the way here. Chicago and I will work just fine.
29:57
You just pee is gonna be far, far away from where we end up.
30:07
So above bucker
30:11
paste in Bob.
30:14
And we wanna put buck right after
30:17
or sth
30:19
and you make sure we keep the seas so again that will, when we did the plus equal that will automatically adjust the links. But we want to make sure that we are writing
30:30
over the end of the stack. So it calls the exception. So we do need to make sure we've had it.
30:40
Run it.
30:41
Yes, we leader
30:42
listener is gonna root.
30:45
And that cat,
30:48
L v P If it wasn proposed Leon Port 4444
30:52
We did you to reverse Shell
30:56
and come back over on DDE
31:02
past the exception again. If we're outside of the d bugger, this will automatically happen. I didn't get a break point, so it should just automatically run here.
31:10
Worshipped at nine on our running
31:14
and quick come back over.
31:15
Well, in fact, do get our shell here. So everything worked.
31:22
All right, So
31:26
what?
31:26
Open up.
31:27
No bad here
31:32
and our steps.
31:33
We still want to get a crash
31:37
and
31:37
verify offset too
31:41
well, not verify.
31:44
Find off. That too
31:47
a ch
31:49
for it.
31:51
Uh, head and he ate and link
31:56
on DDE
32:00
you Luna,
32:00
find MSP. Look for a ch
32:06
verify. Offset to enunciate
32:10
find,
32:12
huh?
32:13
Huck wretch with
32:16
Mona s C H on a person can do
32:21
so he bay
32:22
that character's
32:27
and then we want us Really The pop of red won't put it in a little Indian, of course. And then we want
32:36
sure jump
32:37
and in f g h over
32:40
FC eight. Sure, that's gonna be
32:43
you're being You're six
32:45
plus two bites of padding
32:52
shell code after
32:53
associate
32:55
and you sure
32:59
to keep the
33:00
crash. So make sure that whatever is called in the exception is always gonna happen.
33:06
Fairly common mistake to have whatever it's called in the crash
33:09
when I was going on in the shell codes or, like a reed error, trying to read to a bad address
33:15
or write about a dress and then having that
33:20
place in the attacks during be part of the shell code. So particularly with medicine boy that's going to regenerate itself every time and your polymorphic shell coat never know what you're gonna get, so you might accidentally get something that's not a bad reader, right? And then it won't crash it all.
33:35
So something to keep in mind.
33:37
So as far as we're gonna go with exploit development there, certainly much more to learn. But this is just a basic overview. We've done a lot of using medicinally using other people's exploits. I wanted to give you an idea of how these things were found and how we can write an exploit kind of put you on the road towards coming and exploit developer.
Up Next