Saturday, February 4, 2012

Buffer Overflow: Direct Return & SEH Based

In my other post we learned a little about buffer overflows. Now we will talk about two cases that arise when we exploit a buffer overflow, the Direct Return Exploit and the SEH Based Exploit, and what the difference is between the two.

- Direct Return Exploit
A direct return exploit targets a program that cannot handle an exception, that is, a condition in which the application tries to execute code outside its normal work cycle. As a result, when such an application is overflowed, the saved return address on the stack, the value that is loaded into EIP when the function returns, is directly overwritten by the rest of the data used to overflow the application.

- SEH Based Exploit
SEH (Structured Exception Handling) is a mechanism an application uses to handle an exception, i.e. an attempt to execute code outside its normal work cycle. When an exception occurs, SEH takes over execution from the application. As a result, when a program with SEH enabled is overflowed, the data used to overflow it cannot directly overwrite the EIP register, so the exploit will not work properly. But that is not the end for the hacker: an SEH based exploit is a technique for dealing with exactly this. With some improvements here and there, EIP can still be overwritten by the overflow data sent by the hacker.

A simple conclusion: a direct return exploit directly overwrites the saved return address (EIP) once the application's buffer is overflowed, while an SEH based exploit still has to get past the exception handler after the buffer overflow.
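As an added illustration (not code from the original post), here is the bug class both cases start from, in C, next to its bounded counterpart: the unsafe function is the pattern the post describes, the hardened one refuses the input before a single byte can reach the saved return address or, on Windows, the SEH records further up the stack. The buffer size and the inputs are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* The pattern the post is about: strcpy() knows nothing about the size of
 * `name`, so an input longer than 15 chars keeps writing past its end. On an
 * x86 stack the bytes just past a local buffer hold the saved frame pointer
 * and the saved return address, the value loaded into EIP when the function
 * returns (the "direct return" case). On Windows the per-thread SEH chain is
 * a linked list of records that also live on the stack, which is what the
 * overflow reaches in the "SEH based" case. Kept only for contrast. */
void greet_unsafe(const char *input)
{
    char name[NAME_LEN];
    strcpy(name, input);               /* writes strlen(input) + 1 bytes */
    printf("hello %s\n", name);
}

/* Bytes an input would write beyond a buffer of buf_len bytes (0 if it fits). */
size_t overflow_bytes(const char *input, size_t buf_len)
{
    size_t needed = strlen(input) + 1; /* include the NUL terminator */
    return needed > buf_len ? needed - buf_len : 0;
}

/* Hardened copy: 0 on success, -1 if string plus terminator would not fit. */
int copy_bounded(char *out, size_t out_len, const char *input)
{
    if (overflow_bytes(input, out_len) != 0)
        return -1;                     /* refused before touching `out` */
    memcpy(out, input, strlen(input) + 1);
    return 0;
}

/* Same stack layout as greet_unsafe, but the copy is bounded. */
int greet_safe(const char *input)
{
    char name[NAME_LEN];
    if (copy_bounded(name, sizeof name, input) != 0)
        return -1;                     /* over-long input never lands on the stack */
    printf("hello %s\n", name);
    return 0;
}

int main(void)
{   /* constructed inputs: a short name, then 40 'A's (25 bytes too many for 16) */
    const char *big = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    printf("%d %d %zu\n", greet_safe("alice"), greet_safe(big), overflow_bytes(big, NAME_LEN));
    return 0;
}
```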

"the quieter you become, the more you are able to hear.."
