Saturday, February 18, 2012

More About SEH and SafeSEH

As explained before, SEH (Structured Exception Handling) is the protection integrated on a system of a software to handle the abnormal flow of the program that can caused the program to act abnormal too (crash, hang, etc). SEH will prevent the EIP to be overwritten directly by the excess data sent by the fuzzer. SEH will fully control the memory used by the software. This protection definitely forcing hackers to develop a technique to bypass the SEH protection. When this protection can be controlled, the execution process on the CPU also can be controlled easily like in the Direct Return Exploitation.

The most popular technique to bypass this protection is using the POP, POP, RETN technique. Basically stack in the memory is a structured memory consist of 32 bit virtual file. The first POP command will take out the topmost value layer of the virtual file to the other register on the memory. And the second POP command will take out the second layer of the stack on the memory. Finally the third command, RETN will be the first layer on the stack, so the system will start the execution process from that location depend on the memory address pointed by the RETN command.

When the technique above is done smoothly, the control of the process in the CPU is in our hand and can be manipulated as we wish. The problem now is, Windows have one more protection to prevent the SEH to be manipulated by the POP, POP, RETN technique called "SafeSEH".

In windows XP SP2 and Windows Server 2003, there is a new technology to protect the SEH to be bypassed called SafeSEH. Generally, SafeSEH is only a linker that can be used at the compilation process of a program/software in Windows system. When the SafeSEH is used, the application will generate a table that contain all memory address that will be used by itself and also save the addresses of the SEH on the modules used. This means, when an exploitation that utilize the POP POP RETN command happen, the address that used to bring the SEH to the POP POP RETN address wont work because the address is not recorded in the table generated by the SafeSEH and the exploitation will failed.

In addition to the SafeSEH protection, windows xp also have another protection against the exploitation that can be integrated into its dll files. This feature called "IMAGE_DLLCHARACTERISTICS_NO_SEH". If a dll file use that feature, it will prevent the use of any address inside itself to be used as the command to bypass the SEH. An example is when the dll file have a POP POP RETN command inside.

There are some technique to bypass that protection :
1. Using modules or files that don't have SafeSEH and IMAGE_DLLCHARACTERISTICS_NO_SEH features integrated. Usually third party application library doesn't compilated with that two disturbing features.
2. Use the library that will be used to overwrite SEH from outside the application that have POP POP RETN command inside.
3. Use memory address outside HEAP memory.
4. Use an integrated handler memory that already registered.

"the quieter you become, the more you are able to hear.."


Post a Comment