Friday, February 24, 2012

PRACTICAL SEH : BIG ANT SERVER EXPLOITATION part 1

An SEH (Structured Exception Handler) exploit can be written to target a Windows host. We use the buffer overflow vulnerability in the Big Ant Server software as a detailed example of this exploit type.

Learning objectives:
Understanding the concepts of SEH, SafeSEH, bad characters, payload and exploit

 
Big Ant Server On Windows
Write a fuzzer in Python to trigger the buffer overflow.
Fuzzer1
Start the BigAnt Server, open OllyDbg, attach to the BigAntServer process and press play in OllyDbg so the process runs under the debugger. Next, run the fuzzer from BackTrack. After the fuzzer runs, the BigAnt application does not crash the way it normally does when fuzzing a non-SEH overflow.
After Fuzzing
In the picture above EIP is not overwritten, so let's look at the SEH chain via View -> SEH chain.
SEH Chain
This indicates that the application uses SEH. Next, check EIP by pressing SHIFT + F9 (which passes the exception on to the application's handler): EIP is now overwritten with 41414141.
EIP Overwrite
The stack is overwritten with the character A as well. Let's check the overflow in the memory dump: right-click the stack entry overwritten with AAAA and choose Follow in Dump. The memory dump is full of 41 41 41 41.
Stack Overflow
Dump
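To make concrete what the SEH chain view is showing, here is an added Python example (not code from the post): it walks a constructed 32-bit stack snapshot the way a debugger does, following each _EXCEPTION_REGISTRATION_RECORD (a "next" pointer followed by a handler pointer) until the 0xFFFFFFFF terminator, and flags a record whose handler no longer points into the module. STACK_BASE, MODULE_RANGE and the handler addresses are constructed sample values, and the "after overflow" snapshot reproduces the 41414141 state seen above.

```python
import struct

# Constructed sample values (not taken from the post): the address where our
# fake stack snapshot begins, and the address range we treat as the loaded
# module in which legitimate exception handlers should live.
STACK_BASE = 0x0012FF00
MODULE_RANGE = (0x00400000, 0x00480000)
CHAIN_END = 0xFFFFFFFF          # "next" value that terminates the chain
FUZZ_PATTERN = 0x41414141       # what 'AAAA' looks like as a little-endian DWORD


def build_snapshot(overflowed: bool) -> bytes:
    """Build a 64-byte stack image with two registration records.

    Record 0 is at offset 0x00, record 1 (the last one) at offset 0x20.
    With overflowed=True, the buffer that sits below record 0 has been
    overrun with 'A's, which is the state the debugger showed after fuzzing.
    """
    mem = bytearray(0x40)
    struct.pack_into("<II", mem, 0x00, STACK_BASE + 0x20, 0x00401234)  # next, handler
    struct.pack_into("<II", mem, 0x20, CHAIN_END, 0x0040ABCD)          # last record
    if overflowed:
        mem[0x00:0x08] = b"A" * 8      # both DWORDs of record 0 are now 0x41414141
    return bytes(mem)


def read_dword(mem: bytes, base: int, addr: int):
    """Read a little-endian DWORD at virtual address addr, or None if outside the snapshot."""
    off = addr - base
    if off < 0 or off + 4 > len(mem):
        return None
    return struct.unpack_from("<I", mem, off)[0]


def walk_seh_chain(mem: bytes, base: int, head: int, module_range=MODULE_RANGE, max_records=16):
    """Follow the registration chain from head and classify every record seen."""
    records = []
    addr = head
    for _ in range(max_records):
        nxt = read_dword(mem, base, addr)
        handler = read_dword(mem, base, addr + 4)
        if nxt is None or handler is None:
            # the chain pointer left the snapshot: a real debugger stops here too
            records.append({"addr": addr, "status": "unreadable"})
            break
        lo, hi = module_range
        if nxt == FUZZ_PATTERN and handler == FUZZ_PATTERN:
            status = "overwritten-by-pattern"
        elif not (lo <= handler < hi):
            status = "handler-outside-module"
        else:
            status = "ok"
        records.append({"addr": addr, "next": nxt, "handler": handler, "status": status})
        if nxt == CHAIN_END:
            break
        addr = nxt
    return records


def describe(records) -> str:
    """Render the walk in the same shape as a debugger's SEH chain window."""
    lines = []
    for r in records:
        nxt = "%08X" % r["next"] if "next" in r else "????????"
        handler = "%08X" % r["handler"] if "handler" in r else "????????"
        lines.append("%08X next=%s handler=%s %s" % (r["addr"], nxt, handler, r["status"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print("clean chain:\n" + describe(walk_seh_chain(build_snapshot(False), STACK_BASE, STACK_BASE)))
    print("after overflow:\n" + describe(walk_seh_chain(build_snapshot(True), STACK_BASE, STACK_BASE)))
```

In the overflowed snapshot the first record's handler reads 41414141, which is exactly why EIP ends up as 41414141 once the exception is passed to the program: the OS dispatches to whatever the handler field now holds. The walker then stops because the corrupted "next" pointer no longer points into readable stack memory.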
Next, view the executable modules to see which modules are loaded by the application.
Executable Module
Vbajet module


I chose vbajet.dll because this file does not have the NO_SEH image DllCharacteristics flag. For further analysis of the module you can copy it over and work with BackTrack tools like msfpescan to inspect and analyze it.
MSFPESCAN
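The DllCharacteristics check described above can be done on any module without msfpescan by reading the PE optional header directly. The following is an added Python example (not code from the post or from any of the tools it mentions): it parses the PE header, reports the DYNAMIC_BASE, NX_COMPAT and NO_SEH flags, notes whether a Load Config directory (where a SafeSEH handler table lives) is present, and classifies the module accordingly. The build_fake_pe32 helper constructs a minimal header purely so the parser can be exercised offline; on a real system you would pass it the bytes of a DLL read from disk.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification
DLL_FLAGS = {
    0x0040: "DYNAMIC_BASE",   # image can be relocated (ASLR)
    0x0100: "NX_COMPAT",      # image is DEP compatible
    0x0400: "NO_SEH",         # image declares it contains no SEH handlers
}
LOAD_CONFIG_INDEX = 10        # IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG


def parse_pe_seh_info(data: bytes) -> dict:
    """Return DllCharacteristics flags and Load Config presence for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                 # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                      # PE32
        dirs_off, count_off = opt + 96, opt + 92
    elif magic == 0x20B:                    # PE32+
        dirs_off, count_off = opt + 112, opt + 108
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    n_dirs = struct.unpack_from("<I", data, count_off)[0]
    has_load_config = False
    if n_dirs > LOAD_CONFIG_INDEX:
        rva, size = struct.unpack_from("<II", data, dirs_off + 8 * LOAD_CONFIG_INDEX)
        has_load_config = rva != 0 and size != 0
    return {
        "pe32plus": magic == 0x20B,
        "dll_characteristics": dll_chars,
        "flags": [name for bit, name in DLL_FLAGS.items() if dll_chars & bit],
        "has_load_config": has_load_config,
    }


def assess_seh(info: dict) -> str:
    """Classify how the image affects handler validation on 32-bit Windows."""
    if "NO_SEH" in info["flags"]:
        return "no-seh"          # loader refuses any handler located inside this image
    if info["has_load_config"]:
        return "load-config"     # a SafeSEH handler table may restrict handlers to a whitelist
    return "unprotected"         # neither flag nor table: nothing in the image restricts handlers


def build_fake_pe32(dll_characteristics: int, with_load_config: bool) -> bytes:
    """Constructed minimal PE32 header, just enough for the parser above (not a real module)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)   # i386, 1 section, 224-byte opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    if with_load_config:
        struct.pack_into("<II", opt, 96 + 8 * LOAD_CONFIG_INDEX, 0x3000, 0x40)  # placeholder RVA/size
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            sample = f.read()
    else:
        sample = build_fake_pe32(0x0000, False)   # mimics a module with no protections
    info = parse_pe_seh_info(sample)
    print("flags=%s load_config=%s -> %s" % (info["flags"], info["has_load_config"], assess_seh(info)))
```

From a hardening point of view this is the audit you want to run over every module an application loads: any DLL that comes back "unprotected" (no NO_SEH flag and no Load Config directory, as the post describes for vbajet.dll) should be rebuilt with /SAFESEH and /NXCOMPAT or replaced, because it weakens the protection the rest of the process gets.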
Back in OllyDbg, the next phase is to find the POP, POP, RETN sequence that is commonly used. It is used to redirect execution from the SEH handler so that we gain control of EIP. In the CPU pane (upper left), right-click and choose Search for -> Sequence of commands.
CPU
Find Sequence of commands
POP POP RETN
To be continued
