Knowledge is not an object, it’s a flow
Save the environment - don’t print this document !
If you want to show your respect for my work - donate : http://www.corelan.be:8800/index.php/donate/
http://www.corelan.be:8800 - Page 1 / 15
Peter Van Eeckhoutte's Blog
:: [Knowledge is not an object, it's a flow] ::
Exploit writing tutorial part 3 : SEH Based Exploits
Peter Van Eeckhoutte · Saturday, July 25th, 2009
In the first two parts of the exploit writing tutorial series, I discussed how a classic stack buffer overflow works and how you can build a reliable exploit by using
various techniques to jump to the shellcode. The example we used allowed us to overwrite EIP directly, and we had a fairly large buffer to host our shellcode.
On top of that, we could choose between several jump techniques to reach our goal. But not all overflows are that easy.
Today, we’ll look at another technique to go from vulnerability to exploit, by using exception handlers.
What are exception handlers ?
An exception handler is a piece of code inside an application whose purpose is to deal with an exception thrown by that application. A typical
exception handler looks like this:
try
{
    // run stuff. If an exception occurs, go to the <catch> code
}
catch
{
    // run stuff when an exception occurs
}
A quick look at the stack shows how the try and catch blocks relate to each other and where they are placed:
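As an added example (my own C model, not code from this tutorial), the following program shows what such a try block turns into on 32-bit Windows: a record of two 32-bit values placed on the function's stack frame, above its local buffers, and what an unchecked copy into one of those buffers does to it. The frame layout, the handler address 0x00401000 and the helper names are assumptions made for the illustration; the cyclic-pattern helpers mimic what Metasploit's pattern_create/pattern_offset scripts do, so the same code also demonstrates how the padding before the record is measured.

```c
/* Added example, not code from the original tutorial: a host-independent
 * model of the x86 Windows SEH chain. A function containing a try block
 * installs an EXCEPTION_REGISTRATION_RECORD on its stack frame; records are
 * linked through "next" and the head of the list lives at FS:[0]. Frame
 * layout and addresses used here are assumptions, not measured values. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SEH_END     0xFFFFFFFFu  /* "next" value of the last record */
#define APP_HANDLER 0x00401000u  /* assumed address of the app's handler */
#define BUF_SIZE    32

/* EXCEPTION_REGISTRATION_RECORD on a 32-bit stack: next at +0, handler at +4. */
typedef struct {
    uint32_t next;
    uint32_t handler;
} seh_record_t;

/* Constructed frame: overflowing buf writes into next, then into handler. Real
 * frames have other locals in between, which only shifts the offsets. */
typedef struct {
    char         buf[BUF_SIZE];
    seh_record_t rec;
} frame_t;

/* The bug: no bounds check against buf. Capped at the frame size only so the
 * model stays inside its own storage (a real overflow would keep going). */
static void vulnerable_copy(frame_t *f, const char *input, size_t len) {
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy((unsigned char *)f, input, len);   /* runs past buf into f->rec */
}

/* Installs one record (end of chain, app handler), feeds it payload_len bytes
 * of input, and returns the record the dispatcher would read on the next
 * exception. */
seh_record_t overflow_frame(const char *input, size_t payload_len) {
    frame_t f;
    memset(f.buf, 0, sizeof f.buf);
    f.rec.next = SEH_END;
    f.rec.handler = APP_HANDLER;
    vulnerable_copy(&f, input, payload_len);
    return f.rec;
}

/* Same, with a constructed input made of 'A' bytes (0x41). */
seh_record_t overflow_with_As(size_t payload_len) {
    char input[sizeof(frame_t)];
    memset(input, 'A', sizeof input);
    if (payload_len > sizeof input)
        payload_len = sizeof input;
    return overflow_frame(input, payload_len);
}

/* Metasploit-style cyclic pattern (Aa0Aa1Aa2...): every 4-byte window is
 * unique, so whatever lands in the handler field identifies its own offset. */
size_t pattern_create(char *out, size_t len) {
    size_t n = 0;
    for (char u = 'A'; u <= 'Z' && n < len; u++)
        for (char l = 'a'; l <= 'z' && n < len; l++)
            for (char d = '0'; d <= '9' && n < len; d++) {
                const char chunk[3] = { u, l, d };
                for (int i = 0; i < 3 && n < len; i++)
                    out[n++] = chunk[i];
            }
    return n;
}

/* Finds the 4 bytes of value, in the byte order they were read from memory,
 * inside the pattern; returns their offset or -1. */
long pattern_offset(const char *pat, size_t len, uint32_t value) {
    unsigned char needle[sizeof value];
    memcpy(needle, &value, sizeof needle);
    for (size_t i = 0; i + sizeof needle <= len; i++)
        if (memcmp(pat + i, needle, sizeof needle) == 0)
            return (long)i;
    return -1;
}

/* The procedure an exploit writer follows: send a pattern, read back the
 * corrupted handler, and compute how much padding precedes the SEH record. */
long find_handler_offset(void) {
    char pat[64];
    size_t n = pattern_create(pat, sizeof pat);   /* constructed input */
    seh_record_t r = overflow_frame(pat, n);
    return pattern_offset(pat, n, r.handler);
}

int main(void) {
    seh_record_t r = overflow_with_As(40);
    printf("after 40 x 'A': next=0x%08x handler=0x%08x\n",
           (unsigned)r.next, (unsigned)r.handler);
    printf("pattern puts the handler field at input offset %ld\n",
           find_handler_offset());
    return 0;
}
```

The model uses plain uint32_t fields, so it compiles and runs on a 64-bit host as well. The two facts it produces, next and handler both equal to 0x41414141 after 40 bytes and the handler field found at offset 36 of the input, are exactly what you establish against a real target in a debugger: the distance from the start of the buffer to the record, and the fact that the handler pointer is under your control when the next exception fires.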
Windows has a default SEH (Structured Exception Handler) which will catch exceptions. If Windows catches an exception, you'll see a "xxx has encountered a problem
and needs to close" popup. This is often the result of the default handler kicking in: it sits at the end of the handler chain and only runs when no application
handler has dealt with the exception. Obviously, to write stable software, you should use the development language's own exception handlers and rely on the
Windows default SEH only as a last resort. When language-level exception handlers are used, the necessary links and calls
to the exception handling code are generated in accordance with the underlying OS. (and when no exception ha