Chapter 5: Exploiting SEH


Overview

Overwriting the structured exception handler is an elegant and relatively new technique for defeating the buffer overflow protection in Windows Server 2003. It has other applications as well: for example, it is an excellent method of gaining control and suppressing the critical-error messages that would disclose the attack.

Structured Exception Handling (SEH) is the mechanism that allows an application to gain control when an emergency situation occurs (for instance, a memory access error, division by zero, or an invalid operation) and handle it on its own without involving the operating system. Unhandled exceptions result in abnormal termination of the application, usually accompanied by the familiar message stating that the program has carried out an invalid operation and will be closed.

Pointers to structured exception handlers are in most cases located on the stack, in SEH frames, and overflowing buffers can overwrite them. Overwriting SEH frames usually has two main goals: obtaining control by replacing the structured exception handler, and suppressing abnormal program termination when an exception occurs. The protection against buffer overflow built into Windows Server 2003, like most protection mechanisms of this type, operates on the basis of SEH. By trapping the structured exception handler and replacing it with a custom handler, the hacker can disable this protection, so that it is never triggered during a successful attack.
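A defender's view of the frame layout described above, as an added example (not code from the book): a portable C model that walks a simulated chain of SEH frames and reports the first sign that an overflow has overwritten one. The addresses, the sample stack contents, and the three checks are assumptions chosen for illustration, not the operating system's exact validation logic.

```c
#include <stdint.h>

#define CHAIN_END 0xFFFFFFFFu   /* next field of the outermost frame */
#define BASE      0x0012FF00u   /* constructed address of words[0] */
#define NWORDS    8u            /* size of the simulated stack in 32-bit words */
enum chain_status { CHAIN_OK, BAD_FRAME, BAD_ORDER, HANDLER_ON_STACK };

/* Constructed samples, not a real dump. Word i sits at BASE + 4*i; a frame is {next, handler}. */
static const uint32_t intact[NWORDS] = {
    0, 0,                        /* local buffer below the frame */
    0x0012FF18u, 0x00401200u,    /* inner frame at BASE+8, links to BASE+24 */
    0, 0,
    CHAIN_END, 0x00401300u,      /* outermost frame at BASE+24 */
};
/* The same stack after filler bytes ran past the buffer and over the inner frame. */
static const uint32_t smashed[NWORDS] = {
    0x41414141u, 0x41414141u, 0x41414141u, 0x41414141u,
    0, 0, CHAIN_END, 0x00401300u,
};

static int on_stack(uint32_t addr) {
    return addr >= BASE && addr - BASE < 4u * NWORDS;
}

/* Walk the frame list from head and report the first inconsistency found. */
enum chain_status check_seh_chain(const uint32_t *words, uint32_t head) {
    uint32_t frame = head;
    for (;;) {
        /* both fields of an aligned frame must lie inside the stack */
        if ((frame & 3u) || !on_stack(frame) || !on_stack(frame + 4u))
            return BAD_FRAME;
        uint32_t next = words[(frame - BASE) / 4u];
        uint32_t handler = words[(frame - BASE) / 4u + 1u];
        /* a handler address inside the stack points at data, not code */
        if (on_stack(handler))
            return HANDLER_ON_STACK;
        if (next == CHAIN_END)
            return CHAIN_OK;
        /* outer frames sit higher, so links only move up (and the walk ends) */
        if (next <= frame)
            return BAD_ORDER;
        frame = next;
    }
}

int main(void) {
    return !(check_seh_chain(intact, BASE + 8u) == CHAIN_OK &&
             check_seh_chain(smashed, BASE + 8u) == BAD_FRAME);
}
```

In the smashed sample the walk fails on the second hop, because the overwritten link field no longer holds an aligned address inside the stack.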

A promising approach, isn't it? This mechanism is worth studying in detail. SEH has had powerful potential from the start, which has only recently been realized. The techniques of obtaining control described here were the first to appear. However, the future of structured exceptions is promising. Hackers are going to invent lots of cunning tricks. No matter how sophisticated the protection mechanism might be, the hackers will find countermeasures.



Shellcoder's Programming Uncovered
ISBN: 193176946X
Year: 2003
Pages: 164
