Capturing Control

There are at least two ways of capturing control, both of which are considered in this section.

The first method consists of analyzing the vulnerable program to determine which handler will be current at the moment of overflow and where its SEH frame will be (bearing in mind that the address of the SEH frame may depend on many unpredictable circumstances, for example, the type of requests and calls that preceded the overflow). Having completed this analysis, the hacker must then work out how to overflow the buffer so as to overwrite the handler, replacing the pointer it contains with the address of the shellcode. The value of the prev field is of no importance, because the shellcode is not going to return the control it has captured at the cost of such serious efforts.

The second method consists of registering a custom SEH frame. How is it possible to register something in the system if control hasn't been captured yet? Is this a joke? No, it isn't! The pointer to the current handler is always located at the same address: in the first double word of the TIB, which resides at the address fs:[00000000h]. Thus, it is possible to overwrite it using the poke pseudofunction. The presence of the FS segment register mustn't confuse the hacker, because the entire memory allocated to the process is mapped into a unified address space. Thus, the TIB can also be reached through other segment registers, for example, through DS, which the processor uses by default. When addressing through DS, the TIB will be located at a different offset. To find it, the hacker will have to use a debugger: SoftIce, Microsoft Kernel Debugger, or any other debugger of the hacker's choice.

First, it is necessary to determine the value of the selector loaded into the FS register. In SoftIce, the CPU command does this. If SoftIce is configured correctly, all the main registers are automatically displayed in the top part of the window. Then, by viewing the global descriptor table (displayed by the GDT command), it is possible to find the corresponding base address. Under all Windows NT-family operating systems, this address is FFDFF000h for the first thread of every process. Each further thread reduces it by 1000h; in other words, the hacker obtains a series of pointers of the following form: 7FFDE000h, 7FFDD000h, 7FFDC000h, etc.

It is always useful to test your own system (what if some Windows NT-like operating system behaves differently?). The log of the debugger session is provided in Listing 5.6.

Listing 5.6: Determining the address of the pointer to the current SEH frame
    :cpu
    Processor 00 Registers ----------------------
    CS:EIP=0008:8046455B  SS:ESP=0010:8047381C
    EAX=00000000  EBX=FFDFF000  ECX=FFDFF890  EDX=00000023
    ESI=8046F870  EDI=8046F5E0  EBP=FFDFF800  EFL=00000246
    DS=0023  ES=0023  FS=0030  GS=0000
    :gdt
    Sel.  Type    Base      Limit     DPL  Attributes
    GDTbase=80036000  Limit=03FF
    0008  Code32  00000000  FFFFFFFF  0    P   RE
    0010  Data32  00000000  FFFFFFFF  0    P   RW
    001B  Code32  00000000  FFFFFFFF  3    P   RE
    0023  Data32  00000000  FFFFFFFF  3    P   RW
    0028  TSS32   80295000  000020AB  0    P   B
    0030  Data32  FFDFF000  00001FFF  0    P   RW
    003B  Data32  00000000  00000FFF  3    P   RW

Pay attention: FFDFF000h is not the address of the current SEH frame; it is the location of the pointer to the frame. The frame itself must be formed directly in the shellcode, and the pointer to it must be written to FFDFx000h (see Fig. 5.1).

Now all that remains is to carry out some invalid operation (such as division by zero). It is also possible to leave things as they are and wait until the damaged program causes an exception naturally. After this happens, the custom structured exception handler will immediately obtain control. The remainder of the attack is a matter of skill.
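The defensive counterpart of what the section describes is to verify the SEH chain before trusting it, in the spirit of the SafeSEH/SEHOP checks later versions of Windows added. The following is an added example, not code from the book: it walks a chain of prev/handler records from the head pointer (which would be read from fs:[0] on a live x86 system; here it is simply passed in, so the code runs on any platform) and flags the first record whose handler does not point into an allowed code range. The record layout, the -1 terminator, the constructed code range and the stack buffer standing in for the overflowed buffer are all assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>

/* x86 SEH registration record as described in the text: prev links to the
   next record in the chain, handler is the exception handler pointer. */
typedef struct seh_record {
    struct seh_record *prev;
    void (*handler)(void);
} seh_record;

#define SEH_END ((seh_record *)(uintptr_t)-1)   /* chain terminator (-1) */
/* Range allowed to hold handler code (a module's code section); constructed
   here, whereas a real check would enumerate the loaded modules. */
typedef struct { uintptr_t lo, hi; } code_range;

/* Walk the chain from the head pointer (fs:[0] on a live x86 system; passed in
   here) and return the index of the first record whose handler lies outside
   every allowed range, or -1 if all are valid. max_depth stops a cyclic chain. */
int validate_seh_chain(const seh_record *head, const code_range *ranges,
                       size_t nranges, int max_depth)
{
    int depth = 0;
    for (const seh_record *r = head; r != SEH_END; r = r->prev, ++depth) {
        if (r == NULL || depth >= max_depth)
            return depth;                       /* truncated or cyclic chain */
        uintptr_t h = (uintptr_t)r->handler;
        int in_code = 0;
        for (size_t i = 0; i < nranges && !in_code; ++i)
            in_code = (h >= ranges[i].lo && h < ranges[i].hi);
        if (!in_code)
            return depth;                       /* handler points outside code */
    }
    return -1;
}

static void legit_handler(void) { }             /* stands in for module code */

/* Build a two-record chain and check it. With overwrite != 0 the innermost
   handler is replaced by a pointer into a stack buffer, which is the state the
   overflow described above leaves behind. Returns -1 (clean) or the bad index. */
int demo_chain(int overwrite)
{
    unsigned char stack_buf[64] = {0};          /* constructed overflowed buffer */
    seh_record outer = { SEH_END, legit_handler };
    seh_record inner = { &outer, legit_handler };
    if (overwrite)
        inner.handler = (void (*)(void))(uintptr_t)stack_buf;
    code_range text = { (uintptr_t)legit_handler, (uintptr_t)legit_handler + 0x40 };
    return validate_seh_chain(&inner, &text, 1, 16);
}
```

A handler that resolves to the stack or heap rather than to a module's code section is exactly the symptom both attack variants above produce, which is why mitigations of this kind refuse to dispatch to it.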



Shellcoder's Programming Uncovered
ISBN: 193176946X
Year: 2003
Pages: 164