Skip to main content

Buffer Overflow Attack on Windows

Generally Exploiting In windows system is very tough,though you have to overcome various protection and bypass.In some cases you have to use Kernel Mode exploits.
And also we will show you the target machine which we will perform attack is XP,otherwise if we will try on win7,win8,win10,then we will have to cross the path where all doors are closed.hope you got my point.First we will discuss some of the protection mechanism here.
ASLR
DEP
SEH
SAFESEH
SEHOP
Control Flow Guard(CFG)
Stack Compiler Option(/GS cookie option)
EMET
Heap Isolation and many more coming.............

But before starting our exploit development process we should know some theory which is very necessary.Otherwise we are in the middle of way and we don't know the path to go around.
Windows Memory Layout
 In an X86 system, when a application starts,a process is created and virtual memory assigned.so the address space ranges from 0x00000000 to 0xFFFFFFFF which is called user-land level of OS.If the address range from 0x00000000 to 0x7fffffff,then that range is called kernel land.These lands are nothing but permission level by Rings in OS which again ranges from 0 to 3.For more details click here
PEB And TEB:
When a process is created PEB and TEB is created.
A PEB(Process Execution Block) contains all user-land parameters that associated with current process like:
Location of main executable
pointer to the loader data
pointer to the information about the heap
The PEB is closely associated with kernel mode EPROCESS data structure.it resides in the application mode address space of the process that it relates to.we can check further in windbg
 

Similarly In case of TEB(Thread Execution Block):It is the data structure which store the currently running thread.It is also called as Thread Information Block(TIB).it also starts with address of SEH.
it is also declared as undocumented  by Microsoft.
The TEB can be used to get lot more information on the process without using any API.One can set a pointer to PEB and can access IAT,process start arguments etc..
it contains list of FS:tab in which offset 30 is the PEB [FS:0x30].There are lot more we can see here
FS:18 is the address of TEB. Everything we can verify the below commands in windbg:


SEH:
SEH  is also called as structured Exceptional handling.Before discussing more about SEH,let us know about some important concept which will require during seh .
An exception is an event that occurs during the execution of program,and requires the execution of code outside of the normal flow of program.
There are two types of exception like hardware and software exception.Hardware based is generated by CPU and generally occurred due to instructions like divide by zero or an attempt to access to invalid memory.Software based exception occurs by OS.like the system can detect if an invalid parameter is used.

For handling these error Structural Exception Handling is used which can control both software and hardware based exceptions.
As we know during programm we can handle the exception by try and catch block.Similarly windows uses SEH technique to handle the exception.If windows watches any exception it will throw a custom error message "Application has encountered a problem and need to close".After that it will send the error report to OS.

SEH structure:
Now Let's explore SEH in detail that how this structure looks like.the SEH chain records are group of linkedilist.we can see below
typedef  struct _EXCEPTION_REGISTRATION_RECORD
{
struct _EXCEPTION_REGISTRATION_RECORD *Next;
PEXCEPTION_ROUTINE Handler;
}EXCEPTION_REGISTRATION_RECORD,*PEXCEPTION_REGISTRATION_RECORD;


So When a Fault occurs,operating system calls a user-
defined callback function.This function can do pretty much whatever it wants like tell the system  what it will do next in the system.
In General A Callback function looks like 
EXCEPTION_DISPOSITION
__cdcel _except_handler(
struct _EXCEPTION_RECORD *ExceptionRecord,
void * EstablisherFrame,
struct _CONTEXT *ContextRecord,
Void * DispatcherContext
);

So the question arises,how does os know where to call if a fault occurs.the answer is Exception registration record that we have already discussed in this blog at first.
Let's have a look on the each member of _except_handler_function

So the First member to the _except_handler function is pointer to EXCEPTION_RECORD is 
below:
typedef struct _EXCEPTION_RECORD
{
DWORD ExceptionCode;
DWORD ExceptionFlags;
Struct _EXCEPTION_RECORD *ExceptionRecord;
PVOID ExceptionAddress;
DWORD NumberParameters;
DWORD ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS];
}
EXCEPTION_RECORD;

The _except_handler function will check whether Exception can be handled with current exception handler or not,otherwise it will move to next registration Record

EstablisherFrame:
The Establisherframe actually is teh address of  EXCEPTION_REGISTRATION_RECORD as we have already discussed pointing to the NEXT SEH. This is very helpful for exploitation

The Third one is CONTEXT structure represents the register value for a particular thread like
typedef struct _CONTEXT
 {
     DWORD ContextFlags;
     DWORD   Dr0;
     DWORD   Dr1;
     DWORD   Dr2;
     DWORD   Dr3;
     DWORD   Dr6;
      DWORD   Dr7;
     FLOATING_SAVE_AREA FloatSave;
     DWORD   SegGs;
     DWORD   SegFs;
     DWORD   SegEs;
     DWORD   SegDs;
     DWORD   Edi;
     DWORD   Esi;
 DWORD   Ebx;
     DWORD   Edx;
     DWORD   Ecx;
     DWORD   Eax;
      DWORD   Ebp;
     DWORD   Eip;
      DWORD   SegCs;
     DWORD   EFlags;
     DWORD   Esp;
        DWORD   SegSs;
 } CONTEXT;

When the Exception occurs,it checks these register values
The last one DispatcherContext gives the various information like what type of exception occurred,where occurred
So the moral of the story is when An Exception Occurs,windows starts at the top of chain and checks the _EXCEPTION_REGISTRATION_RECORD function to check whether it can handle the error,if not it will move to next chain and so on by *NEXT .At the last of exceptional handler chain windows places 0XFFFFFFFF so that exception is properly handled and send a message like "Access Violation Error in the application"

The above pic describes everything as we have discussed earlier.for the exploitation of SEH many techniques to count which can not be discussed here.lots of Tutorials available in internet.i will post about exploitation if i have time.
for further you can follow below links
https://www.corelan.be/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/
http://www.fuzzysecurity.com/tutorials/expDev/3.html
and many more...........
Credit for this tutorials:
Microsoft
Securitysift

ASLR(Address Space Layout Randomization):


Comments

Popular posts from this blog

Intro To Malware Analsys

Hi Folks, here I will analyze a malware which is possible packed with nspack. Details are below:SHA256:5df0b1b07143c880c76d6e82253a20192981c83c3ea68bf86ffede6b17c01da4File name:5df0b1b07143c880c76d6e82253a20192981c83c3ea68bf86ffede6b17c01da4