.

[Article]-Tutorial: SEH Based Exploits and the Development Process

<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Tue May 04, 2010 10:20 am

[Article]-Tutorial: SEH Based Exploits and the Development Process

I think all of you will really like this one, a step-by-step tutorial for exploit dev. Be sure to stop by Mark Nicholls security blog, isolated-threat, that focuses on malware, shellcode and exploits. After visiting, if there's any tutorials you'd like to see from Mark, feel free to ask.

Permanent link: [Article]-Tutorial: SEH Based Exploits and the Development Process


Image


Tutorial by Mark Nicholls AKA n1p

The intent of this exploit tutorial is to educate the reader on the use and understanding of vulnerabilities and exploit development. This will hopefully enable readers to gain a better understanding of the use of exploitation tools and what goes on underneath to more accurately assess the risk of discovered vulnerabilities in a computer environment. It is important for security consultants and ethical hackers to understand how buffer overflows actually work, as having such knowledge will improve penetration testing capabilities. It will also give you the tools to more accurately assess the risk of vulnerabilities and develop effective countermeasures for exploits doing the rounds in the wild.

With this in, I am going to focus exclusively on the practical skills needed to exploit Structured Exception Handler buffer overflows. I won't go into too much detail regarding the theory of how they work, or how buffer overflows can be discovered. There are many other resources available on this subject, and I encourage you to research this further

Warning! Please note that this tutorial is intended for educational purposes only, and skills gained here should NOT be used to attack any system for which you don't have permission to access. It is illegal.



Let us know what you think,
Don
CISSP, MCSE, CSTA, Security+ SME
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Tue May 04, 2010 11:00 am

Re: [Article]-Tutorial: SEH Based Exploits and the Development Process

Will have to give it a good read-over.  Thanks, don!
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

zeroflaw

User avatar

Full Member
Full Member

Posts: 208

Joined: Fri Feb 12, 2010 10:41 am

Location: Holland, Den Helder

Post Tue May 04, 2010 11:12 am

Re: [Article]-Tutorial: SEH Based Exploits and the Development Process

Very nice, I will definitely try this soon. Thanks!
ZF
<<

n1p

Jr. Member
Jr. Member

Posts: 89

Joined: Tue Mar 16, 2010 5:31 pm

Post Tue May 04, 2010 1:38 pm

Re: [Article]-Tutorial: SEH Based Exploits and the Development Process

Cheers for that. Any questions just shout!
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Tue May 04, 2010 3:04 pm

Re: [Article]-Tutorial: SEH Based Exploits and the Development Process

n1p, that's a fantastic read!  I skimmed through it once already, and plan to go back and read it again a few times.  The links at the end are priceless on their own.  Thanks!
~~~~~~~~~~~~~~
Ketchup
<<

n1p

Jr. Member
Jr. Member

Posts: 89

Joined: Tue Mar 16, 2010 5:31 pm

Post Tue May 04, 2010 3:21 pm

Re: [Article]-Tutorial: SEH Based Exploits and the Development Process

Thanks! That is no problem. I might try make it a monthly thing, so if you have any suggestions let me know.
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Tue May 04, 2010 3:30 pm

Re: [Article]-Tutorial: SEH Based Exploits and the Development Process

You could write a tutorial on heap-based overflows.  I haven't touched those at all, and would love to learn more. 

You could also go into fuzzing a bit.  For example, what do you watch for when looking for off by one or format string vulnerabilities?
~~~~~~~~~~~~~~
Ketchup
<<

Anquilas

User avatar

Full Member
Full Member

Posts: 169

Joined: Fri Mar 19, 2010 7:50 am

Location: Belgium

Post Wed May 05, 2010 2:55 am

Re: [Article]-Tutorial: SEH Based Exploits and the Development Process

N1p: I'm starting the think you're going to be my guide to knowledge, with all your tutorials.
Thanks a lot for this m8!
Twitter: https://twitter.com/dietervds
Blog: https://synquell.wordpress.com (not much there yet)

The beginning of knowledge is the discovery of something we do not understand.
<<

Xen

User avatar

Sr. Member
Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Wed May 05, 2010 5:55 am

Re: [Article]-Tutorial: SEH Based Exploits and the Development Process

The article was very informative. I do not have any experience with exploit development but even then was able to understand it  :)
Looking forward to more stuff from you.

@ketchup perhaps this will be a good starting point  ;)
Last edited by Xen on Wed May 05, 2010 6:00 am, edited 1 time in total.
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Wed May 05, 2010 6:58 am

Re: [Article]-Tutorial: SEH Based Exploits and the Development Process

Equix3n, lol, I knew that sounded familiar. 
~~~~~~~~~~~~~~
Ketchup
<<

sil

User avatar

Hero Member
Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Fri May 07, 2010 10:25 am

Re: [Article]-Tutorial: SEH Based Exploits and the Development Process

n1p wrote:Thanks! That is no problem. I might try make it a monthly thing, so if you have any suggestions let me know.


Article was cool. Corelan (since you linked it) has some very thorough works as does OpenRCE. I'd personally like to see more 'weaponization' articles, e.g. ActiveX anyone. It's surprising I didn't see mention of WinDBG in your article. pusscat has a wicked module (byakugan) that allows you to perform all sorts of stuff: (quoting) Real Time Heap Visualization, Buffer Identification and Hunting, Return Address Hunting...

There are a lot of interesting and cool write-ups (yours included) lurking around, I wish I could find more WinDBG based content though. Olly is fine, Immunity - latest version is buggy - but nevertheless good. I find that WinDBG is a lot more powerful for windows debugging. I've just begun tinkering with Klockwork (Architect, etc.) and I'm definitely impressed and at times confused by a lot of it. I would have made mention in your article to those reading it, they may want to take a brief drive-by of Assembly programming and understand a little more about registers. E.g., you can manipulate other registers to eventually get control of EIP. You don't necessarily have to specifically target it outright.
<<

n1p

Jr. Member
Jr. Member

Posts: 89

Joined: Tue Mar 16, 2010 5:31 pm

Post Sat May 08, 2010 5:46 am

Re: [Article]-Tutorial: SEH Based Exploits and the Development Process

Sil,

You certainly make some good points! Windbg is awesome and is covered greatly over at corelan, however to some people it can be entirely overwhelming when they start out learning about RE. It has quite a steep learning curve when compared with olly/immunity. Not to mention the interface!

You are right about the lack of docs on using it, so may be a useful addition to tuts.

Cheers
<<

UNIX

User avatar

Hero Member
Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Fri Jun 18, 2010 2:21 am

Re: [Article]-Tutorial: SEH Based Exploits and the Development Process

Thanks for your efforts n1p, really liked your article. ;)

Return to /root

Who is online

Users browsing this forum: No registered users and 0 guests

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software