Structured Exception Handler Based Stack Overflow

The document discusses how structured exception handling (SEH) works in Windows and how it can be bypassed to execute shellcode. When an exception occurs, the application goes to the current SEH record and executes the handler. By overwriting the SEH handler, the pointer can be changed to point to shellcode instead. The last steps involve using POP, POP, and RET operations to remove stack entries and transfer execution to the overwritten SEH record, which points to the shellcode.

Structured Exception Handler Based Stack Overflow

SEH Based (cont.)
• Windows supplies a default exception handler for when an application has no exception handler applicable to the associated error condition.
• When the Windows default exception handler is called, the application will close and an error message similar to the one in the image below will be displayed (image not included in this extract).
SEH Based (cont.)
• When an exception occurs, the application will go to the current SEH record and execute the handler.
• As such, when we overwrite the handler, we need to put a pointer to something that will take us to our shellcode.
Final Steps of Bypassing SEH and Executing Shellcode

• The last step of exploiting and bypassing SEH protection is the use of a POP, POP, RET instruction sequence.
• The two POP operations remove the top two entries of the stack.
• The RET then takes the address now on top of the stack and executes the instructions at that address.
• That address is the address of the overwritten next SEH field, which is placed in EIP for execution.

Payload layout:

Junk = A*780
Overwritten next SEH
Overwritten SEH handler -> address of a POP EDI / POP EBP / RET sequence
NOP sled
Shellcode
Junk
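Added here as an illustration, not part of the slide deck: a small C model of the mechanism the slides describe, seen from the defender's side. It places a fixed-size buffer directly below a two-field SEH registration record, shows that an unbounded copy reaches the record's next and handler fields while a length-checked copy does not, and applies a SafeSEH-style check that only honours handler addresses present in a table of registered handlers. The record layout follows the 32-bit EXCEPTION_REGISTRATION_RECORD (next pointer first, handler second); the frame, the addresses and the handler table are constructed placeholders, not values from any real binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One SEH registration record as it sits on the x86 stack: the pointer to
 * the next record first, the handler pointer second. uintptr_t is used so
 * the model compiles on any host rather than only on 32-bit Windows. */
typedef struct {
    uintptr_t next;     /* "next SEH": the first field an overflow reaches */
    uintptr_t handler;  /* "SEH handler": reached right after it */
} seh_record_t;

/* Constructed frame: a fixed buffer directly below the current SEH record,
 * so a copy that runs past the buffer writes into the record. */
typedef struct {
    char buffer[64];
    seh_record_t record;
} frame_t;

/* Placeholder addresses for the model (not real code locations). */
#define ORIGINAL_NEXT    ((uintptr_t)0x00401000u)
#define ORIGINAL_HANDLER ((uintptr_t)0x00401230u)

/* SafeSEH-style table: the handlers this "module" registered at link time.
 * Contents constructed for the model. */
static const uintptr_t registered_handlers[] = {
    ORIGINAL_HANDLER,
    (uintptr_t)0x00401400u,
};

static void frame_init(frame_t *f) {
    memset(f->buffer, 0, sizeof f->buffer);
    f->record.next = ORIGINAL_NEXT;
    f->record.handler = ORIGINAL_HANDLER;
}

/* The defect: copies len bytes with no check against the buffer size.
 * Writing through a pointer to the whole frame keeps the model well-defined;
 * the clamp only keeps the model itself inside the frame object. */
static void copy_unchecked(frame_t *f, const unsigned char *src, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy(f, src, len);
}

/* The fix: reject input that does not fit, so the record is never touched. */
static int copy_checked(frame_t *f, const unsigned char *src, size_t len) {
    if (len > sizeof f->buffer) return -1;
    memcpy(f->buffer, src, len);
    return 0;
}

/* 1 if either field of the record no longer holds its original value. */
static int record_corrupted(const frame_t *f) {
    return f->record.next != ORIGINAL_NEXT || f->record.handler != ORIGINAL_HANDLER;
}

/* SafeSEH-style validation: dispatch only to a registered handler. */
int handler_is_registered(uintptr_t handler) {
    size_t n = sizeof registered_handlers / sizeof registered_handlers[0];
    for (size_t i = 0; i < n; i++)
        if (registered_handlers[i] == handler) return 1;
    return 0;
}

/* Feeds len bytes of 'A' (constructed input) through the unchecked copy and
 * reports whether the SEH record was corrupted. */
int unchecked_copy_corrupts(size_t len) {
    frame_t f; unsigned char input[sizeof(frame_t)];
    memset(input, 'A', sizeof input);
    frame_init(&f);
    copy_unchecked(&f, input, len);
    return record_corrupted(&f);
}

/* The same input through the length-checked copy. */
int checked_copy_corrupts(size_t len) {
    frame_t f; unsigned char input[sizeof(frame_t)];
    memset(input, 'A', sizeof input);
    frame_init(&f);
    (void)copy_checked(&f, input, len);
    return record_corrupted(&f);
}

/* After an overflow the handler field holds input bytes; a SafeSEH-style
 * check refuses to dispatch to it. Returns 1 when the handler is rejected. */
int overflowed_handler_rejected(void) {
    frame_t f; unsigned char input[sizeof(frame_t)];
    memset(input, 'A', sizeof input);
    frame_init(&f);
    copy_unchecked(&f, input, sizeof input);
    return !handler_is_registered(f.record.handler);
}

int main(void) {
    printf("unchecked copy of %zu bytes corrupts record: %d\n",
           sizeof(frame_t), unchecked_copy_corrupts(sizeof(frame_t)));
    printf("checked copy of the same length corrupts record: %d\n",
           checked_copy_corrupts(sizeof(frame_t)));
    printf("original handler registered: %d\n", handler_is_registered(ORIGINAL_HANDLER));
    printf("overflowed handler rejected: %d\n", overflowed_handler_rejected());
    return 0;
}
```

The model makes the two defensive points explicit: the record is reachable only because the copy is unbounded, and a handler value that is not in the module's registered table is detectable before it is ever dispatched to.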
