Windows Exploitation: SEH based overflow

Exploiting SEH-based buffer overflows with Metasploit

Background

Exception handlers are code modules that catch exceptions and errors generated during the execution of a program, which lets the program continue running instead of crashing. Windows has default exception handlers, and we generally see them when an application crashes and shows a pop-up that says “XYZ program has encountered an error and needs to close”. When the program raises an exception, the address of the handler's catch code is read from its registration record on the stack and called. If we somehow manage to overwrite that handler address on the stack, we gain control of the application. Let’s see how things are arranged on the stack when an application is implemented with exception handlers:
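To make the layout concrete from the defender's side, here is an added C simulation (not code from the page or from the exercise) of the 32-bit SEH registration record and of the SafeSEH-style check that a loader can apply before dispatching to a handler: every record must live on the stack, the chain must walk upward and terminate, and every handler must appear in the image's registered-handler table. The stack bounds, the registered handler addresses and the record contents are constructed values for this example; the corrupted record holds the Unicode expansion of 'A' (0x00410041), which is the kind of content the crash described later on this page leaves in both SEH fields.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simulated 32-bit SEH registration record, in the order it sits on the x86 stack:
 * first the pointer to the next record ("nSEH"), then the handler address ("SEH"). */
typedef struct {
    uint32_t next;     /* address of the next record; 0xFFFFFFFF ends the chain */
    uint32_t handler;  /* address of the exception handler to call */
} seh_record_t;

/* A record together with the simulated stack address it was placed at. */
typedef struct {
    uint32_t addr;
    seh_record_t rec;
} placed_record_t;

/* Assumed memory map for the simulation (constructed, not taken from the page). */
#define STACK_LO  0x0012F000u
#define STACK_HI  0x00130000u
#define CHAIN_END 0xFFFFFFFFu

/* Handlers the image registered at link time, as a SafeSEH table would list them. */
static const uint32_t registered_handlers[] = { 0x00401500u, 0x00402A80u };

static int handler_is_registered(uint32_t addr)
{
    for (size_t i = 0; i < sizeof registered_handlers / sizeof registered_handlers[0]; i++)
        if (registered_handlers[i] == addr)
            return 1;
    return 0;
}

static const placed_record_t *find_record(const placed_record_t *recs, size_t n, uint32_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (recs[i].addr == addr)
            return &recs[i];
    return NULL;
}

/* Returns 1 if the chain starting at `head` is safe to dispatch through:
 * each record is on the stack and 4-byte aligned, each handler is registered,
 * the chain only moves toward higher addresses and terminates. Returns 0 otherwise. */
int seh_chain_is_valid(const placed_record_t *recs, size_t n, uint32_t head)
{
    uint32_t cur = head;
    size_t hops = 0;

    while (cur != CHAIN_END) {
        /* The record itself must lie inside the thread's stack. */
        if (cur < STACK_LO || cur + sizeof(seh_record_t) > STACK_HI || (cur & 3u))
            return 0;
        const placed_record_t *r = find_record(recs, n, cur);
        if (r == NULL)
            return 0;
        /* SafeSEH: refuse any handler the image did not register (a stack or
         * heap address, or the 0x00410041 left by a Unicode overflow, fails here). */
        if (!handler_is_registered(r->rec.handler))
            return 0;
        /* Frames are pushed downward, so the next record must be higher up. */
        if (r->rec.next != CHAIN_END && r->rec.next <= cur)
            return 0;
        cur = r->rec.next;
        if (++hops > n)   /* guard against a loop in a corrupted chain */
            return 0;
    }
    return 1;
}

/* Constructed intact chain: two frames, both handlers registered. */
int intact_chain_check(void)
{
    placed_record_t recs[] = {
        { 0x0012FF20u, { 0x0012FFB0u, 0x00402A80u } },
        { 0x0012FFB0u, { CHAIN_END,   0x00401500u } },
    };
    return seh_chain_is_valid(recs, 2, 0x0012FF20u);
}

/* Constructed corrupted chain: the innermost record was overwritten with the
 * Unicode expansion of 'A' in both fields, so the handler is unregistered. */
int corrupted_chain_check(void)
{
    placed_record_t recs[] = {
        { 0x0012FF20u, { 0x00410041u, 0x00410041u } },
        { 0x0012FFB0u, { CHAIN_END,   0x00401500u } },
    };
    return seh_chain_is_valid(recs, 2, 0x0012FF20u);
}

int main(void)
{
    printf("intact chain valid:    %d\n", intact_chain_check());
    printf("corrupted chain valid: %d\n", corrupted_chain_check());
    return 0;
}
```

The check is the reason an SEH overwrite only pays off against modules built without SafeSEH: once the handler field no longer matches a registered entry, the dispatcher in this simulation refuses the whole chain instead of calling into attacker-controlled data.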

Exercise

Exploit a buffer overflow vulnerability in AIMP2 Audio Converter 2.51 build 330.

Guidelines

1. Find the actual vulnerability using the PoC below:

After generating the malicious playlist.pls and attempting to play it using AIMP2c.exe, the application will crash. The SEH chain was overwritten. Both SEH and nSEH contain 0x4100, indicating a Unicode-based exploit.

2. With the vulnerability confirmed, it is now time to figure out the offset at which the SEH structure gets overwritten. Using mona.py, generate a 5000-byte pattern and modify the PoC.

3. You should be able to get a calculator popup after attempting to play ‘playlist.pls’ generated by the exploit.

Quality Expectations

This exercise requires a screen recording video submission. Make sure that your recording is clean and meets quality expectations.
