SEH Handler Study

2018. 1. 9. 16:57 | 0x04 pwnable / Windows application vulnerability analysis


SafeSEH: SafeSEH blocks SEH-based attack attempts at run time.

The /SAFESEH compiler switch can be applied to every executable module.

Instead of protecting the stack, it protects the exception handler frame chain: if the SEH chain has been tampered with, the application terminates instead of jumping to the corrupted handler. SafeSEH checks the exception handling chain for tampering before control is transferred to the actual handler.

 

This can also be seen as a bug bounty tip.

If the vulnerable application was not compiled with SafeSEH, or at least one of the loaded modules was not compiled with SafeSEH, take a POP/POP/RET address from that module or from one of the application's DLL files.

 

Gadgets: pop pop ret, call ebp+0x30

 

 

!mona mod 

 

mona shows whether each protection mechanism is present or not.

 

SEH stack layout

 

ESP + 0x8 : POP POP RET

 

CALL EBP + 0x30 

 

Why use these?

When an exception occurs, the handler is found by walking into the SEH structure.

Look carefully at the SEH chain.

 

 

call and jmp instructions use at least 5 bytes.

CALL and JMP use absolute addresses,

whereas SHORT JMP uses a relative address; its opcode is \xEB.

\xEB 00~7F (positive): JMP forward in the stack
\xEB 80~FF (negative): JMP backward in the stack
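As an added example (not from the original post), here is the two-byte short jump the notes describe, encoded and decoded with the 00~7F forward / 80~FF backward rule; the addresses, the byte string and the helper names are constructed for the example.

```python
# Added example, not from the original post: encoding and decoding of the
# two-byte short jump (opcode EB + rel8) described above, applying the rule
# 00~7F = forward, 80~FF = backward. All addresses and bytes are constructed.
import struct

SHORT_JMP = 0xEB
JMP_LEN = 2  # opcode + rel8; the displacement is relative to the end of the jmp


def encode_short_jmp(at, target):
    """Return the two bytes for `jmp short target` placed at address `at`.

    Raises ValueError when the displacement does not fit in a signed byte,
    which is exactly the case where a 5-byte near jmp would be needed.
    """
    rel = target - (at + JMP_LEN)
    if not -128 <= rel <= 127:
        raise ValueError(f"displacement {rel} does not fit in rel8")
    return bytes([SHORT_JMP]) + struct.pack("<b", rel)


def decode_short_jmp(code, at):
    """Return (target, direction) for the EB xx at `code`, located at `at`."""
    if len(code) < JMP_LEN or code[0] != SHORT_JMP:
        raise ValueError("not a short jmp")
    rel = struct.unpack("<b", code[1:2])[0]  # 00..7F -> 0..127, 80..FF -> -128..-1
    direction = "forward" if rel >= 0 else "backward"
    return (at + JMP_LEN + rel) & 0xFFFFFFFF, direction


def find_short_jmps(code, base):
    """List (address, target, direction) for every EB xx in `code` loaded at `base`.

    This is a linear byte scan, so an EB inside another instruction or in data
    also matches; treat the hits as candidates to confirm in a disassembler.
    """
    hits = []
    for i in range(len(code) - 1):
        if code[i] == SHORT_JMP:
            hits.append((base + i,) + decode_short_jmp(code[i:i + 2], base + i))
    return hits


# Constructed byte string: nop, jmp short +2, nop, nop, ret
SAMPLE_CODE = bytes([0x90, 0xEB, 0x02, 0x90, 0x90, 0xC3])
```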

 

There are 3 ways to bypass SafeSEH.

1. If any module loaded by the program does not have SafeSEH applied, the exception handler is called.
2. If the exception handler address has been overwritten with a heap address, the exception handler is called.
3. If the exception handler address points into a memory region that is not a module loaded by the program, the exception handler is called.

 

call dword ptr [esp+n]

jmp dword ptr [esp+n]

call dword ptr [ebp+n]

jmp dword ptr [ebp+n]

call dword ptr [ebp-n]

jmp dword ptr [ebp-n]

call dword ptr [esp-n]

jmp dword ptr [esp-n]

esp-16, esp+8, esp+16, esp+1c, esp+2c, esp+32, esp+40 etc

ebp-18 

 

 

MP3CDConverter

 

In OllyDbg, press Ctrl+S to search for the gadgets.

 

Gadgets

# R32 means any 32-bit register is fine: EAX, ECX, EBX, EDX, ESP, EBP, ESI or EDI.

POP R32

POP R32

RET

 

 

 

How to find CALL EBP+0x30

Search for call dword ptr ss:[ebp+0x30]

Ctrl+B (Binary) -> FF 55 30

 

Immunity Debugger - mona.py

After attaching to the target binary, run !mona seh and check the log data; the usable entries are printed there.

To see everything precisely, open seh.txt in the Immunity Debugger directory.

There are too many.

 


 

 

Caution when using one: SafeSEH must be False.

 

0x0040793f : pop edi # pop esi # ret 0x04 | startnull,asciiprint,ascii {PAGE_EXECUTE_READ} [MP3CDConverterPro.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v5.0.3.0 (C:\Program Files\MP3 CD Converter Professional\MP3CDConverterPro.exe)

We will use this one.
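As an added example (not from the original post and not part of mona.py), this parser reads the `!mona seh` result-line format quoted above and summarises, per module, which protections the debugger reported, so the modules still lacking SafeSEH can be listed for rebuilding; only the first sample line is from the post, the other lines, module names and paths are constructed.

```python
# Added example, not from the original post or from mona.py: a parser for the
# `!mona seh` log line format quoted above, used to report which loaded modules
# the debugger saw without SafeSEH (and how ASLR/Rebase were reported). The first
# sample line is from the post; example_plugin.dll and protected.dll are constructed.
import re

MONA_LINE = re.compile(
    r"^(?P<addr>0x[0-9a-fA-F]+)\s*:\s*(?P<gadget>.*?)\s*\|\s*(?P<tags>\S*)\s*"
    r"\{(?P<prot>\w+)\}\s*\[(?P<module>[^\]]+)\]\s*"
    r"ASLR:\s*(?P<aslr>\w+),\s*Rebase:\s*(?P<rebase>\w+),\s*"
    r"SafeSEH:\s*(?P<safeseh>\w+),\s*OS:\s*(?P<os>\w+),\s*(?P<version>\S+)\s*"
    r"\((?P<path>.*)\)\s*$"
)


def parse_mona_line(line):
    """Return a dict for one `!mona seh` result line, or None if it is not one."""
    m = MONA_LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["addr"] = int(d["addr"], 16)
    d["tags"] = [] if d["tags"] in ("", "null") else d["tags"].split(",")
    for key in ("aslr", "rebase", "safeseh", "os"):
        d[key] = d[key].lower() == "true"  # mona prints True/False
    return d


def module_protections(lines):
    """Summarise per module the flags mona printed and how many entries it had."""
    summary = {}
    for line in lines:
        e = parse_mona_line(line)
        if e is None:
            continue  # skip banner/progress lines mixed into the log
        s = summary.setdefault(e["module"], {"aslr": e["aslr"], "rebase": e["rebase"],
                                             "safeseh": e["safeseh"], "entries": 0})
        s["entries"] += 1
    return summary


def modules_missing_safeseh(lines):
    """Modules reported without SafeSEH, i.e. candidates for a /SAFESEH rebuild."""
    return sorted(name for name, s in module_protections(lines).items() if not s["safeseh"])


SAMPLE_LOG = [
    # From the post (MP3CDConverterPro.exe, SafeSEH: False)
    r"0x0040793f : pop edi # pop esi # ret 0x04 | startnull,asciiprint,ascii {PAGE_EXECUTE_READ} [MP3CDConverterPro.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v5.0.3.0 (C:\Program Files\MP3 CD Converter Professional\MP3CDConverterPro.exe)",
    # Constructed: a second module without SafeSEH; mona reports no tags as "null"
    r"0x10001000 : pop ebx # pop ebp # ret | null {PAGE_EXECUTE_READ} [example_plugin.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.0 (C:\constructed\example_plugin.dll)",
    # Constructed: a module already built with SafeSEH and ASLR
    r"0x7c801234 : pop ebx # pop ebp # ret | null {PAGE_EXECUTE_READ} [protected.dll] ASLR: True, Rebase: False, SafeSEH: True, OS: True, v1.0.0.0 (C:\constructed\protected.dll)",
    "some unrelated log text that is not a result line",
]
```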

 

What I learned

Because of GS, the classic attack that overwrites the saved RET is no longer possible.
The SEH structure lives on the stack, so it can be targeted.
Since SafeSEH is registered, the bypass is to execute pop/pop/ret or call ebp+0x30.
How to collect those gadgets (pop/pop/ret, call ebp+0x30).
Short JMP machine code -> relative address
Relative offset 00~7F (up the stack)
Relative offset 80~FF (down the stack)

 

 

Let's open the INT3 program made earlier and look at the SEH handler.

First, because the program has an INT3 in it, EIP sits at the next address, 00401040. (Shift+F9)

The stack looks like this:

0012FF68   0012FFB0  Pointer to next SEH record
0012FF6C   00401785  SE handler

Reading the stack: 0012FF6C holds the SE handler and 0012FF68 holds the pointer to the next SEH record.

Now, recalling the SafeSEH bypass learned earlier, it becomes:

pop / pop / ret -> pop r32 pop r32 ret -> esp+0x8
call dword ptr ss:[ebp+0x30]
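As an added example (not from the original post), the following models the handler check SafeSEH performs before dispatching, following the three cases listed earlier, and walks an SEH chain laid out like the stack dump above (next pointer at the record address, handler 4 bytes after it). Module bases and sizes, safe.dll and the second record are constructed; 0012FF68, 0012FFB0, 00401785 and the other module names come from the post.

```python
# Added example, not from the original post: a model of the handler check
# SafeSEH performs before dispatching, walked over an SEH chain laid out like
# the stack dump above. Module bases/sizes, safe.dll and the record at
# 0x0012FFB0 are constructed; the other addresses and names are from the post.
from dataclasses import dataclass, field

END_OF_CHAIN = 0xFFFFFFFF  # "next" pointer value that terminates the list


@dataclass
class Module:
    name: str
    base: int
    size: int
    safeseh: bool
    handler_rvas: frozenset = field(default_factory=frozenset)  # SafeSEH table


def is_valid_handler(handler, modules):
    """Return (allowed, reason) following the three cases listed in the post."""
    for m in modules:
        if m.base <= handler < m.base + m.size:
            if not m.safeseh:
                return True, f"{m.name} built without /SAFESEH (case 1)"
            if handler - m.base in m.handler_rvas:
                return True, f"{m.name} registered handler"
            return False, f"{m.name} is SafeSEH and handler not in its table"
    # Heap or any other memory not backed by a loaded module (cases 2 and 3).
    return True, "address outside every loaded module (case 2/3)"


def walk_seh_chain(stack, head, modules, limit=64):
    """Follow next-record pointers from `head`; `stack` maps address -> dword.

    A record is [next pointer][handler], as in the dump: 0x0012FF68 holds next,
    0x0012FF6C the handler. Stops at END_OF_CHAIN, on a loop, on an unreadable
    address or after `limit` records, so a corrupted chain cannot spin forever.
    """
    seen, result, cur = set(), [], head
    while cur != END_OF_CHAIN and cur not in seen and len(result) < limit:
        seen.add(cur)
        if cur not in stack or cur + 4 not in stack:
            result.append((cur, None, False, "record not readable"))
            break
        nxt, handler = stack[cur], stack[cur + 4]
        ok, why = is_valid_handler(handler, modules)
        result.append((cur, handler, ok, why))
        cur = nxt
    return result


MODULES = [  # constructed module table
    Module("MP3CDConverterPro.exe", 0x00400000, 0x00080000, safeseh=False),
    Module("id3lib.dll", 0x10000000, 0x00020000, safeseh=False),
    Module("safe.dll", 0x7C800000, 0x00100000, safeseh=True,
           handler_rvas=frozenset({0x1234})),
]
STACK = {  # the post's record, then one constructed terminating record
    0x0012FF68: 0x0012FFB0, 0x0012FF6C: 0x00401785,
    0x0012FFB0: END_OF_CHAIN, 0x0012FFB4: 0x7C801234,
}
```

Running `walk_seh_chain(STACK, 0x0012FF68, MODULES)` returns one tuple per record with the handler and whether the modelled check would let it run; a handler inside safe.dll that is not in its table is the only case reported as blocked.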

 

 
