
Windows Exploitation - Structured Exception Handler Overflow

Introduction

Structured Exception Handling (SEH) is a mechanism used by Windows C++ applications to catch exceptions that occur while the program is running. Other high-level languages like Python, Java, C#, Rust, and Go also utilize exception handling ___.

I was first introduced to SEH overflows during my time in Offensive Security’s OSED certification training.

In modern 64-bit Windows systems, the function's SEH is stored in a table __, as opposed to being on the stack.

Mitigations

The mitigations mostly boil down to compiler-level measures. For example, in modern 64-bit Windows systems, the structured exception handlers are stored in a predetermined table generated by the compiler (far away from the stack), as opposed to being on the stack as in 32-bit systems.

  1. SafeSEH - a compiler security measure that implements SEH validation
  2. Stack Canaries - not a full mitigation, but can make SEH overflows considerably harder
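To show what the SafeSEH check in item 1 (together with the dispatcher's stack-bounds checks) actually guards against, here is an added example written for this post; it is not the author's code and not the real ntdll logic, but a simplified model of a 32-bit SEH chain. The stack range, module base, handler addresses and SafeSEH table contents are all constructed values, and `run_scenario` lets you swap in the handler field of the innermost record, which is the field an SEH overflow overwrites.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
typedef uint32_t va32_t;            /* 32-bit virtual address in the modelled process */
#define CHAIN_END 0xFFFFFFFFu       /* Next value that terminates the SEH chain */
/* One _EXCEPTION_REGISTRATION_RECORD as it sits on the x86 stack. */
typedef struct { va32_t next, handler; } seh_record_t;
/* Constructed thread stack: bytes[] backs the address range [limit, base). */
typedef struct { uint8_t *bytes; va32_t limit, base; } stack_t;
/* Constructed loaded image; `safe` is its SafeSEH table of registered handler VAs. */
typedef struct { va32_t base, size; const va32_t *safe; size_t n_safe; } module_t;

/* Model rule: a handler is accepted only if it lies inside the module and is in its table. */
static bool handler_is_safe(const module_t *m, va32_t h) {
    if (h < m->base || h - m->base >= m->size || !m->safe) return false;
    for (size_t i = 0; i < m->n_safe; i++) if (m->safe[i] == h) return true;
    return false;
}
/* A record must be DWORD-aligned and lie entirely within the stack bounds. */
static bool read_record(const stack_t *s, va32_t addr, seh_record_t *out) {
    if ((addr & 3) || addr < s->limit || addr > s->base - sizeof *out) return false;
    memcpy(out, s->bytes + (addr - s->limit), sizeof *out);
    return true;
}
/* Walks the chain from `head`: returns the number of records that pass every check,
 * or -1 at the first record the modelled dispatcher would refuse to use. */
int validate_chain(const stack_t *s, va32_t head, const module_t *mods, size_t n_mods) {
    seh_record_t r;
    int count = 0;
    for (va32_t cur = head; cur != CHAIN_END; cur = r.next, count++) {
        bool safe = false;
        if (!read_record(s, cur, &r)) return -1;
        for (size_t i = 0; i < n_mods; i++) safe = safe || handler_is_safe(&mods[i], r.handler);
        if (!safe) return -1;
        if (r.next != CHAIN_END && r.next <= cur) return -1;  /* chain must grow toward the base */
    }
    return count;
}
/* Two-record chain on a constructed 4 KiB stack. `handler0` is the handler field of the
 * innermost record, the field an SEH overflow overwrites. Returns validate_chain's verdict. */
int run_scenario(va32_t handler0) {
    static uint8_t mem[0x1000];
    stack_t st = { mem, 0x0012F000u, 0x00130000u };
    const va32_t table[] = { 0x00401000u, 0x00402000u };    /* constructed SafeSEH table */
    module_t mod = { 0x00400000u, 0x10000u, table, 2 };
    seh_record_t outer = { CHAIN_END, 0x00401000u }, inner = { 0x0012FF00u, handler0 };
    memcpy(mem + 0xF00, &outer, sizeof outer);    /* record at 0x0012FF00 */
    memcpy(mem + 0xE00, &inner, sizeof inner);    /* record at 0x0012FE00 */
    return validate_chain(&st, 0x0012FE00u, &mod, 1);
}
```

With the registered handler 0x00402000 the chain validates (2 records); a handler overwritten to point into the stack (0x0012FE50) or to an unregistered address inside the module (0x00405000) is rejected.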

Getting and Analyzing the crash

Overwriting the SEH

The methodology for overwriting an SEH is to forge a fake SEH record and use the overflow to overwrite the function's SEH with it.

PPR

PPR, or Pop-Pop-Ret, is a specific gadget used in SEH overflows because it primes the stack to execute your ROP chain and/or shellcode. The reason you can't use a simple ret or pop e*x; ret gadget instead of a PPR is due to how SEH records are stored on the stack - let's take a look at the diagram below.

Shellcode

Win
This post is licensed under CC BY 4.0 by the author.
