Informative Information for the Uninformed
Introduction

Like other operating systems, the Windows operating system finds itself vulnerable to the same classes of vulnerabilities that affect other platforms, such as stack-based buffer overflows and heap-based buffer overflows. Where the platforms differ is in terms of how these vulnerabilities can be leveraged to gain code execution. In the case of a conventional stack-based buffer overflow, the overwriting of the return address is the most obvious and universal approach. However, unlike other platforms, the Windows platform has a unique vector that can, in many cases, be used to gain code execution through a stack-based overflow that is more reliable than overwriting the return address. This vector is known as a Structured Exception Handler (SEH) overwrite. This attack vector was publicly discussed for the first time, as far as the author is aware, by David Litchfield in his paper entitled Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server [2].
In order to completely understand how to go about protecting against SEH overwrites, it's prudent to first spend some time describing the intention of the facility itself and how it can be abused to gain code execution. To provide this background information, a description of structured exception handling will be given in section
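As an added illustration, not code from the paper or its author, the following C model of the 32-bit SEH registration chain applies the checks that separate an intact list of exception registration records from one that a stack-based overflow has run over. The stack window, the module addresses and the record contents are constructed for the demo; only the record layout (a Next pointer followed by a Handler pointer, terminated by 0xFFFFFFFF) reflects the real structure.

```c
#include <stdint.h>
/* Constructed 32-bit stack window for the demo; all addresses are made up. */
#define STACK_BASE  0x0012F000u
#define STACK_WORDS 64
#define STACK_END   (STACK_BASE + STACK_WORDS * 4)
#define SEH_END     0xFFFFFFFFu   /* Next value that terminates the chain */
static uint32_t stack_mem[STACK_WORDS];

/* Fetch one aligned 32-bit word from the simulated stack; 0 if outside it. */
static int read_word(uint32_t addr, uint32_t *out) {
    if (addr < STACK_BASE || addr > STACK_END - 4 || addr % 4) return 0;
    *out = stack_mem[(addr - STACK_BASE) / 4];
    return 1;
}
/* Walk the EXCEPTION_REGISTRATION_RECORD list (Next, then Handler) from
 * fs0 and enforce the invariants an overflow breaks: records aligned and
 * inside the stack, Next ascending, Handler outside the stack, list ended
 * by SEH_END. Returns the record count, or -1 if the chain is corrupt. */
int validate_seh_chain(uint32_t fs0) {
    uint32_t cur = fs0, prev = 0, next, handler;
    int count = 0;
    while (cur != SEH_END) {
        if (!read_word(cur, &next) || !read_word(cur + 4, &handler)) return -1;
        if (handler >= STACK_BASE && handler < STACK_END) return -1;
        if (prev && cur <= prev) return -1;   /* must ascend: rules out cycles */
        prev = cur; cur = next; count++;
    }
    return count;
}

/* Store one registration record at a simulated stack address. */
static void put_record(uint32_t addr, uint32_t next, uint32_t handler) {
    uint32_t i = (addr - STACK_BASE) / 4;
    stack_mem[i] = next; stack_mem[i + 1] = handler;
}

/* Intact chain: two records, handlers in (constructed) module memory. -> 2 */
int demo_intact(void) {
    put_record(STACK_BASE + 0x40, STACK_BASE + 0x80, 0x7C903000u);
    put_record(STACK_BASE + 0x80, SEH_END, 0x7C9032BCu);
    return validate_seh_chain(STACK_BASE + 0x40);
}
/* Same chain after an overflow has run filler bytes over the first record:
 * its Next field no longer points into the stack, so the walk fails. -> -1 */
int demo_overwritten(void) {
    put_record(STACK_BASE + 0x40, 0x41414141u, 0x41414141u);
    put_record(STACK_BASE + 0x80, SEH_END, 0x7C9032BCu);
    return validate_seh_chain(STACK_BASE + 0x40);
}
```

The same walk, run against a real thread's fs:[0] before an exception is dispatched, is the basic shape of a chain-integrity check; the demo keeps everything in a byte array so it runs on any platform.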