Uninformed: Informative Information for the Uninformed

Vol 5» 2006.Sep


Like other operating systems, Windows is vulnerable to the same classes of vulnerabilities that affect other platforms, such as stack-based and heap-based buffer overflows. Where the platforms differ is in how these vulnerabilities can be leveraged to gain code execution. In the case of a conventional stack-based buffer overflow, overwriting the return address is the most obvious and universal approach. The Windows platform, however, offers a vector unique to it that can, in many cases, be used to gain code execution through a stack-based overflow more reliably than overwriting the return address: the Structured Exception Handler (SEH) overwrite. As far as the author is aware, this attack vector was publicly discussed for the first time by David Litchfield in his paper entitled Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server [2].
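To make the reliability argument concrete, here is an added example that is not part of the paper and not real Windows code: a portable C simulation of a 32-bit x86 stack frame in which a fixed-size buffer sits below the saved frame pointer, the return address, and (at a higher address still) an exception registration record of the kind the compiler pushes for a __try scope. The struct layout, the 16-byte gap between the return address and the registration record, the marker values and the simulated dispatcher are all assumptions chosen so the program runs on any platform; real SEH lives in the chain rooted at FS:[0] and is dispatched by ntdll. The point it demonstrates is that a linear overflow reaches the Handler field of the record, and that the handler is invoked on any exception, including one caused by the overflow itself, whereas an overwritten return address is only used if the function returns normally.

```c
/* Added example, not the paper's code: simulated x86 frame showing how a
 * linear stack overflow reaches an SEH registration record. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated _EXCEPTION_REGISTRATION_RECORD: on 32-bit Windows the compiler
 * pushes Next then Handler onto the stack and links the record into the
 * chain whose head is at FS:[0]. */
typedef struct sim_reg_record {
    uint32_t next;
    uint32_t handler;
} sim_reg_record;

/* Simulated x86 stack frame, lowest address first.  The buffer sits below
 * the saved frame pointer, the return address, some caller data, and then a
 * registration record belonging to an enclosing __try scope.  The 16-byte
 * gap is an assumption; in real frames the distance varies. */
typedef struct sim_frame {
    uint8_t        buf[64];
    uint32_t       saved_ebp;
    uint32_t       ret_addr;
    uint32_t       caller_gap[4];
    sim_reg_record seh;
} sim_frame;

/* Marker values (assumed) so a reader can see which fields were clobbered. */
#define ORIG_EBP     0x0012FF80u
#define ORIG_RET     0x00401234u
#define ORIG_NEXT    0x0012FFE0u
#define ORIG_HANDLER 0x77E0AAAAu

typedef struct sim_result {
    sim_frame frame;
    int       faulted;        /* copy ran off the top of the simulated stack */
    uint32_t  dispatched_to;  /* handler the simulated dispatcher would call */
} sim_result;

/* Byte offset of the Handler field from the start of the buffer. */
size_t handler_offset(void)
{
    return offsetof(sim_frame, seh) + offsetof(sim_reg_record, handler);
}

/* Copy len attacker-controlled bytes into the 64-byte buffer with no bounds
 * check, then report what the frame looks like and what a simulated
 * dispatcher would call if an exception were raised.  The payload is filler
 * plus attacker_handler at the Handler slot, stored in host byte order
 * (little-endian on x86, as a real payload would be). */
sim_result run_overflow(size_t len, uint32_t attacker_handler)
{
    uint8_t payload[256];
    sim_result r;
    size_t off = handler_offset();
    size_t copy_len;

    memset(&r, 0, sizeof r);
    r.frame.saved_ebp   = ORIG_EBP;
    r.frame.ret_addr    = ORIG_RET;
    r.frame.seh.next    = ORIG_NEXT;
    r.frame.seh.handler = ORIG_HANDLER;

    if (len > sizeof payload)
        len = sizeof payload;
    memset(payload, 'A', len);
    if (len >= off + sizeof attacker_handler)
        memcpy(payload + off, &attacker_handler, sizeof attacker_handler);

    /* The vulnerable copy.  Bytes beyond the frame would land above the top
     * of the stack; the simulation models that as an access violation, which
     * is exactly the event that starts exception dispatch. */
    copy_len = len < sizeof r.frame ? len : sizeof r.frame;
    memcpy((uint8_t *)&r.frame, payload, copy_len);
    r.faulted = len > sizeof r.frame;

    /* The dispatcher walks the chain and calls Handler of each record without
     * checking who wrote it.  The return address, by contrast, is only used
     * if the function returns normally, which the overflow may prevent. */
    r.dispatched_to = r.faulted ? r.frame.seh.handler : 0;
    return r;
}

int main(void)
{
    sim_result r = run_overflow(200, 0xDEADBEEFu);
    printf("Handler offset: %zu bytes\n", handler_offset());
    printf("ret_addr = %08x, seh.handler = %08x, faulted = %d, dispatch -> %08x\n",
           r.frame.ret_addr, r.frame.seh.handler, r.faulted, r.dispatched_to);
    return 0;
}
```

A 72-byte payload clobbers the return address but leaves the handler intact, so it only pays off if the function returns cleanly; a 96-byte payload places the attacker's value in Handler, and a longer one that runs off the simulated stack faults during the copy and is dispatched straight to that value.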

In order to completely understand how to go about protecting against SEH overwrites, it is prudent to first describe the intention of the facility itself and how it can be abused to gain code execution. To provide this background, section [*] describes structured exception handling, and section [*] illustrates how an SEH overwrite can be used to gain code execution. Readers who already understand how structured exception handling works and how it can be exploited may skip ahead. The design of the technique that is the focus of this paper is described in chapter [*], followed by a description of a proof-of-concept implementation in chapter [*]. Finally, potential compatibility issues are noted in chapter [*].