03_exploiting_seh_overflows.md

MODULE 3: Exploiting SEH Overflows

(achieved against modules that have SafeSEH turned OFF)

Sync Breeze Application (v10.4.18) Setup and Initial Crash:

  • Setup:
    • After installing the specific version of Sync Breeze, launch the Sync Breeze Client from the Start Menu, click Options > Server and make a note of the Server Control Port field (default: 9121)
    • We'll be targeting the server control component of Sync Breeze, and since we will be crashing the application repeatedly throughout the exploit development process, keep Services.msc open so the service can be restarted quickly
  • Initial Crash:
    • We trigger a crash (code's here) by crafting a custom protocol header carrying a large buffer (\x41, i.e. 'A', repeated 1000 times), which results in the AX register being overwritten with 41's. At this point the debugger intercepts what is called a First Chance Exception, a notification that an unexpected event occurred during the program's normal execution. If we let the application continue (using the g command in WinDbg), we gain control over the IP register (it is replaced with 41's)

Structured Exception Handling (SEH):

The behavior seen above is due to the Structured Exception Handling (SEH) mechanism that Windows uses to handle exceptions. For more detail, refer to the official OffSec material.

WinDbg commands (introduced in this module):

  • !teb - displays Thread Environment Block information for a specific thread (relevant here because some exceptions are mentioned as being thread specific)
  • !exchain - extension that displays the exception handlers of the current thread. It supports 3 arguments that can be used to gather information on specific types of exceptions, such as C++ try/catch exceptions. By default, it displays the exception handlers implemented using the SEH mechanism
  • k - displays the call stack
  • .load narly - loads the narly WinDbg extension, which generates a list of all loaded modules and their respective protections
    • !nmod - outputs a list of all loaded modules and their memory protections

      NOTE (module specific): the !nmod extension will be used to see which modules have SafeSEH turned OFF, allowing us to search those modules for a P/P/R (POP, POP, RET) instruction sequence to subvert the execution flow. For more context, refer to section 4.5.2 Gaining Code Execution in the official OffSec material

  • $><DISK_DRIVE:\SCRIPT_LOCATION\SCRIPT_NAME.wds - executes a .wds script in WinDbg
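The SafeSEH state that the !nmod note above relies on is recorded in each module's PE headers: a PE32 image is SafeSEH-protected when its Load Config directory carries a non-zero SEHandlerTable/SEHandlerCount, and it has no SEH at all when DllCharacteristics sets IMAGE_DLLCHARACTERISTICS_NO_SEH. The following static checker is an added example (not code from the course notes, narly, or Sync Breeze) that audits a PE32 file the same way, so a defender can confirm which of their own modules lack the protection; build_sample_pe32 constructs a minimal synthetic image purely so the check can be exercised offline.

```python
import struct

IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400   # image declares it never uses SEH, so nothing to hijack
LOAD_CONFIG_DIR_INDEX = 10                 # IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG

def rva_to_offset(sections, rva):
    # sections holds (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section
    for vsize, va, raw_size, raw_ptr in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def safeseh_status(data):
    """Classify a PE32 image as 'SafeSEH ON', 'NO_SEH' or 'SafeSEH OFF' (the state !nmod reports)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                       # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                                      # optional header start
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images carry an SEHandlerTable")
    if struct.unpack_from("<H", data, opt + 70)[0] & IMAGE_DLLCHARACTERISTICS_NO_SEH:
        return "NO_SEH"
    if struct.unpack_from("<I", data, opt + 92)[0] <= LOAD_CONFIG_DIR_INDEX:
        return "SafeSEH OFF"                                           # no load-config entry at all
    lc_rva = struct.unpack_from("<I", data, opt + 96 + 8 * LOAD_CONFIG_DIR_INDEX)[0]
    if lc_rva == 0:
        return "SafeSEH OFF"
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    lc = rva_to_offset(sections, lc_rva)
    if struct.unpack_from("<I", data, lc)[0] < 72:                     # too short for SEHandlerCount
        return "SafeSEH OFF"
    table, count = struct.unpack_from("<II", data, lc + 64)            # SEHandlerTable, SEHandlerCount
    return "SafeSEH ON" if table and count else "SafeSEH OFF"

def build_sample_pe32(seh_table_rva=0, seh_count=0, no_seh=False):
    """Constructed minimal PE32 image (one section + load-config struct) for testing; not a real binary."""
    sect_va, raw_ptr = 0x1000, 0x200
    lc = struct.pack("<I", 72) + b"\0" * 60 + struct.pack("<II", seh_table_rva, seh_count)
    opt = struct.pack("<H", 0x10B) + b"\0" * 68 + struct.pack("<H", IMAGE_DLLCHARACTERISTICS_NO_SEH if no_seh else 0)
    opt += b"\0" * 20 + struct.pack("<I", 16)                          # NumberOfRvaAndSizes = 16
    dirs = [(0, 0)] * LOAD_CONFIG_DIR_INDEX + [(sect_va, len(lc))] + [(0, 0)] * 5
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    section = b".rdata\0\0" + struct.pack("<IIII", len(lc), sect_va, 0x200, raw_ptr) + b"\0" * 16
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew -> PE header at 0x40
    return (dos + coff + opt + section).ljust(raw_ptr, b"\0") + lc.ljust(0x200, b"\0")
```

To audit a real module, pass `open(path, "rb").read()` to safeseh_status; 64-bit images are rejected because they rely on table-based unwinding rather than the SEH chain.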