SEH Security Changes in XPSP2 and 2003 SP1

If you're reading this, hopefully you already know why abusing Structured Exception Handling, or SEH, is extremely interesting for Windows exploit writers. As a quick summary, SEH can provide a useful and portable way to precisely locate stack-based shellcode, and can also be used to evade Microsoft's stack protection by having the OS dispatch control to a bogus exception handler, bypassing the stack cookie check.

In fact, causing an exception before the function returns is probably the only way to avoid the stack cookie check, which makes the security of SEH an area of great importance.

So, this whole thing began when I started cataloguing all of the new exploitation-related security features that Microsoft have added to their recent operating systems. All those high level details, covering much more than just SEH, can be found in an eEye whitepaper.

After describing those new protection methods at a conference recently, a Microsoft employee told me privately that the new Structured Exception Handling (SEH) protection was not nearly as weak as I had described. That interested me, since my primary research for that part of the presentation was a paper by David Litchfield, written in 2003, nothing having been published since. It appeared that some changes had been made in XPSP2 and 2003 SP1 which had not been made public. Obviously, it was time to go digging!