
Stack overflow exploits: RET vs. SEH overwrite


I have been studying tutorials on writing both RET value and SEH overwrite exploits, using stack overflow.

As I understand it, when I overwrite the SEH value, the RET value is overwritten as well; also, it is much harder to make an SEH exploit because you also need to throw an exception in order to make the exploit run.

If so, what is the use of an SEH overwrite exploit if I can always use the RET value instead? And what are the pros and cons of SEH overwrite over RET overwrite?


Solution

  • It depends on what the vulnerability is and what the exploit conditions are.

    If you can overwrite the RET and build a full-blown exploit, then you are correct and overwriting the SEH is unnecessary.

    But this is not always the case. In some cases, RET overwrite protections will be present, like the stack canary.

    In this case exploiting using RET overwrite would be far more difficult (if not impossible) than overwriting the SEH handler and generating an exception.

    The same can be said about overwriting the SEH: if SafeSEH is ON and the stack canary is OFF, it would be far easier to exploit using RET overwrite than SEH.

    Generally speaking, I would say that the main factor that would determine which exploit technique to use depends on the existing mitigations and the ease of exploitation.

    It's always good to have another attack vector that could be used if all other options fail.
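The answer's deciding factor is which mitigations the module was built with, so the practical check is to read them off the binary. As an added example that is not part of the original thread, this Python script parses a 32-bit PE's load config directory to report whether it carries a /GS security cookie and a /SAFESEH handler table; `build_sample_pe` constructs a minimal synthetic PE32 image (all addresses in it are made up) so the check runs offline.

```python
import struct

LOAD_CONFIG_INDEX = 10  # IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG

def check_seh_mitigations(pe: bytes) -> dict:
    """Report /GS cookie and /SAFESEH status of a PE32 image from its load config directory."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    fh = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, fh)
    opt = fh + 20                                        # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("PE32 only: SafeSEH is an x86 mitigation, x64 uses table-based unwinding")
    lc_rva, _lc_size = struct.unpack_from("<II", pe, opt + 96 + 8 * LOAD_CONFIG_INDEX)
    # section table follows the optional header: (VirtualAddress, SizeOfRawData, PointerToRawData)
    sections = [struct.unpack_from("<III", pe, opt + opt_size + 40 * i + 12) for i in range(nsec)]
    result = {"gs_cookie": False, "safeseh": False, "seh_handler_count": 0}
    if lc_rva == 0:
        return result                                    # no load config: neither mitigation present
    off = next((lc_rva - va + ptr for va, sz, ptr in sections if va <= lc_rva < va + sz), None)
    if off is None:
        raise ValueError("load config RVA is not backed by any section")
    size = struct.unpack_from("<I", pe, off)[0]          # IMAGE_LOAD_CONFIG_DIRECTORY32.Size
    if size >= 0x40:                                     # SecurityCookie lives at +0x3C
        result["gs_cookie"] = struct.unpack_from("<I", pe, off + 0x3C)[0] != 0
    if size >= 0x48:                                     # SEHandlerTable +0x40, SEHandlerCount +0x44
        table, count = struct.unpack_from("<II", pe, off + 0x40)
        result["safeseh"] = table != 0                   # a table pointer (even with count 0) marks /SAFESEH
        result["seh_handler_count"] = count
    return result

def build_sample_pe(gs: bool, safeseh: bool) -> bytes:
    """Constructed minimal PE32 with one section holding a load config; all addresses are made up."""
    dos = bytearray(b"MZ".ljust(64, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew: NT headers at 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, 1 section, 224-byte opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<II", opt, 96 + 8 * LOAD_CONFIG_INDEX, 0x1000, 0x48)  # load config RVA / size
    sec = (b".rdata\0\0" + struct.pack("<IIII", 0x48, 0x1000, 0x200, 0x200)).ljust(40, b"\0")
    lc = bytearray(0x48)
    struct.pack_into("<I", lc, 0, 0x48)                  # Size
    struct.pack_into("<I", lc, 0x3C, 0x00403000 if gs else 0)          # SecurityCookie
    struct.pack_into("<II", lc, 0x40, 0x00402000 if safeseh else 0, 3 if safeseh else 0)
    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec
    return headers.ljust(0x200, b"\0") + bytes(lc).ljust(0x200, b"\0")
```

Run it against a real module by passing `open(path, "rb").read()` to `check_seh_mitigations`; a result with `safeseh` False and `gs_cookie` True is the situation the answer describes where the SEH route is the easier one, and the reverse is the case where RET overwrite is.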