Blog Picture

Part of the Exploit Development Module – Certified Cybersecurity Engineer (CCSE) – By Cyberwarfare Labs

πŸ“š Table of Contents

  1. Introduction
  2. What is a Stack Overflow?
  3. Understanding Structured Exception Handling (SEH)
  4. Where Does POP-POP-RET Come In?
  5. Breaking Down POP-POP-RET
  6. Step-by-Step Example of Using POP-POP-RET in an SEH Exploit
  7. Finding a Suitable POP-POP-RET Instruction
  8. Example Exploit Code
  9. What Happens When We Run the Exploit?
  10. Conclusion
  11. Next Steps

πŸ”° Introduction

This blog post is part of the Exploit Development module in my journey through the Certified Cybersecurity Engineer (CCSE) certification by Cyberwarfare Labs.

In this article, we explore a common and effective technique in Windows exploitationβ€”POP-POP-RET, which is often used in SEH-based exploits. We’ll cover not only what it is and how it works but also walk through a practical example and payload structure.

🧠 What is a Stack Overflow?

A stack overflow is a flaw that occurs when a program writes more data to a stack-based buffer than it can hold. This causes adjacent memory to be overwritten, which can include other local variables and more importantly, the return address.

If the conditions are right, an attacker can overwrite the EIP (Instruction Pointer) and redirect execution to malicious code. If not, the program will likely crashβ€”leading to a Denial of Service (DoS).

In Structured Exception Handler (SEH) based overflows, we target the SEH chain on the stack, aiming to hijack control flow when an exception occurs.

πŸ“Œ Understanding Structured Exception Handling (SEH)

Structured Exception Handling (SEH) is a mechanism in Windows that allows applications to gracefully handle exceptions such as illegal memory access, division by zero, etc.

  • Every thread maintains an SEH chain (linked list of exception handlers).
  • This chain is stored on the stack, making it exploitable.
  • When an exception occurs, Windows walks this chain to locate a suitable handler.

πŸ“Œ Where Does POP-POP-RET Come In?

In SEH exploits, our goal is to overwrite the SEH handler with an address that helps us redirect execution to our shellcode.

That’s where POP-POP-RET comes in. It helps us bypass basic protections and cleanly transfer execution from the overwritten SEH record to our shellcode, without triggering further exceptions.

πŸ“Œ Breaking Down POP-POP-RET

This sequence of instructions helps clean up the stack before jumping to your shellcode:

  • POP – Removes and discards the top of the stack.
  • POP – Removes another stack value.
  • RET – Pops the next address off the stack and jumps to it (our shellcode).

βœ… Example Flow:

  1. SEH handler is overwritten with the address of a POP-POP-RET sequence.
  2. When an exception triggers, Windows jumps to this address.
  3. POP and POP discard stack garbage.
  4. RET sends execution to your crafted payload.

πŸ“Œ Step-by-Step Example of Using POP-POP-RET in an SEH Exploit

Scenario: Vulnerable Windows Application

  1. Buffer Overflow Identified

    • Input function allows more bytes than the buffer can safely handle.

  2. Analyze Stack Layout

    • Locate Next SEH and SEH Handler on the stack.

  3. Payload Construction

    • Overwrite Next SEH with a short jump (\xEB\x06) to shellcode.
    • Overwrite SEH Handler with address of a POP-POP-RET instruction.

  4. Trigger Exception

    • Application crashes.
    • Windows traverses the SEH chain.
    • Our POP-POP-RET sequence is executed.
    • RET takes execution to our shellcode.

πŸ“Œ Finding a Suitable POP-POP-RET Instruction

We are using Mona.py in Immunity Debugger to find usable instructions that are not protected by SafeSEH or ASLR.

!mona seh

Example output:

0x1001AABB : pop pop ret | [vulnlib.dll]

Using this address in our payload to overwrite the SEH handler.

πŸ“Œ Example Exploit Code

payload  = b"A" * 2000                      # Fill buffer to reach SEH
payload += b"\xEB\x06\x90\x90"             # Next SEH: Short Jump over SEH
payload += b"\xBB\xAA\x01\x10"             # SEH Handler: POP-POP-RET address
payload += b"\x90" * 20                    # NOP sled
payload += b"\xcc" * 300                   # Shellcode: INT 3 for debugging

Breakdown:

  • "A" * 2000 β†’ Fills the buffer and reaches SEH
  • \xEB\x06 β†’ Jumps 6 bytes forward (to shellcode).
  • \x90\x90 β†’ NOPs for alignment.
  • \xBB\xAA\x01\x10 β†’ Little-endian address of POP-POP-RET. Overwrites SEH
  • "\x90" * 20 β†’ Safe space for Shellcode
  • "\xcc" * 300 β†’ Breakpoint to analyze control transfer in debugger (Shellcode).

πŸ“Œ What Happens When We Run the Exploit?

  1. Application crashes β†’ triggers exception.
  2. Windows reads SEH chain β†’ finds overwritten handler.
  3. Executes POP-POP-RET β†’ stack cleaned.
  4. RET jumps to Next SEH (short jump).
  5. Execution lands in shellcode β†’ code execution achieved.

πŸ“Œ Conclusion

  • POP-POP-RET is a classic yet powerful method in SEH exploitation.
  • Helps bypass protections by cleaning the stack and redirecting flow.
  • Requires a deep understanding of the stack and exception handling.

While modern protections like SafeSEH, DEP, and ASLR make this harder today, it’s a critical foundational technique for understanding Windows exploit development.

I’m planning to enroll in their Exploit Development course which goes indeep about exploit development Certified Exploit Development Professional (CEDP) and will definitely write a review about it.

Here’s another good article that showcase this vulnerability in Easy Chat Server 3.1 here