Exploit Research and Development Megaprimer
http://opensecurity.in/exploit-research-and-development-megaprimer/
http://www.youtube.com/playlist?list=PLX3EwmWe0cS_5oy86fnqFRfHpxJHjtuyf
Report
Share
Report
Share
1 of 16
More Related Content
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
2. Data Execution Prevention [DEP]
Hardware Data Execution Prevention utilizes the NX ("No eXecute page
protection“ of AMD) or XD (“eXecute Disable“ of Intel) bit on DEP compatible
CPU‟s, and will mark certain parts of the memory as non executable.
Normally the part in memory containing data (heap, stack and memory pool)
are marked as non executable.
So arbitrary code injection on these areas won‟t get executed.
Different DEP options in Windows OS
OptIn : Only a limited set of Windows system modules/binaries are protected
by DEP.
OptOut : All programs, processes, services on the Windows system are
protected, except for processes in the exception list
AlwaysOn : All programs, processes, services, etc on the Windows system are
protected. No exceptions
AlwaysOff : DEP is turned off.
@ajinabraham
3. How Will We Execute the Shellcode
When DEP Is Enabled?
We will craft a Windows API call that will disable DEP
for a specific memory region that we can control.
We have to use the instructions in the executable
region of the process and chain them in a particular
order to call the Windows API to disable DEP.
So once DEP is disabled, we can execute the
shellcode in the memory region that we control.
For that purpose we use ROP Chains.
@ajinabraham
4. Bypassing DEP with ROP Chains
A ROP Chain is a chain of instruction that contains a sequence of
gadgets.
A *Gadget is a group of instructions in the ROP Chain that ends with
a RET instruction.
A ROP NOP is a pointer to a RET.
With ROP Chains, we will jump from one part of the chain to another
part without executing a single instructions in the DEP protected
region.
In Effect what we are doing is, we use ROP Chains to setup the stack
with parameter for the Windows API call and finally call the API to
disable DEP.
* Gadget actually refers to higher-level macros/code snippets as per Hovav Shacham.
@ajinabraham
5. Exploitation when DEP is Enabled
Exploitation in 2 Stages
1st Stage
Disable DEP.
2nd Stage
Jump to Shellcode and Execute it.
@ajinabraham
6. Windows APIs for disabling DEP
API / OS
XP SP2 XP SP3 Vista SP0 Vista SP1 Windows 7 Windows 8 Windows 2003 SP1 Windows 2008
VirtualAlloc
yes
yes
yes
yes
yes
yes
yes
yes
HeapCreate
yes
yes
yes
yes
yes
yes
yes
yes
no (1)
yes
no (1)
yes
no (2)
no(2)
no (1)
yes
NtSetInformationProcess
yes
yes
yes
no (2)
no (2)
no(2)
yes
no (2)
VirtualProtect
yes
yes
yes
yes
yes
yes
yes
yes
WriteProcessMemory
yes
yes
yes
yes
yes
yes
yes
yes
SetProcessDEPPolicy
(1) Doesn‟t exist.
(2) Will fail because of default DEP Policy settings.
Source: https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/
@ajinabraham
7. Universal APIs for disabling DEP
Available
across all Windows Builds till date.
VirtualAlloc()
VirtualProtect()
@ajinabraham
8. Invoking a Function
Stack Layout
void add(int a, int b)
{
int x=25;
char y=„a‟;
printf(“Sum is %dn”,a+b);
}
ESP
EBP - x
add(2,3);
}
a
Local Variables
25
EBP
EBP
int main()
{
Low Memory
EBP + x
RETN
2
3
High Memory
Parameters
9. VirtualAlloc()
VirtualAlloc() is a Windows API present in kernel32.dll used to disable DEP.
it will allocate new memory. One of the parameters to this function specifies the execution/access
level of the newly allocated memory, so the goal is to set that value to EXECUTE_READWRITE.
VirtualAlloc() Win API Call Structure
LPVOID WINAPI VirtualAlloc
(
_In_opt_ LPVOID lpAddress,
_In_
SIZE_T dwSize,
_In_
DWORD flAllocationType,
_In_
DWORD flProtect
=>
A pointer to VirtualAlloc()
=>
=>
=>
=>
Return Address (Redirect Execution to ESP)
dwSize (0x1)
flAllocationType (0x1000) )
flProtect (0x40)
);
@ajinabraham
10. Stack Should Contain
Return Address
Return Address pointing to another ROP chain that will copy
the shellcode to the newly allocated memory and jump to it.
lpAddress
Starting address of the region where we want to allocate the
memory. You can provide a hardcoded value.
dwSize
Size of the region in bytes. We use rop chains to create and
write this value to the stack.
flAllocationType Set to 0×1000 (MEM_COMMIT). We use rop chains to create
and write this value to the stack.
flProtect
Set to 0×40 (EXECUTE_READWRITE). We use rop chains to
create and write this value to the stack.
@ajinabraham
11. VirtualProtect()
VirtualProtect() is another Windows API present in kernel32.dll used to disable DEP.
The VirtualProtect function changes the access protection of memory in the calling process.
VirtualProtect() Win API Call Structure
BOOL WINAPI VirtualProtect
=>
A pointer to VirtualProtect()
_In_ LPVOID lpAddress,
=>
Return Address (Redirect Execution to ESP)
_In_ SIZE_T dwSize,
=>
dwSize (0x201)
_In_ DWORD flNewProtect,
=>
flNewProtect (0x40)
_Out_ PDWORD lpflOldProtect
=>
A writable pointer
(
);
@ajinabraham
12. Stack Should Contain
Return Address
Return Address pointing to the shellcode on the stack. This value
is dynamically created using ROP chains.
lpAddress
Pointer to the base address of the region of pages whose access
protection attributes need to be changed. i.e. this will be the
base address of the shellcode. It is a dynamically created value.
dwSize
Size of the region in bytes. It is a dynamically created value using
ROP chains.
flNewProtect
lpflOldProtect
Set to 0×00000040 : PAGE_EXECUTE_READWRITE. This parameter
specifies the new protection flag. It is also dynamically created.
Pointer to variable that will receive the old protection
flag. It is a writable static address.
@ajinabraham
13. Ways to write a ROP Chain
Basically three ways.
1. We can load all the API parameters into the various
registers and use a PUSHAD instruction to push them to
the stack in the proper order.(Easiest)
2. we can directly write the parameters to the stack in
the proper order and then return to them (this will be
more difficult).
3. Create entire payload using ROP Chain (requires some
ninja skills).
@ajinabraham
14. Let‟s Exploit Something
We will use the VirtualAlloc() API call to disable DEP.
Our Strategy
Use ROP chains to put the parameters for VirtualAlloc() in the stack.
Call the function VirtualAlloc() which will disable DEP.
Jump to shellcode and execute it.
To achieve this we can put the required values in register and then use a
pushad instruction to put these values into the stack at once.
@ajinabraham