Scribd
Upload
258 views

Defeating Data Execution Prevention and Aslr in Windows XP Sp3

Data prevention Execution (DEP) and Address space layout randomization (ASLR) are two protection mechanisms integrated in Windows operating system to make more complicated the task of exploiting software. This document show how these two features can be bypassed using different techniques. URL: https://www.htbridge.ch/publications/defeating_data_execution_prevention_and_aslr_in_windows_xp_sp3.html Other information security publications: https://www.htbridge.ch/publications/

Uploaded by

High-Tech Bridge
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PDF or read online on Scribd
258 views

Defeating Data Execution Prevention and Aslr in Windows XP Sp3

Data prevention Execution (DEP) and Address space layout randomization (ASLR) are two protection mechanisms integrated in Windows operating system to make more complicated the task of exploiting software. This document show how these two features can be bypassed using different techniques. URL: https://www.htbridge.ch/publications/defeating_data_execution_prevention_and_aslr_in_windows_xp_sp3.html Other information security publications: https://www.htbridge.ch/publications/

Uploaded by

High-Tech Bridge
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PDF or read online on Scribd
You are on page 1/ 42

Your texte here .

Defeating DEP and ASLR in Windows

ORIGINAL SWISS ETHICAL HACKING


2011 High-Tech Bridge SA www.htbridge.ch

What is DEP?
Your texte here .

Data Execution Prevention (DEP) is a set of hardware and software technologies It performs additional checks on memory to help prevent malicious code from running on a system

ORIGINAL SWISS ETHICAL HACKING


2011 High-Tech Bridge SA www.htbridge.ch

Hardware-enforced DEP
Your texte here .

Hardware-enforced DEP causes an attempt to transfer control to an instruction in a memory page marked as no execute to generate an access fault. Relies on processor hardware to mark memory with an attribute that indicates that code should not be executed from that memory region DEP functions on a per-virtual memory page basis, usually changing a bit in the page table entry (PTE) to mark the memory page The actual hardware implementation of DEP and marking of the virtual memory page varies by processor architecture: The no-execute page-protection (NX) processor feature as defined by AMD The Execute Disable Bit (XD) feature as defined by Intel. To use these processor features, the processor must be running in Physical Address Extension (PAE) mode. Windows will automatically enable PAE mode to support DEP.

ORIGINAL SWISS ETHICAL HACKING


2011 High-Tech Bridge SA www.htbridge.ch

Intel Hardware-enforced
Your texte here .

DEP

ORIGINAL SWISS ETHICAL HACKING


2011 High-Tech Bridge SA www.htbridge.ch

AMD Hardware-enforced DEP


Your texte here .

ORIGINAL SWISS ETHICAL HACKING


2011 High-Tech Bridge SA www.htbridge.ch

Software-enforced DEP
Your texte here .

Software-enforced DEP runs on any processor that can run Windows XP SP2 By default, software-enforced DEP helps protect only limited system binaries, regardless of the hardware-enforced DEP capabilities of the processor It protects only user-mode processes. It must be supported by the operating system. Software-enforced DEP does not protect from execution of code in data pages but instead from another type of attack which is called Security Exception Handling (SEH) overwrite

ORIGINAL SWISS ETHICAL HACKING


2011 High-Tech Bridge SA www.htbridge.ch

DEP settings
Your texte here .

/NOEXECUTE= OptIn Turn on DEP for necessary Windows programs and services only /NOEXECUTE= OptOut Turn on DEP for all programs and services except for those that I select /NOEXECUTE= AlwaysOn permanently enables DEP /NOEXECUTE= AlwaysOff permanently disables DEP The default setting on Windows XP SP2 is OptIn, while the default setting on Windows 2003 Server SP1 is OptOut

ORIGINAL SWISS ETHICAL HACKING


2011 High-Tech Bridge SA www.htbridge.ch

ASLR
Your texte here .

The PaX project first coined the term "ASLR". Implementations of ASLR in July, 2001. Exploits attacks rely on programmer skills to identify where specific processes or system functions live in memory In order for an attacker to leverage a function, he must first be able to tell the code where to find the function Before ASLR implementation memory locations were easily discovered by attackers and malware code ASLR (Address space layout randomization) involves randomly positioning memory areas, usually areas the base address of the binary file and position of libraries, heap and stack Without ASLR, a library will always going to be loaded at a predictable address and can be leverage by an exploit Bypassing ASLR means targeting non-ASLR libraries to build a reliable exploit

ORIGINAL SWISS ETHICAL HACKING


2011 High-Tech Bridge SA www.htbridge.ch

ASLR DEFEATED
Your texte here .

ORIGINAL SWISS ETHICAL HACKING


2011 High-Tech Bridge SA www.htbridge.ch

DEP in action
Your texte here .

(1)

The routine inject_shellcode_in_stack push the payload into the stack Once the shellcode has been injected the code jumps to the execute routine The CALL ESP instruction fetch the beginning of the shellcode

ORIGINAL SWISS ETHICAL HACKING


2011 High-Tech Bridge SA www.htbridge.ch

DEP in action
Your texte here .

(2)

Since the page 0x0022e000 size 00002000 has only Read and Write attributes an access violation is triggered at the address 0x0022feb4 DEP has successfully stop shellcode execution from the stack

ORIGINAL SWISS ETHICAL HACKING


2011 High-Tech Bridge SA www.htbridge.ch

Bypassing DEP
Your texte here .

(1)

When hardware DEP is enabled, we are not able to jump to our shellcode on the stack, because this one will not be executed. An access violation will terminate the process. (slide 10) Different techniques are available to accomplish this task DEP can be disabled if the later is running in OptIn or OptOut mode Another approach is to call API functions that are able to change the memory attributes (PAGE_READ_EXECUTE) from where the payload lives Some of the techniques are introduced in the next slides

ORIGINAL SWISS ETHICAL HACKING


2011 High-Tech Bridge SA www.htbridge.ch

VirtualAlloc technique
Your texte here .

(2)

We can create a new memory region with executable attributes We then copy our shellcode to this memory region (WriteProcessMemory or memcpy APIs) This technique needs at least the use of two different APIs

ORIGINAL SWISS ETHICAL HACKING


2011 High-Tech Bridge SA www.htbridge.ch

HeapCreate technique (3)


Your texte here .

Comparable to VirtualAlloc()

ORIGINAL SWISS ETHICAL HACKING


2011 High-Tech Bridge SA www.htbridge.ch

SetProcessDEPPolicy technique
Your texte here .

(4)

This allows to disable the DEP policy for the current process It will work for Vista SP1, XP SP3, Server 2008, and only when DEP Policy is set to OptIn or OptOut modes

ORIGINAL SWISS ETHICAL HACKING


2011 High-Tech Bridge SA www.htbridge.ch

VirtualProtect technique
Your texte here .

(5)

This function will change the access protection level of a given memory page It will allow to mark the location where our shellcode lives as PAGE_READ_EXECUTE

ORIGINAL SWISS ETHICAL HACKING


2011 High-Tech Bridge SA www.htbridge.ch

WriteProcessMemory technique
Your texte here .

(6)

This technique will permit us to copy the shellcode to a memory region with EXECUTE attributes Later we can jump to it The target location must be Writable and Executable

ORIGINAL SWISS ETHICAL HACKING


2011 High-Tech Bridge SA www.htbridge.ch

Operating System vs API


Your texte here .

Thanks to Corelan.be for this awesome information

ORIGINAL SWISS ETHICAL HACKING


2011 High-Tech Bridge SA www.htbridge.ch

VirtualProtect Technique in action


Your texte here .
The present code will first find kernel32.dll base image address in a generic way Then it will find the offset of VirtualProtect API and add it to the base address. Later the code will find the current bottom of stack and calculate the size of it VirtualProtect Api is called to change the current memory stack attributes to PAGE_EXECUTE_READWRITE A shellcode will be injected in the stack and get executed after the RETN 10 instruction from VirtualProtect Api

ORIGINAL SWISS ETHICAL HACKING


2011 High-Tech Bridge SA www.htbridge.ch

HeapCreate in action
Your texte here .

A new heap of 296 bytes is created with PAGE_READ_EXECUTE attributes. The heap base address returned in EAX is then passed to WriteProcessMemory The final RET instruction execute the shellcode from the new heap

ORIGINAL SWISS ETHICAL HACKING


2011 High-Tech Bridge SA www.htbridge.ch

WriteProcessMemory in action
Your texte here .

The shellcode is copied to a kernel32.dll memory address which the memory attributes are Read and Execute The example is using a memory harcoded address in windows xp sp3 which does not contain any relevant code It is important to choose the correct memory address, otherwise the system could crash after copying the shellcode

ORIGINAL SWISS ETHICAL HACKING


2011 High-Tech Bridge SA www.htbridge.ch

Return to Libc technique


Your texte here .
To take advantage of return to Libc technique we need to overwrite the return address with a function address for i.e. WinExec or System We must provide the correct arguments for the function in order to execute it properly We do not execute code in the stack, but in the memory page where the native function lives Some of the benefits are: We can executed a code with small buffer We do not need to inject code

ORIGINAL SWISS ETHICAL HACKING


2011 High-Tech Bridge SA www.htbridge.ch

Return oriented programming (ROP)


Your texte here .
As a replacement for returning to functions we return to instructions called gadgets in EXECUTABLE memory pages It is possible to return in the middle of instructions to create new instructions The RET instruction will fetch memory addresses from the stack in order to prepare it to successfully call an API function Python libraries like DEPLib from Pablo Sol or pvefindaddr from Corelan.be permit us to quickly find ROP gadgets from non-ASLR libraries

ORIGINAL SWISS ETHICAL HACKING


2011 High-Tech Bridge SA www.htbridge.ch

Practical ROP example in Windows XP SP3 (1)

Your texte here .


We are going to exploit a server application in Windows XP SP3 up to date, running DEP in mode /NOEXECUTE=OptOut The goal is to create the exploit using non-ALSR modules in order to bypass randomization The application was compiled with Visual Studio 10 with NX Compat and DYNAMICBASE flags

ORIGINAL SWISS ETHICAL HACKING


2011 High-Tech Bridge SA www.htbridge.ch

Practical ROP example in Windows XP SP3 (2)

Your texte here . the application with a simple <Evil Buffer> + <CALL ESP> <NOP> <SHELLCODE> When we try to exploit
technique it throws an STATUS_ACCESS_VIOLATION (0xC0000005) DEP is sucessfully preventing code execution from the actual thread stack

ORIGINAL SWISS ETHICAL HACKING


2011 High-Tech Bridge SA www.htbridge.ch

Practical ROP example in Windows XP SP3 (3)

Your texte here .


To get around this protection we will implement the ROP technique The first step is to know which modules are loaded in memory when the vulnerable application runs. The objective is to use non-relocatable modules, so we can bypass memory randomization We are going to use python script !pvefindaddr from corelan.be For this particular exploit development we have 8 non-ASLR modules to search for ROP gadgets, This is pretty enough to create our exploit

ORIGINAL SWISS ETHICAL HACKING


2011 High-Tech Bridge SA www.htbridge.ch

Practical ROP example in Windows XP SP3 (4)

Your texte here .


The next step is to create our ROP gadgets The !pvefindaddr rop command will create a list of all available gadgets from the non-ASLR modules

ORIGINAL SWISS ETHICAL HACKING


2011 High-Tech Bridge SA www.htbridge.ch

Practical ROP example in Windows XP SP3 (5)

Your texte here .


We can now start to use our ROP gadgets to deactivate Data Protection Execution We are going to use the SetProcessDEPPolicy technique with the flag 0, which means disable DEP for the current process After searching the correct ROP gadgets from the previous list our exploit is finally created Lets trace it in our debugger

ORIGINAL SWISS ETHICAL HACKING


2011 High-Tech Bridge SA www.htbridge.ch

Practical ROP example in Windows XP SP3 (6)

Your texte here .


When the buffer overflow occurs we need first to pivot our stack to reach our controlled buffer. The XCHG EAX,ESP instruction permits us to point ESP to 0x0013fb68 address which is the beginning of our controlled data in the stack

ORIGINAL SWISS ETHICAL HACKING


2011 High-Tech Bridge SA www.htbridge.ch

Practical ROP example in Windows XP SP3 (7)

Your texte here .


The next instruction will POP the value 0xffffffff into the EBX register, which will be later incremented to obtain a null dword

ORIGINAL SWISS ETHICAL HACKING


2011 High-Tech Bridge SA www.htbridge.ch

Practical ROP example in Windows XP SP3 (8)

Your texte here .


The EBX register contains the flag that will be passed as parameter to the SetProcessDEPPolicy API

ORIGINAL SWISS ETHICAL HACKING


2011 High-Tech Bridge SA www.htbridge.ch

Practical ROP example in Windows XP SP3 (9)

Your texte here .


We put the address of SetProcessDEPPolicy into EBP register

ORIGINAL SWISS ETHICAL HACKING


2011 High-Tech Bridge SA www.htbridge.ch

Practical ROP example in Windows XP SP3 (10)

Your texte here .


The two next steps will be to POP into ESI and EDI a pointer to a RET instruction, this will simulate a NOP sled

ORIGINAL SWISS ETHICAL HACKING


2011 High-Tech Bridge SA www.htbridge.ch

Practical ROP example in Windows XP SP3 (11)

Your texte here .


The last step is to execute a PUSHAD instruction. This will prepare our stack to successfully call SetProcessDEPPolicy and automatically set the return pointer from SetProcessDEPPolicy to our shellcode

ORIGINAL SWISS ETHICAL HACKING


2011 High-Tech Bridge SA www.htbridge.ch

Practical ROP example in Windows XP SP3 (12)

Your texte here .


Our stack is now ready to call SetProcessDEPPolicy and deactivate DEP

ORIGINAL SWISS ETHICAL HACKING


2011 High-Tech Bridge SA www.htbridge.ch

Practical ROP example in Windows XP SP3 (13)

Your texte here .


We place a breakpoint at the RETN 4 instruction which is the end of SetProcessDEPPolicy

ORIGINAL SWISS ETHICAL HACKING


2011 High-Tech Bridge SA www.htbridge.ch

Practical ROP example in Windows XP SP3 (14)

Your texte here .


Now we are able to reach our shellcode and it will successfully get executed without any access violation fault

ORIGINAL SWISS ETHICAL HACKING


2011 High-Tech Bridge SA www.htbridge.ch

Practical ROP example in Windows XP SP3 (15)

Your texte here .


Finally our shellcode is executed without issues. Lets try the exploit without a debugger

ORIGINAL SWISS ETHICAL HACKING


2011 High-Tech Bridge SA www.htbridge.ch

Practical ROP example in Windows XP SP3 (16)

Your texte here .


We can effectively execute our shellcode bypassing DEP and ASLR protections

ORIGINAL SWISS ETHICAL HACKING


2011 High-Tech Bridge SA www.htbridge.ch

Conclusions
Your texte here .

DEP and ASLR are designed to increase an attacker's exploit development costs ASLR is easy bypassed if we can count on memory modules which do not have this feature turn on The return oriented programming can be used to with no trouble get around dep protections This techniques can be also used in others windows flavors such as windows Vista or Windows 7

ORIGINAL SWISS ETHICAL HACKING


2011 High-Tech Bridge SA www.htbridge.ch

References
Your texte here .
http://www.uninformed.org/?v=2&a=4&t=txt http://support.microsoft.com/kb/875352 http://technet.microsoft.com/en-us/library/bb457155.aspx http://technet.microsoft.com/en-us/library/cc738483%28WS.10%29.aspx http://msdn.microsoft.com/en-us/library/ms633548%28v=vs.85%29.aspx http://opc0de.tuxfamily.org/?p=430 http://www.cs.bham.ac.uk/~covam/blog/binary/ http://www.corelan.be Windows Internals fourth edition https://www.blackhat.com/presentations/bh-usa08/Shacham/BH_US_08_Shacham_Return_Oriented_Programming.pdf

ORIGINAL SWISS ETHICAL HACKING


2011 High-Tech Bridge SA www.htbridge.ch

Your texte here .

Your questions are always welcome!


[email protected]

ORIGINAL SWISS ETHICAL HACKING


2011 High-Tech Bridge SA www.htbridge.ch

You might also like