Dailydave mailing list archives
RE: Non executable memory pages with AMD64 + XP SP2
From: "Maynor, David (ISS Atlanta)" <dmaynor () iss net>
Date: Sun, 5 Dec 2004 16:35:39 -0500
I have looked at it in detail. At first I thought I was just a super duper shellcoder because all my payloads executed with no problem. After more investigation I discovered that the SP2 implementation of the NX technology covers only vital Windows services by default. This means that your hello world or basic stack overflow that you write will not receive the protection until it is enabled system wide.

32-bit XP SP2 does use NX technology if running on a processor that supports it. It has to run in PAE mode though.

I wrote a white paper for ISS on these shortcomings. It should be made public pretty soon.

-----Original Message-----
From: dailydave-bounces () lists immunitysec com [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Nicolas RUFF
Sent: Sunday, December 05, 2004 4:10 PM
To: dailydave
Subject: [Dailydave] Non executable memory pages with AMD64 + XP SP2

Hello everybody,

Did anyone out there have a chance to test non-executable memory pages on AMD64 + XP SP2?

I sent a mail on Bugtraq a few weeks ago but I did not receive much support from the community.

It seems to me that non-executable pages are never enabled (at least for basic user programs, such as a "hello world" buffer overflow), unless you manually specify /PAE, despite:
http://support.microsoft.com/kb/875352

If you read the small print on AMD commercials in France, they say something like: "you must manually enable the Enhanced Virus Protection for each of your applications to be fully protected". What is this supposed to mean???

I suspect Microsoft made a last-minute change, considering the amount of software failing with non-executable pages (at least on my computer, e.g. the nVidia userland interface).

To sum up:
1/ 64-bit OSes are not ready for production - if you ever tried to get drivers for the Windows XP 64-bit edition (available from MSDN) you know what I mean.
2/ 64-bit OSes are as fast as 32-bit OSes (tested on Fedora 64 and XP 64). Applications will be running in 32-bit emulation mode for a long time and will not benefit from 64-bit processors either.
3/ 32-bit XP SP2 does not use non-executable memory pages (AFAIK).
4/ Shellcoders will benefit from the new RIP-relative addressing, as M. Conover pointed out.

So, could someone figure out a good reason why I spent $300 on this s***? (Not counting the motherboard and memory upgrade.)

Regards,
- Nicolas RUFF
-----------------------------------
Security Consultant
EdelWeb (http://www.edelweb.fr/)
Mail : nicolas.ruff (at) edelweb.fr
-----------------------------------
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
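Both posters settle the question the same way: build a trivial program, put a return instruction in a writable data buffer, and see whether the CPU executes it. The probe below is an added example (not code from either poster or from ISS) that does exactly that self-check on a POSIX system, with a positive control so that a "not executable" result can be trusted. It assumes Linux-style mmap/mprotect and a GCC or clang compiler; the Windows equivalent replaces mmap with VirtualAlloc(PAGE_READWRITE) and the signal handler with SEH, and on XP SP2 the system-wide behaviour the thread discusses is governed by the boot.ini /noexecute policy documented in KB875352. On 32-bit x86 without PAE there is no NX bit in the page-table format at all, which is why Maynor notes that PAE mode is required; on such a machine this probe reports the data page as executable.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Machine code for a bare "return" on the architectures this probe supports. */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char RET_STUB[] = { 0xC3 };                    /* ret */
#elif defined(__aarch64__)
static const unsigned char RET_STUB[] = { 0xC0, 0x03, 0x5F, 0xD6 };  /* ret, little-endian */
#else
#error "unsupported architecture for this probe"
#endif

static sigjmp_buf recovery_point;

/* Reached when the fetch from the probed page is refused by the CPU/OS. */
static void on_fault(int sig) {
    (void)sig;
    siglongjmp(recovery_point, 1);
}

/* Places RET_STUB in a fresh page, applies `prot`, and tries to call it.
 * Returns 1 if the stub ran, 0 if the attempt faulted, -1 on setup error. */
static int probe_page(int prot) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    struct sigaction sa, old_segv, old_bus;
    void (*stub)(void);
    int executed = 0;

    unsigned char *mem = mmap(NULL, page, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return -1;
    memcpy(mem, RET_STUB, sizeof RET_STUB);
    /* Apply the protection under test only after the bytes are in place. */
    if (mprotect(mem, page, prot) != 0) { munmap(mem, page); return -1; }
    __builtin___clear_cache((char *)mem, (char *)mem + sizeof RET_STUB);

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    /* sigsetjmp(..., 1) saves the signal mask so siglongjmp restores it. */
    if (sigsetjmp(recovery_point, 1) == 0) {
        memcpy(&stub, &mem, sizeof stub);   /* data pointer -> function pointer */
        stub();                             /* faults here if NX is enforced */
        executed = 1;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(mem, page);
    return executed;
}

/* The "hello world" question from the thread: does a plain RW data page run? */
int data_page_is_executable(void) { return probe_page(PROT_READ | PROT_WRITE); }

/* Positive control: a page explicitly marked executable must run, or the
 * harness itself is broken and a 0 above would mean nothing. */
int code_page_is_executable(void) { return probe_page(PROT_READ | PROT_EXEC); }

int main(void) {
    int data = data_page_is_executable();
    int code = code_page_is_executable();
    printf("RX page executed: %d (expected 1)\n", code);
    printf("RW page executed: %d (0 = NX enforced for this process)\n", data);
    return (code == 1 && data == 0) ? 0 : 1;
}
```

The control run matters: a probe that only reports "the RW page did not run" cannot distinguish NX enforcement from a broken test harness, which is the same trap Maynor describes from the other side (payloads that ran because the default policy simply did not cover his test program). Run it under each configuration being compared (PAE versus non-PAE kernel, opt-in versus system-wide policy) rather than trusting a single result.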
Current thread:
- Non executable memory pages with AMD64 + XP SP2 Nicolas RUFF (Dec 05)
- RE: Non executable memory pages with AMD64 + XP SP2 Mike Bailey (Dec 05)
- <Possible follow-ups>
- RE: Non executable memory pages with AMD64 + XP SP2 Maynor, David (ISS Atlanta) (Dec 05)
- RE: Non executable memory pages with AMD64 + XP SP2 Maynor, David (ISS Atlanta) (Dec 05)
- Re: Non executable memory pages with AMD64 + XP SP2 Nicolas RUFF (Dec 06)
- RE: Non executable memory pages with AMD64 + XP SP2 Maynor, David (ISS Atlanta) (Dec 06)