Metasploit mailing list archives
How Secure is Windows Hardware-enforced Data Execution Prevention [was ani_loadimage_chunksize problem]
From: security at vahle.de (Thomas Werth)
Date: Mon, 29 Oct 2007 12:03:22 +0100
I've taken a look at this. Still, I have one more question. It seems the exploit rewrites SEH so that DEP deactivation can be called. If I'm wrong, how is the deactivation func called then? Now to my question. I guess deactivation needs admin rights, so if an application is exploited which does not run as admin, such a deactivation + exploit attempt should fail, right?

Rhys Kidd wrote:
Oh, Metasploit has already provided exploits that will reliably bypass Windows NX/DEP: http://metasploit.com/dev/trac/browser/framework3/trunk/modules/exploits/windows/dcerpc/msdns_zonename.rb

The issue, as I discussed it with HD previously, is that there is no widespread way of doing this by making changes to the payloads. In the above case it was done within the exploit module, first ensuring NX/DEP was disabled in the target vulnerable process, and then passing to the chosen payload.

Keep in mind that NX/DEP isn't the only built-in protection against remote code execution in modern Windows. There are also stack canaries, ASLR, heap protection etc., which may or may not be enabled depending on the particular process, CPU and OS release. The type of vulnerability itself is also relevant. Certain vulnerable API calls will be easier/harder to use when the target may be using these mitigating protections.

But if you have suggestions for a more generically applicable method, please discuss!

Rhys
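The exchange above turns on whether a process can have DEP switched off for it, and the answer depends on the system-wide DEP policy: under AlwaysOn no process can opt out, while under OptIn/OptOut the state is per process. The following audit script is an added example and is not part of the original thread or of Metasploit; it reports the system-wide policy via the Win32_OperatingSystem WMI class and the per-process DEP state via Get-ProcessMitigation, which exists on Windows 10 / Server 2016 and later. The process names passed to Get-DepProcessState are just assumed defaults for illustration.

```powershell
# Added defensive audit example (not from the original thread): report the
# system-wide DEP policy and the DEP state of selected running processes.

# Meaning of Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy
$DepPolicyNames = @{
    0 = 'AlwaysOff'
    1 = 'AlwaysOn (no process can opt out)'
    2 = 'OptIn (only Windows binaries and opted-in processes)'
    3 = 'OptOut (all processes unless explicitly excluded)'
}

function Get-DepSystemPolicy {
    # Reads the DEP configuration the OS reports through WMI/CIM.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        HardwareDepAvailable = $os.DataExecutionPrevention_Available
        Policy               = $DepPolicyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
        Covers32BitApps      = $os.DataExecutionPrevention_32BitApplications
        CoversDrivers        = $os.DataExecutionPrevention_Drivers
    }
}

function Get-DepProcessState {
    # Queries the effective DEP mitigation for each matching process.
    # Process names are assumed defaults; pass your own list to audit others.
    param([string[]]$Name = @('explorer', 'svchost'))

    foreach ($proc in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        try {
            $mit = Get-ProcessMitigation -Id $proc.Id -ErrorAction Stop
            [pscustomobject]@{
                Pid               = $proc.Id
                Name              = $proc.ProcessName
                DepEnabled        = $mit.Dep.Enable
                AtlThunkEmulation = $mit.Dep.EmulateAtlThunks
            }
        } catch {
            # Typically access denied on protected/system processes when not elevated
            [pscustomobject]@{
                Pid = $proc.Id; Name = $proc.ProcessName
                DepEnabled = "unknown ($($_.Exception.Message))"; AtlThunkEmulation = $null
            }
        }
    }
}

# Run the audit and flag processes that are running without DEP even though
# the system policy would normally cover them.
$policy = Get-DepSystemPolicy
$policy | Format-List

$states = Get-DepProcessState
$states | Format-Table -AutoSize

if ($policy.Policy -like 'OptOut*' -or $policy.Policy -like 'AlwaysOn*') {
    $states | Where-Object { "$($_.DepEnabled)" -eq 'OFF' } |
        ForEach-Object { Write-Warning "DEP is OFF for $($_.Name) (PID $($_.Pid)) despite policy '$($policy.Policy)'" }
}
```

Reading the output from a defender's side: AlwaysOn is the only policy under which a process cannot be opted out of DEP, so on hosts where that is acceptable it removes the per-process escape hatch the thread discusses. Under OptIn or OptOut, any process reported as DEP OFF is worth checking against your application inventory, since it is precisely the state an exploit would aim to put a target process into. Run the script elevated to query system processes; otherwise those rows show "unknown".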
Current thread:
- ani_loadimage_chunksize problem Thomas Werth (Oct 24)
- ani_loadimage_chunksize problem H D Moore (Oct 24)
- ani_loadimage_chunksize problem Thomas Werth (Oct 24)
- How Secure is Windows Hardware-enforced Data Execution Prevention [was ani_loadimage_chunksize problem] Thomas Werth (Oct 25)
- How Secure is Windows Hardware-enforced Data Execution Prevention [was ani_loadimage_chunksize problem] Rhys Kidd (Oct 25)
- How Secure is Windows Hardware-enforced Data Execution Prevention [was ani_loadimage_chunksize problem] Thomas Werth (Oct 29)
- How Secure is Windows Hardware-enforced Data Execution Prevention [was ani_loadimage_chunksize problem] Rhys Kidd (Oct 29)
- ani_loadimage_chunksize problem Thomas Werth (Oct 24)
- How Secure is Windows Hardware-enforced Data Execution Prevention [was ani_loadimage_chunksize problem] Pusscat (Oct 25)
- How Secure is Windows Hardware-enforced Data Execution Prevention [was ani_loadimage_chunksize problem] Thomas Werth (Oct 25)
- ani_loadimage_chunksize problem H D Moore (Oct 24)