Metasploit mailing list archives

How Secure is Windows Hardware-enforced Data Execution Prevention [was ani_loadimage_chunksize problem]


From: rhyskidd at gmail.com (Rhys Kidd)
Date: Thu, 25 Oct 2007 21:28:32 +0800

Oh, Metasploit has already provided exploits that will reliably bypass
Windows NX/DEP:

http://metasploit.com/dev/trac/browser/framework3/trunk/modules/exploits/windows/dcerpc/msdns_zonename.rb

The issue, as I discussed it with HD previously, is that there is no
widespread way of doing this by making changes to the payloads. In the above
case it was done within the exploit module, first ensuring NX/DEP was
disabled in the target vulnerable process, and then passing to the chosen
payload.

Keep in mind that NX/DEP isn't the only built-in protection against remote
code execution in modern Windows. There's also stack canaries, ASLR, heap
protection etc., which may or may not be enabled depending on the particular
process, CPU and OS release. The type of vulnerability itself is also
relevant. Certain vulnerable API calls will be easier/harder to use when the
target may be using these mitigating protections.

But if you have suggestions for a more generically applicable method, please
discuss!

Rhys
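The post's point that DEP is enforced per process (the exploit above first had to get it disabled in the target process) is something an administrator can audit directly. The following PowerShell script is an added example, not code from the post or from Metasploit: it decodes the system-wide DEP policy from `Win32_OperatingSystem` and lists running processes whose DEP state is not explicitly on. It assumes a Windows 10 (1709 or later) host with the built-in `ProcessMitigations` module; the exact field names on the objects `Get-ProcessMitigation` returns (`ProcessName`, `Id`, `Dep.Enable`) are an assumption from that module's usual output.

```powershell
# Added example (not from the original post): audit the DEP state of a Windows host.
# Assumes Windows 10 1709+ with the built-in ProcessMitigations module; run as administrator
# so that every process can be inspected.

function Get-SystemDepPolicy {
    # Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy:
    #   0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (client default), 3 = OptOut (server default)
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    [pscustomobject]@{
        HardwareDepAvailable = $os.DataExecutionPrevention_Available
        Policy               = $names[[int]$os.DataExecutionPrevention_SupportPolicy]
        Covers32BitApps      = $os.DataExecutionPrevention_32BitApplications
        CoversDrivers        = $os.DataExecutionPrevention_Drivers
    }
}

function Get-ProcessDepState {
    # Assumed shape: one object per running process, with Dep.Enable = ON / OFF / NOTSET.
    # NOTSET means the image's NXCOMPAT flag and the system policy decide, so under OptIn
    # such a process may be running without DEP at all.
    Get-ProcessMitigation -RunningProcesses -ErrorAction Stop |
        ForEach-Object {
            [pscustomobject]@{
                ProcessName = $_.ProcessName
                Id          = $_.Id
                Dep         = [string]$_.Dep.Enable
            }
        }
}

$policy = Get-SystemDepPolicy
$policy | Format-List

if (-not $policy.HardwareDepAvailable) {
    Write-Warning 'No hardware NX support reported: DEP is software-emulated only (SafeSEH checks, not page protection).'
}
if ($policy.Policy -eq 'OptIn') {
    Write-Warning 'OptIn policy: only Windows binaries and images that opt in get DEP; third-party services may run without it.'
}

# Processes with DEP explicitly off are the immediate findings; NOTSET ones need a look under OptIn.
$states = Get-ProcessDepState
$states | Where-Object { $_.Dep -eq 'OFF' } | Format-Table -AutoSize
if ($policy.Policy -eq 'OptIn') {
    $states | Where-Object { $_.Dep -eq 'NOTSET' } | Format-Table -AutoSize
}
```

The decode table for `DataExecutionPrevention_SupportPolicy` matches the documented meaning of that WMI property; the warnings only restate what the policy value implies. Processes reported as `OFF` are the ones in the situation the post describes, where DEP gives no protection to a vulnerable service, and the fix is either a system policy of `AlwaysOn`/`OptOut` or rebuilding the image with `/NXCOMPAT`.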