Metasploit mailing list archives

How Secure is Windows Hardware-enforced Data Execution Prevention [was ani_loadimage_chunksize problem]


From: security at vahle.de (Thomas Werth)
Date: Mon, 29 Oct 2007 12:03:22 +0100

I've taken a look at this. Still I have one more question.
It seems the exploit rewrites SEH so that the DEP deactivation can be called. If
I'm wrong, how is the deactivation function called then?
Now to my question. I guess deactivation needs admin rights, so if an
application is exploited which does not run as admin, such a deactivation +
exploit attempt should fail, right?


Rhys Kidd wrote:
Oh, Metasploit has already provided exploits that will reliably bypass
Windows NX/DEP

http://metasploit.com/dev/trac/browser/framework3/trunk/modules/exploits/windows/dcerpc/msdns_zonename.rb

The issue, as I discussed it with HD previously, is that there is no
widespread way of doing this by making changes to the payloads. In the above
case it was done within the exploit module, first ensuring NX/DEP was
disabled in the target vulnerable process, and then passing to the chosen
payload.

Keep in mind that NX/DEP isn't the only built-in protection against remote
code execution in modern Windows. There's also stack canaries, ASLR, heap
protection etc. which may or may not be enabled depending on the particular
process, CPU and OS release. The type of vulnerability itself is also
relevant. Certain vulnerable API calls will be easier/harder to use when the
target may be using these mitigating protections.

But if you have suggestions for a more generically applicable method, please
discuss!

Rhys
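
The question in this thread turns on whether a process can be switched out of DEP at all, and that is decided by the system DEP policy rather than by admin rights: under AlwaysOn no process can opt out, while under OptIn/OptOut a process that was not started with permanent DEP can still have its DEP state changed. The following PowerShell script is an added example, not code from this thread or from Metasploit; it reports the system policy and, for the running 32-bit processes it can open, whether DEP is permanently on. It assumes Windows with Get-CimInstance available and enough rights to open the listed processes.

```powershell
# Added example (not from the thread): report the system DEP policy and,
# for the 32-bit processes we can open, whether DEP is permanently enabled.
# Assumes Windows, PowerShell 5+, and rights to open the target processes.
Add-Type -Namespace Dep -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessDEPPolicy(IntPtr hProcess, out uint lpFlags, out bool lpPermanent);
'@

# Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy values:
# 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (client default), 3 = OptOut (server default)
$policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
$os     = Get-CimInstance Win32_OperatingSystem
$policy = [int]$os.DataExecutionPrevention_SupportPolicy
"System DEP policy : {0} ({1})" -f $policy, $policyNames[$policy]
"DEP available     : {0}" -f $os.DataExecutionPrevention_Available
"32-bit apps       : {0}" -f $os.DataExecutionPrevention_32BitApplications

# Only AlwaysOn prevents every process from opting out. Under OptIn/OptOut,
# a process that was not started with permanent DEP is the one to watch.
$rows = foreach ($p in Get-Process) {
    try { $h = $p.Handle } catch { continue }   # no access (other user, protected process)
    $flags = [uint32]0
    $perm  = $false
    # GetProcessDEPPolicy is only supported for 32-bit processes; 64-bit
    # processes always run with DEP and the call simply fails for them.
    if (-not [Dep.Native]::GetProcessDEPPolicy($h, [ref]$flags, [ref]$perm)) { continue }
    [pscustomobject]@{
        Pid        = $p.Id
        Name       = $p.ProcessName
        DepEnabled = [bool]($flags -band 1)   # PROCESS_DEP_ENABLE
        Permanent  = $perm                    # cannot be switched off for its lifetime
    }
}
$rows | Sort-Object Permanent, Name | Format-Table -AutoSize
```

Processes that show DepEnabled = True but Permanent = False under an OptIn/OptOut policy are the ones a system-wide AlwaysOn setting (or linking with /NXCOMPAT) would harden further.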
