Metasploit mailing list archives

How Secure is Windows Hardware-enforced Data Execution Prevention [was ani_loadimage_chunksize problem]


From: rhyskidd at gmail.com (Rhys Kidd)
Date: Mon, 29 Oct 2007 20:45:36 +0900

Well DEP/NX works by marking sections in memory as being executable, or data
(and thus non-executable). When you overwrite a buffer, your chunk of
shellcode will be written onto a portion of memory tagged as non-executable.
Hence, a problem.

To get around this, the methods of skape, skywing (and I assume Immunity,
although I haven't seen it in action) are to use currently existing chunks of
code in the target process for a different purpose. Because it has always
been code it is marked executable, and fine to return to through a SEH
overwrite, saved return address overwrite etc. The method of controlling EIP
with attacker data isn't directly relevant.

An attacker will then use some currently existing small sections of code in
standard loaded modules like ntdll.dll, user32.dll etc that permit a DEP
deactivation call to NtSetInformationProcess to be undertaken. These sections
of code will of course be labeled as code, and executable.

Only once DEP has been disabled in the process may the attacker return to
shellcode which is marked non-executable and begin to execute it.

Rhys
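An added defender-side audit, not part of the original thread: it asks Windows, for each running process, whether DEP is enabled and whether that setting is permanent, since only a non-permanent per-process DEP setting is the kind that an in-process deactivation call like the one described above can switch off. It assumes a Windows host with PowerShell 5.1 or later and the documented kernel32 GetProcessDEPPolicy API; the function name Get-DepStatus and the namespace DepAudit are hypothetical names chosen here.

```powershell
# Constructed audit script (not from the original post). Uses the documented
# kernel32!GetProcessDEPPolicy(hProcess, &flags, &permanent) call; the
# PROCESS_DEP_ENABLE bit (0x1) in flags means DEP is on for that process.
Add-Type -Namespace DepAudit -Name Native -MemberDefinition @"
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessDEPPolicy(IntPtr hProcess, out uint lpFlags, out bool lpPermanent);
"@

$PROCESS_DEP_ENABLE = [uint32]0x1

function Get-DepStatus {
    param([System.Diagnostics.Process]$Process)
    $flags = [uint32]0
    $permanent = $false
    # Opening a handle fails for protected processes and other users' processes.
    try { $handle = $Process.Handle } catch { return 'no access' }
    $ok = [DepAudit.Native]::GetProcessDEPPolicy($handle, [ref]$flags, [ref]$permanent)
    if (-not $ok) {
        # The query is only supported for 32-bit processes; native 64-bit
        # processes always run with DEP on and cannot opt out.
        return 'query failed (e.g. 64-bit process: DEP always on)'
    }
    if (($flags -band $PROCESS_DEP_ENABLE) -eq 0) { return 'DEP off' }
    if ($permanent) { return 'DEP on (permanent)' }
    # This is the state the thread discusses: enabled, but still switchable
    # from inside the process. Building with /NXCOMPAT or calling
    # SetProcessDEPPolicy(PROCESS_DEP_ENABLE) early makes it permanent.
    return 'DEP on (NOT permanent: can be disabled from inside the process)'
}

Get-Process | ForEach-Object {
    [pscustomobject]@{ Name = $_.ProcessName; Id = $_.Id; Dep = (Get-DepStatus $_) }
} | Sort-Object Dep, Name | Format-Table -AutoSize
```

System-wide, `bcdedit /enum {current}` shows the nx policy; under AlwaysOn, Windows ignores per-process opt-out requests regardless of what the table above reports for individual processes.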