Metasploit mailing list archives
How Secure is Windows Hardware-enforced Data Execution Prevention [was ani_loadimage_chunksize problem]
From: rhyskidd at gmail.com (Rhys Kidd)
Date: Mon, 29 Oct 2007 20:45:36 +0900
Well, DEP/NX works by marking sections in memory as being either executable or data (and thus non-executable). When you overwrite a buffer, your chunk of shellcode will be written onto a portion of memory tagged as non-executable. Hence, a problem.

To get around this, the methods of skape, skywing (and I assume Immunity, although I haven't seen it in action) are to use currently existing chunks of code in the target process for a different purpose. Because it has always been code, it is marked executable, and fine to return to through a SEH overwrite, saved return address overwrite, etc. The method of controlling EIP with attacker data isn't directly relevant.

An attacker will then use some currently existing small sections of code in standard loaded modules like ntdll.dll, user32.dll, etc. that permit a DEP deactivation call to NtSetInformationProcess to be undertaken. These sections of code will of course be labeled as code, and executable. Only once DEP has been disabled in the process may the attacker return to shellcode which is marked non-executable and begin to execute it.

Rhys
Current thread:
- ani_loadimage_chunksize problem Thomas Werth (Oct 24)
- ani_loadimage_chunksize problem H D Moore (Oct 24)
- ani_loadimage_chunksize problem Thomas Werth (Oct 24)
- How Secure is Windows Hardware-enforced Data Execution Prevention [was ani_loadimage_chunksize problem] Thomas Werth (Oct 25)
- How Secure is Windows Hardware-enforced Data Execution Prevention [was ani_loadimage_chunksize problem] Rhys Kidd (Oct 25)
- How Secure is Windows Hardware-enforced Data Execution Prevention [was ani_loadimage_chunksize problem] Thomas Werth (Oct 29)
- How Secure is Windows Hardware-enforced Data Execution Prevention [was ani_loadimage_chunksize problem] Rhys Kidd (Oct 29)
- ani_loadimage_chunksize problem Thomas Werth (Oct 24)
- How Secure is Windows Hardware-enforced Data Execution Prevention [was ani_loadimage_chunksize problem] Pusscat (Oct 25)
- How Secure is Windows Hardware-enforced Data Execution Prevention [was ani_loadimage_chunksize problem] Thomas Werth (Oct 25)
- ani_loadimage_chunksize problem H D Moore (Oct 24)