- Footnote 1 (on "heap"): There are other documented techniques for bypassing non-executable protections, such as returning into ZwProtectVirtualMemory or building a chained ret2libc-style attack, but these approaches tend to be more complicated and are often more restricted because they require bytes (such as NULL bytes) that cannot be supplied in many common overflow situations.
- Footnote 2 (on "process"): With a few parameters that are discussed later.
- Footnote 3 (on "2"): The reason this pointer has to reference a DWORD that is exactly 2, and not some integer whose low byte happens to be 2, is that nt!MmSetExecutionOptions checks that none of the unused flag bits are set; a value with garbage in its upper bytes is rejected.
- ...
appended4
- In reality, it may not be the return address that
is being overwritten, but instead might be a function pointer. The
fact that it is at a misaligned address lends credence to this fact,
though it is certainly not a clear indication
- Footnote 5 (on "attack"): This is possible even when an SEH overwrite is leveraged, given the right conditions. The basic approach is to locate a pop reg, pop reg, pop esp, ret instruction sequence in a region that is not protected by SafeSEH (such as a third-party DLL that was not linked with /SAFESEH). When the exception dispatcher calls the overwritten handler, the EstablisherFrame argument is the third dword on the stack (after the return address and the ExceptionRecord pointer), so the two pops discard those and the pop esp shifts the stack to the start of the EstablisherFrame, which is the attacker-controlled EXCEPTION_REGISTRATION_RECORD. The ret then returns into the address stored in the overwritten Next pointer. If the Next pointer were set to the location of NtdllOkayToLockRoutine and the stack were laid out as explained above, the technique used to bypass hardware-enforced DEP that is described in this document could be made to work.
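Footnote 3 above turns on why the ProcessInformation pointer handed to NtSetInformationProcess must reference a DWORD that is exactly 2. The following is an added example written for this page (not code from the paper or from Windows) that models that check and shows why a "low byte is 2" candidate fails. The ProcessExecuteFlags class number (0x22) and the MEM_EXECUTE_OPTION_* flag values are taken from public NDK/ReactOS headers; the valid-flags mask and the ENABLE/DISABLE mutual-exclusion rule are assumptions of this model, as the real mask differs between kernel versions. The 16-byte "module image" is constructed sample data.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Flag values from public NDK/ReactOS headers (assumed for this model). */
#define MEM_EXECUTE_OPTION_DISABLE      0x01u
#define MEM_EXECUTE_OPTION_ENABLE       0x02u
#define MEM_EXECUTE_OPTION_VALID_FLAGS  0x0fu   /* assumed mask for this model */
#define ProcessExecuteFlags             0x22u   /* PROCESSINFOCLASS value */

#define STATUS_SUCCESS               0x00000000u
#define STATUS_INFO_LENGTH_MISMATCH  0xC0000004u
#define STATUS_INVALID_PARAMETER     0xC000000Du

/* Model of the argument validation footnote 3 attributes to
   nt!MmSetExecutionOptions. This is an illustration, not the kernel's code:
   the buffer must be 4 bytes and no bit outside the valid mask may be set,
   so a dword whose low byte is 2 but whose upper bytes are non-zero fails. */
uint32_t model_mm_set_execution_options(const void *info, size_t info_len)
{
    uint32_t flags;
    if (info_len != sizeof(flags))
        return STATUS_INFO_LENGTH_MISMATCH;
    memcpy(&flags, info, sizeof(flags));
    if (flags & ~MEM_EXECUTE_OPTION_VALID_FLAGS)      /* unused bits set */
        return STATUS_INVALID_PARAMETER;
    if ((flags & (MEM_EXECUTE_OPTION_ENABLE | MEM_EXECUTE_OPTION_DISABLE)) ==
        (MEM_EXECUTE_OPTION_ENABLE | MEM_EXECUTE_OPTION_DISABLE))
        return STATUS_INVALID_PARAMETER;              /* assumed: contradictory */
    return STATUS_SUCCESS;
}

/* The five dwords a ret2libc-style frame leaves on the x86 stack when
   control is transferred to ntdll!NtSetInformationProcess. */
struct nt_set_info_frame {
    uint32_t return_addr;    /* where the stub returns after the syscall */
    uint32_t process_handle; /* NtCurrentProcess() == 0xFFFFFFFF */
    uint32_t info_class;     /* ProcessExecuteFlags (0x22) */
    uint32_t info_ptr;       /* address of the dword the kernel reads */
    uint32_t info_length;    /* must be 4 */
};

/* Scan an image for a 4-byte-aligned dword equal to `want`; returns its
   offset or -1. This is the search an exploit writer performs to find a
   usable ProcessInformation pointer inside a module at a known address. */
long find_dword(const uint8_t *img, size_t len, uint32_t want)
{
    for (size_t off = 0; off + sizeof(uint32_t) <= len; off += 4) {
        uint32_t v;
        memcpy(&v, img + off, sizeof(v));
        if (v == want)
            return (long)off;
    }
    return -1;
}

/* Build the frame for a candidate pointer (image base + offset) and run it
   through the modelled check, returning the status the kernel would give. */
uint32_t try_candidate(const uint8_t *img, uint32_t img_base, long off)
{
    struct nt_set_info_frame f = {
        .return_addr    = 0x41414141u,        /* attacker-chosen */
        .process_handle = 0xFFFFFFFFu,
        .info_class     = ProcessExecuteFlags,
        .info_ptr       = img_base + (uint32_t)off,
        .info_length    = sizeof(uint32_t),
    };
    const uint8_t *p = img + (f.info_ptr - img_base);   /* resolve in our copy */
    return model_mm_set_execution_options(p, f.info_length);
}

/* Constructed sample image: a low-byte-2 dword at offset 4 and an exact
   2 (MEM_EXECUTE_OPTION_ENABLE) at offset 12. */
static const uint8_t sample_image[16] = {
    0x90, 0x90, 0x90, 0x90,
    0x02, 0x00, 0x41, 0x00,   /* 0x00410002: low byte 2, upper bits set */
    0xcc, 0xcc, 0xcc, 0xcc,
    0x02, 0x00, 0x00, 0x00,   /* 0x00000002: exactly 2 */
};

int main(void)
{
    const uint32_t base = 0x7c800000u;       /* hypothetical module base */
    long good = find_dword(sample_image, sizeof sample_image, 2);
    printf("low-byte-2 at +4  -> 0x%08x\n", try_candidate(sample_image, base, 4));
    printf("exact 2 at +%ld   -> 0x%08x\n", good, try_candidate(sample_image, base, good));
    return 0;
}
```

Running it shows the first candidate rejected with STATUS_INVALID_PARAMETER and the second accepted, which is why the exploit needs a pointer to a literal 2 rather than any dword that merely ends in 02.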