Exploit Research
DEP Bypass with ROP ChainsOPEN SECURITY
WWW.OPENSECURITY.IN
AJIN ABRAHAM
@AJINABRAHAM
Data Execution Prevention [DEP]
Hardware Data Execution Prevention utilizes the NX ("No eXecute page protection“ of AMD) or XD (“eXecute Disable“ of Intel) bit on DEP compatible CPU’s, and will mark certain parts of the memory as non executable.
Normally the part in memory containing data (heap, stack and memory pool) are marked as non executable.
So arbitrary code injection on these areas won’t get executed.
Different DEP options in Windows OS
OptIn : Only a limited set of Windows system modules/binaries are protected by DEP.OptOut : All programs, processes, services on the Windows system are protected, except for processes in the exception listAlwaysOn : All programs, processes, services, etc on the Windows system are protected. No exceptionsAlwaysOff : DEP is turned off.
@ajinabraham
How Will We Execute the Shellcode When DEP Is Enabled?
We will craft a Windows API call that will disable DEP for a specific memory region that we can control.
We have to use the instructions in the executable region of the process and chain them in a particular order to call the Windows API to disable DEP.
So once DEP is disabled, we can execute the shellcode in the memory region that we control.
For that purpose we use ROP Chains.
@ajinabraham
Bypassing DEP with ROP Chains
A ROP Chain is a chain of instruction that contains a sequence of gadgets.
A *Gadget is a group of instructions in the ROP Chain that ends with a RET instruction.
A ROP NOP is a pointer to a RET.
With ROP Chains, we will jump from one part of the chain to another part without executing a single instructions in the DEP protected region.
In Effect what we are doing is, we use ROP Chains to setup the stack with parameter for the Windows API call and finally call the API to disable DEP.
* Gadget actually refers to higher-level macros/code snippets as per Hovav Shacham. @ajinabraham
Exploitation when DEP is Enabled
Exploitation in 2 Stages
1st StageDisable DEP.
2nd StageJump to Shellcode and Execute it.
@ajinabraham
Windows APIs for disabling DEPAPI / OS XP SP2 XP SP3 Vista
SP0Vista SP1
Windows 7 Windows 8 Windows 2003 SP1
Windows 2008
VirtualAlloc yes yes yes yes yes yes yes yes
HeapCreate yes yes yes yes yes yes yes yes
SetProcessDEPPolicy no (1) yes no (1) yes no (2) no(2) no (1) yes
NtSetInformationProcess
yes yes yes no (2) no (2) no(2) yes no (2)
VirtualProtect yes yes yes yes yes yes yes yes
WriteProcessMemory yes yes yes yes yes yes yes yes
Source: https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/
(1) Doesn’t exist.(2) Will fail because of default DEP Policy settings.
@ajinabraham
Universal APIs for disabling DEP
Available across all Windows Builds till date.
VirtualAlloc()VirtualProtect()
@ajinabraham
Invoking a Function
void add(int a, int b)
{
int x=25;
char y=‘a’;
printf(“Sum is %d\n”,a+b);
}
int main()
{
add(2,3);
}
25
Stack Layout
RETN
2
3
Local Variables
Parameters
EBP
EBP - x
Low Memory
High Memory
EBP + x
ESP
EBP
a
VirtualAlloc()
VirtualAlloc() is a Windows API present in kernel32.dll used to disable DEP.
it will allocate new memory. One of the parameters to this function specifies the execution/access level of the newly allocated memory, so the goal is to set that value to EXECUTE_READWRITE.
VirtualAlloc() Win API Call Structure
LPVOID WINAPI VirtualAlloc => A pointer to VirtualAlloc()
(
_In_opt_ LPVOID lpAddress, => Return Address (Redirect Execution to ESP)
_In_ SIZE_T dwSize, => dwSize (0x1)
_In_ DWORD flAllocationType, => flAllocationType (0x1000) )
_In_ DWORD flProtect => flProtect (0x40)
);@ajinabraham
Stack Should Contain
Return Address
lpAddress
dwSize
flAllocationType
flProtect
Return Address pointing to another ROP chain that will copy the shellcode to the newly allocated memory and jump to it.
Starting address of the region where we want to allocate thememory. You can provide a hardcoded value.
Size of the region in bytes. We use rop chains to create and write this value to the stack.
Set to 0×1000 (MEM_COMMIT). We use rop chains to create and write this value to the stack.
Set to 0×40 (EXECUTE_READWRITE). We use rop chains to create and write this value to the stack.
@ajinabraham
VirtualProtect()
VirtualProtect() is another Windows API present in kernel32.dll used to disable DEP.
The VirtualProtect function changes the access protection of memory in the calling process.
VirtualProtect() Win API Call Structure
BOOL WINAPI VirtualProtect => A pointer to VirtualProtect()
(
_In_ LPVOID lpAddress, => Return Address (Redirect Execution to ESP)
_In_ SIZE_T dwSize, => dwSize (0x201)
_In_ DWORD flNewProtect, => flNewProtect (0x40)
_Out_ PDWORD lpflOldProtect => A writable pointer
);
@ajinabraham
Stack Should Contain
Return Address
lpAddress
dwSize
flNewProtect
lpflOldProtect
Return Address pointing to the shellcode on the stack. This valueis dynamically created using ROP chains.
Pointer to the base address of the region of pages whose access protection attributes need to be changed. i.e. this will be thebase address of the shellcode. It is a dynamically created value.
Size of the region in bytes. It is a dynamically created value usingROP chains.
Set to 0×00000040 : PAGE_EXECUTE_READWRITE. This parameterspecifies the new protection flag. It is also dynamically created.
Pointer to variable that will receive the old protection flag. It is a writable static address.
@ajinabraham
Ways to write a ROP Chain
Basically three ways. 1. We can load all the API parameters into the various
registers and use a PUSHAD instruction to push them to the stack in the proper order.(Easiest)
2. we can directly write the parameters to the stack in the proper order and then return to them (this will be more difficult).
3. Create entire payload using ROP Chain (requires some ninja skills).
@ajinabraham
Let’s Exploit Something
We will use the VirtualAlloc() API call to disable DEP.
Our Strategy Use ROP chains to put the parameters for VirtualAlloc() in the stack.
Call the function VirtualAlloc() which will disable DEP.
Jump to shellcode and execute it.
To achieve this we can put the required values in register and then use a pushad instruction to put these values into the stack at once.
@ajinabraham
Exploit Code Structure
RETJUNK ROP Chain Exploit Shellcode
EIP ESP
NOPS
@ajinabraham
Thank You
References
https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/
http://www.fuzzysecurity.com/tutorials/expDev/7.html
@ajinabraham