Windows 8 DEP bypass

2012-05-02 | 113971 views | Category: Vulnerabilities

This time we’ll colour our hands with the blood of the Windows 8 Developer Preview edition. What we need: a target application, a vulnerability, and a debugger, plus notepad and calc.

So we have Windows 8 : Developer’s Preview Edition
Firefox : 3.6.16
Java (JRE) : 6u29

So what is the difference between Windows 7 and Windows 8 exploitation?
To achieve code execution on Windows 7 we just need a ROP chain that calls VirtualProtect and then executes the shellcode.

And the whole process is like:

We steer the CPU with an instruction such as “call register”, “call dword ptr [register+offset]”, etc.
Then we pivot the stack to our controlled (sprayed) heap block.
Then the ROP chain gets execution and lays out the stack for VirtualProtect(), and after VirtualProtect returns, execution is transferred to the shellcode.

But in Windows 8 a protection is implemented in the virtual-memory manipulation functions such as VirtualProtect, VirtualAlloc, etc.
The protection checks that the stack pointer (the ESP register) is inside the permitted range.
So before the VirtualProtect call in our ROP chain is carried out, ESP is checked against this range.
The range is taken from the TEB (Thread Environment Block), where the stack’s initial value and stack limit are saved.

If ESP lies outside the range bounded by the stack limit and the initial value, a stack pivot has been carried out; this raises an exception and the exploitation attempt fails.

So how to bypass this protection?

The answer is: what it requires, provide it.

It requires the stack pointer to be within the range of the original ESP from before the stack pivot, and only then is the call to VirtualProtect made.

So what we actually do is pivot the stack to our controlled heap block and preserve the original stack value in a register. Then we pop the values from our controlled current stack and mov them into the original stack memory block, and decrease the register containing the original stack address by 4 bytes or a word. We then move the next argument to VirtualProtect and again decrease the original stack address in that register by 4 bytes. Finally, the address of VirtualProtect can also be placed on the original stack block, so that when we pivot back to the original stack the next return instruction executes the VirtualProtect placed there.
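
Added example (not from the original post): a small C model of the call-time ESP range check, run over constructed ESP traces, showing for detection purposes why a check made only at the call cannot see a pivot that was undone beforehand. The sampling monitor, struct names, and all addresses are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Models the two stack bounds the TEB keeps per thread (NT_TIB.StackBase is
   the initial, highest address; NT_TIB.StackLimit is the lowest). */
typedef struct { uintptr_t stack_base, stack_limit; } stack_bounds;
/* One observation of ESP; sensitive_call marks entry to a guarded function
   such as VirtualProtect. The sampling monitor itself is hypothetical. */
typedef struct { uintptr_t sp; bool sensitive_call; } sp_sample;
typedef struct { int blocked_at_call, pivot_before_call; } verdict;

bool sp_in_stack(const stack_bounds *b, uintptr_t sp) {
    return sp >= b->stack_limit && sp < b->stack_base;
}

/* blocked_at_call: the call-time check described above fires.
   pivot_before_call: ESP was in range at the call but had left the stack
   earlier in the trace, which the call-time check alone cannot see. */
verdict analyze_trace(const stack_bounds *b, const sp_sample *t, size_t n) {
    verdict v = {0, 0};
    bool left_stack = false;
    for (size_t i = 0; i < n; i++) {
        bool inside = sp_in_stack(b, t[i].sp);
        if (!inside) left_stack = true;
        if (!t[i].sensitive_call) continue;
        if (!inside) v.blocked_at_call++;
        else if (left_stack) v.pivot_before_call++;
        left_stack = false;            /* fresh window after each call */
    }
    return v;
}

/* Constructed sample data: a 16 KiB stack and a heap address outside it. */
const stack_bounds BOUNDS = {0x00130000u, 0x0012c000u};
const sp_sample BENIGN[]   = {{0x0012ff40u, false}, {0x0012ff10u, true}};
const sp_sample PIVOTED[]  = {{0x0012ff40u, false}, {0x0c0c0c0cu, true}};
const sp_sample RESTORED[] = {{0x0012ff40u, false}, {0x0c0c0c0cu, false},
                              {0x0012ff00u, true}};

int main(void) {
    verdict v = analyze_trace(&BOUNDS, RESTORED, 3);
    printf("blocked=%d pivot_before_call=%d\n",
           v.blocked_at_call, v.pivot_before_call);
    return 0;
}
```

The RESTORED trace passes the call-time check yet is flagged by the history-based counter, which is the gap a monitor has to cover if it wants to catch this pattern.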

Following is an old 0day. The vulnerability is silently patched for Firefox below 4.0:

Requires: JRE 6u29 (latest) or earlier.

Windows 8 Calc payload