SlideShare uma empresa Scribd logo

CNIT 127 14: Protection Mechanisms

Sam Bowne
Sam Bowne

Slides for a college course at City College San Francisco. Based on "The Shellcoder's Handbook: Discovering and Exploiting Security Holes ", by Chris Anley, John Heasman, Felix Lindner, Gerardo Richarte; ASIN: B004P5O38Q. Instructor: Sam Bowne Class website: https://samsclass.info/127/127_F18.shtml

Educação
1 de 84
Baixar para ler offline
CNIT 127: Exploit Development
 
 Ch 14: Protection Mechanisms Updated 11-3-18
Topics • Non-Executable Stack • W^X (Either Writable or Executable Memory) • Stack Data Protection – Canaries – Ideal Stack Layout – AAAS: ASCII Armored Address Space – ASLR: Address Space Layout Randomization
Topics (continued) • Heap Protections • Windows SEH Protections
Protection Mechanisms • General protection mechanisms • Try to reduce the possibility of a successful exploit – Without making the vulnerability disappear • Protections have flaws and can be bypassed
Example C Code
Non-Executable Stack
NX-Stack • Code injected onto the stack will not run • Now enabled by default in most Linux distributions, OpenBSD, Mac OS X, and Windows • Bypass techniques involve executing code elsewhere, not on the stack • The return address can still be over- written
ret2data • Place shellcode in the data section – Using buffered I/O, which places data on the heap, or some other technique • Use the corrupted return value to jump to it
ret2libc • Use return address to jump directly to code in libc – Such as system() on Unix or WinExec() on Windows • In a stack-based buffer overflow – Attacker controls entire stack frame – Including return address and arguments • Limitation: range of valid characters – Can't inject 'x00'
ret2strcpy • Based on ret2libc • Place shellcode on the stack • Use strcpy() to copy NOP sled + shellcode to a writable and executable memory address – dest • Use the return address when strcpy() finishes to jump to somewhere in the NOP sled – dest_ret
ret2strcpy
ret2gets • Needs only one argument: a writable and executable memory address – dest • Reads NOP sled and shellcode from stdin • Often controlled by attacker
ret2gets
ret2code • Generic name for all ways of using code that already exists in the application • May be real code that performs function for the application • Or just fragments of existing code
Chained ret2code • Also called chained ret2libc • Executes a series of calls to existing code • Three techniques – Move stack pointer to a user-controlled buffer – Fix the stack pointer after each return, with pop-pop-pop-pop-ret – Return into functions implemented using pascal or stdcall calling conventions, as used in Windows, which fix the stack upon return
ret2syscall • For Linux, the arguments for syscall are in registers • Must find two code fragments and chain them together – First one pops all the needed arguments from stack into desired registers, then returns – Second one issues a syscall • Easier on Windows, BSD, or Mac OS X than on Linux – Syscall arguments on the stack
ret2text • Jump into the .text section of the executable binary itself – Where the program's code lives • Increasingly important to overcome other protections – W^X and ASLR
ret2plt • Jump to Procedure Linkage Table – A table of pointers to libc functions – Present in the memory space for every dynamically-linked ELF executable • Limited to the functions called by the program
ret2dl-resolve • Jump to ELF's dynamic linker resolver (ld.so) – Can perform ret2plt attacks using library functions that are not used by the target binary
Limitations of NX Stack • Still allows return address to be abused to divert execution flow • Does not prevent execution of – Code already present in a process's memory – Code in other data areas
Demonstration: Stack Defenses in Visual Studio C++
LABEL in .text Section
.data, Heap, and Stack
Compile with Protections • .text and .data don't change
Compile Without ASLR
Stack Cookie Changes
W^X (Either Writable or Executable Memory)
W^X Extends NX Stack • Memory is either – Writable but not executable • or – Non-writable and executable • So injected code won't run, no matter where it goes
PaX • An early Linux implementation of W^X • Very secure, but never included in mainstream Linux distributions – To improve performance and maintainability
NX Bit • Available in Windows starting with Win XP SP2 • Called "Data Execution Prevention" • Opt-in for client versions • Opt-out for server versions
Limitations of W^X • Chained ret2code still works – Using code that's already present, without changing it • ret2code works – As long as there is code present that does what the attacker wants • Some memory may still allow W+X • Can use chained ret2code to write to disk and then execve() the disk file
Limitations of W^X • Turning the protection off – Windows allows this with a single library call – ZwSetInformationProcess(-1. 22, 'x32x00x00x00", 4); – However, this requires injecting null bytes
Limitations of W^X • Changing a specific memory region from W^X to W+X – In Windows • VirtualProtect(addr, size, 0x40, writable_address); • addr and size specify the region of memory to be made W+X –A similar function exists in OpenBSD
Limitations of W^X • X after W – First write shellcode to writable, non- executable memory – Then change it to executable, non-writable • Create a new W+X region of memory – Possible in Windows, Linux, and OpenBSD – On Windows, use VirtualAlloc() – On Unix, use mmap()
Stack Data Protection
Canaries • StackGuard was first • ProPolice is improved version – Included in gcc – Also called SSP (Stack-Smashing Protector)
StackGuard Only Protected the Return Address • Ineffective, because attacker can still change other variables and the saved EBP – (Frame pointer) • StackGuard was replaced by ProPolice and Visual Studio's /GS protection
Canaries • First canary was NUL canary (0x00000000) • Replaced by Terminator canary (x000aff0d) – Includes four bad characters 
 to stop most injection • Null (0x00) • Line Feed (0x10) • Carriage Return (0x0d) • EOF (0xff) • Random canary
Ideal Stack Layout • Used by ProPolice and Microsoft's /GS feature • Places local buffers at the end of the stack frame – After other local variables • Copies function arguments into local variables – And relocates them • Protects the saved EBP and return value with a canary
Ideal Stack Layout
Compromises for Performance • Both ProPolice and Visual Studio make compromises – They protect some functions, and leave others unprotected • Visual Studio only copies vulnerable arguments – Leaving the rest unprotected
Vulnerabilities in Ideal Stack Layout • If a function contains several buffers – One buffer can overflow into the next one – Could turn a buffer overflow into a format string vulnerability • C structure members can't be rearranged – May have an unfavorable order • Functions with a variable number of arguments – Can't be placed in ideal layout
Vulnerabilities in Ideal Stack Layout • Buffers dynamically allocated with alloca() on the stack are always on top of stack frame • There may be something valuable to the attacker located after the buffer – In Windows, Exception Registration Record is stored on the stack – Other variables can be overwritten, because cookie is only checked when the function returns
AAAS: ASCII Armored Address Space
Null Bytes in Addresses • Load all shared libraries in addresses starting with 0x00 – Blocks string-based stack overflows – Because null bytes terminate strings • More effective on big-endian architectures – Where the 0x00 is at the start of the address • You can inject one 0x00, at the end of the string
Example • You want to execute this Linux command, which adds a new user account to the system – system(“echo gera::0:0::/:/bin/sh >>/etc/passwd“) • You can still make one call to system() by making the last injected byte x00
AAAS Limitations • Main executable is not moved to the ASCII Armored Address Space – It contains lots of useful code – Function epilogues – Programs PLT
ASLR: Address Space Layout Randomization
Not All Code is Randomized • Performance suffers from ASLR – Because it means that a register is permanently occupied holding the code base – There aren't enough registers available in a 32-bit OS to do that without slowing the system
Ways to Defeat ASLR • Use ret2gets – Specify location to put shellcode • Make the application supply the address for you – Useful addresses may be stored in registers or on the stack
linux-gate.so • Found in modern Linux distributions • A table of pointers used for system calls • Sometimes placed at a fixed location – Link Ch 14a
Insufficient Randomization • If there are only 8 bits of entropy, an attack has 1/256 chance of working just by luck • Heap cookies had only 8 bits in Windows XP SP2 and could be bypassed this way • In Win 7 and Server 2003, the cookie is still 8 bits, but there are other defenses, as we'll see later
Insufficient Randomization • Memory sections may maintain a fixed distance from each other, moving together by a fixed displacement – So only one guess is needed
Finding Addresses • Local privilege escalation – May be able to access "proc/<pid>/maps" – The memory map • Also, brute-forcing a 16-bit value is not impossible – 65,536 runs • Even a 24-bit value can be brute-forced – 16 million runs
Finding Addresses • Format string exploits reveal contents of RAM – Such as the memory map • Several RPC calls leak memory addresses in handles that are returned to the client • Multithreaded Windows applications – Address space must be the same for all the threads in a process – More chances to find an address
fork() • Unix processes often use fork() to clone themselves • But the fork() does not re-randomize the memory layout
Heap Protections
Action of Free() • Must write to the forward and reverse pointers • If we can overflow a chunk, we can control those writes • Write to arbitrary RAM – Image from mathyvanhoef.com, link Ch 5b
Safe unlink() • Checks integrity of pointers before freeing a chunk • Makes sure that these two conditions are true before freeing chunk B
Implementations in Various OS's • Safe unlink() is implemented in – glibc since 2004 – Windows since Win XP SP2
Unprotected Heap Operations • Not all heap operations are protected by Safe unlink() • There are several complicated exploit techniques in Malloc Maleficarum – Exploiting code that adds a chunk, not free() – Link Ch 14b
Heap Exploits on Windows • Unsafe Unlinking – Overwrite back and forward pointers carefully – So that the check passes – But the pointers still do desirable things when the chunk is freed – Allows a write to arbitrary RAM
Heap Exploits on Windows • Chunk-on-lookaside overwrite – Windows lookaside list records free chunks – Singly-linked, no security checks – Allows a write to arbitrary RAM • Windows Vista and later no longer use lookaside lists – Instead they use a Low Fragmentation Heap
Heap Cookies in Win XP • Windows XP SP2 inserts an 8-bit random cookie into each heap chunk's header • When a chunk is freed, the cookie is checked, but if the check fails, RtlFreeHeap() just exits without doing anything – Instead of halting program execution • So just try 256 times, until you get lucky
Heap Cookies in Vista and Later • Eight random bytes are generated when a heap is created • Used with XOR to validate each chunk's header • Other integrity checks are also used • Some degree of ASLR for the heap • This is strong heap protection
Windows 8 • Even more protections (link Ch 14c)
Even More Defenses
And Even More • Cookies in the Kernel Pool – Also protects lookaside lists • Non-executable kernel pool – To thwart heap spraying • Much improved randomization – Especially with Ivy Bridge CPUs – RDRAND – Hardware Random Number Generator
RDRAND • Cannot audit the hardware random-number generator • FreeBSD refused to use it – Links Ch 14d, 14e
Windows 10 Defenses (Link Ch 14f)
Windows 10 Defenses
Windows 10 Defenses
OpenBSD and FreeBSD Heap • Used phkmalloc() in older versions – Doesn't use linked lists – Doesn't intermix control information with user data • OpenBSD v 3.8 and later – malloc() uses mmap() – Allocates randomly located chunks of RAM (using ASLR) – No two chunks can ever be adjacent
Heap Exploits • Overwriting control structures in the heap is becoming very difficult • But sometimes there may be something else stored after a heap chunk that's useful – Like a function pointer – In C++, the vtable contains pointers and may sometimes be overwritten
Windows SEH Protections
SEH Protections • Registers are zeroed before calling the handler – So no address information is available to it • Exception handler can't be placed in the stack – So attacker can't inject code on the stack and jump to it
SEH Protections • PE binaries (.exe and .dll files) compiled with /SafeSEH – Use a whitelist of permitted exception handlers – All the rest of the code in the PE file can't be used for exception handlers – Blocks POP, POP, RET trampoline attacks
SEH Protections • Memory sections not compiled with 
 /SafeSEH still have some protections – Handlers must be in executable RAM (enforced by either hardware or software) • But DEP isn't in effect for every executable
SEH Exploitation Tools • EEREAP – Reads a memory dump – Finds SEH trampoline code, like pop-pop-ret • pdest – Freezes a process and hunts through its RAM to find good trampoline code • SEHInspector – Inspects a DLL or EXE – Tells you if /SafeSEH or ASLR are in effect – Lists all valid exception handlers
CNIT 127 14: Protection Mechanisms

Recomendados

CNIT 127: L9: Web Templates and .NET
CNIT 127: L9: Web Templates and .NETCNIT 127: L9: Web Templates and .NET
CNIT 127: L9: Web Templates and .NET
Sam Bowne
 
CNIT 127: 8: Windows overflows (Part 2)
CNIT 127: 8: Windows overflows (Part 2)CNIT 127: 8: Windows overflows (Part 2)
CNIT 127: 8: Windows overflows (Part 2)
Sam Bowne
 
Ch 6: The Wild World of Windows
Ch 6: The Wild World of WindowsCh 6: The Wild World of Windows
Ch 6: The Wild World of Windows
Sam Bowne
 
CNIT 127 Ch 4: Introduction to format string bugs
CNIT 127 Ch 4: Introduction to format string bugsCNIT 127 Ch 4: Introduction to format string bugs
CNIT 127 Ch 4: Introduction to format string bugs
Sam Bowne
 
CNIT 127 Ch 8: Windows overflows (Part 1)
CNIT 127 Ch 8: Windows overflows (Part 1)CNIT 127 Ch 8: Windows overflows (Part 1)
CNIT 127 Ch 8: Windows overflows (Part 1)
Sam Bowne
 
CNIT 127 Ch 3: Shellcode
CNIT 127 Ch 3: ShellcodeCNIT 127 Ch 3: Shellcode
CNIT 127 Ch 3: Shellcode
Sam Bowne
 
CNIT 127 Ch 1: Before you Begin
CNIT 127 Ch 1: Before you BeginCNIT 127 Ch 1: Before you Begin
CNIT 127 Ch 1: Before you Begin
Sam Bowne
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux
Sam Bowne
 

Recomendados

CNIT 127: L9: Web Templates and .NET
CNIT 127: L9: Web Templates and .NETCNIT 127: L9: Web Templates and .NET
CNIT 127: L9: Web Templates and .NET
Sam Bowne
 
CNIT 127: 8: Windows overflows (Part 2)
CNIT 127: 8: Windows overflows (Part 2)CNIT 127: 8: Windows overflows (Part 2)
CNIT 127: 8: Windows overflows (Part 2)
Sam Bowne
 
Ch 6: The Wild World of Windows
Ch 6: The Wild World of WindowsCh 6: The Wild World of Windows
Ch 6: The Wild World of Windows
Sam Bowne
 
CNIT 127 Ch 4: Introduction to format string bugs
CNIT 127 Ch 4: Introduction to format string bugsCNIT 127 Ch 4: Introduction to format string bugs
CNIT 127 Ch 4: Introduction to format string bugs
Sam Bowne
 
CNIT 127 Ch 8: Windows overflows (Part 1)
CNIT 127 Ch 8: Windows overflows (Part 1)CNIT 127 Ch 8: Windows overflows (Part 1)
CNIT 127 Ch 8: Windows overflows (Part 1)
Sam Bowne
 
CNIT 127 Ch 3: Shellcode
CNIT 127 Ch 3: ShellcodeCNIT 127 Ch 3: Shellcode
CNIT 127 Ch 3: Shellcode
Sam Bowne
 
CNIT 127 Ch 1: Before you Begin
CNIT 127 Ch 1: Before you BeginCNIT 127 Ch 1: Before you Begin
CNIT 127 Ch 1: Before you Begin
Sam Bowne
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux
Sam Bowne
 
Ch 5: Introduction to heap overflows
Ch 5: Introduction to heap overflowsCh 5: Introduction to heap overflows
Ch 5: Introduction to heap overflows
Sam Bowne
 
CNIT 127: Ch 18: Source Code Auditing
CNIT 127: Ch 18: Source Code AuditingCNIT 127: Ch 18: Source Code Auditing
CNIT 127: Ch 18: Source Code Auditing
Sam Bowne
 
CNIT 141: 4. Block Ciphers
CNIT 141: 4. Block CiphersCNIT 141: 4. Block Ciphers
CNIT 141: 4. Block Ciphers
Sam Bowne
 
CNIT 127 Ch 5: Introduction to heap overflows
CNIT 127 Ch 5: Introduction to heap overflowsCNIT 127 Ch 5: Introduction to heap overflows
CNIT 127 Ch 5: Introduction to heap overflows
Sam Bowne
 
Hacking and securing ios applications
Hacking and securing ios applicationsHacking and securing ios applications
Hacking and securing ios applications
Satish b
 
1. Mobile Application (In)security
1. Mobile Application (In)security1. Mobile Application (In)security
1. Mobile Application (In)security
Sam Bowne
 
Embedded Systems: Lecture 11: Introduction to Git & GitHub (Part 2)
Embedded Systems: Lecture 11: Introduction to Git & GitHub (Part 2)Embedded Systems: Lecture 11: Introduction to Git & GitHub (Part 2)
Embedded Systems: Lecture 11: Introduction to Git & GitHub (Part 2)
Ahmed El-Arabawy
 
Code review guidelines
Code review guidelinesCode review guidelines
Code review guidelines
Lalit Kale
 
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingLinux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend Programing
Angel Boy
 
Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)
Angel Boy
 
Introduction Linux Device Drivers
Introduction Linux Device DriversIntroduction Linux Device Drivers
Introduction Linux Device Drivers
NEEVEE Technologies
 
CNIT 126 6: Recognizing C Code Constructs in Assembly
CNIT 126 6: Recognizing C Code Constructs in Assembly CNIT 126 6: Recognizing C Code Constructs in Assembly
CNIT 126 6: Recognizing C Code Constructs in Assembly
Sam Bowne
 
Linux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledgeLinux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledge
Angel Boy
 
MacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationMacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) Exploitation
Angel Boy
 
What's in a Jailbreak? - BSides 2019 keynote
What's in a Jailbreak? - BSides 2019 keynoteWhat's in a Jailbreak? - BSides 2019 keynote
What's in a Jailbreak? - BSides 2019 keynote
MarkDowd13
 
Bloc for Pharo: Current State and Future Perspective
Bloc for Pharo: Current State and Future PerspectiveBloc for Pharo: Current State and Future Perspective
Bloc for Pharo: Current State and Future Perspective
ESUG
 
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
Hackito Ergo Sum
 
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgPractical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Sam Bowne
 
CNIT 128 7. Attacking Android Applications (Part 2)
CNIT 128 7. Attacking Android Applications (Part 2)CNIT 128 7. Attacking Android Applications (Part 2)
CNIT 128 7. Attacking Android Applications (Part 2)
Sam Bowne
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbg
Sam Bowne
 
CNIT 127 14: Protection Mechanisms
CNIT 127 14: Protection MechanismsCNIT 127 14: Protection Mechanisms
CNIT 127 14: Protection Mechanisms
Sam Bowne
 
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
DefconRussia
 

Mais conteúdo relacionado

Mais procurados

Hacking and securing ios applications
Hacking and securing ios applicationsHacking and securing ios applications
Hacking and securing ios applications
Satish b
 
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
Hackito Ergo Sum
 

Mais procurados (20)

Ch 5: Introduction to heap overflows
Ch 5: Introduction to heap overflowsCh 5: Introduction to heap overflows
Ch 5: Introduction to heap overflows
 
CNIT 127: Ch 18: Source Code Auditing
CNIT 127: Ch 18: Source Code AuditingCNIT 127: Ch 18: Source Code Auditing
CNIT 127: Ch 18: Source Code Auditing
 
CNIT 141: 4. Block Ciphers
CNIT 141: 4. Block CiphersCNIT 141: 4. Block Ciphers
CNIT 141: 4. Block Ciphers
 
CNIT 127 Ch 5: Introduction to heap overflows
CNIT 127 Ch 5: Introduction to heap overflowsCNIT 127 Ch 5: Introduction to heap overflows
CNIT 127 Ch 5: Introduction to heap overflows
 
Hacking and securing ios applications
Hacking and securing ios applicationsHacking and securing ios applications
Hacking and securing ios applications
 
1. Mobile Application (In)security
1. Mobile Application (In)security1. Mobile Application (In)security
1. Mobile Application (In)security
 
Embedded Systems: Lecture 11: Introduction to Git & GitHub (Part 2)
Embedded Systems: Lecture 11: Introduction to Git & GitHub (Part 2)Embedded Systems: Lecture 11: Introduction to Git & GitHub (Part 2)
Embedded Systems: Lecture 11: Introduction to Git & GitHub (Part 2)
 
Code review guidelines
Code review guidelinesCode review guidelines
Code review guidelines
 
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingLinux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend Programing
 
Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)
 
Introduction Linux Device Drivers
Introduction Linux Device DriversIntroduction Linux Device Drivers
Introduction Linux Device Drivers
 
CNIT 126 6: Recognizing C Code Constructs in Assembly
CNIT 126 6: Recognizing C Code Constructs in Assembly CNIT 126 6: Recognizing C Code Constructs in Assembly
CNIT 126 6: Recognizing C Code Constructs in Assembly
 
Linux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledgeLinux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledge
 
MacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationMacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) Exploitation
 
What's in a Jailbreak? - BSides 2019 keynote
What's in a Jailbreak? - BSides 2019 keynoteWhat's in a Jailbreak? - BSides 2019 keynote
What's in a Jailbreak? - BSides 2019 keynote
 
Bloc for Pharo: Current State and Future Perspective
Bloc for Pharo: Current State and Future PerspectiveBloc for Pharo: Current State and Future Perspective
Bloc for Pharo: Current State and Future Perspective
 
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
 
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgPractical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
 
CNIT 128 7. Attacking Android Applications (Part 2)
CNIT 128 7. Attacking Android Applications (Part 2)CNIT 128 7. Attacking Android Applications (Part 2)
CNIT 128 7. Attacking Android Applications (Part 2)
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbg
 

Semelhante a CNIT 127 14: Protection Mechanisms

chapter8.ppt clean code Boundary ppt Coding guide
chapter8.ppt clean code Boundary ppt Coding guidechapter8.ppt clean code Boundary ppt Coding guide
chapter8.ppt clean code Boundary ppt Coding guide
SanjeevSaharan5
 

Semelhante a CNIT 127 14: Protection Mechanisms (20)

CNIT 127 14: Protection Mechanisms
CNIT 127 14: Protection MechanismsCNIT 127 14: Protection Mechanisms
CNIT 127 14: Protection Mechanisms
 
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
 
chapter8.ppt clean code Boundary ppt Coding guide
chapter8.ppt clean code Boundary ppt Coding guidechapter8.ppt clean code Boundary ppt Coding guide
chapter8.ppt clean code Boundary ppt Coding guide
 
Pune-Cocoa: Blocks and GCD
Pune-Cocoa: Blocks and GCDPune-Cocoa: Blocks and GCD
Pune-Cocoa: Blocks and GCD
 
Operating Systems 1 (5/12) - Architectures (Unix)
Operating Systems 1 (5/12) - Architectures (Unix)Operating Systems 1 (5/12) - Architectures (Unix)
Operating Systems 1 (5/12) - Architectures (Unix)
 
Migration challenges and process
Migration challenges and processMigration challenges and process
Migration challenges and process
 
Is That A Penguin In My Windows?
Is That A Penguin In My Windows?Is That A Penguin In My Windows?
Is That A Penguin In My Windows?
 
13 superscalar
13 superscalar13 superscalar
13 superscalar
 
Kafka overview v0.1
Kafka overview v0.1Kafka overview v0.1
Kafka overview v0.1
 
Chapter 6 os
Chapter 6 osChapter 6 os
Chapter 6 os
 
Ch04 threads
Ch04 threadsCh04 threads
Ch04 threads
 
13_Superscalar.ppt
13_Superscalar.ppt13_Superscalar.ppt
13_Superscalar.ppt
 
Advanced Windows Exploitation
Advanced Windows ExploitationAdvanced Windows Exploitation
Advanced Windows Exploitation
 
Nodes and Networks for HPC computing
Nodes and Networks for HPC computingNodes and Networks for HPC computing
Nodes and Networks for HPC computing
 
CNIT 127: Ch 8: Windows overflows (Part 2)
CNIT 127: Ch 8: Windows overflows (Part 2)CNIT 127: Ch 8: Windows overflows (Part 2)
CNIT 127: Ch 8: Windows overflows (Part 2)
 
CNIT 127 Ch Ch 1: Before you Begin
CNIT 127 Ch Ch 1: Before you BeginCNIT 127 Ch Ch 1: Before you Begin
CNIT 127 Ch Ch 1: Before you Begin
 
Spil Storage Platform (Erlang) @ EUG-NL
Spil Storage Platform (Erlang) @ EUG-NLSpil Storage Platform (Erlang) @ EUG-NL
Spil Storage Platform (Erlang) @ EUG-NL
 
(8) cpp stack automatic_memory_and_static_memory
(8) cpp stack automatic_memory_and_static_memory(8) cpp stack automatic_memory_and_static_memory
(8) cpp stack automatic_memory_and_static_memory
 
the windows opereting system
the windows opereting systemthe windows opereting system
the windows opereting system
 
Earhart
EarhartEarhart
Earhart
 

Mais de Sam Bowne

Mais de Sam Bowne (20)

Cyberwar
CyberwarCyberwar
Cyberwar
 
3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development Security
 
4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the Application
 
3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic Curves
 
11. Diffie-Hellman
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-Hellman
 
2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android Applications
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)
 
10 RSA
10 RSA10 RSA
10 RSA
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard Problems
 
8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis Methodology
 
8. Authenticated Encryption
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated Encryption
 
7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)
 
7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream Ciphers
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection
 

Último

Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
negromaestrong
 
Gardella_PRCampaignConclusion Pitch Letter
Gardella_PRCampaignConclusion Pitch LetterGardella_PRCampaignConclusion Pitch Letter
Gardella_PRCampaignConclusion Pitch Letter
MateoGardella
 
An Overview of Mutual Funds Bcom Project.pdf
An Overview of Mutual Funds Bcom Project.pdfAn Overview of Mutual Funds Bcom Project.pdf
An Overview of Mutual Funds Bcom Project.pdf
SanaAli374401
 
Making and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdfMaking and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdf
Chris Hunter
 
Gardella_Mateo_IntellectualProperty.pdf.
Gardella_Mateo_IntellectualProperty.pdf.Gardella_Mateo_IntellectualProperty.pdf.
Gardella_Mateo_IntellectualProperty.pdf.
MateoGardella
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
heathfieldcps1
 

Último (20)

Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptx
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
 
Gardella_PRCampaignConclusion Pitch Letter
Gardella_PRCampaignConclusion Pitch LetterGardella_PRCampaignConclusion Pitch Letter
Gardella_PRCampaignConclusion Pitch Letter
 
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...
 
An Overview of Mutual Funds Bcom Project.pdf
An Overview of Mutual Funds Bcom Project.pdfAn Overview of Mutual Funds Bcom Project.pdf
An Overview of Mutual Funds Bcom Project.pdf
 
Making and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdfMaking and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdf
 
Advance Mobile Application Development class 07
Advance Mobile Application Development class 07Advance Mobile Application Development class 07
Advance Mobile Application Development class 07
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 
Gardella_Mateo_IntellectualProperty.pdf.
Gardella_Mateo_IntellectualProperty.pdf.Gardella_Mateo_IntellectualProperty.pdf.
Gardella_Mateo_IntellectualProperty.pdf.
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SD
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin ClassesMixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
 
Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfClass 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdf
 

CNIT 127 14: Protection Mechanisms

  • 1. CNIT 127: Exploit Development
 
 Ch 14: Protection Mechanisms Updated 11-3-18
  • 2. Topics • Non-Executable Stack • W^X (Either Writable or Executable Memory) • Stack Data Protection – Canaries – Ideal Stack Layout – AAAS: ASCII Armored Address Space – ASLR: Address Space Layout Randomization
  • 3. Topics (continued) • Heap Protections • Windows SEH Protections
  • 4. Protection Mechanisms • General protection mechanisms • Try to reduce the possibility of a successful exploit – Without making the vulnerability disappear • Protections have flaws and can be bypassed
  • 7. NX-Stack • Code injected onto the stack will not run • Now enabled by default in most Linux distributions, OpenBSD, Mac OS X, and Windows • Bypass techniques involve executing code elsewhere, not on the stack • The return address can still be over- written
  • 8. ret2data • Place shellcode in the data section – Using buffered I/O, which places data on the heap, or some other technique • Use the corrupted return value to jump to it
  • 9. ret2libc • Use return address to jump directly to code in libc – Such as system() on Unix or WinExec() on Windows • In a stack-based buffer overflow – Attacker controls entire stack frame – Including return address and arguments • Limitation: range of valid characters – Can't inject 'x00'
  • 10. ret2strcpy • Based on ret2libc • Place shellcode on the stack • Use strcpy() to copy NOP sled + shellcode to a writable and executable memory address – dest • Use the return address when strcpy() finishes to jump to somewhere in the NOP sled – dest_ret
  • 12. ret2gets • Needs only one argument: a writable and executable memory address – dest • Reads NOP sled and shellcode from stdin • Often controlled by attacker
  • 14. ret2code • Generic name for all ways of using code that already exists in the application • May be real code that performs function for the application • Or just fragments of existing code
  • 15. Chained ret2code • Also called chained ret2libc • Executes a series of calls to existing code • Three techniques – Move stack pointer to a user-controlled buffer – Fix the stack pointer after each return, with pop-pop-pop-pop-ret – Return into functions implemented using pascal or stdcall calling conventions, as used in Windows, which fix the stack upon return
  • 16. ret2syscall • For Linux, the arguments for syscall are in registers • Must find two code fragments and chain them together – First one pops all the needed arguments from stack into desired registers, then returns – Second one issues a syscall • Easier on Windows, BSD, or Mac OS X than on Linux – Syscall arguments on the stack
  • 17. ret2text • Jump into the .text section of the executable binary itself – Where the program's code lives • Increasingly important to overcome other protections – W^X and ASLR
  • 18. ret2plt • Jump to Procedure Linkage Table – A table of pointers to libc functions – Present in the memory space for every dynamically-linked ELF executable • Limited to the functions called by the program
  • 19. ret2dl-resolve • Jump to ELF's dynamic linker resolver (ld.so) – Can perform ret2plt attacks using library functions that are not used by the target binary
  • 20. Limitations of NX Stack • Still allows return address to be abused to divert execution flow • Does not prevent execution of – Code already present in a process's memory – Code in other data areas
  • 22. LABEL in .text Section
  • 24. Compile with Protections • .text and .data don't change
  • 27.
  • 28. W^X (Either Writable or Executable Memory)
  • 29. W^X Extends NX Stack • Memory is either – Writable but not executable • or – Non-writable and executable • So injected code won't run, no matter where it goes
  • 30. PaX • An early Linux implementation of W^X • Very secure, but never included in mainstream Linux distributions – To improve performance and maintainability
  • 31. NX Bit • Available in Windows starting with Win XP SP2 • Called "Data Execution Prevention" • Opt-in for client versions • Opt-out for server versions
  • 32. Limitations of W^X • Chained ret2code still works – Using code that's already present, without changing it • ret2code works – As long as there is code present that does what the attacker wants • Some memory may still allow W+X • Can use chained ret2code to write to disk and then execve() the disk file
  • 33. Limitations of W^X • Turning the protection off – Windows allows this with a single library call – ZwSetInformationProcess(-1. 22, 'x32x00x00x00", 4); – However, this requires injecting null bytes
  • 34. Limitations of W^X • Changing a specific memory region from W^X to W+X – In Windows • VirtualProtect(addr, size, 0x40, writable_address); • addr and size specify the region of memory to be made W+X –A similar function exists in OpenBSD
  • 35. Limitations of W^X • X after W – First write shellcode to writable, non- executable memory – Then change it to executable, non-writable • Create a new W+X region of memory – Possible in Windows, Linux, and OpenBSD – On Windows, use VirtualAlloc() – On Unix, use mmap()
  • 37. Canaries • StackGuard was first • ProPolice is improved version – Included in gcc – Also called SSP (Stack-Smashing Protector)
  • 38. StackGuard Only Protected the Return Address • Ineffective, because attacker can still change other variables and the saved EBP – (Frame pointer) • StackGuard was replaced by ProPolice and Visual Studio's /GS protection
  • 39. Canaries • First canary was NUL canary (0x00000000) • Replaced by Terminator canary (x000aff0d) – Includes four bad characters 
 to stop most injection • Null (0x00) • Line Feed (0x10) • Carriage Return (0x0d) • EOF (0xff) • Random canary
  • 40. Ideal Stack Layout • Used by ProPolice and Microsoft's /GS feature • Places local buffers at the end of the stack frame – After other local variables • Copies function arguments into local variables – And relocates them • Protects the saved EBP and return value with a canary
  • 42. Compromises for Performance • Both ProPolice and Visual Studio make compromises – They protect some functions, and leave others unprotected • Visual Studio only copies vulnerable arguments – Leaving the rest unprotected
  • 43. Vulnerabilities in Ideal Stack Layout • If a function contains several buffers – One buffer can overflow into the next one – Could turn a buffer overflow into a format string vulnerability • C structure members can't be rearranged – May have an unfavorable order • Functions with a variable number of arguments – Can't be placed in ideal layout
  • 44. Vulnerabilities in Ideal Stack Layout • Buffers dynamically allocated with alloca() on the stack are always on top of stack frame • There may be something valuable to the attacker located after the buffer – In Windows, Exception Registration Record is stored on the stack – Other variables can be overwritten, because cookie is only checked when the function returns
  • 45. AAAS: ASCII Armored Address Space
  • 46. Null Bytes in Addresses • Load all shared libraries in addresses starting with 0x00 – Blocks string-based stack overflows – Because null bytes terminate strings • More effective on big-endian architectures – Where the 0x00 is at the start of the address • You can inject one 0x00, at the end of the string
  • 47. Example • You want to execute this Linux command, which adds a new user account to the system – system(“echo gera::0:0::/:/bin/sh >>/etc/passwd“) • You can still make one call to system() by making the last injected byte x00
  • 48.
  • 49. AAAS Limitations • Main executable is not moved to the ASCII Armored Address Space – It contains lots of useful code – Function epilogues – Programs PLT
  • 50.
  • 51. ASLR: Address Space Layout Randomization
  • 52. Not All Code is Randomized • Performance suffers from ASLR – Because it means that a register is permanently occupied holding the code base – There aren't enough registers available in a 32-bit OS to do that without slowing the system
  • 53. Ways to Defeat ASLR • Use ret2gets – Specify location to put shellcode • Make the application supply the address for you – Useful addresses may be stored in registers or on the stack
  • 54. linux-gate.so • Found in modern Linux distributions • A table of pointers used for system calls • Sometimes placed at a fixed location – Link Ch 14a
  • 55. Insufficient Randomization • If there are only 8 bits of entropy, an attack has 1/256 chance of working just by luck • Heap cookies had only 8 bits in Windows XP SP2 and could be bypassed this way • In Win 7 and Server 2003, the cookie is still 8 bits, but there are other defenses, as we'll see later
  • 56. Insufficient Randomization • Memory sections may maintain a fixed distance from each other, moving together by a fixed displacement – So only one guess is needed
  • 57. Finding Addresses • Local privilege escalation – May be able to access "proc/<pid>/maps" – The memory map • Also, brute-forcing a 16-bit value is not impossible – 65,536 runs • Even a 24-bit value can be brute-forced – 16 million runs
  • 58. Finding Addresses • Format string exploits reveal contents of RAM – Such as the memory map • Several RPC calls leak memory addresses in handles that are returned to the client • Multithreaded Windows applications – Address space must be the same for all the threads in a process – More chances to find an address
  • 59. fork() • Unix processes often use fork() to clone themselves • But the fork() does not re-randomize the memory layout
  • 61. Action of Free() • Must write to the forward and reverse pointers • If we can overflow a chunk, we can control those writes • Write to arbitrary RAM – Image from mathyvanhoef.com, link Ch 5b
  • 62. Safe unlink() • Checks integrity of pointers before freeing a chunk • Makes sure that these two conditions are true before freeing chunk B
  • 63. Implementations in Various OS's • Safe unlink() is implemented in – glibc since 2004 – Windows since Win XP SP2
  • 64. Unprotected Heap Operations • Not all heap operations are protected by Safe unlink() • There are several complicated exploit techniques in Malloc Maleficarum – Exploiting code that adds a chunk, not free() – Link Ch 14b
  • 65. Heap Exploits on Windows • Unsafe Unlinking – Overwrite back and forward pointers carefully – So that the check passes – But the pointers still do desirable things when the chunk is freed – Allows a write to arbitrary RAM
  • 66. Heap Exploits on Windows • Chunk-on-lookaside overwrite – Windows lookaside list records free chunks – Singly-linked, no security checks – Allows a write to arbitrary RAM • Windows Vista and later no longer use lookaside lists – Instead they use a Low Fragmentation Heap
  • 67. Heap Cookies in Win XP • Windows XP SP2 inserts an 8-bit random cookie into each heap chunk's header • When a chunk is freed, the cookie is checked, but if the check fails, RtlFreeHeap() just exits without doing anything – Instead of halting program execution • So just try 256 times, until you get lucky
  • 68. Heap Cookies in Vista and Later • Eight random bytes are generated when a heap is created • Used with XOR to validate each chunk's header • Other integrity checks are also used • Some degree of ASLR for the heap • This is strong heap protection
  • 69. Windows 8 • Even more protections (link Ch 14c)
  • 71. And Even More • Cookies in the Kernel Pool – Also protects lookaside lists • Non-executable kernel pool – To thwart heap spraying • Much improved randomization – Especially with Ivy Bridge CPUs – RDRAND – Hardware Random Number Generator
  • 72.
  • 73. RDRAND • Cannot audit the hardware random-number generator • FreeBSD refused to use it – Links Ch 14d, 14e
  • 77. OpenBSD and FreeBSD Heap • Used phkmalloc() in older versions – Doesn't use linked lists – Doesn't intermix control information with user data • OpenBSD v 3.8 and later – malloc() uses mmap() – Allocates randomly located chunks of RAM (using ASLR) – No two chunks can ever be adjacent
  • 78. Heap Exploits • Overwriting control structures in the heap is becoming very difficult • But sometimes there may be something else stored after a heap chunk that's useful – Like a function pointer – In C++, the vtable contains pointers and may sometimes be overwritten
  • 80. SEH Protections • Registers are zeroed before calling the handler – So no address information is available to it • Exception handler can't be placed in the stack – So attacker can't inject code on the stack and jump to it
  • 81. SEH Protections • PE binaries (.exe and .dll files) compiled with /SafeSEH – Use a whitelist of permitted exception handlers – All the rest of the code in the PE file can't be used for exception handlers – Blocks POP, POP, RET trampoline attacks
  • 82. SEH Protections • Memory sections not compiled with 
 /SafeSEH still have some protections – Handlers must be in executable RAM (enforced by either hardware or software) • But DEP isn't in effect for every executable
  • 83. SEH Exploitation Tools • EEREAP – Reads a memory dump – Finds SEH trampoline code, like pop-pop-ret • pdest – Freezes a process and hunts through its RAM to find good trampoline code • SEHInspector – Inspects a DLL or EXE – Tells you if /SafeSEH or ASLR are in effect – Lists all valid exception handlers