[framework] How Secure is Windows Hardware-enforced Data Execution Prevention [was ani_loadimage_chunksize problem]
Thomas Werth
security at vahle.de
Fri Oct 26 01:06:25 CDT 2007
Thanks for the information.
So far I understand DEP as a strong protection layer add-on to Windows
machines. Bypassing is possible, but more individual coding is
needed. So generic exploits should fail in most cases.
Good news so far :)
Pusscat wrote:
> I'd say a good deal of security is added by each OS level security feature. Not because any of them completely prevent exploitation in all scenarios, but because they all add further requirements to the exploitation of a vulnerability which may in some cases make certain vulns impossible to exploit. When combined with other protection mechanisms with their own restraints, the probability of feasible exploitation of a given vuln can drop dramatically.
>
> Sure, you can bypass them all in isolation, the difficulty is bypassing three protections in a vuln where the environment is highly variable, there's no info disclosure, and you have a very small payload to work with.
>
> ~ Puss
>
>
> -----Original Message-----
> From: Thomas Werth [mailto:security at vahle.de]
> Sent: Thursday, October 25, 2007 9:13 AM
> To: framework at metasploit.com
> Subject: [framework] How Secure is Windows Hardware-enforced Data Execution Prevention [was ani_loadimage_chunksize problem]
>
> So Windows Hardware-enforced Data Execution Prevention stopped the
> exploit attempt.
> On http://www.uninformed.org/?v=2&a=4&t=txt skape wrote how to bypass this.
> Now I'd like to weigh how much security is added using this feature.
> Well, it stopped the exploit very fine, but would it be possible to
> rewrite msf exploits/payloads so they would automatically bypass Windows
> protection?
> I'd like to hear the list's opinion on this protection.
> To me, on one hand it stopped the exploit, but on the other hand skape
> describes how to bypass it and I won't doubt his findings.
>
> regards
> Thomas
>
>
> Thomas Werth wrote:
>> Ohh,
>> what an "easy" reason :)
>>
>> On Windows code execution protection is activated for all programs.
>> IDA doesn't show the X flag for the stack segment, so execution isn't allowed.
>> So it seems the msf payload does nothing magic to circumvent code execution
>> protection and IDA properly prompts the wrong message ...
>>
>>
>>
>> H D Moore wrote:
>>> Could it be that the stack is non-executable on your platform and IDA is
>>> misinterpreting the exception code?
>>>
>>> -HD
>>>
>>> On Wednesday 24 October 2007, Thomas Werth wrote:
>>>> Now the jmp esp is done and lands in the stack.
>>>>
>>>> But then the same exception is thrown.
>>>> "Memory could not be written The instruction at 0x12decc referenced
>>>> memory at 0x12decc. The memory could not be written (0x12decc ->
>>>> 12decc)" Strange is that the segment is marked as W & D public Stack.
>>>> So write access should be granted...
>>>> Although, why in general is there a write access violation when
>>>> performing a nop or, formerly, a jmp esp?
>>>>
>>>> Any help and clarification is welcome.
>
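The thread's confusion is that a page can be writable yet not executable, so the first instruction fetch after a jump into it faults even though writes to it succeed. The following probe, added here as an example and not code from the thread or from Metasploit, verifies that hardware NX/DEP is actually enforced on a data page: it maps a read/write page, writes a single "ret" into it (the write succeeds), then jumps into it and reports whether the CPU faulted. It assumes a Linux/POSIX host (mmap, sigaction) rather than the Windows machine in the thread, and it never changes page protections.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Return values of probe_nx_enforcement(). */
enum { NX_NOT_ENFORCED = 0, NX_ENFORCED = 1, NX_PROBE_ERROR = -1 };

static sigjmp_buf fault_env;

/* SIGSEGV handler: unwind back into the probe instead of dying. */
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

int probe_nx_enforcement(void) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    /* Readable and writable but not executable: the same property the
       thread observed on its "W & D" stack segment. */
    unsigned char *p = mmap(NULL, page, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NX_PROBE_ERROR;

    /* Write a lone "ret" for the host CPU; the write itself succeeds. */
#if defined(__x86_64__) || defined(__i386__)
    p[0] = 0xC3;
#elif defined(__aarch64__)
    memcpy(p, "\xc0\x03\x5f\xd6", 4);
    __builtin___clear_cache((char *)p, (char *)p + 4);
#else
    munmap(p, page);
    return NX_PROBE_ERROR;
#endif

    struct sigaction sa = {0}, old;
    sa.sa_handler = on_fault;
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old);

    volatile int result = NX_NOT_ENFORCED;
    if (sigsetjmp(fault_env, 1) == 0) {
        ((void (*)(void))(uintptr_t)p)();  /* a "jmp esp"-style jump into data */
    } else {
        result = NX_ENFORCED;              /* instruction fetch faulted: NX/DEP works */
    }
    sigaction(SIGSEGV, &old, NULL);
    munmap(p, page);
    return result;
}
```

On a host with NX enforced the call returns NX_ENFORCED, which is the behaviour that stopped the exploit attempt described above.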