DEP is data execution prevent, it is some kind of windows protection. DEP was protecting with make the stack of windows application to be non executable, so if we put some payload in the stack then we don't allow to execute it. But we can bypass DEP protection with some method which available in Win32 APIs.
Some method to bypass DEP
VirtualProtect()
The VirtualProtect function changes the access protection of memory region become readable, writable, or executable in the calling process.
http://msdn.microsoft.com/en-us/library/aa366898(VS.85).aspx
VirtualAlloc()
This function will allocate new memory. One of the parameters to this function specifies the execution/access level of the newly allocated memory, so
the goal is to set that value to EXECUTE_READWRITE.
http://msdn.microsoft.com/en-us/library/aa366887(VS.85).aspx
Return-oriented programming
Now the question arises in our minds like as "How do we use some method above to bypass DEP protection while we only have an access to the stack and we knew that we can't execute anything there?"
Yes, it was true, but with RETN instruction we can pop 4byte data from the stack and push it to the EIP register. And what's happening if we insert the address of an instruction to the stack, and then we execute the RETN instruction? Properly the instruction of that address will be execute, in other word we make some functions by utilizing a chain of the offset from command+RETN instruction in some dll which loaded by application, and this technique usually call as ROP (Return Oriented Programming)
Identity Providers for RedTeamers
9 months ago
0 comments:
Post a Comment