If you want to show your respect for my work - donate : http://www.corelan.be:8800/index.php/donate/
Peter Van Eeckhoutte's Blog
:: [Knowledge is not an object, it´s a flow] ::
Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR
Peter Van Eeckhoutte · Monday, September 21st, 2009
Introduction
In all previous tutorials in this Exploit writing tutorial series, we have looked at building exploits that work on Windows XP / Windows 2003 Server. The success of all of these exploits (whether they are based on a direct RET overwrite or on overwriting an exception handler structure) rests on one thing: a reliable return address or pop/pop/ret address must be found that makes the application jump to your shellcode. In all of these cases, we were able to find a more or less reliable address in one of the OS dlls or application dlls. Even after a reboot, this address stays the same, making the exploit work reliably.
Fortunately for the zillions of Windows end-users out there, a number of protection mechanisms have been built into the Windows operating system and its build tools:
- Stack cookies (/GS compiler switch)
- SafeSEH (/SAFESEH linker switch)
- Data Execution Prevention (DEP) (software and hardware based)
- Address Space Layout Randomization (ASLR)
Stack cookie /GS protection
The /GS switch is a compiler option that adds code to a function's prologue and epilogue in order to prevent successful abuse of typical stack based (string buffer) overflows.
When an application starts, a program-wide master cookie (4 bytes (dword), unsigned int) is generated as a pseudo-random value and saved in the .data section of the loaded module. In the function prologue, a copy of this master cookie is written to the stack right before the saved EBP and saved EIP, i.e. between the local variables (buffers) and the saved return address, so a linear overflow of a buffer has to overwrite the cookie before it can reach EIP:
[buffer][cookie][saved EBP][saved EIP]
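To make the prologue/epilogue mechanism concrete, here is a small C model of the /GS frame layout above. This is an added example written for this page, not compiler output and not code from the original tutorial: the stack frame is modelled as a struct with the exact [buffer][cookie][saved EBP][saved EIP] layout, the master cookie, saved EBP and saved EIP values are constructed placeholders, and the "vulnerable" copy deliberately ignores the buffer size (it is only clamped to the frame size so the model stays well-defined C). The point it demonstrates is that any overflow long enough to touch the saved return address must first clobber the cookie, which the epilogue comparison detects.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Process-wide master cookie. Real /GS code keeps it in .data
   (__security_cookie); this value is a constructed stand-in, not a real one. */
static const uint32_t master_cookie = 0xC0D3F00Du;

/* One stack frame laid out as the text describes:
   [buffer][cookie][saved EBP][saved EIP]
   Modelled as a struct so the "overflow" stays inside one object. */
struct frame {
    char     buffer[16];   /* local string buffer, the overflow target  */
    uint32_t cookie;       /* copy of the master cookie (the /GS check)  */
    uint32_t saved_ebp;    /* pushed frame pointer                       */
    uint32_t saved_eip;    /* return address the attacker wants          */
};

/* Prologue: place a copy of the master cookie below the saved registers.
   EBP/EIP values are constructed placeholders. */
static void prologue(struct frame *f)
{
    memset(f->buffer, 0, sizeof f->buffer);
    f->cookie    = master_cookie;
    f->saved_ebp = 0x0012FF80u;
    f->saved_eip = 0x00401000u;
}

/* The bug: copies attacker-controlled bytes without checking the buffer
   size. Anything beyond 16 bytes runs into cookie, saved EBP, saved EIP. */
static void vulnerable_copy(struct frame *f, const unsigned char *in, size_t n)
{
    if (n > sizeof *f)          /* clamp only so the model stays in-bounds */
        n = sizeof *f;
    memcpy((unsigned char *)f, in, n);
}

/* Epilogue: the stack copy must still equal the master cookie; a mismatch
   means the return address cannot be trusted (real code calls
   __security_check_cookie and aborts the process). */
static int epilogue_cookie_ok(const struct frame *f)
{
    return f->cookie == master_cookie;
}

/* Runs one input through the frame. Returns 1 if /GS would have caught it. */
int gs_detects(const unsigned char *in, size_t n)
{
    struct frame f;
    prologue(&f);
    vulnerable_copy(&f, in, n);
    return !epilogue_cookie_ok(&f);
}

/* Returns the saved EIP after the copy, to show what the attacker reached. */
uint32_t saved_eip_after(const unsigned char *in, size_t n)
{
    struct frame f;
    prologue(&f);
    vulnerable_copy(&f, in, n);
    return f.saved_eip;
}

/* Convenience wrappers: n bytes of 'A' (0x41), the classic overflow pattern. */
int gs_detects_fill(size_t n)
{
    unsigned char in[sizeof(struct frame)];
    memset(in, 'A', sizeof in);
    return gs_detects(in, n);
}

uint32_t saved_eip_after_fill(size_t n)
{
    unsigned char in[sizeof(struct frame)];
    memset(in, 'A', sizeof in);
    return saved_eip_after(in, n);
}

int main(void)
{
    /* 16 bytes fits; 20 bytes reaches the cookie; 28 bytes reaches saved EIP */
    size_t lens[] = { 16, 20, 28 };
    for (size_t i = 0; i < 3; i++)
        printf("%2zu bytes: /GS detected=%d  saved EIP=0x%08x\n",
               lens[i], gs_detects_fill(lens[i]), (unsigned)saved_eip_after_fill(lens[i]));
    return 0;
}
```

Because the cookie sits between the buffer and the saved registers, the 28-byte input that does overwrite saved EIP with 0x41414141 is exactly the one the epilogue rejects; this is why the rest of the tutorial has to look for ways around the check rather than through it.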
During the epilogue, this