Sunday, January 30, 2011

ROP retn+offset and impact on stack setup.

Ok so in short, I was playing with ROP-chained exploits; in particular I was making an exploit for WM Downloader.

I finally finished it and then asked corelanc0d3r from the Corelan team to test it. The exploit was good, but some ROP gadgets differed, so we tried to replace them and this came up: http://www.exploit-db.com/exploits/16072/

Everything seemed ok ... but something was weird: as you can see, we have a ROP gadget containing:
# INC ESI # PUSH EAX # POP ESI # POP EBP # RETN 4

I had some issues with padding RETN 4, so I asked corelanc0d3r for a general padding rule, and then we realized that no one actually has one (or not one that we know about). So we started documenting it and finally this came up: Corelan Site

Friday, January 7, 2011

VBox DEP issue.

First of all here is a quick demo about the issue:

DEP Issue on VBox from sickness on Vimeo.

Ok now that you have seen the demo:

A lot of people enable DEP on VirtualBox, but did anyone test it to see if it works properly? Well, guess what: it doesn't!

*How?
Well, I wanted to test some DEP bypass methods, and I have a habit: before actually trying to bypass DEP, I turn it off and test the app with a simple exploit (usually to launch calc.exe). This time I forgot to turn DEP off; it remained on, and when I launched the exploit I did not receive a DEP error and the calculator got executed. You can take a look at the quick video demo to check it out.

*What I did.
I started trying different things to make it work, like upgrading to the latest VBox, making sure that my CPU supported NX, enabling PAE/NX from VBox, reinstalling the guest OS with PAE/NX enabled from the beginning, and others. Everything seemed ok but DEP was not working. I tried tools like NXTEST, which actually told me that DEP wasn't enabled, so I tried the same configuration on VMware and what do you know ... it worked!
After seeing that VMware DEP works, I asked a few people to help me confirm this VBox issue. From the feedback of these tests I learned that only 32-bit CPUs are affected by this; DEP works on 64-bit.

*Reason for this issue.
So after seeing this issue I reported it to the guys at VBox, who after a while told me that they had figured out what was causing the problem: it's normal, but they have not documented it yet. (Great, because DEP not working is not such a big deal, what could happen!?)
QUOTE:
“For raw mode we do NOT enable NX protection by default. I'm currently not
aware of the exact reason but I believe this is to keep the code simpler
or there are some compatibility issues.”
(Yet this is not documented)

*Fix.
In order to fix this you need the following:
-NX and PAE support (cat /proc/cpuinfo and check the flags for nx and pae)
-A PAE-enabled kernel (which doesn't make much sense to me: VMware DEP works without a PAE-enabled kernel, and NX and PAE are 2 different things from my point of view, but I might be wrong.)
-You also need to invoke a command from the terminal to enable NX, because apparently the option "Enable PAE/NX" from VBox doesn't work (not sure why they included it in the first place).

Ok so in order to fix DEP in VBox, your CPU must support NX and PAE, you must run a PAE-enabled kernel, and:
Open a terminal with the same privileges as your virtual machines and type in:

"VBoxManage list vms"

You will get something like this: "Windows" {xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx}
Now issue the following command, taking Windows as the name of your VM (the virtual machine must be stopped):

"VBoxManage setextradata 'Windows' VBoxInternal/CPUM/EnableNX 1"

Now start the VM and DEP should work.
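The whole fix as a host-side script, added here as an example and not from the original post: it checks the three prerequisites listed above, refuses to touch a running VM, sets the extradata key and reads it back. It assumes a Linux host with VBoxManage on PATH, the kernel config under /boot/config-$(uname -r), and the VM name passed as the first argument.

```shell
#!/bin/sh
# Added example, not from the original post: automate the VBox NX/DEP fix.
# Assumes a Linux host with VBoxManage on PATH; the VM name is the first argument.

# cpu_has_nx_pae "FLAGS": succeed only when the cpuinfo flags list has both nx and pae.
cpu_has_nx_pae() {
    case " $1 " in *" nx "*) ;; *) return 1 ;; esac
    case " $1 " in *" pae "*) return 0 ;; *) return 1 ;; esac
}

# kernel_has_pae: a 64-bit kernel always pages with PAE; for a 32-bit kernel look
# for CONFIG_X86_PAE=y in its config (assumption: the config lives in /boot).
kernel_has_pae() {
    [ "$(uname -m)" = "x86_64" ] && return 0
    grep -qs '^CONFIG_X86_PAE=y' "/boot/config-$(uname -r)"
}

# vm_uuid "LIST_OUTPUT" "NAME": pull the UUID for NAME out of `VBoxManage list vms`
# output, whose lines look like:  "Windows" {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
vm_uuid() {
    printf '%s\n' "$1" | sed -n "s/^\"$2\" {\([^}]*\)}\$/\1/p"
}

# enable_nx_for_vm "NAME": verify the prerequisites, require the VM to be powered
# off, set the extradata key from the post and read it back to confirm.
enable_nx_for_vm() {
    flags=$(grep '^flags' /proc/cpuinfo | head -n 1 | cut -d: -f2)
    cpu_has_nx_pae "$flags" || { echo "CPU lacks the nx and/or pae flag" >&2; return 1; }
    kernel_has_pae || { echo "kernel is not PAE-enabled" >&2; return 1; }
    uuid=$(vm_uuid "$(VBoxManage list vms)" "$1")
    [ -n "$uuid" ] || { echo "no VM named '$1'" >&2; return 1; }
    VBoxManage showvminfo "$uuid" --machinereadable | grep -q '^VMState="poweroff"' \
        || { echo "VM '$1' must be powered off first" >&2; return 1; }
    VBoxManage setextradata "$uuid" VBoxInternal/CPUM/EnableNX 1
    VBoxManage getextradata "$uuid" VBoxInternal/CPUM/EnableNX
}

# Run only when a VM name is given, so the functions can also be sourced and reused.
if [ "$#" -gt 0 ]; then
    enable_nx_for_vm "$1"
fi
```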

Author: sickness

Saturday, January 1, 2011

Blog status update.

Due to recent events I do not have enough time to keep my blog updated very frequently. I will maintain it for the people who seek information from it and will post as soon as I have time.