2. Slide subject structure
• Exploit: - popular exploitation technique
• Mitigation: - anti-exploit (mitigation) technique
• Bypass: - anti-anti-exploit (anti-mitigation) evasion technique
• Test: - test to check mitigation in action or to bypass it
[Diagram labels: exploit, mitigation, bypass]
32. Mitigation: DEP
• Hardware-enforced DEP: NX bit / NXCOMPAT flag
• Software-enforced DEP
• Dynamic DEP (4)
• Stack Exec (2)
• DEP turnoff (1)
AlwaysON flag – MUST!!!
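As an added example (not code from this deck), the check a defender runs before trusting the NXCOMPAT bullet above: parse the PE optional header, read DllCharacteristics, and report the NX_COMPAT, DYNAMIC_BASE and HIGH_ENTROPY_VA opt-ins, then combine the image flag with the system DEP policy (the bcdedit nx value; AlwaysOn is the setting the slide insists on). The test image is constructed inline with only the headers the parser reads; the constant names are the winnt.h ones, everything else is this example's own.

```python
import struct

# DllCharacteristics bits from the PE optional header (winnt.h values)
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100


def pe_dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE32 or PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20          # skip signature and the 20-byte COFF file header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unexpected optional header magic 0x%X" % magic)
    # DllCharacteristics sits at optional-header offset 70 in both formats
    return struct.unpack_from("<H", image, opt + 70)[0]


def exploit_mitigation_flags(image: bytes) -> dict:
    """Report the linker opt-ins that DEP and ASLR rely on."""
    flags = pe_dll_characteristics(image)
    return {
        "nxcompat": bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "dynamicbase": bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "high_entropy_va": bool(flags & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    }


def dep_enabled_for(policy: str, nxcompat: bool) -> bool:
    """System DEP policy (bcdedit nx value) combined with the image flag, for a
    32-bit process that is not on the OptOut exception list."""
    policy = policy.lower()
    if policy == "alwayson":
        return True        # every process, flag or not: the setting the slide asks for
    if policy == "alwaysoff":
        return False
    if policy == "optout":
        return True        # on unless the process was explicitly exempted
    if policy == "optin":
        return nxcompat    # only images linked with /NXCOMPAT
    raise ValueError("unknown DEP policy %r" % policy)


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed test image: only the headers the parser above reads."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    sample = build_minimal_pe(IMAGE_DLLCHARACTERISTICS_NX_COMPAT | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    print(exploit_mitigation_flags(sample))
    print("DEP under OptIn:", dep_enabled_for("OptIn", exploit_mitigation_flags(sample)["nxcompat"]))
```

Point `pe_dll_characteristics()` at a real file's bytes to audit a module; an image without NX_COMPAT is still covered only when the system policy is AlwaysOn (or OptOut without an exemption), which is why the slide marks AlwaysOn as mandatory.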
34. Bypass: Anti-DEP
• Return-into-libc attack
• Disable DEP for a process
• Mark memory area as executable
• Allocate new executable area and copy shellcode
• DLL load
• Code reuse (ROP)
35. Tests: generic DEP and DEP bypass
• Execute shellcode from PAGE_READWRITE heap memory area
• Mark the stack memory executable: PAGE_EXECUTE_READWRITE via VirtualProtect()
[Test result diagram: tests A, B, C, D; one outcome marked "crash"]
51. HEAP layout
[Diagram: process virtual memory]
• Heap 1 Base (default heap), Heap 2 Base, ..., Heap N Base
• Segment 1 Header (default segment), Segment 2 Header, ..., Segment N Header
• chunk1, chunk2, ..., chunk N
55. ASLR(HEAP) – HELL, where is my shellcode???
Base of default ProcessHeap is ASLR’ed (randomized)!!!
56. Windows Heap Manager predictable behavior
Low fragmentation heap – LFH (turned off by default): memory chunks are the same size and at predictable locations
64. Test: Heap spraying in action
• Execute shellcode via single byte NOP sled
• Execute shellcode via multi-byte (polymorphic) NOP sled
• Fill heap with prepared Javascript ArrayBuffer objects
[Test result diagram: tests A, B, C, D; mitigation checks: Caller Check, Memory Limit, HeapSpr Check; TEST FAILED]
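A detection-side counterpart to the heap spray tests above, added here as an example and not taken from the deck: a scanner over a memory region that reports runs where a short byte pattern repeats for a long stretch, which is what a single-byte NOP sled (period 1) and a multi-byte sled (period 2..4) look like, and a "HeapSpr check" style score giving the fraction of the region covered by such runs. The buffer, thresholds and function names are this example's own constructions.

```python
def find_repeating_runs(buf: bytes, min_len: int = 256, max_period: int = 4) -> list:
    """Return (offset, length, period) for every region of buf in which a
    pattern of `period` bytes repeats for at least min_len bytes.
    Period 1 is a single-byte NOP sled; periods 2..max_period catch the
    multi-byte (polymorphic) sleds. A run is reported under its smallest period."""
    runs = []
    n = len(buf)
    for period in range(1, max_period + 1):
        run_start = 0
        for i in range(period, n + 1):
            if i < n and buf[i] == buf[i - period]:
                continue                      # still inside a repeating region
            length = i - run_start
            already = any(s <= run_start and run_start + length <= s + l for s, l, _ in runs)
            if length >= min_len and not already:
                runs.append((run_start, length, period))
            run_start = i - period + 1        # a new run can only start after the mismatch
    runs.sort()
    return runs


def heap_spray_score(buf: bytes, min_len: int = 256, max_period: int = 4) -> float:
    """Fraction of the buffer covered by sled-like runs; a sprayed region scores high."""
    if not buf:
        return 0.0
    covered = sum(length for _, length, _ in find_repeating_runs(buf, min_len, max_period))
    return covered / len(buf)


# Constructed sample: two "benign" regions (a 256-byte ramp repeated, whose period is
# far too long to count as a sled), a single-byte 0x90 sled, and a two-byte 0x0d 0x0c sled.
BENIGN = bytes(range(256)) * 4                  # 1024 bytes
SINGLE_BYTE_SLED = b"\x90" * 2048
MULTI_BYTE_SLED = b"\x0d\x0c" * 1024            # 2048 bytes
SAMPLE_HEAP = BENIGN + SINGLE_BYTE_SLED + BENIGN + MULTI_BYTE_SLED

if __name__ == "__main__":
    for off, length, period in find_repeating_runs(SAMPLE_HEAP):
        print("sled-like run at 0x%x, %d bytes, period %d" % (off, length, period))
    print("heap spray score: %.2f" % heap_spray_score(SAMPLE_HEAP))
```

The scan is O(n * max_period); on a process dump, run it per committed heap region and alert when the score crosses a threshold tuned on clean baselines, since large zero-filled or pattern-filled buffers also produce long runs.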
66. Bypass: Code Reuse concept
• Overflow using code injection is difficult nowadays!
• Let’s reuse code from victim process itself!!!
• Set up function arguments on the stack using instructions from loaded modules, CALL <API function> and bypass DEP. Get shellcode execution after the function returns.
67. Bypass: ROP Chains
• ROP Gadget – a short sequence of instructions
• ROP Chain – many ROP gadgets chained together
Gadget chaining types:
• RETN ROP gadget
• CALL/JMP ROP gadget
69. Tests: ROP tests VirtualProtect()
• Create memory page, copy shellcode, make it executable using VirtualProtect() and jmp to shellcode
• Create memory page, copy shellcode, make it executable using a CALL-ROP-gadget from DLLs to call VirtualProtect(), and jmp to shellcode
• Create memory page, copy shellcode, make it executable using a chain that jumps into legitimate code where a call to VirtualProtect() is located, and jmp to shellcode
[Test result diagrams, one per test: outcomes A, B, C, D; mitigation check: Caller check]
70. Tests: ROP tests NtProtectVirtualMemory()
• Chain that creates memory page, copies shellcode, makes it executable using NtProtectVirtualMemory() and jmps to shellcode
• Wow64 bypass NtProtectVirtualMemory()
• Exploit Wow64 NtProtectVirtualMemory()
[Test result diagrams, one per test: outcomes A, B, C, D; mitigation check: Caller check]
71. Tests: Stack Pivot / Stack Unpivot
• Point the stack pointer to newly heap-allocated memory holding shellcode
• Execute ROP chain on both the pivoted and the native stack
[Test result diagram: tests A, B, C, D; ROP]
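The mitigation side of the ROP and stack pivot tests in slides 69 to 71, written as an added example (not the deck's code): the "Caller check" named in the test diagrams, which verifies that a return address at a sensitive API call site (VirtualProtect(), NtProtectVirtualMemory()) is immediately preceded by a CALL instruction, as a legitimate return address is and a gadget address normally is not, and a stack pivot check, which verifies that the stack pointer still lies inside the thread's own stack range. Assumes 32-bit x86 code without instruction prefixes; the code buffer, base address and stack range are constructed for the example.

```python
# Two ROP mitigation checks of the kind applied at sensitive API call sites.
# 32-bit x86 only; instruction prefixes are not considered.

def preceded_by_call(code: bytes, ret_addr: int, base: int) -> bool:
    """Caller check: does the instruction ending right before ret_addr decode as a CALL?
    Recognised encodings: E8 rel32 and the FF /2 ModRM forms."""
    off = ret_addr - base

    def byte_at(i):
        return code[i] if 0 <= i < len(code) else None

    if byte_at(off - 5) == 0xE8:          # CALL rel32
        return True
    # FF /2: opcode FF, ModRM reg field == 010; total length depends on mod/rm
    for length in (2, 3, 4, 6, 7):
        opcode, modrm = byte_at(off - length), byte_at(off - length + 1)
        if opcode != 0xFF or modrm is None:
            continue
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        if reg != 2:
            continue
        if length == 2 and (mod == 3 or (mod == 0 and rm not in (4, 5))):
            return True                   # CALL reg / CALL [reg]
        if length == 3 and ((mod == 1 and rm != 4) or (mod == 0 and rm == 4)):
            return True                   # CALL [reg+disp8] / CALL [SIB]
        if length == 4 and mod == 1 and rm == 4:
            return True                   # CALL [SIB+disp8]
        if length == 6 and ((mod == 2 and rm != 4) or (mod == 0 and rm == 5)):
            return True                   # CALL [reg+disp32] / CALL [disp32] (IAT call)
        if length == 7 and mod == 2 and rm == 4:
            return True                   # CALL [SIB+disp32]
    return False


def stack_pivoted(sp: int, stack_limit: int, stack_base: int) -> bool:
    """Stack pivot check: the stack pointer must stay inside the thread's own
    stack, [StackLimit, StackBase) as recorded in the TEB. A pointer into heap
    memory means the stack was pivoted."""
    return not (stack_limit <= sp < stack_base)


def check_api_call(code, base, ret_addr, sp, stack_limit, stack_base) -> list:
    """Return the names of the checks a call site fails (empty list = clean)."""
    failed = []
    if not preceded_by_call(code, ret_addr, base):
        failed.append("caller check")
    if stack_pivoted(sp, stack_limit, stack_base):
        failed.append("stack pivot check")
    return failed


# Constructed code buffer at a hypothetical base address:
#   +0   E8 10 00 00 00      call rel32       (return site at +5)
#   +5   FF D0               call eax         (return site at +7)
#   +7   FF 15 00 30 40 00   call [0x403000]  (return site at +13)
#   +13  C3                  ret              (+14 follows a RET, not a CALL)
#   +14  90 90
CODE = bytes.fromhex("E810000000FFD0FF1500304000C39090")
CODE_BASE = 0x00401000
STACK_LIMIT, STACK_BASE = 0x0012C000, 0x00130000   # constructed thread stack range
HEAP_ADDR = 0x00A40000                             # constructed heap address

if __name__ == "__main__":
    print(check_api_call(CODE, CODE_BASE, CODE_BASE + 13, 0x0012FF40, STACK_LIMIT, STACK_BASE))
    print(check_api_call(CODE, CODE_BASE, CODE_BASE + 14, HEAP_ADDR, STACK_LIMIT, STACK_BASE))
```

Both checks are heuristics: the third VirtualProtect() test above (jumping into legitimate code that already contains the call) passes the caller check by construction, and a chain that pivots back before the call passes the stack pivot check, which is why the deck runs the tests against each mitigation rather than trusting any single one.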