
Dobin 0x60_WindowsExploiting.pdf


Card set details

Cards 9
Language English
Category Religion/Ethics
Level University
Created / Updated 24.06.2019 / 24.06.2019
Licensing Not specified
Web link
https://card2brain.ch/box/20190624_dobin_0x60windowsexploiting_pdf

Does Windows have stack canaries?

Windows stack canaries:

  • Integrated in Visual Studio
  • /GS
  • Since Visual Studio 2002
  • Deployed in: XP SP2

Version

  • GS v1 (2002)
  • GS v1.1 (2003)
  • GS v2 (2005)
  • GS v3 (2010)

What is a Windows SEH?

SEH Overview:

  • Structured Exception Handler
  • Located on the stack
  • To handle exceptions

Favorite target for Windows exploits for years

What mitigations against SEH exploits did Windows put in place?

Mitigation: SafeSEH

  • VS2003: /SafeSEH
  • Whitelist of safe exception handlers

Mitigation: Dynamic SafeSEH

  • End of SEH list has a validation frame
  • The complete SEH list has to be valid (*next)

Mitigation: SEHOP

  • Default active in Windows Server 2008, Vista SP2
  • SEH Overwrite Protection

What is the Windows calling convention?

Calling convention:

  • "Stdcall" calling convention
    • Caller pushes arguments
    • Callee pops arguments (unlike Linux!)

Can call Windows Library Functions

  • E.g: VirtualProtect()
  • Changes the permission of memory region
  • Can make it executable again (removing DEP)

Windows ret2libc

Possible to chain library calls

Like ROP, just for function calls

Can defeat DEP (or be used for other things)

What are the problems with Windows ASLR?

Windows ASLR problems:

  • Not all binaries are compiled with relocation
  • Windows Vista: Relocation on boot
    • Brute-forceable
  • "... if the same library is loaded in multiple processes, it will be at the same base address; so any library loaded in the renderer will be loaded at a known address in the browser process."
  • Not all libraries are compiled with relocation!
    • Adobe Flash
    • Adobe PDF
    • Java
    • Some Antivirus inject(ed) DLLs

What are the Windows heap protections?

  • Heap protections:
    • 2004: Safe unlinking
    • 2006: Vista heap hardening
    • Win8:
      • Additional Heap metadata structure improvements
      • Guard pages
      • Allocation order randomization
        • Makes HEAP massaging more difficult

What is Windows EMET?

EMET = Enhanced Mitigation Experience Toolkit

  • DEP
  • SEHOP
  • NullPage
  • HeapSpray
  • EAF, EAF+ (Export Address Filtering)
  • ASLR
  • ROP Caller check
  • Stack Pivot
  • ASR (Attack Surface Reduction)