Dobin 0x60_WindowsExploiting.pdf
Dobin 0x60_WindowsExploiting.pdf
Dobin 0x60_WindowsExploiting.pdf
Fichier Détails
| Cartes-fiches | 9 |
|---|---|
| Langue | English |
| Catégorie | Religion / Ethique |
| Niveau | Université |
| Crée / Actualisé | 24.06.2019 / 24.06.2019 |
| Lien de web |
https://card2brain.ch/box/20190624_dobin_0x60windowsexploiting_pdf
|
| Intégrer |
<iframe src="https://card2brain.ch/box/20190624_dobin_0x60windowsexploiting_pdf/embed" width="780" height="150" scrolling="no" frameborder="0"></iframe>
|
Does windows have stack canaries?
Windows stack canarys:
- Integrated in Visual Studio
- /gs
- Since Visual Studio 2002
- Deployed in: XP SP2
Version
- GS v1 (2002)
- GS v1.1 (2003)
- GS v2 (2005)
- GS v3 (2010)
What is a windows SEH?
SEH Overview:
- Structured Exception Handler
- Located on the stack
- To handle exceptions
Favorit target for Windows exploits for years
What mitigations against SEH exploits did windows put in place?
Mitigation: SafeSEH
- VS2003: /SafeSEH
- Whitelist of safe exception hanglers
Mitigation: Dynamic SafeSEH
- End of SEH list has a vidation frame
- The complete SEH list has to be valid (*next)
Mitigation: SEHOP
- Default active in Windows Server 2008, Vista SP2
- SEH Overwrite Protection
What is the the windows call convention?
Call convetntion:
- "Stdcall" call convention
- Caller pushes arguments
- Callee pops arbuments (unlike linux!)
Can call Windows Library Functions
- E.g: VirtualProtect()
- Changes the permission of memory region
- Can make it executable again (removing DEP)
Windows ret2libc
Possible to chain library calls
Like ROP, just for function calls
Can defeat DEP (or be used for other things)
What are the problems with windows ASLR?
Windows ASLR problems:
- Not all binaries are compiled with relocation
- Windows Vista: Relocation on Boot
- Brut frocable
- "... if the same library is loaded in mutliple processes, it will be at the same base address; so any library loaded in the renderer will be loaded at a known address in the brwoser process."
- Not all libraries are compiled with relocation!
- Adobe Flash
- Adobe PDF
- Java
- Some Antivirus inject(ed) DLLs
What are the windows HEAP protections?
- Heap protections:
- 2004: Safe unlinking
- 2006: Vista heap hardening
- Win8:
- Additional Heap metadata structure improvements
- Guard pages
- Allocation order randomization
- Makes HEAP massaging more difficult
What is window EMET?
EMET = Enhanced Mitigation Experience Toolkit
- DEP
- SEHOP
- NullPage
- HeapSpray
- EAF, EAF+ (Export Address Filtering)
- ASLR
- ROP Caller check
- Stack Pivot
- ASR (Attack Surface Reduction)
What are the pros and cons of EMET?
Pros:
- 0-Day Protection
- Automatic configuration is OK
- Protect every program which is handling untrusted data
- All network services
- Tools like PDF readers, Chat programs, Photoshop etc...
Cons:
- Download manualy
- Not updated vie windows update
- Not localized
- Incompatiple programs will crash
- It may confuse users
-
- 1 / 9
-
