Premium Partner

Dobin 0x60_WindowsExploiting.pdf

Dobin 0x60_WindowsExploiting.pdf

Dobin 0x60_WindowsExploiting.pdf


Set of flashcards Details

Flashcards 9
Language English
Category Religion/Ethics
Level University
Created / Updated 24.06.2019 / 24.06.2019
Licencing Not defined
Weblink
https://card2brain.ch/box/20190624_dobin_0x60windowsexploiting_pdf
Embed
<iframe src="https://card2brain.ch/box/20190624_dobin_0x60windowsexploiting_pdf/embed" width="780" height="150" scrolling="no" frameborder="0"></iframe>

Does windows have stack canaries?

Windows stack canarys:

  • Integrated in Visual Studio
  • /gs
  • Since Visual Studio 2002
  • Deployed in: XP SP2

Version

  • GS v1 (2002)
  • GS v1.1 (2003)
  • GS v2 (2005)
  • GS v3 (2010)

What is a windows SEH?

SEH Overview:

  • Structured Exception Handler
  • Located on the stack
  • To handle exceptions

Favorit target for Windows exploits for years

What mitigations against SEH exploits did windows put in place?

Mitigation: SafeSEH

  • VS2003: /SafeSEH
  • Whitelist of safe exception hanglers

Mitigation: Dynamic SafeSEH

  • End of SEH list has a vidation frame
  • The complete SEH list has to be valid (*next)

Mitigation: SEHOP

  • Default active in Windows Server 2008, Vista SP2
  • SEH Overwrite Protection

What is the the windows call convention?

Call convetntion:

  • "Stdcall" call convention
    • Caller pushes arguments
    • Callee pops arbuments (unlike linux!)

Can call Windows Library Functions

  • E.g: VirtualProtect()
  • Changes the permission of memory region
  • Can make it executable again (removing DEP)

Windows ret2libc

Possible to chain library calls

Like ROP, just for function calls

Can defeat DEP (or be used for other things)

What are the problems with windows ASLR?

Windows ASLR problems:

  • Not all binaries are compiled with relocation
  • Windows Vista: Relocation on Boot
    • Brut frocable
  • "... if the same library is loaded in mutliple processes, it will be at the same base address; so any library loaded in the renderer will be loaded at a known address in the brwoser process."
  • Not all libraries are compiled with relocation!
    • Adobe Flash
    • Adobe PDF
    • Java
    • Some Antivirus inject(ed) DLLs

What are the windows HEAP protections?

  • Heap protections:
    • 2004: Safe unlinking
    • 2006: Vista heap hardening
    • Win8:
      • Additional Heap metadata structure improvements
      • Guard pages
      • Allocation order randomization
        • Makes HEAP massaging more difficult

What is window EMET?

EMET = Enhanced Mitigation Experience Toolkit

  • DEP
  • SEHOP
  • NullPage
  • HeapSpray
  • EAF, EAF+ (Export Address Filtering)
  • ASLR
  • ROP Caller check
  • Stack Pivot
  • ASR (Attack Surface Reduction)