Lernkarten


Religion/Ethik

Dobin 0x60_WindowsExploiting.pdf

Dobin 0x60_WindowsExploiting.pdf

9    0
Karten 9 Karten
Lernende 0 Lernende
Sprache English
Stufe Universität
Erstellt / Aktualisiert 24.06.2019 / 24.06.2019
Lizenzierung Keine Angabe
Weblink
Einbinden
0 Exakte Antworten 9 Text Antworten 0 Multiple Choice Antworten
Fenster schliessen

Does windows have stack canaries?

Windows stack canarys:

  • Integrated in Visual Studio
  • /gs
  • Since Visual Studio 2002
  • Deployed in: XP SP2

Version

  • GS v1 (2002)
  • GS v1.1 (2003)
  • GS v2 (2005)
  • GS v3 (2010)
Fenster schliessen
Lizenzierung: Keine Angabe

What is a windows SEH?

SEH Overview:

  • Structured Exception Handler
  • Located on the stack
  • To handle exceptions

Favorit target for Windows exploits for years

Fenster schliessen

What mitigations against SEH exploits did windows put in place?

Mitigation: SafeSEH

  • VS2003: /SafeSEH
  • Whitelist of safe exception hanglers

Mitigation: Dynamic SafeSEH

  • End of SEH list has a vidation frame
  • The complete SEH list has to be valid (*next)

Mitigation: SEHOP

  • Default active in Windows Server 2008, Vista SP2
  • SEH Overwrite Protection
Fenster schliessen

What is the the windows call convention?

Call convetntion:

  • "Stdcall" call convention
    • Caller pushes arguments
    • Callee pops arbuments (unlike linux!)

Can call Windows Library Functions

  • E.g: VirtualProtect()
  • Changes the permission of memory region
  • Can make it executable again (removing DEP)
Fenster schliessen

Windows ret2libc

Possible to chain library calls

Like ROP, just for function calls

Can defeat DEP (or be used for other things)

Fenster schliessen

What are the problems with windows ASLR?

Windows ASLR problems:

  • Not all binaries are compiled with relocation
  • Windows Vista: Relocation on Boot
    • Brut frocable
  • "... if the same library is loaded in mutliple processes, it will be at the same base address; so any library loaded in the renderer will be loaded at a known address in the brwoser process."
  • Not all libraries are compiled with relocation!
    • Adobe Flash
    • Adobe PDF
    • Java
    • Some Antivirus inject(ed) DLLs
Fenster schliessen

What are the windows HEAP protections?

  • Heap protections:
    • 2004: Safe unlinking
    • 2006: Vista heap hardening
    • Win8:
      • Additional Heap metadata structure improvements
      • Guard pages
      • Allocation order randomization
        • Makes HEAP massaging more difficult
Fenster schliessen

What is window EMET?

EMET = Enhanced Mitigation Experience Toolkit

  • DEP
  • SEHOP
  • NullPage
  • HeapSpray
  • EAF, EAF+ (Export Address Filtering)
  • ASLR
  • ROP Caller check
  • Stack Pivot
  • ASR (Attack Surface Reduction)
Fenster schliessen

What are the pros and cons of EMET?

Pros:

  • 0-Day Protection
  • Automatic configuration is OK
  • Protect every program which is handling untrusted data
    • All network services
    • Tools like PDF readers, Chat programs, Photoshop etc...

Cons:

  • Download manualy
  • Not updated vie windows update
  • Not localized
  • Incompatiple programs will crash
  • It may confuse users