MS08_067 exploit analysis – part II defeating DEP

Written by  on December 30, 2015 

In the previous part of this case of study, we developed a valid exploit for the ms08_067 vulnerability. We used a windows xp sp2 box with the DEP feature disabled as the target. In this second part we will attack some more useful and realistic target, a windows server 2003 sp with DEP(hardware DEP NX) enabled. We will adapt our exploit to avoid the DEP feature and we’ll get a shell inside the box.

First of all, let’s check what happens when we use our previous exploit with a DEP enabled box:

2

DEP feature has marked that memory section as non executable, so we are not able to run code from there.

 

As DEP feature can be disabled in execution time with a function called LdrpCheckNXCompatibility. If we call NtSetInformationProcess(ntdll) with a few parameters we may be able to disable DEP in execution time for a specific memory region. We can use olly to search for a call to that function.

3

That function requieres 4 parameters to be pased NtCurrentProcess(handle), ProcessExecuteFlags(0x22), ExecuteFlags(pointer) and sizeof(executeFlags)(pointer size). mov dword ptr[ebp-4],2 needs a valid memory address it will disable dep from there.

4

As we have just seen we need that valid address to be on ebp.

At this time if we look closer to EIP register at the crash moment, we are able to see that EIP register is under our control

5

Also EDI register is under our control too, it points to an address containing our evil buffer.

6

From now, we can use memdump.exe from metasploit to dump the memory of svchost.exe process (server process) and we can search for custom instruction sequences using metasploit. We have to work with EBP register, so we can look for the right instructions using nasm shell and msfpescan

9

We we get our desired opcodes we can use msfpescan with the dumped memory.

10

After getting the candidate addresses from msfpescan, we have to check if they are valid!

11

If they are invalid, we’ll have to look for some other sequence.

12

So we select a valid address

13

We perform a quick check

14

And we add it to our exploit template

15

And we check that we land there after launching the template

17

And as the sequence ends with a RET instruction, after running that we get to the next instruction sequence to be ran

note that this time we are able to run the dep disable sequence as ebp contains a valid address

18

At this point EIP is still under control

19

After launching the sequence we also get to a RET instruction

20

And after checking the registers at that moment we note that ESP is writable and points at the end of a large buffer

25

We can place the egghunter inside that large buffer, and overwrite esp with a short jump backwards

26

After editing the exploit template and launching the exploit again, we run the sequence, get to the egghunter and use it to get to the shellcode.

27

And of course, we get a shell

gameover

I wont provide the exploit code, if you understood the post you must be able to write that by yourself

game over P-)

Category : exploiting

Leave a Reply

Your email address will not be published. Required fields are marked *