Wednesday, July 27, 2011

ROP: some useful addresses

Return Oriented Programming is Turing complete which basically means you have every function you need to make your own program. This is true, but often very hard to realize. For such a reason attackers use to call specific functions to bypass DEP (NX bit) and then as soon as they can upload their own payload (for example a shellcode or meterpreter). Some of the most used function are addressed following.

VirtualAlloc() . On XP SP3 located in 0x7C809AF1 (kernel32.dll).
This function allocates new memory. One of the parameters to this function specifies the execution/access level of the newly allocated memory, so the goal is to set that value to EXECUTE_READWRITE. This function does not copy your payload into a new executable memory area, in order to copy yout payload you need to use memcpy() (ntdll.dll) – 0x7C901DB3 on XP SP3

HeapCreate() . On XP SP3, HeapCreate is located at 0x7C812C56 (kernel32.dll).
This function creates a private heap that can be used in our exploit. Space will be reserved in the virtual address space of the process. Then if you come from a stack based overflow you need to pivoting your memory (ESP and EBP lifting technique)

SetProcessDEPPolicy(). On XP SP3 is 0x7C8622A4 (kernel32.dll)
Works for : Windows XP SP3, Vista SP1 and Windows 2008. Bernardo Damele wrote a great blog post about exploiting through this function: here. This function sets on or off the DEP policy.

NtSetInformationProcess(). Works for : Windows XP, Vista SP0, Windows 2003. On XP SP3, NtSetInformationProcess() is located at 0x7C90DC9E (ntdll.dll). It sets executable a process.

VirtualProtect(). On XP SP3, VirtualProtect() is located at 0x7C801AD4 (kernel32.dll). More on Memory Protection here. This function changes the access protection of memory in the calling process.

WriteProcessMemory() On XP SP3, WriteProcessMemory() is located at 0x7C802213 (kernel32.dll). This function allows the attacker to copy his shellcode to another (executable) location so you can jump to it and execute it. During the copy, it makes sure the destination location is marked as writeable. How to use this function to bypass DEP protection is here.

This blog post wants to be an accessible spot in the Net where to find out those addresses within references on how to use them, it does not pretend to explain how to use them, for more explanation take a look to the this post . 

No comments: