emin_int11

ROP-SMEP-Win7Pwn

Oct 13th, 2015 (edited)

Supervisor Mode Execution Protection: KERNEL_AREA_EXEC != USER_AREA_SHELLCODE


Intel manual
SMEP-Enable Bit (bit 20 of CR4) — Enables supervisor-mode execution prevention (SMEP) when set. See Section 4.6, "Access Rights".

For accesses in supervisor mode (CPL < 3):
Instruction fetches.
• For 32-bit paging or if IA32_EFER.NXE = 0, access rights depend on the value of CR4.SMEP:
— If CR4.SMEP = 0, instructions may be fetched from any linear address with a valid translation.
— If CR4.SMEP = 1, instructions may be fetched from any linear address with a valid translation for which the U/S flag (bit 2) is 0 in at least one of the paging-structure entries controlling the translation.
• For PAE paging or IA-32e paging with IA32_EFER.NXE = 1, access rights depend on the value of CR4.SMEP:
— If CR4.SMEP = 0, instructions may be fetched from any linear address with a valid translation for which the XD flag (bit 63) is 0 in every paging-structure entry controlling the translation.
— If CR4.SMEP = 1, instructions may be fetched from any linear address with a valid translation for which (1) the U/S flag is 0 in at least one of the paging-structure entries controlling the translation; and (2) the XD flag is 0 in every paging-structure entry controlling the translation.

For accesses in user mode (CPL = 3):
Instruction fetches.
• For 32-bit paging or if IA32_EFER.NXE = 0, instructions may be fetched from any linear address with a valid translation for which the U/S flag is 1 in every paging-structure entry controlling the translation.
• For PAE paging or IA-32e paging with IA32_EFER.NXE = 1, instructions may be fetched from any linear address with a valid translation for which the U/S flag is 1 and the XD flag is 0 in every paging-structure entry controlling the translation.

PTE flags:

Bit 0 (P) is the Present flag.
Bit 1 (R/W) is the Read/Write flag.
Bit 2 (U/S) is the User/Supervisor flag.


#################first method (I'm not sure :P)###################
Nevertheless, the Intel instruction set documentation has the STAC instruction:
Set AC Flag in EFLAGS Register

Description
Sets the AC flag bit in EFLAGS register. This may enable alignment checking of user-mode data accesses. This allows explicit supervisor-mode data accesses to user-mode pages even if the SMAP bit is set in the CR4 register. WTF????
(Note: STAC only relaxes SMAP, which governs supervisor-mode data accesses to user pages; it has no effect on SMEP, which governs instruction fetches, so it does not help here.)

##secondary method
ROP (Return oriented programming)

nt!KiLoadMTRR+0x120:
8312ebae 0f09 wbinvd
8312ebb0 837c241400 cmp dword ptr [esp+14h],0
8312ebb5 0f20d8 mov eax,cr3
8312ebb8 0f22d8 mov cr3,eax
8312ebbb 8b442418 mov eax,dword ptr [esp+18h]
8312ebbf 0f22c0 mov cr0,eax
8312ebc2 7407 je nt!KiLoadMTRR+0x13d (8312ebcb)

nt!KiLoadMTRR+0x136:
8312ebc4 8b44241c mov eax,dword ptr [esp+1Ch] <===========
8312ebc8 0f22e0 mov cr4,eax <===========

nt!KiLoadMTRR+0x13d:
8312ebcb 853548e9f782 test dword ptr [nt!KeFeatureBits (82f7e948)],esi
8312ebd1 7508 jne nt!KiLoadMTRR+0x14d (8312ebdb)

nt!KiLoadMTRR+0x145:
8312ebd3 8d4738 lea eax,[edi+38h]
8312ebd6 e815000000 call nt!KiLockStepExecution (8312ebf0)

nt!KiLoadMTRR+0x14d:
8312ebdb 807c240b00 cmp byte ptr [esp+0Bh],0
8312ebe0 7401 je nt!KiLoadMTRR+0x155 (8312ebe3)

nt!KiLoadMTRR+0x154:


0: kd> !pte 0x8312ebc8
VA 8312ebc8
PDE at C06020C0 PTE at C0418970
contains 00000000030009E3 contains 0000000000000000
pfn 3000 -GLDA--KWEV <=== kernel space LARGE PAGE pfn 312e
  72.  
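Added example, not from the paste: a small Python decoder that turns a PAE/IA-32e paging entry into the flag column !pte prints above and applies the Intel SMEP fetch rules quoted earlier, so the kernel large-page PDE from the !pte output (0x30009E3) can be compared with a user-mode mapping. The flag-column layout and the user-mode entry values are assumptions constructed for the example.

```python
# Added example (not from the paste): decode a PAE/IA-32e paging entry as !pte
# shows it, then apply the quoted SMEP instruction-fetch rules.

# Bit positions shared by PDE/PTE under PAE and IA-32e paging (Intel SDM vol. 3, ch. 4).
P, RW, US, A, D, PS, G = (1 << b for b in (0, 1, 2, 5, 6, 7, 8))
XD = 1 << 63  # execute-disable, bit 63, consulted only when IA32_EFER.NXE = 1


def pfn(entry: int) -> int:
    """Page frame number as !pte prints it (bits 12 and up, 40-bit field)."""
    return (entry >> 12) & ((1 << 40) - 1)


def pte_flags(entry: int) -> str:
    """Flag column in the order seen in the !pte output: G L D A K/U W/R E/- V.
    Columns this example does not decode (the first, and the two after A) are '-'."""
    return "".join([
        "-",
        "G" if entry & G else "-",
        "L" if entry & PS else "-",   # large (2 MiB) page
        "D" if entry & D else "-",
        "A" if entry & A else "-",
        "--",
        "U" if entry & US else "K",   # U/S = 1 is user, 0 is kernel
        "W" if entry & RW else "R",
        "-" if entry & XD else "E",   # XD set: no instruction fetch at all
        "V" if entry & P else "-",
    ])


def supervisor_fetch_allowed(entries, smep: bool, nxe: bool = True) -> bool:
    """May CPL < 3 code fetch instructions through this chain of entries
    ([PDE, PTE], or [PDE] for a large page)? Per the rules above: with NXE=1 the
    XD flag must be clear in every entry; with SMEP the U/S flag must be 0 in at
    least one entry, so a page mapped user at every level is not fetchable."""
    if not all(e & P for e in entries):
        return False
    if nxe and any(e & XD for e in entries):
        return False
    if smep and all(e & US for e in entries):
        return False
    return True


KERNEL_LARGE_PDE = 0x30009E3        # PDE value from the !pte output above
USER_PDE, USER_PTE = 0x1000067, 0x2000067   # constructed: P, R/W, U/S, A, D set

if __name__ == "__main__":
    print(hex(pfn(KERNEL_LARGE_PDE)), pte_flags(KERNEL_LARGE_PDE))
    for smep in (False, True):
        print("SMEP", smep, supervisor_fetch_allowed([USER_PDE, USER_PTE], smep))
```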
#emingh