Circumventing hardware DEP
Hardware DEP (Data Execution Prevention) is a defence against buffer overflow exploits that marks pages in memory as either executable “code” or non-executable data. The idea is that if an overflow writes attacker-supplied code into a page marked non-executable, the processor refuses to run it, so the overflow does not succeed in executing that code.
DEP promises to be the end of the buffer overflow attack.
Or is it…
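To make the DEP idea concrete, here is an added example (not from the post or from Immunity) that inspects a process's own page permissions on Linux, where the same NX-bit mechanism backs the policy. It assumes a Linux host with /proc/self/maps; a malloc'd buffer is data and its page is not executable, the page holding the program's own code is, and a W^X audit counts mappings that are both writable and executable, which a DEP-respecting process should not have.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Find the mapping containing addr in /proc/self/maps (assumed: Linux) and
 * copy its permission string, e.g. "rw-p" or "r-xp", into out. 0 on success. */
static int perms_for(const void *addr, char out[5]) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    char line[512], p[5];
    unsigned long a = (unsigned long)(uintptr_t)addr, lo, hi;
    int found = 0;
    while (fgets(line, sizeof line, f)) {
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, p) != 3) continue;
        if (a >= lo && a < hi) { memcpy(out, p, 5); found = 1; break; }
    }
    fclose(f);
    return found ? 0 : -1;
}

/* 1 if the page holding addr is executable, 0 if not, -1 if lookup failed. */
int page_is_executable(const void *addr) {
    char p[5];
    if (perms_for(addr, p) != 0) return -1;
    return p[2] == 'x';
}

/* W^X audit: count mappings that are both writable and executable. */
int count_wx_mappings(void) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    char line[512], p[5];
    unsigned long lo, hi;
    int n = 0;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, p) == 3 && p[1] == 'w' && p[2] == 'x')
            n++;
    fclose(f);
    return n;
}

/* A heap buffer is data, so under DEP its page is not executable, while the
 * page holding this program's code is. Returns 1 when both conditions hold. */
int data_vs_code_check(void) {
    char *buf = malloc(4096);
    if (!buf) return -1;
    int data_exec = page_is_executable(buf);
    int code_exec = page_is_executable((const void *)(uintptr_t)count_wx_mappings);
    free(buf);
    return data_exec == 0 && code_exec == 1;
}

int main(void) {
    printf("data-not-exec and code-exec: %d, W+X mappings: %d\n",
           data_vs_code_check(), count_wx_mappings());
    return 0;
}
```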
Dave Aitel of Immunity has some interesting things to say about using his debugger to create code that circumvents hardware DEP.
Here’s a snip:
Yesterday, before most of Immunity went bowling (like all hackers, we’re extremely athletic), Nico was showing me the “defeat dep” Immunity Debugger script. You type “!defeatdep” and then it has a little wizard you go through and then you’ve got a buffer that will do the return into libc trick to defeat DEP. Simple and easy! It’s part of an “Advanced Windows Overflows” class we’re teaching all next week. Nico’s Immunity Debugger !heap script allows you to do all sorts of tricks with heaps - and to defeat the next generation of heap protection, you’re going to need all of it, plus some luck. Kostya’s “!safeseh” script does various neat things around that as well. None of the free debuggers allow you to do this stuff, but none of the free debuggers are specifically for exploit development either.
Read the full thread for more lively discussion:
http://lists.immunitysec.com/pipermail/dailydave/2007-February/004094.html
Bill Gross