Introduction
Over the past several years, Microsoft has implemented a number of memory protection mechanisms with the goal of preventing the reliable exploitation of common software vulnerabilities on the Windows platform. Protection mechanisms such as GS, SafeSEH, DEP and ASLR complicate the exploitation of many memory corruption vulnerabilities and, at first sight, appear to present an insurmountable obstacle for exploit developers.
In this paper we discuss the limitations of all of the aforementioned protection mechanisms and describe the cases in which they fail. We aim to show that the protection mechanisms in Windows Vista are particularly ineffective at preventing the exploitation of memory corruption vulnerabilities in browsers. This will be demonstrated with a variety of exploitation techniques that can be used to bypass the protections and achieve reliable remote code execution in many different circumstances.
Organization of this paper
This paper is divided into three parts. Part 1 describes the design and implementation of the protection mechanisms that will be the focus of the remainder of the paper. This part contains all the necessary background information about the available protection mechanisms on Windows XP and Vista. Part 2 discusses the limitations of these protections and presents the theory behind the techniques that we employ to bypass them. Finally, in Part 3 we show how the theoretical techniques outlined in Part 2 can be utilized to produce robust and reliable exploits that work effectively in realistic environments. Since real-world exploitation requires bypassing multiple memory protections at once, we present several ways in which these techniques can be combined to achieve remote code execution.