Posted: Sat Dec 18, 2010 11:16 pm Post subject: Making an exploit for dep protected app
Recently I've been learning about vulnerability assessment and finding exploits on Windows systems (I'm very new and inexperienced in the subject). I've been working on small open-source application in which I found a buffer overflow. I've written an exploit which works great in a debugger, but when I executed it in the application outside of the debugger environment it shut down and informed me about the exception in the usual Windows way (no exploit execution). In this first attempt I was able to use EDI pointer to locate the beginning of my exploit so that I don't need to deal with ASLR. EDI pointed to a place in my buffer on a page marked private and non executable (the space was reserved with malloc). After this failed, I managed to influence my ESP pointer to point to the code on the stack (there were only a couple of useful bytes overflowing after the EIP) using return oriented programming. This time, the exploit worked well in the debugger (again) but outside, the application just shut down, no errors no nothing. So I'd like to ask if someone knows if this is actually a DEP behavior and why the thing works in a debugger and not outside it. The next thing I'll try is return-to-lib. Maybe that'll work.
There's one more interesting thing I saw happen for the first time in the debugger. While I was reversing and testing, I've set some breakpoints and ran the program to reach them. The interesting thing was that the program stopped a couple of times on an INT3 instruction (yeah, breakpoint) during the execution. So, does anyone know for what reason might the hardcoded breakpoints in the app be used?
Any and all info or reading material will be greatly appreciated. Thanks.
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum