The exception in the exception: by means of a system of exception handling exception achieve incredible exploit-vulnerability warning-the black bar safety net

2016-04-08T00:00:00
ID MYHACK58:62201673425
Type myhack58
Reporter 佚名
Modified 2016-04-08T00:00:00

Description

Memory read, write, execute attribute is system security the most important one of the mechanisms. Usually, if you want to overwrite the data in memory, you must first ensure that the block of memory having a write attribute, if you want to execute a piece of code in memory, you must first ensure that the block of memory having executable attribute, otherwise it will throw an exception. However, the Windows System exception handling process there are some small Exceptions, with these exceptions, it can be known which can not write and write, known for its non-execution and execution. 0×0 1 is directly rewritable read-only memory I'm at CanSecWest 2 0 1 4 the speech of the ROPs are for the 9 9% describes a fun IE browser exploit technique: by modifying the JavaScript object is in certain signs, thus closing the safe mode, so IE can load similar to WScript. The Shell of such a dangerous object, and thereby execute arbitrary code and completely without regard to the DEP. However, to modify the SafeMode flag is not so IE can load the dangerous object is the only method. IE some of the interface is actually with the HTML, which HTML is usually stored in the programming. dll resources, for example: print preview is res://programming. dll/preview. dlg, organize favorites is res://programming. dll/orgfav. dlg, the page attribute is res://programming. dll/docppg. ppg. IE browser to the HTML to create a separate rendering instances, as well as independent of the JavaScript engine instance. And for the HTML created by the JavaScript engine instance, the SafeMode itself is closed. So, just the JavaScript code is inserted into the programming. the dll's resources, and then trigger the IE of the corresponding functions, the inserted code will be treated as IE's own function code in SafeMode turn off the JavaScript instance under execution. However, the PE resource section is read-only, if you try to use a can for any address to be written into the vulnerability directly rewrite the programming. dll resource, it will trigger a write access violation to: ! At the top of the exception handling chain, the mshtml. dll in the exception handler will eventually call kernel32! RaiseFailFastException (a). If g_fFailFastHandlerDisabled flag is false, it will terminate the current process: ! However, if g_fFailFastHandlerDisabled flag is true, the exception handling chain will be executed to kernel32! The unhandledexceptionfilter (), and the final implementation of kernel32! CheckForReadOnlyResourceFilter (): a ! If BasepAllowResourceConversion also true, CheckForReadOnlyResource()function will attempt to write to that memory page attribute is set to writable, and then the normal return. That is, if the first g_fFailFastHandlerDisabled and BasepAllowResourceConversion the two flag is rewritten to true, after which you can directly modify the programming. the dll's resources, without having to worry about its read-only attribute of the problem, theoperating systemwill handle everything. In addition there is a small problem. If, like said above as to trigger a CheckForReadOnlyResource()modify the memory attributes, memory attributes of the RegionSize can also be turned into a memory page size, typically 0×1 0 0 0 it. And the the IE in to programming. dll in HTML resources to create a rendering example of the former, the mshtml! GetResource()function will check the resource where the memory of the RegionSize attribute, if the attribute is less than the size of the resource, it will return fail. However, simply going to rewrite the resource from start to finish the entire rewrite again, RegionSize will be correspondingly larger, thereby bypassing this check. Thus, the use of Windows write access exception of PE file resources section to open the green light, you can write very wonderful exploit code. 0×0 2 direct execution of non-execute memory I'm in the VARA 2 0 0 9 presentation of the vulnerability discovery in the time dimension describes one of the more rare of the module address after the release reuse vulnerability. For example, a program thread A calls a module a function of X, the module X calls module Y function. Module Y of the function for some reason takes longer to return. In it before returning, as will allow thread B to be module X release, then the module Y The function returns, the return address will be invalid. It was found in the Opera browser you can use the Flash module to trigger this vulnerability, a domestic download tools also have similar problems. !

In addition there are many other types of vulnerability, the final performance and the above issue, you can perform a fixed pointer, but can not control the pointer value. In the absence of the DEP environment, these vulnerabilities are not difficult to use, as long as the injected code to be executed address. While in the DEP environment, these vulnerabilities are usually considered to be impossible to use. But if the in anticipation will be executed to address the injection the following data: !

Even in the DEP environment, although the heap spray memory area is determined certainly not to perform, but you will be surprised to find that the system seems to be performed these instructions, Skip to the ecx for the set of address go to. As long as the ecx is set to the appropriate value, you can jump to any address, and then execute the ROP chain. This is because Windows System for compatibility with some old version of the program, achieve a set called ATL thunk emulation mechanism. The system kernel in the processing execution access exception, check the exception at the address of the code compliance with the ATL thunk characteristics. Meet the ATL thunk characteristics of the code, the kernel will use KiEmulateAtlThunk()function to simulate the execution of them. ATL thunk emulation mechanism will check to jump to the address in the PE file, in support of the CFG on the system will confirm that you want to jump to the address of the CAN through the CFG to check. At the same time, in Vista after the Windows default DEP policy, the ATL thunk emulation mechanism only is not set IMAGE_DLLCHARACTERISTICS_NX_COMPAT the program to take effect. If the program is compiled specifying the/NXCOMPAT parameters, it is no longer compatible with the ATL thunk emulation. But still there are many programs to support ATL thunk emulation, for example, many third-party applications, and 3 2-bit iexplore.exe the. So, similar to the Hacking Team leaks the message in the CVE-2 0 1 5-2 4 2 5, As can be to use some kind of heap spray successfully seize the memory, also can take the skills to achieve the exploit. Thus, the use of the system exception handling process in the ATL thunk emulation can directly execute non-execute memory feature, you can make some generally considered unable to take advantage of the vulnerability back to life. This article most of the content completed in 2 0 1 4 years 1 0 months, relates to the module address, the symbol information and the like based on the Windows Technical Preview 6.4.9841 x64 with Internet Explorer 1 1 in.