Shortly after Microsoft released the Windows 8 Developer Preview, I read an article describing the mechanism Windows 8 uses to prevent ROP (Return Oriented Programming) and a way to bypass it. I experimented with it and built a ROP chain that can be used in any ROP exploit code on Windows 8.
Let's talk about the mechanism Windows 8 uses to prevent ROP exploitation. As is well known, ROP exploit code usually strings together a series of gadgets in order to call functions such as VirtualProtect, VirtualAlloc or other functions that operate on virtual memory. Windows 8 therefore checks the stack before these functions are called by examining the ESP register. If ESP lies between StackBase (FS:) and StackTop (FS:), the stack address is valid and the function continues to execute; otherwise the stack is considered invalid and the process is terminated. However, apart from the fact that this check offers no protection against "stack buffer overflow" bugs (ESP still points into the real stack there), it is not really difficult to bypass in the case of other flaws: save the stack address (the ESP register) and restore it before calling those functions.
I tested the above method against CVE-2011-0065 in Firefox. This bug already had a public exploit for Windows 7, which used Corelan's Windows 7 ROP chain. Because of the new protection mechanism added to Windows 8 (described above), that ROP chain, like the other ROP chains previously written and widely used on Windows 7, does not work on Windows 8.
As mentioned at the beginning, I have built a new ROP chain that bypasses the protection mechanism on Windows 8 and should be convenient to reuse in later exploits.
The ROP chain is built as follows:
- Module: msvcr71.dll, v7.10.3052.4
- Shipped with: JRE (Java) 1.6
- Loaded by the browser
- Works on Windows XP/Vista/7/8/2003/2008
- Uses kernel32.VirtualProtect
- Base: 0x7c340000
- Size: 0x56000
Of course, you only need this ROP chain in place of the old one when your ROP exploit code has to change the stack address. My ROP chain starts from the condition that EAX points to a valid stack area (i.e. between FS: and FS:). To use it, you therefore need a register or memory location holding a valid stack address (usually the old stack address from before the pivot) when you enter the ROP chain; move that value into EAX and then start the chain.
In testing, the ROP chain ran smoothly on Windows 7, Windows 8 and several other operating systems.
Here is the demo code.
Nguyen Hong Son