Proj 15x: Windows Stack Protection III: Limitations of ASLR (15 pts extra)

What You Need

• A Windows 2016 Server machine, real or virtual. You cannot use Windows Server 2008.
• You need to Visual C++ Build Tools installed, which you did in the previous project .

Purpose

Here's what Microsoft says about ASLR randomness:

It seems like there's a 1 in 256 chance of guessing correctly for many EXE files!

Task 1: Observing ASLR on Windows

Launching a Developer Command Prompt

Click the Start button, scroll to the V secton, expand "Visual Studion 2017", and click "Developer Command Prompt for VS 2017", as shown below.

Making the esp3 Program in C++

mkdir c:\127a
cd c:\127a
notepad esp3.cpp

Enter this code, as shown below:

#include <iostream>  
using namespace std;  

void main() {
	int data = 0;   
	__asm {
	    mov data, esp
	}
   cout << hex << data << endl;
}

In Notepad, click File, Save.

Compiling the Program Normally

cl /EHsc esp3.cpp
esp3.exe
esp3.exe

Compiling the Program Without ASLR

copy esp3.cpp esp4.cpp
cl /EHsc /c esp4.cpp
link /DYNAMICBASE:NO esp4.obj
esp4.exe
esp4.exe

Task 2: Testing the Randomness of ASLR

In the Developer Command Prompt window, execute these commands:

cd c:\127a
notepad test.py

Enter this code, as shown below. It will run the esp3.exe program 5 times and print out the results.

import os
for i in range(5):
  os.system("esp3.exe")

In Notepad, click File, Save.

Running the Program

c:\python27\python test.py

Running the Program 10000 Times

notepad test.py

In Notepad, click File, Save.

Running the Program

c:\python27\python test.py > 10k.txt

How Random Are They?

notepad 10k.txt

Removing Duplicates

In the Developer Command Prompt window, execute this command:

notepad clean.py

Enter this code, as shown below. It will run the esp3.exe program 5 times and print out the results.

with open('10k.txt') as f:
   lines = f.read().splitlines()
n = len(lines)
u = len(set(lines))
print n, "values, but only ", u, "unique"

In Notepad, click File, Save.

Running the Program

c:\python27\python clean.py

Task 3: Viewing Memory Sections

Running esp3.exe in Immunity

From the Immunity menu bar, click File, Open. Navigate to C:\127\esp3.exe and double-click it.

Immunity loads the program.

From the Immunity menu bar, click Debug, Run.

Click Debug, Run again.

From the Immunity menu bar, click View, Memory.

Notice the Address of these items, as shown below:

• esp3 PE header is at 400000
• esp3 .text is at 401000
• esp3 .rdata is at 425000
• esp3 .text is at 435000
• "stack of thread..." is at 7EF000 in the image below (your address will be different)
• "data block of thread..." is at 3E7000 in the image below (your address will be different)

Reloading esp3.exe in Immunity

From the Immunity menu bar, click Debug, Run.

Click Debug, Run again.

From the Immunity menu bar, click View, Memory.

Notice that the "stack of thread..." address changes, and so does the "data block of thread..." address, but the other items are always at the same address, as shown below.

Viewing Memory Sections from C++

cd c:\127a
notepad mem.cpp

Enter this code, as shown below.

#include <cstdio>  
#include <cstdlib>  
#include <iostream>  
using namespace std;  

int d;                        /* in .data section */

void main()
{
    int i=1, j;
    int * p;                 /* pointer */

    char buf[5];             /* Activate stack cookie protection */
    strcpy(buf, "HERE");     /* To help find code in IDA */	

    __asm {mov edx, LABEL
          mov d, edx
          LABEL: NOP};       /* in .text */

    char * heapbuf;
    heapbuf = (char*) malloc(1); 	/* on heap */

    printf("Address in .text: %08x\n", d);
    printf("Address in .data: %08p\n", (void *) &d);
    printf("Address in .heap: %08p\n", (void *) heapbuf);
    printf("Address in stack: %08p\n", (void *) &i);

    printf("\nStack:\n");
    p = &i;
    for (j=0; j<9; j++) {
        printf("%d %08p %08x\n", j, (void *) p, *p);
        p++;
    }
    __asm int 3
}

In Notepad, click File, Save.

Compiling the Program with All Protections

cl /EHsc mem.cpp
mem.exe

Viewing Memory Usage for mem.exe in Immunity

From the Immunity menu bar, click File, Open. Navigate to C:\127a\mem.exe and double-click it.

Immunity loads the program.

From the Immunity menu bar, click Debug, Run.

Click Debug, Run again.

From the Immunity menu bar, click View, Memory.

Press Alt + Tar to make the Command Prompt running "mem.exe" visible, as shown below.

Notice these items:

• The "Address in .text" value is in the .text memory segment shown by Immunity
• The "Address in .data" value is in the .data memory segment shown by Immunity
• The "Address in .stack" value is in the memory segment labelled "stack of main thread" by Immunity
• The "Address in .heap" value is in a memory segment shown by Immunity, but with no label

Viewing the Stack

Press Alt + Tar to make the Command Prompt running "mem.exe" visible, as shown below.

Notice these items, referred to by the item number that count from 0 to 8 in the Command Prompt window:

• Item 3 in the stack frame is 00000002 in the Command Prompt window, but 00000009 in Immunity. This is the integer variable "i", which counted through the items in the stack. When it printed itself, it was 2, and when the loop was complete, it had the value 9.
• Item 4 in the stack frame is HERE -- the local string named "buf". It also uses item 5 to store the null byte that terminates the string.
• Item 6 in the stack frame is the stack cookie, which has a random value. It is highlighted in the image below.
• Item 7 in the stack frame is the saved EBP, used to restore the stack frame of the calling function.
• Item 8 in the stack frame is the return pointer, which will be placed into the stack when the function ends.

Close Immunity.

Removing the INT 3

    __asm int 3

In the Developer Command Prompt window, execute this command to compile the program again, with ASLR enabled, and with stack cookies.

cl /EHsc mem.cpp

Animating the Display

cls && mem

You should see the values outlined in yellow in the image below changing, while the other values stay the same.

Note these items:

• The stack and heap sections move because of ASLR
• The .text and .data sections never move--this is why Return-Oriented Programming attacks defeat ASLR
• Items 1 and 2 on the stack are variables, one on the heap and one on the stack, so they move along with the stack and heap changes.
• Item 6 on the stack changes randomly, because it's the stack cookie.
• Item 7 on the stack changes, but that's because it's the saved EBP so it has to move along with the stack.
• Item 8 in the stack frame is the return pointer, which points to an address in the .text section, and never changes.

Compiling the Program with No Protections

copy mem.cpp mem0.cpp
cl /EHsc /c /GS- mem0.cpp
link /DYNAMICBASE:NO mem0.obj
mem0.exe

Notice that the .text section is near the classical value of 400000, which we've seen before.

Animating the Display

cls && mem0

You should see the values outlined in yellow in the image below changing, while the other values stay the same.

Note these items:

• The .text, .data, and stack sections never move
• The heap moves
• Items 1 and 2 on the stack are variables, one on the heap and one on the stack, so item 1 moves along with the heap, and item 2 does not change
• Item 4 is the saved EBP.
• Item 5 is the return pointer.
• The string "HERE" is stored above this list on the stack, and is not visible.
• Items 6, 7, and 8 are in the calling function's stack frame.

14x. Recording Your Success (15 pts)

Use the form below to record your score in Canvas.

If you don't have a Canvas account, see the instructions here.

Name or Email: Value, including all 8 characters, like 00AABBCC:

References

Posted: 11-9-18
Typo in C code: i -> j 12-11-18