ED 303: Windows Stack Protection III: Limitations of ASLR (15 pts)

What You Need

• A Windows 10 or 2016 Server machine, real or virtual. You cannot use Windows Server 2008.
• You need to Visual C++ Build Tools and Immunity (which includes Python 2.7) installed, which you did in a previous project .

Purpose

Here's what Microsoft says about ASLR randomness:

It seems like there's a 1 in 256 chance of guessing correctly for many EXE files!

Task 1: Observing ASLR on Windows

Launching a Developer Command Prompt

Click the Start button, scroll to the V secton, expand "Visual Studion 2017", and click "Developer Command Prompt for VS 2017", as shown below.

Making the esp3 Program in C++

mkdir c:\127a
cd c:\127a
notepad esp3.cpp

Enter this code, as shown below:

#include <iostream>  
using namespace std;  

void main() {
	int data = 0;   
	__asm {
	    mov data, esp
	}
   cout << hex << data << endl;
}

In Notepad, click File, Save.

Compiling the Program Normally

cl /EHsc esp3.cpp
esp3.exe
esp3.exe

Compiling the Program Without ASLR

copy esp3.cpp esp4.cpp
cl /EHsc /c esp4.cpp
link /DYNAMICBASE:NO esp4.obj
esp4.exe
esp4.exe

Task 2: Testing the Randomness of ASLR

In the Developer Command Prompt window, execute these commands:

cd c:\127a
notepad test.py

Enter this code, as shown below. It will run the esp3.exe program 5 times and print out the results.

import os
for i in range(5):
  os.system("esp3.exe")

In Notepad, click File, Save.

Running the Program

c:\python27\python test.py

Running the Program 10000 Times

notepad test.py

In Notepad, click File, Save.

Running the Program

c:\python27\python test.py > 10k.txt

How Random Are They?

notepad 10k.txt

Finding Matching Lines

In the Developer Command Prompt window, execute this command:

notepad count.py

Enter this code, as shown below. It will print all the lines starting with 19ff.

import re
f = open("10k.txt", "r")
for line in f:
   if re.match("^19ff", line):
      print(line)

In Notepad, click File, Save.

Running the Program

c:\python27\python count.py

As you can see, when I did it, the chance was 2 in 10,000.

ED 303.1: Analyze My File (5 pts) In the Developer Command Prompt window, execute these commands: bitsadmin /transfer debjob /download /priority normal https://www.samsclass.info/127/proj/ED303_10k.txt c:\127a\10k.txt c:\python27\python count.py The flag is covered by a green rectangle in the image below.

Task 3: Viewing Memory Sections

Running esp4.exe in Immunity

From the Immunity menu bar, click File, Open. Navigate to C:\127a\esp4.exe and double-click it.

Immunity loads the program.

From the Immunity menu bar, click Debug, Run.

From the Immunity menu bar, click View, Memory.

Notice the Address of these items, as shown below:

• esp4 PE header is at 400000
• esp4 .text is at 401000
• esp4 .rdata is at 425000
• esp4 .text is at 433000

Reloading esp4.exe in Immunity

From the Immunity menu bar, click Debug, Run.

From the Immunity menu bar, click View, Memory.

Notice that the esp4 memory addresses remain the same, as shown above, because ASLR is disabled for esp4.exe.

Viewing Memory Sections from C++

cd c:\127a
notepad mem.cpp

Enter this code, as shown below.

#include <cstdio>  
#include <cstdlib>  
#include <iostream>  
using namespace std;  

int d;                        /* in .data section */

void main()
{
    int i=1, j;
    int * p;                 /* pointer */

    char buf[5];             /* Activate stack cookie protection */
    strcpy(buf, "HERE");     /* To help find code in IDA */	

    __asm {mov edx, LABEL
          mov d, edx
          LABEL: NOP};       /* in .text */

    char * heapbuf;
    heapbuf = (char*) malloc(1); 	/* on heap */

    printf("Address in .text: %08x\n", d);
    printf("Address in .data: %08p\n", (void *) &d);
    printf("Address in .heap: %08p\n", (void *) heapbuf);
    printf("Address in stack: %08p\n", (void *) &i);

    printf("\nStack:\n");
    p = &i;
    for (j=0; j<9; j++) {
        printf("%d %08p %08x\n", j, (void *) p, *p);
        p++;
    }
    __asm int 3
}

In Notepad, click File, Save.

Compiling the Program with All Protections

cl /EHsc mem.cpp
mem.exe

In the box showing "mem.exe has stopped working", click the "Close program" button.

Viewing Memory Usage for mem.exe in Immunity

From the Immunity menu bar, click File, Open. Navigate to C:\127a\mem.exe and double-click it.

Immunity loads the program.

From the Immunity menu bar, click Debug, Run.

From the Immunity menu bar, click View, Memory.

Press Alt + Tab to make the Command Prompt running "mem.exe" visible, as shown below.

Notice these items:

• The "Address in .text" value is in the .text memory segment shown by Immunity
• The "Address in .data" value is in the .data memory segment shown by Immunity
• The "Address in .heap" value is in a memory segment shown by Immunity, but with no label
• The "Address in .stack" value is in the memory segment labelled "stack of main thread" by Immunity

Viewing the Stack

Press Alt + Tab to make the Command Prompt running "mem.exe" visible, as shown below.

Notice these items, referred to by the word number that count from 0 to 8 in the Command Prompt window:

• Word 2 in the stack frame is 00000002 in the Command Prompt window, but 00000009 in Immunity. This is the integer variable "i", which counted through the items in the stack. When it printed itself, it was 2, and when the loop was complete, it had the value 9.
• Word 3 in the stack frame is HERE -- the local string named "buf". It also uses item 4 to store the null byte that terminates the string.
• Word 5 in the stack frame is the stack cookie, which has a random value. It is outlined in yellow in the image below.
• Word 6 in the stack frame is the saved EBP, used to restore the stack frame of the calling function.
• Word 7 in the stack frame is the return pointer, which will be placed into the stack when the function ends.

Close Immunity.

Removing the INT 3

copy mem.cpp mem1.cpp
notepad mem1.cpp

Save the file and close Notepad.

Execute these commands to compile the mem1 program with ASLR enabled, and with stack cookies.

cl /EHsc mem1.cpp
mem1.exe

Animating the Display

cls && mem1.exe

You should see the values outlined in yellow in the image below changing, while the other values stay the same.

Note these items:

• The stack and heap sections move because of ASLR.
• The .text and .data sections never move--this is why Return-Oriented Programming attacks can defeat ASLR.
• Word 1 on the stack points to an address on the stack (itself), so it moves along with the stack changes.
• Word 5 on the stack changes randomly, because it's the stack cookie.
• Word 6 on the stack changes, but that's because it's the saved EBP so it has to move along with the stack.
• Word 7 in the stack frame is the return pointer, which points to an address in the .text section, and never changes.

Compiling the Program with No Protections

copy mem1.cpp mem0.cpp
cl /EHsc /c /GS- mem0.cpp
link /DYNAMICBASE:NO mem0.obj
mem0.exe

Notice that the .text section is near the classical value of 400000, which we've seen before.

Animating the Display

cls && mem0.exe

You should see the values outlined in yellow in the image below changing, while the other values stay the same.

Note these items:

• The .text, .data, and stack sections never move
• The heap moves
• Word 2 is the flag, covered by a green rectagle in the image below.
• Word 3 is the saved EBP.
• Word 4 is the return pointer.
• The string "HERE" is stored above this list on the stack, and is not visible.
• Items 6, 7, and 8 are in the calling function's stack frame.

ED 303.2 Word 2 (10 pts) Find the value of word 2 on the stack, covered by a green box in the image above. That's the flag.

References

Posted: 11-9-18
Typo in C code: i -> j 12-11-18
Updated extensively 4-25-2020
Updated for Windows 10 3-14-22