DEP/ASLR/ Bypass POC

CloneRanger · Jul 2, 2012

Own And You Shall Be Owned

While working on Poison Ivy’s communication, one of my students approached me and asked me if the fact that an infected computer can connect to the C&C server means that the compromised host can break into the server. Well folks, it appears that it’s possible. We will now present a fully working exploit for all Windows platforms (i.e., bypassing DEP and ASLR), allowing a computer infected by Poison Ivy (or any other computer, for that matter) to assume control of PI’s C&C server.

*

The exploit was tested on Windows XP Service Pack 3, but should work without any problem on all Windows versions, as it bypasses DEP (using ROP chains and VirtualProtect) and ASLR (using the fact that the executable doesn’t support rebasing, and utilizing only relative addresses).

-http://badishi.com/own-and-you-shall-be-owned-
Click to expand...

Poison Ivy Exploit Metasploit Module

After providing a detailed exploit for Poison Ivy’s C&C server, the natural course of things was to incorporate it into the Metasploit framework. So here is a fully functional Metasploit module that exploits a remote Poison Ivy C&C server, bypassing DEP and ASLR, for all Windows versions.

-http://badishi.com/poison-ivy-exploit-metasploit-module
Click to expand...

Not having MS i can't test it, but some of you could

Hungry Man · Jul 2, 2012

That's why you need PIE.

CloneRanger · Jul 2, 2012

Yeah i know that

Tarnak · Jul 2, 2012

Am I losing my marbles ? ...with the acronyms.

MS - Mail Server

PIE - Propagation, Infection, Execution

CloneRanger · Jul 2, 2012

@ Tarnak

Am I losing my marbles ? ...with the acronyms.
Click to expand...

No

In the context of the post.

MS = MetaSploit

PIE = Poison Ivy Exploit

Tarnak · Jul 2, 2012

CloneRanger said:

No

In the context of the post.

MS = MetaSploit

PIE = Poison Ivy Exploit
Click to expand...

Now, it is all clear ...I think it is time for me to exit from this thread, as this field is technically beyond my comprehension.

Hungry Man · Jul 2, 2012

PIE = Position Independent Executables

Sorry, that was unclear lol

Tarnak · Jul 2, 2012

... Now, I really know I am out of my depth.

Hungry Man · Jul 2, 2012

https://en.wikipedia.org/wiki/Position-independent_code

Position-independent executables (PIE) are executable binaries made entirely from position-independent code. While some systems only run PIC executables, there are other reasons they are used. PIE binaries are used in some security-focused Linux distributions to allow PaX or Exec Shield to use address space layout randomization to prevent attackers from knowing where existing executable code is during a security attack using exploits that rely on knowing the offset of the executable code in the binary, such as return-to-libc attacks.
Click to expand...

Tarnak · Jul 2, 2012

I guess one has to be a programmer/developer, to understand.

CloneRanger · Jul 3, 2012

PIE = Position Independent Executables

Sorry, that was unclear lol
Click to expand...

Because the arcticle is about PIE = Poison Ivy Exploit it's natural to assume you meant that !

PIE = Position Independent Executables Yeah, clear as MudPIE now

chronomatic · Jul 9, 2012

CloneRanger said:

Not having MS i can't test it, but some of you could
Click to expand...

Windows XP does not have ASLR.

Hungry Man · Jul 9, 2012

One would have to be infected to do this. It's pretty cool.

CloneRanger · Jul 9, 2012

Originally Posted by chronomatic

Windows XP does not have ASLR.
Click to expand...

Quite right But it does have DEP, up to a point

Log in or Sign up

DEP/ASLR/ Bypass POC

CloneRanger Registered Member

Hungry Man Registered Member

CloneRanger Registered Member

Tarnak Registered Member

CloneRanger Registered Member

Tarnak Registered Member

Hungry Man Registered Member

Tarnak Registered Member

Hungry Man Registered Member

Tarnak Registered Member

CloneRanger Registered Member

chronomatic Registered Member

Hungry Man Registered Member

CloneRanger Registered Member

Log in or Sign up

DEP/ASLR/ Bypass POC

CloneRanger Registered Member

Hungry Man Registered Member

CloneRanger Registered Member

Tarnak Registered Member

CloneRanger Registered Member

Tarnak Registered Member

Hungry Man Registered Member

Tarnak Registered Member

Hungry Man Registered Member

Tarnak Registered Member

CloneRanger Registered Member

chronomatic Registered Member

Hungry Man Registered Member

CloneRanger Registered Member

Useful Searches