ED 303: Windows Stack Protection III: Limitations of ASLR (15 pts)

What You Need

• A Windows 2016 Server machine, real or virtual. You cannot use Windows Server 2008.
• You need to Visual C++ Build Tools installed, which you did in a previous project.

Purpose

Here's what Microsoft says about ASLR randomness:

It seems like there's a 1 in 256 chance of guessing correctly for many EXE files!

Task 1: Observing ASLR on Windows

Launching a Developer Command Prompt

Click the Start button, scroll to the V secton, expand "Visual Studio 2019", and click "Developer Command Prompt for VS 2019", as shown below.

Making the esp3 Program in C++

mkdir c:\127a
cd c:\127a
notepad esp3.cpp

Enter this code, as shown below:

#include <iostream>  
using namespace std;  

void main() {
	int data = 0;   
	__asm {
	    mov data, esp
	}
   cout << hex << data << endl;
}

In Notepad, click File, Save.

Compiling the Program Normally

cl /EHsc esp3.cpp
esp3.exe
esp3.exe

Compiling the Program Without ASLR

copy esp3.cpp esp4.cpp
cl /EHsc /c esp4.cpp
link /DYNAMICBASE:NO esp4.obj
esp4.exe
esp4.exe

Task 2: Testing the Randomness of ASLR

In the Developer Command Prompt window, execute these commands:
Skip first command if you are still in that directory.

cd c:\127a 
notepad test.py

Enter this code, as shown below. It will run the esp3.exe program 5 times and print out the results.

import os
for i in range(5):
  os.system("esp3.exe")

In Notepad, click File, Save.

Running the Program

c:\python27\python test.py

Running the Program 10000 Times

notepad test.py

In Notepad, click File, Save.

Running the Program

c:\python27\python test.py > 10k.txt

How Random Are They?

notepad 10k.txt

Removing Duplicates

In the Developer Command Prompt window, execute this command:

notepad clean.py

Enter this code, as shown below. It will run the esp3.exe program 5 times and print out the results.

with open('10k.txt') as f:
   lines = f.read().splitlines()
n = len(lines)
u = len(set(lines))
print n, "values, but only ", u, "unique"

In Notepad, click File, Save.

Running the Program

c:\python27\python clean.py

Task 3: Viewing Memory Sections

Running esp3.exe in Immunity

From the Immunity menu bar, click File, Open. Navigate to C:\127\esp3.exe and double-click it.

Immunity loads the program.

From the Immunity menu bar, click Debug, Run.

Click Debug, Run again.

From the Immunity menu bar, click View, Memory.
Note: You may have to change the font to make it easier to read as we did in Project 302.

Notice the Address of these items, as shown below:

• esp3 PE header is at 00F20000
• esp3 .text is at 00F21000
• esp3 .rdata is at 00F45000
• esp3 .data is at 00F55000
• "stack of main thread..." is at 00B3E000 in the image below (your address will be different)
• "data block of main thread..." is at 00857000 in the image below (your address will be different)

Reloading esp3.exe in Immunity

From the Immunity menu bar, click Debug, Run.

Click Debug, Run again.

From the Immunity menu bar, click View, Memory.

Notice that the "stack of main thread..." address changes, and so does the "data block of main thread..." address, but the other items are always at the same address, as shown below.

Viewing Memory Sections from C++

cd c:\127a
notepad mem.cpp

Enter this code, as shown below.

#include <cstdio>  
#include <cstdlib>  
#include <iostream>  
using namespace std;  

int d;                        /* in .data section */

void main()
{
    int i=1, j;
    int * p;                 /* pointer */

    char buf[5];             /* Activate stack cookie protection */
    strcpy(buf, "HERE");     /* To help find code in IDA */	

    __asm {mov edx, LABEL
          mov d, edx
          LABEL: NOP};       /* in .text */

    char * heapbuf;
    heapbuf = (char*) malloc(1); 	/* on heap */

    printf("Address in .text: %08x\n", d);
    printf("Address in .data: %08p\n", (void *) &d);
    printf("Address in .heap: %08p\n", (void *) heapbuf);
    printf("Address in stack: %08p\n", (void *) &i);

    printf("\nStack:\n");
    p = &i;
    for (j=0; j<9; j++) {
        printf("%d %08p %08x\n", j, (void *) p, *p);
        p++;
    }
    __asm int 3
}

In Notepad, click File, Save.

Compiling the Program with All Protections

cl /EHsc mem.cpp
mem.exe

Viewing Memory Usage for mem.exe in Immunity

From the Immunity menu bar, click File, Open. Navigate to C:\127a\mem.exe and double-click it.

Immunity loads the program.

From the Immunity menu bar, click Debug, Run.

Click Debug, Run again.

From the Immunity menu bar, click View, Memory.

Press Alt + Tab to make the Command Prompt running "mem.exe" visible, as shown below.
Note: Option + Tab on a Mac.
You can also click the Command Prompt icon in the bottom Windows tool bar.

Notice these items:

• The "Address in .text" value is in the .text memory segment shown by Immunity
• The "Address in .data" value is in the .data memory segment shown by Immunity
• The "Address in .stack" value is in the memory segment labelled "stack of main thread" by Immunity
• The "Address in .heap" value is in a memory segment shown by Immunity, but with no label

Viewing the Stack

Press Alt + Tab to make the Command Prompt running "mem.exe" visible, as shown below.
Note: Option + Tab on a Mac.
You can also click the Command Prompt icon in the bottom Windows tool bar.

To make the command prompt text bigger, click the icon in the top left corner, choose Properties, Font, and 20.

• Item 2 in the stack frame is 00000002 in the Command Prompt window, but 00000009 in Immunity. This is the integer variable "i", which counted through the items in the stack. When it printed itself, it was 2, and when the loop was complete, it had the value 9.
• Item 3 in the stack frame is HERE -- the local string named "buf". It also uses item 4 to store the null byte that terminates the string.
• Item 5 in the stack frame is the stack cookie, which has a random value. It is highlighted in the image below.
• Item 6 in the stack frame is the saved EBP, used to restore the stack frame of the calling function.
• Item 7 in the stack frame is the return pointer, which will be placed into the stack when the function ends.

Close Immunity.

Removing the INT 3

    __asm int 3

In the Developer Command Prompt window, execute this command to compile the program again, with ASLR enabled, and with stack cookies.

cl /EHsc mem.cpp

Animating the Display

cls && mem

You should see the values outlined in yellow in the image below changing, while the other values stay the same.

Note these items:
DOUBLE CHECK, UPDATED info from previous project

• The stack and heap sections move because of ASLR
• The .text and .data sections never move--this is why Return-Oriented Programming attacks defeat ASLR
• Item 1 on the stack is a variable, on the stack, so it moves along with the stack changes.
• Item 5 on the stack changes randomly, because it's the stack cookie.
• Item 6 on the stack changes, but that's because it's the saved EBP so it has to move along with the stack.
• Item 7 in the stack frame is the return pointer, which points to an address in the .text section, and never changes.

Compiling the Program with No Protections

copy mem.cpp mem0.cpp
cl /EHsc /c /GS- mem0.cpp
link /DYNAMICBASE:NO mem0.obj
mem0.exe

Notice that the .text section is near the classical value of 400000, which we've seen before.

Animating the Display

cls && mem0

You should see the values outlined in yellow in the image below changing, while the other values stay the same.

Note these items:
INCORRECT INFO, NEEDS UPDATE

• The .text, .data, and stack sections never move
• The heap moves
• Items 1 and 2 on the stack are variables, one on the heap and one on the stack, so item 1 moves along with the heap, and item 2 does not change
• Item 4 is the saved EBP.
• Item 5 is the return pointer.
• The string "HERE" is stored above this list on the stack, and is not visible.
• Items 6, 7, and 8 are in the calling function's stack frame.

ED 303.1 Item 6 (15 pts)

References

Updated: 7-20-19
Posted: 11-9-18
Typo in C code: i -> j 12-11-18
Ported to Google Cloud by Travis Knapp-Prasek
Minor edits 8-2-19