Not that ASLR is a brand new thing, but this was the first time that I’ve had to go head on against a defensive mechanism like this and it almost gave me a heart attack. Bad news for the real bad-guys, good news for the rest of us. Bravo, nice work Microsoft! Here’s what happened …
My presentation yesterday at Microsoft TechEd 2009 included a discussion about buffer overflow attacks (essentially one of the most common ways malicious hackers compromise systems). So a couple hours before the presentation I decided to kick the presentation up a notch and write some shellcode to demonstrate some pointer jumping. Mistake #1. Below is a snippet of the shellcode that I wrote against my Windows 2008 demo machine, and therein was Mistake #2. Read on.

It’s simple shellcode that uses a series of calls to LoadLibraryA and WinExec to add an unauthorized user onto the exploited machine. Great, so I get it working in enough time to go and eat lunch, then come back to the speakers’ room to go through the presentation one more time about 45 minutes before the actual presentation. When I get to the buffer overflow demo part *fizzle* … my shellcode crashes! Try it again, same thing. When I loaded the exploit in the debugger, it turned out that after every restart of my demo box my offsets to kernel32!LoadLibraryA and kernel32!WinExec were bouncing all over the place.
- kernel32!LoadLibraryA: 0x77C39491
- kernel32!LoadLibraryA: 0x73C59491
- kernel32!LoadLibraryA: 0x73E49491
- And more random addresses …
At this point I am starting to panic a little and about ready to kick over the table in frustration when (not kidding here) I see Mark Russinovich (of SysInternals fame) sitting across the table from me, and it dawned on me that it was Microsoft’s Address Space Layout Randomization (ASLR), a protection feature in Vista and Windows 2008, that was preventing my attack code from working! I eventually got the shellcode stable, the presentation went really well, without a hitch, and the crowd was very happy. I guess here’s the message that Microsoft is sending to the bad guys with ASLR: “Oh, so you want to exploit a Windows 2008 machine? Forget about it.” Again, nice work Microsoft!
–Kevin
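The flip side of the story above, for defenders: ASLR only relocates images that were linked with the DYNAMIC_BASE flag in the PE optional header’s DllCharacteristics field, so the first thing to check on a server build is whether your binaries actually opt in. This is an added example, not code from the post or from Microsoft; it parses that field with nothing but `struct` and runs against a constructed, minimal PE header (`_fake_pe` is a hypothetical helper, not a real binary).

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* flag values from the PE/COFF specification
DYNAMIC_BASE = 0x0040     # image may be relocated at load time (ASLR opt-in)
NX_COMPAT = 0x0100        # image is compatible with DEP
HIGH_ENTROPY_VA = 0x0020  # 64-bit image may use the high-entropy address space


def pe_mitigations(data: bytes) -> dict:
    """Return the ASLR/DEP-related DllCharacteristics flags of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                 # PE signature + 20-byte COFF file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):         # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "pe32plus": magic == 0x20B,
        "aslr": bool(dllchar & DYNAMIC_BASE),
        "dep": bool(dllchar & NX_COMPAT),
        "high_entropy": bool(dllchar & HIGH_ENTROPY_VA),
    }


def _fake_pe(magic: int, dllchar: int) -> bytes:
    """Constructed minimal PE header (not a real binary) for the demo below."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    machine = 0x14C if magic == 0x10B else 0x8664          # i386 / x86-64
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dllchar)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    legacy = _fake_pe(0x10B, 0)                       # old-style build: no ASLR, no DEP
    hardened = _fake_pe(0x20B, DYNAMIC_BASE | NX_COMPAT | HIGH_ENTROPY_VA)
    for name, image in (("legacy", legacy), ("hardened", hardened)):
        print(name, pe_mitigations(image))
```

Point it at a real file with `pe_mitigations(open(path, "rb").read())`; an image with `aslr: False` will be loaded at its preferred base every time, which is exactly the hardcoded-address situation the post describes.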