Dailydave mailing list archives

RE: Non executable memory pages with AMD64 + XP SP2


From: "Maynor, David (ISS Atlanta)" <dmaynor () iss net>
Date: Sun, 5 Dec 2004 16:35:39 -0500

I have looked at it in detail. At first I thought I was just a super
duper shellcoder because all my payloads executed with no problem. After
more investigation I discovered that the SP2 implementation of the NX
technology covers only vital Windows services by default. This means
that your hello world or basic stack overflow that you write will not
receive the protection until it is enabled system wide.

32 bit XP SP2 does use NX technology if running on a processor that
supports it. It has to run in PAE mode though.

I wrote a white paper for ISS on these shortcomings. It should be made
public pretty soon.

-----Original Message-----
From: dailydave-bounces () lists immunitysec com
[mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Nicolas
RUFF
Sent: Sunday, December 05, 2004 4:10 PM
To: dailydave
Subject: [Dailydave] Non executable memory pages with AMD64 + XP SP2

Hello everybody,

Did anyone out there have a chance to test non-executable memory
pages on AMD64 + XP SP2? I sent a mail on Bugtraq a few weeks ago but I
did not receive much support from the community.

It seems to me that non-executable pages are never enabled (at least for
basic user programs, such as "hello world" buffer overflow), unless you
manually specify /PAE, despite:
http://support.microsoft.com/kb/875352

If you read the small caps on AMD commercials in France, they say
something like: "you must manually enable the Enhanced Virus Protection
for each of your application to be fully protected". What is this 
supposed to mean ???

I suspect Microsoft went on a last-minute change, considering the number
of software failing with non-executable pages (at least on my computer -
e.g. nVidia userland interface).

To sum up:

1/ 64-bit OS are not ready for production - if you ever tried to get
drivers for the Windows XP 64-bit edition (available from MSDN) you know
what I mean.

2/ 64-bit OS are as fast as 32-bit OS (tested on Fedora 64 and XP
64). Applications will be running in 32-bit emulation mode for a long
time and will not benefit from 64-bit processors either.

3/ 32-bit XP SP2 does not use non-executable memory pages (AFAIK).

4/ Shellcoders will benefit from new RIP-relative addressing, as M.
Conover pointed out.

So, could someone figure out a good reason why I spent $300 on this
s***? (Not counting the motherboard and memory upgrade.)

Regards,
- Nicolas RUFF
-----------------------------------
Security Consultant
EdelWeb (http://www.edelweb.fr/)
Mail : nicolas.ruff (at) edelweb.fr
-----------------------------------

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
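The point both posters circle around is that XP SP2 ships DEP in "OptIn" mode, where only Windows system binaries and services are covered and an ordinary user program gets no NX protection unless the policy is changed. The following script is an added example (it is not code from either poster) that reads the effective DEP policy through the Win32_OperatingSystem WMI class, whose DataExecutionPrevention_* properties exist from XP SP2 onward, and, where a C:\boot.ini exists (XP; later versions use bcdedit and will simply skip this part), also shows the /noexecute switch that sets the policy at boot. The path C:\boot.ini and the interpretation of the numeric policy values are the assumptions here.

```powershell
# Added example: report the system-wide DEP (NX) policy on a Windows host.
# Reads Win32_OperatingSystem (properties present since XP SP2) and, on XP,
# the /noexecute= switch in C:\boot.ini. Assumes the boot.ini path; on
# Vista and later that file does not exist and the check is skipped.

function Get-DepPolicyReport {
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # Documented meaning of DataExecutionPrevention_SupportPolicy:
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (only Windows binaries), 3 = OptOut
    $policyName = switch ([int]$os.DataExecutionPrevention_SupportPolicy) {
        0 { 'AlwaysOff' }
        1 { 'AlwaysOn' }
        2 { 'OptIn (only essential Windows programs and services are covered)' }
        3 { 'OptOut (everything covered except explicitly excluded programs)' }
        default { 'Unknown' }
    }

    $report = [ordered]@{
        HardwareNxAvailable   = [bool]$os.DataExecutionPrevention_Available
        Policy                = $policyName
        Covers32BitApps       = [bool]$os.DataExecutionPrevention_32BitApplications
        CoversDrivers         = [bool]$os.DataExecutionPrevention_Drivers
        BootIniNoExecute      = 'n/a (no C:\boot.ini on this system)'
    }

    # On XP the policy is set by /noexecute= on the boot entry in boot.ini.
    # Assumed path; absent on Vista+ where bcdedit /enum shows the "nx" value.
    $bootIni = 'C:\boot.ini'
    if (Test-Path $bootIni) {
        $match = Select-String -Path $bootIni -Pattern '/noexecute=(\w+)' |
                 Select-Object -First 1
        if ($match) {
            $report.BootIniNoExecute = $match.Matches[0].Groups[1].Value
        } else {
            $report.BootIniNoExecute = 'switch not present (defaults to OptIn)'
        }
    }

    # Flag the situation described in the thread: NX-capable CPU, but only
    # system binaries protected, so a plain user-mode overflow still runs.
    if ($report.HardwareNxAvailable -and
        [int]$os.DataExecutionPrevention_SupportPolicy -eq 2) {
        $report.Note = 'CPU supports NX but policy is OptIn: user applications ' +
                       'are not protected unless opted in or policy is AlwaysOn/OptOut'
    }

    return New-Object PSObject -Property $report
}

Get-DepPolicyReport | Format-List
```

Run it from an elevated PowerShell prompt so that boot.ini is readable. On a machine in the state Maynor describes, the output shows HardwareNxAvailable as True together with an OptIn policy, which is exactly why an unprotected "hello world" overflow still executes its payload; changing the boot switch to /noexecute=AlwaysOn (or OptOut) and rebooting is what extends coverage to all user-mode processes.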
