"Over the past several years, Microsoft has implemented a number of memory protection mechanisms with the goal of preventing the reliable exploitation of common software vulnerabilities on the Windows platform. Protection mechanisms such as GS, SafeSEH, DEP and ASLR complicate the exploitation of many memory corruption vulnerabilities and at first sight present an insurmountable obstacle for exploit developers.

In this paper we will discuss the limitations of all aforementioned protection mechanisms and will describe the cases in which they fail. We aim to show that the protection mechanisms in Windows Vista are particularly ineffective for preventing the exploitation of memory corruption vulnerabilities in browsers. This will be demonstrated with a variety of exploitation techniques that can be used to bypass the protections and achieve reliable remote code execution in many different circumstances."

<!--EndFragment-->

"This paper describes a technique that can be used to bypass Windows hardware-enforced Data Execution Prevention (DEP) on default installations of Windows XP Service Pack 2 and Windows 2003 Server Service Pack 1. This technique makes it possible to execute code from regions that are typically non-executable when hardware support is present, such as thread stacks and process heaps. While other techniques have been used to accomplish similar feats, such as returning into NtProtectVirtualMemory, this approach requires no direct reprotecting of memory regions, no copying of arbitrary code to other locations, and does not have issues with NULL bytes. The result is a feasible approach that can be used to easily bypass the enhancements offered by hardware-enforced DEP on Windows in a way that requires very minimal modifications to existing exploits."

"The purpose of this document is to familiarize or refresh the reader with the
techniques used to write reliable shellcode for Windows. The reader is expected
to be familiar with IA32 assembly on at least a conceptual level. It is also
recommended that the reader take some time to review some of the items in the
bibliography. Aside from that, the only other requirement is the desire to learn.
Many portions of this document have been covered elsewhere before but, to
the author’s satisfaction, have not been compiled into an easily understandable
format for beginners and tinkerers alike. For this reason the author hopes that
the reader walks away with a more centralized point of reference with regards
to the topic of Windows shellcode.

This document will focus both on Windows 9x and Windows NT based versions
with more emphasis on the latter.

The tool used to compile the assembly displayed in this document is cl.exe
as distributed with Microsoft’s Visual Studio suite. With cl.exe, one should
make use of the inline assembler functionality when attempting to compile the
assembly. Also, one can likely use masm or other assemblers that support intelstyle
assembly as well if one does not have access to cl.exe.
Finally, all of the shellcode in this document can be found at http://www.hick.
org/code/skape/shellcode/win32."

Original Link: www.hick.org/code/skape/papers/win32-shellcode.pdf