nezumi-lab
January 13th, 2009, 03:21
Wandering over the Windows kernel, nezumi found very screwy code - another loophole to bypass DEP. W2K SP4 gives PEB/TEB r-w-x attributes, so PEB and TEB are executable! It's easy to check with OllyDbg (View -> Memory).
http://nezumi-lab.org/gif/FSrwx.gif
W2K SP4 gives PEB/TEB r-w-x attributes
XP SP3 and S2K3 SP1 come without this bug, but what about other systems? Let's find out! Please download ("http://nezumi-lab.org/ffh/TEBRWE.zip") a simple system info collector (it comes with full sources), run it and send the result to info#re-lab.org or leave your comment here. It's absolutely safe for your system. No harm, no fault.
thanks in advance!
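For readers who would rather reproduce the check in code than in OllyDbg's memory map, here is an added C example (it is not the source shipped in TEBRWE.zip). It asks the memory manager, via VirtualQuery, what protection is recorded for the page holding the current thread's TEB and for the PEB it points to, and decodes the Protect value into the R/W/E letters OllyDbg displays. The helper names protect_is_executable and protect_to_rwx are this example's own; only the probing part needs Windows, the decoder compiles anywhere.

```c
/* tebrwx_check.c -- probe the page protection of the current thread's TEB
 * and the process PEB, the check the post does by hand in OllyDbg
 * (View -> Memory). Added example, not the TEBRWE.zip source.
 *
 * Build on Windows:  cl tebrwx_check.c                       (MSVC)
 *                    gcc tebrwx_check.c -o tebrwx_check.exe  (MinGW)
 */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>   /* TEB / PEB definitions, NtCurrentTeb() */
#else
/* PAGE_* values from winnt.h, reproduced so the decoder compiles and can
 * be unit-tested on a non-Windows host. */
#define PAGE_NOACCESS          0x01
#define PAGE_READONLY          0x02
#define PAGE_READWRITE         0x04
#define PAGE_WRITECOPY         0x08
#define PAGE_EXECUTE           0x10
#define PAGE_EXECUTE_READ      0x20
#define PAGE_EXECUTE_READWRITE 0x40
#define PAGE_EXECUTE_WRITECOPY 0x80
#define PAGE_GUARD            0x100
#endif

/* Return 1 if a MEMORY_BASIC_INFORMATION.Protect value carries any
 * execute permission, 0 otherwise. Modifier bits (PAGE_GUARD,
 * PAGE_NOCACHE, ...) live above the low byte and are ignored. */
int protect_is_executable(uint32_t protect)
{
    uint32_t base = protect & 0xFFu;
    return (base & (PAGE_EXECUTE | PAGE_EXECUTE_READ |
                    PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)) != 0;
}

/* Render Protect as the three-letter R/W/E string OllyDbg shows
 * ("RWE" for PAGE_EXECUTE_READWRITE, "RW-" for PAGE_READWRITE, ...).
 * out must hold at least 4 bytes; returns out. */
char *protect_to_rwx(uint32_t protect, char out[4])
{
    uint32_t base = protect & 0xFFu;
    int r = (base & (PAGE_READONLY | PAGE_READWRITE | PAGE_WRITECOPY |
                     PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE |
                     PAGE_EXECUTE_WRITECOPY)) != 0;
    int w = (base & (PAGE_READWRITE | PAGE_WRITECOPY |
                     PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)) != 0;
    int x = protect_is_executable(protect);
    out[0] = r ? 'R' : '-';
    out[1] = w ? 'W' : '-';
    out[2] = x ? 'E' : '-';
    out[3] = '\0';
    return out;
}

#ifdef _WIN32
/* Query one address and print what the memory manager recorded for it. */
static void report(const char *name, const void *addr)
{
    MEMORY_BASIC_INFORMATION mbi;
    char rwx[4];
    if (VirtualQuery(addr, &mbi, sizeof mbi) != sizeof mbi) {
        printf("%-3s at %p: VirtualQuery failed, error %lu\n",
               name, addr, (unsigned long)GetLastError());
        return;
    }
    printf("%-3s at %p: Protect=0x%03lx (%s) -> %s\n", name, addr,
           (unsigned long)mbi.Protect, protect_to_rwx(mbi.Protect, rwx),
           protect_is_executable(mbi.Protect) ? "EXECUTABLE" : "not executable");
}

int main(void)
{
    /* NtCurrentTeb() reads the TEB pointer from FS:[0x18] on x86
     * (GS:[0x30] on x64); the PEB pointer is a field inside the TEB. */
    const TEB *teb = NtCurrentTeb();
    report("TEB", teb);
    report("PEB", teb->ProcessEnvironmentBlock);
    return 0;
}
#else
int main(void)
{
    puts("TEB/PEB probing needs Windows; only the decoder is portable.");
    return 0;
}
#endif
```

Two caveats when reading the output: VirtualQuery reports the protection recorded for the page, not whether the CPU enforces it, so an "RWE" TEB only matters as a DEP bypass on a machine where DEP is actually enforced for the process (hardware NX plus a policy covering it); and the TEB and PEB normally sit on different pages, so query both rather than assuming one result covers the other.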
results:
W2K SP4: PEB/TEB are executable;
XP SP3: PEB/TEB are _not_ executable;
S2K3 SP1: PEB/TEB are _not_ executable;
http://nezumi-lab.org/blog/?p=65