DEP¶
links: ED TOC - Exploit Mitigations - Index
Claim¶
DEP prevents the execution of injected code: bytes an attacker has written into a data region (stack, heap, ...) cannot be run as instructions.
General¶
Data Execution Prevention (DEP) is a runtime exploit mitigation that removes execute permission from memory regions that only need to hold data. Every mapped memory region carries permission flags for reading (R), writing (W) and executing (X); the operating system sets them in the page tables and the CPU enforces them (the NX/XD bit on x86, XN on ARM), so the processor only fetches instructions from pages that have the X flag set. In practice the code segment has X set but not W, while the stack, the heap and other data regions have W but not X. An attacker can therefore still write shellcode into a buffer on the stack or heap, but the attempt to jump to it faults (SIGSEGV on Linux) instead of running it. A region that is both writable and executable (W+X) defeats the mitigation, which is why such mappings are generally a bad idea; the policy that forbids them is usually written W^X.
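The permission check described above, as an added example that is not part of the original page: it maps one page read+write, copies a few constructed machine-code bytes (a stub that simply returns 42) into it and calls them, then repeats the call after mprotect() has added the X flag. Assumes Linux or macOS on x86-64 or AArch64; the stub bytes, the helper names run_stub and try_call, and the return codes -1/-2 are this example's own.

```c
/* Added example, not code from the original page: shows what DEP enforces.
 * A tiny machine-code stub (mov eax/w0, 42 ; ret) is copied into a page mapped
 * read+write; calling it faults because X is not set. After mprotect() adds X
 * (and drops W, so the page is never W+X) the same bytes run. The fault is
 * caught with a SIGSEGV/SIGBUS handler and siglongjmp so the process survives.
 * Assumes Linux or macOS on x86-64 or AArch64. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#if defined(__x86_64__)
/* mov eax, 42 ; ret */
static const unsigned char stub[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };
#elif defined(__aarch64__)
/* mov w0, #42 ; ret */
static const unsigned char stub[] = { 0x40, 0x05, 0x80, 0x52, 0xc0, 0x03, 0x5f, 0xd6 };
#else
#error "stub bytes provided for x86-64 and AArch64 only"
#endif

static sigjmp_buf fault_env;

static void on_fault(int sig) {
    (void)sig;
    siglongjmp(fault_env, 1); /* unwind back into try_call() */
}

/* Jump to `code`. Returns the stub's return value, or -1 if the CPU refused
 * to fetch instructions from that page (the fault was caught). */
static int try_call(void *code) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sa.sa_flags = SA_NODEFER;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus); /* macOS reports the NX fault as SIGBUS */

    volatile int result = -1;
    if (sigsetjmp(fault_env, 1) == 0) {
        int (*fn)(void);
        memcpy(&fn, &code, sizeof fn); /* object pointer -> function pointer */
        result = fn();
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return result;
}

/* Map one page RW, copy the stub in and call it. With make_executable == 0
 * the call happens while the page is still RW (DEP blocks it: returns -1).
 * With make_executable != 0 the page is first flipped to R+X with mprotect(),
 * which is what a DEP bypass such as a ROP chain arranges (returns 42).
 * Returns -2 if mmap()/mprotect() fail, e.g. under a policy that forbids
 * anonymous executable mappings. */
int run_stub(int make_executable) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -2;
    memcpy(p, stub, sizeof stub);
    __builtin___clear_cache((char *)p, (char *)p + sizeof stub); /* required on AArch64 */

    if (make_executable && mprotect(p, page, PROT_READ | PROT_EXEC) != 0) {
        munmap(p, page);
        return -2;
    }
    int result = try_call(p);
    munmap(p, page);
    return result;
}

int main(void) {
    int rw = run_stub(0), rx = run_stub(1);
    printf("page RW : %s\n", rw == -1 ? "call faulted, DEP blocked it" : "call ran?!");
    printf("page RX : %s %d\n", rx == 42 ? "stub ran, returned" : "unexpected result", rx);
    return 0;
}
```

Compile with cc and run: the first call faults and is caught, the second returns 42. The page is flipped to R+X rather than RWX on purpose, so it never violates the W^X rule; the write happened while the page was RW and the execute permission was added only afterwards, which is also the sequence a real bypass has to reproduce.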
(De-)Applying DEP¶
DEP is active by default on all modern platforms; on Linux the default GCC/ld output already marks the stack non-executable. To deliberately disable that protection (for instance to run a shellcode exercise) the executable stack has to be requested at link time. The option belongs to the linker, gcc merely passes it through: gcc [..] -z execstack [..]. The linker records the choice in the PT_GNU_STACK program header, and readelf -l [exec-name] shows it in the GNU_STACK row: the flags column gains an E for the stack (readelf prints execute permission as E rather than X; it is the same PF_X bit). Two caveats: -z execstack only affects the stack, the heap and other data mappings stay non-executable; and a binary with no GNU_STACK header at all has historically been given an executable stack by the kernel, so a missing header must not be read as "protected".
Example:
```text
# with DEP (default, non-executable stack)
GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RW 0x10
# without DEP (linked with -z execstack)
GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x10
```
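A runtime version of the readelf check, added here as an example and not code from the original page: it parses the ELF program headers itself and reports the GNU_STACK flags, which is what the kernel consults when it sets up the process stack. Assumes a Linux ELF file in host byte order and the default path /proc/self/exe; the function names gnu_stack_flags and flags_to_string and the return codes -1/-2 are this example's own.

```c
/* Added example, not code from the original page: a minimal
 * "readelf -l | grep GNU_STACK" in C. The kernel decides whether a process
 * gets an executable stack from the PT_GNU_STACK program header that
 * -z execstack / -z noexecstack writes, so this reads that header straight
 * from the ELF file. Assumes a Linux ELF binary in host byte order and that
 * e_phentsize matches sizeof(ElfN_Phdr); handles ELF32 and ELF64. */
#include <elf.h>
#include <stdio.h>
#include <string.h>

/* Returns the p_flags of the PT_GNU_STACK header (bits PF_R, PF_W, PF_X),
 * -2 if the file is a valid ELF without that header (historically the kernel
 * then gives the process an executable stack), or -1 on I/O or format errors. */
int gnu_stack_flags(const char *path) {
    FILE *f = fopen(path, "rb");
    if (!f) return -1;

    int result = -1;
    unsigned char ident[EI_NIDENT];
    if (fread(ident, 1, sizeof ident, f) != sizeof ident ||
        memcmp(ident, ELFMAG, SELFMAG) != 0) goto out;
    rewind(f);

    if (ident[EI_CLASS] == ELFCLASS64) {
        Elf64_Ehdr eh; Elf64_Phdr ph;
        if (fread(&eh, sizeof eh, 1, f) != 1 ||
            fseek(f, (long)eh.e_phoff, SEEK_SET) != 0) goto out;
        result = -2;
        for (unsigned i = 0; i < eh.e_phnum; i++) {
            if (fread(&ph, sizeof ph, 1, f) != 1) { result = -1; break; }
            if (ph.p_type == PT_GNU_STACK) { result = (int)(ph.p_flags & (PF_R | PF_W | PF_X)); break; }
        }
    } else if (ident[EI_CLASS] == ELFCLASS32) {
        Elf32_Ehdr eh; Elf32_Phdr ph;
        if (fread(&eh, sizeof eh, 1, f) != 1 ||
            fseek(f, (long)eh.e_phoff, SEEK_SET) != 0) goto out;
        result = -2;
        for (unsigned i = 0; i < eh.e_phnum; i++) {
            if (fread(&ph, sizeof ph, 1, f) != 1) { result = -1; break; }
            if (ph.p_type == PT_GNU_STACK) { result = (int)(ph.p_flags & (PF_R | PF_W | PF_X)); break; }
        }
    }
out:
    fclose(f);
    return result;
}

/* Render flags the way readelf prints them ("RW", "RWE", ...). */
static void flags_to_string(int flags, char out[4]) {
    int n = 0;
    if (flags & PF_R) out[n++] = 'R';
    if (flags & PF_W) out[n++] = 'W';
    if (flags & PF_X) out[n++] = 'E'; /* readelf writes execute permission as E */
    out[n] = '\0';
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "/proc/self/exe";
    int flags = gnu_stack_flags(path);
    char s[4];
    if (flags == -1) { fprintf(stderr, "%s: not a readable ELF file\n", path); return 1; }
    if (flags == -2) { printf("%s: no GNU_STACK header (older kernels then make the stack executable)\n", path); return 0; }
    flags_to_string(flags, s);
    printf("%s: GNU_STACK %s -> stack %s\n", path, s,
           (flags & PF_X) ? "executable (DEP disabled for the stack)" : "non-executable");
    return 0;
}
```

Run it with no argument to inspect the running binary, or pass the path of a binary built with and without -z execstack to see RW turn into RWE. Unlike grepping readelf output, the function distinguishes "header present without E" from "header missing", which matters because the two are not treated the same way by the kernel.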
Breaking DEP¶
DEP does not stop the attacker from taking control of the instruction pointer; it only stops the jump from landing in attacker-written bytes. To break it, the attacker therefore reuses code that is already mapped executable: Return Oriented Programming (ROP) chains together short instruction sequences ("gadgets") that end in ret, and Ret2PLT (the binary-local variant of ret2libc) returns into library functions through the executable's PLT entries. A common goal of such a chain is to call mprotect() (VirtualProtect() on Windows) to add the X flag to a buffer holding shellcode, after which the injected code runs as if DEP were absent.