flat assembler
Message board for the users of flat assembler.

Home Search Register
Log in to check your private messages Log in

Index > Windows > Security cookie
Author
Thread Post new topic Reply to topic
ProMiNick



Joined: 24 Mar 2012
Posts: 817
Location: Russian Federation, Sochi
ProMiNick 25 Oct 2020, 23:44
Code:
DEFAULT_SECURITY_COOKIE = $BB40
__security_init_cookie:
        mov     eax, [___security_cookie]
        test    eax, eax
        jz      .go_init
        cmp     eax, DEFAULT_SECURITY_COOKIE
        jnz     .done
    .go_init:
        sub     esp, 8
        invoke  GetSystemTimeAsFileTime, esp
        pop     eax
        xor     [esp], eax
        invoke  GetCurrentProcessId
        xor     [esp], eax
        invoke  GetCurrentThreadId
        xor     [esp], eax
        invoke  GetTickCount
        xor     [esp], eax
        sub     esp, 8
        invoke  QueryPerformanceCounter, esp
        pop     eax
        xor     [esp], eax
        pop     eax
        xor     [esp], eax
        pop     eax
        and     eax, $FFFF
        jnz     .skip_default
        mov     eax, DEFAULT_SECURITY_COOKIE
    .skip_default:
        mov     [___security_cookie], eax
    .done:
        not     eax
        mov     [___security_cookie_complement], eax
        retn

__check_security_cookie:
        cmp     ecx, [___security_cookie]
        jnz     __report_gsfailure
        retn

__report_gsfailure:
        sub     esp, sizeof.X86_CONTEXT - X86_CONTEXT._Eip
        push    ebp
        push    eax
        push    ecx
        push    edx
        push    ebx
        push    esi
        push    edi
        push    ds
        push    es
        push    fs
        push    gs
        add     esp, X86_CONTEXT.ExtendedRegisters-X86_CONTEXT.SegGs
        push    ss
        lea     ebx, [esp+sizeof.X86_CONTEXT-X86_CONTEXT.SegSs]
        push    ebx
        pushfd
        push    cs
        mov     ebx, [ebx]
        push    ebx
        sub     esp, X86_CONTEXT._Eip-X86_CONTEXT._Dr0
        push    CONTEXT_CONTROL
        mov     ebp, esp
        push    [___security_cookie]
        push    [___security_cookie_complement]
        mov     ecx, sizeof.EXCEPTION_RECORD32/4
        lea     esp, [esp-sizeof.EXCEPTION_RECORD32]
        xor     eax, eax
        mov     edi, esp
        rep stosb
        mov     eax, esp
        mov     [esp+EXCEPTION_RECORD32.ExceptionAddress], ebx
        mov     [esp+EXCEPTION_RECORD32.ExceptionCode], STATUS_STACK_BUFFER_OVERRUN
        push    ebp
        push    eax
        invoke  SetUnhandledExceptionFilter, NULL
        invoke  UnhandledExceptionFilter, esp
        invoke  GetCurrentProcess
        invoke  TerminateProcess, eax, $502


use case:
Code:
; DialogBox example

format PE GUI 4.0
entry start

include 'win32a.inc'
include 'os_specs/windows/equates/exsup.inc'
include 'os_specs/windows/structs/x32/exsup.inc'
include 'os_specs/windows/structs/contexts.inc'
CONTEXT_CONTROL = $10001
STATUS_STACK_BUFFER_OVERRUN = $C0000409

ID_CAPTION         = 101
ID_MESSAGE         = 102
ID_ICONERROR       = 201
ID_ICONINFORMATION = 202
ID_ICONQUESTION    = 203
ID_ICONWARNING     = 204
ID_TOPMOST         = 301

section '.text' code readable executable

proc start
        call    __security_init_cookie
        invoke  DialogBoxParam,PE_IMAGE_BASE,37,HWND_DESKTOP,DialogProc,0
        ret
endp

proc DialogProc,hwnddlg,msg,wparam,lparam
        ;push    [___security_cookie]

  locals
        message rb 100h
        caption rb 10h
        security_cookie dd ?
  endl
        push    ebx
        push    esi
        push    edi
        cmp     [msg],WM_INITDIALOG
        je      .wminitdialog
        cmp     [msg],WM_COMMAND
        je      .wmcommand
        cmp     [msg],WM_CLOSE
        je      .wmclose
        xor     eax,eax
        jmp     .finish
  .wminitdialog:
        invoke  CheckRadioButton,[hwnddlg],ID_ICONERROR,ID_ICONWARNING,ID_ICONINFORMATION
        jmp     .processed
  .wmcommand:
        cmp     [wparam],BN_CLICKED shl 16 + IDCANCEL
        je      .wmclose
        cmp     [wparam],BN_CLICKED shl 16 + IDOK
        jne     .processed
        mov     eax, [___security_cookie]
        mov     [security_cookie], eax
        invoke  GetDlgItemText,[hwnddlg],ID_CAPTION,addr caption,$40
        invoke  GetDlgItemText,[hwnddlg],ID_MESSAGE,addr message,$100
        mov     ecx, [security_cookie]
        ;mov     ecx,[esp-$100-$40]
        call    __check_security_cookie
        mov     [flags],MB_OK
        invoke  IsDlgButtonChecked,[hwnddlg],ID_ICONERROR
        cmp     eax,BST_CHECKED
        jne     .iconerror_ok
        or      [flags],MB_ICONERROR
      .iconerror_ok:
        invoke  IsDlgButtonChecked,[hwnddlg],ID_ICONINFORMATION
        cmp     eax,BST_CHECKED
        jne     .iconinformation_ok
        or      [flags],MB_ICONINFORMATION
      .iconinformation_ok:
        invoke  IsDlgButtonChecked,[hwnddlg],ID_ICONQUESTION
        cmp     eax,BST_CHECKED
        jne     .iconquestion_ok
        or      [flags],MB_ICONQUESTION
      .iconquestion_ok:
        invoke  IsDlgButtonChecked,[hwnddlg],ID_ICONWARNING
        cmp     eax,BST_CHECKED
        jne     .iconwarning_ok
        or      [flags],MB_ICONWARNING
      .iconwarning_ok:
        invoke  IsDlgButtonChecked,[hwnddlg],ID_TOPMOST
        cmp     eax,BST_CHECKED
        jne     .topmost_ok
        or      [flags],MB_TOPMOST
      .topmost_ok:
        invoke  MessageBox,HWND_DESKTOP,addr message,addr caption,[flags]
        invoke  EndDialog,[hwnddlg],1
        jmp     .processed
  .wmclose:
        invoke  EndDialog,[hwnddlg],0
  .processed:
        mov     eax,1
  .finish:
        pop     edi
        pop     esi
        pop     ebx
        ;add     esp,4
        ret
endp

include 'os_specs/windows/hllstuff/cpp/pattern/x86/cookie.inc'

section '.bss' readable writeable

  flags                         dd ?
  ___security_cookie            dd ?
  ___security_cookie_complement dd ?

section '.idata' import data readable writeable

  library kernel,'KERNEL32.DLL',\
          user,'USER32.DLL'

  import kernel,\
         GetCurrentProcess,'GetCurrentProcess',\
         GetCurrentProcessId,'GetCurrentProcessId',\
         GetCurrentThreadId,'GetCurrentThreadId',\
         GetSystemTimeAsFileTime,'GetSystemTimeAsFileTime',\
         GetTickCount,'GetTickCount',\
         QueryPerformanceCounter,'QueryPerformanceCounter',\
         SetUnhandledExceptionFilter,'SetUnhandledExceptionFilter',\
         TerminateProcess,'TerminateProcess',\
         UnhandledExceptionFilter,'UnhandledExceptionFilter'

  import user,\
         DialogBoxParam,'DialogBoxParamA',\
         CheckRadioButton,'CheckRadioButton',\
         GetDlgItemText,'GetDlgItemTextA',\
         IsDlgButtonChecked,'IsDlgButtonChecked',\
         MessageBox,'MessageBoxA',\
         EndDialog,'EndDialog'

section '.rsrc' resource data readable

  directory RT_DIALOG,dialogs

  resource dialogs,\
           37,LANG_ENGLISH+SUBLANG_DEFAULT,demonstration

  dialog demonstration,'Create message box',70,70,190,175,WS_CAPTION+WS_POPUP+WS_SYSMENU+DS_MODALFRAME
    dialogitem 'STATIC','&Caption:',-1,10,10,70,8,WS_VISIBLE
    dialogitem 'EDIT','',ID_CAPTION,10,20,170,13,WS_VISIBLE+WS_BORDER+WS_TABSTOP
    dialogitem 'STATIC','&Message:',-1,10,40,70,8,WS_VISIBLE
    dialogitem 'EDIT','',ID_MESSAGE,10,50,170,13,WS_VISIBLE+WS_BORDER+WS_TABSTOP+ES_AUTOHSCROLL
    dialogitem 'BUTTON','&Icon',-1,10,70,80,70,WS_VISIBLE+BS_GROUPBOX
    dialogitem 'BUTTON','&Error',ID_ICONERROR,20,82,60,13,WS_VISIBLE+BS_AUTORADIOBUTTON+WS_TABSTOP+WS_GROUP
    dialogitem 'BUTTON','I&nformation',ID_ICONINFORMATION,20,95,60,13,WS_VISIBLE+BS_AUTORADIOBUTTON
    dialogitem 'BUTTON','&Question',ID_ICONQUESTION,20,108,60,13,WS_VISIBLE+BS_AUTORADIOBUTTON
    dialogitem 'BUTTON','&Warning',ID_ICONWARNING,20,121,60,13,WS_VISIBLE+BS_AUTORADIOBUTTON
    dialogitem 'BUTTON','&Style',-1,100,70,80,70,WS_VISIBLE+BS_GROUPBOX
    dialogitem 'BUTTON','&Top most',ID_TOPMOST,110,82,60,13,WS_VISIBLE+WS_TABSTOP+BS_AUTOCHECKBOX
    dialogitem 'BUTTON','OK',IDOK,85,150,45,15,WS_VISIBLE+WS_TABSTOP+BS_DEFPUSHBUTTON
    dialogitem 'BUTTON','C&ancel',IDCANCEL,135,150,45,15,WS_VISIBLE+WS_TABSTOP+BS_PUSHBUTTON
  enddialog


As we see caption is 10h in size, while from dialogitem it could became 40h string which will erase ret address & cookie.
So we will se:
The exeption unknown software exception (0xc0000409) occured in the application at location 0x004010b4.
...
when string from dialogitem will be less than 11h chars will be normal behavior from dialog demo.

_________________
I don`t like to refer by "you" to one person.
My soul requires acronim "thou" instead.
Post 25 Oct 2020, 23:44
View user's profile Send private message Send e-mail Reply with quote
bitRAKE



Joined: 21 Jul 2003
Posts: 4175
Location: vpcmpistri
bitRAKE 30 Oct 2020, 02:13
Is there a situation where cookie is needed? Why trash stack instead of detecting actual error condition? We can allocate dynamically or limit input? Maybe in very confined environments nothing else is possible, but it seems hacky to me.
Post 30 Oct 2020, 02:13
View user's profile Send private message Visit poster's website Reply with quote
ProMiNick



Joined: 24 Mar 2012
Posts: 817
Location: Russian Federation, Sochi
ProMiNick 30 Oct 2020, 05:56
Most of winapies targeted to work with strings (not buffer) never checks will string fit to buffer or not. They expect that programmer left for it enough of space.
So placing in stack static sized rooms for string winapi results is dangerous by itself.
Posible solutions instead of cookies could be 2:
don`t use stack for that (use heap,..., etc.)
allocate in stack dynamic buffers. It is possible too, nothing hard, but there is no ready for use macros to support such behavior.
Post 30 Oct 2020, 05:56
View user's profile Send private message Send e-mail Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20526
Location: In your JS exploiting you and your system
revolution 30 Oct 2020, 06:41
ProMiNick wrote:
allocate in stack dynamic buffers. It is possible too, nothing hard, but there is no ready for use macros to support such behavior.
Code:
mov esi,[string_length]
add esi,3
and esi,not 3
sub esp,esi
;...
add esp,esi
No need for a macro really. Just make sure your string is fewer than 4kB. If longer then "touch" the stack accordingly.
Post 30 Oct 2020, 06:41
View user's profile Send private message Visit poster's website Reply with quote
ProMiNick



Joined: 24 Mar 2012
Posts: 817
Location: Russian Federation, Sochi
ProMiNick 30 Oct 2020, 13:32
Ok, when such buffer is single for stack thou could use some reg to hold its size, but what if thou have to define couple of them?
thou have to place sizes of such buffer in stack: in case of esp based - base is variable shifted, so sizes of buffers should be relative to top of current stack, and for calculating other stack locals unwinding of stack will be needed. In case of ebp based stack sizes could be related via ebp.
Dynamic allocation of locals is one of cases were ebp frame is easier significantly than esp frame.
Post 30 Oct 2020, 13:32
View user's profile Send private message Send e-mail Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Main index Download Documentation Examples Message board

Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.