lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 13 Feb 2007 18:13:09 +0100
From: KJKHyperion <hackbunny@...tpj.org>
To: Full-Disclosure@...ts.grok.org.uk
Subject: Torpark breaks with DEP enabled,
 and how to break it further so that it works

I can't believe nobody has documented this yet. I can't believe nobody 
uses Torpark on a machine with hardware-enforced DEP. I mean, it's a 
basic security measure. Zero effort. Enabled by default by all operating 
systems that count on all recent CPUs that support it. Oh well.

Torpark, for the couple of people who don't know yet, is a bloated 
launcher for Portable Firefox and Tor, for all your roaming child porn 
needs. It's inexplicably written in NSIS, a scripting language 
originally designed for impressing your friends with your ignorance of 
Windows Installer.

NSIS includes impressive capabilities, such as the goto instruction and 
the ability to call bloated, buggy and poorly thought-out plugin DLLs, 
that make it somewhat usable as a general purpose programming language. 
A capability that, incidentally, grossly misguided individuals can 
mistake for the perfect opportunity to write a launcher front-end 
application that's 1.81 MB in size. Compressed. That dumps a half dozen 
DLLs in temporary directories. One of which a theme manager. To skin one 
window. With two buttons.

(to say it lyrically, Torpark embodies the KISS principle in the flesh - 
or rather, in the [mega]byte)

To get to the point, though. For several releases now, my child porn 
browsing has been severely impaired by a significant drawback: Torpark 
just did not start. No error message. The /debug command line switch - a 
sad, cruel joke, depending as it did on the programmer's skill and 
foresight - was of no help. A real debugger revealed the error: the 
plugin DLL (my heart feels pain from typing this) to display message 
boxes is incompatible with DEP. And of course, since you need a plugin 
to display message boxes, you can't display a message box about the 
failure to load the plugin that displays message boxes. In a way, that 
makes perfect sense. In _another_ way, one wonders just how could you 
mess up a 6 KB DLL (still pretty darn huge for a message box). The 
exercise is left to the reader (the answer may surprise you!)

How to unbreak Torpark before your pedo-boner wears off, though? HOW, 
you ask, trembling and panicked? Again, the answer may surprise you: we 
are going to break Torpark further so the system will detect its 
lameness early enough to disable DEP for the whole process (for a 
launcher, this normally wouldn't be a security issue, but all bets are 
off with a program coded in Visual Basic for Llamas).

For the uninitiated: binary executables (.EXE, .DLL) consist of a list 
of memory ranges to allocate ("sections"), the data to initialize them 
with, and the attributes (readable, writable, executable) of said 
memory. The code is typically (... typically!) emitted as the 
initialization data for a section with the "executable" attribute. 
Finally, a byte inside the executable is marked as the "entry point", 
i.e. the beginning of the program, the first instruction to execute.

Now, when Windows encounters a program so sadly broken its entry point 
lies into a non-executable section (something not even Borland tools 
manage to do, despite the incompatible binary format they use 
internally), it will take pity upon the user and disable DEP for the 
whole process. Again, for the benefit of the philistines in the crowd: 
DEP is a system policy that actually enforces the requirement for memory 
to be marked as executable; older x86 processors (read: all computers in 
the world, ever) did not actually support this, so developers felt 
justified to act damn fucking smart and break their code to brag their 
superior knowledge. The Opera browser is an example of such a broken 
application (it's the fault of the packer, though).

The easiest way to disable DEP for a program, therefore, is to break it 
on purpose.

Rather anticlimatically, this consists of opening the executable in a 
hex editor, looking for the byte pattern "60 00 00 20" near the 
beginning and replacing it with "40 00 00 40". Adventurous readers can 
have fun figuring out why. The answer will not surprise you at all!

That's all. Happy naked kids to all security-conscious Windows users!

PS: stop posting child porn on 4chan.org, faggots. You got almost all 
exit nodes banned. GTFO khtxbye, go gum up anonib.com instead

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ