- Return-to-libc attacks: These attacks, while normally limited to simple system commands, will always evade DEP because code never executes from non-executable memory.
- Resetting the NX bit on the protected page to allow execution: Exploit code can accomplish this by calling the VirtualProtect API, passing in the address of the malicious code and specifying PAGE_EXECUTE_READWRITE.
- Disabling DEP for the current process: An attacker could call SetProcessDEPPolicy (supported on Windows XP SP3, Vista SP1 and Windows 2008) to disable DEP for the current process, with the caveat that this works only if the process has not already called this function itself. Another way to accomplish this is by calling the NtSetInformationProcess API to disable DEP on the current process. A good article explaining this bypass can be found here.
- Allocating new writable and executable memory then copying the shellcode payload to it and jumping to it
- Copying the shellcode to an already existing writable memory area and jumping to it
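
Several of the techniques in the list above depend on specific API calls, which gives a defender something to monitor. The following is an added example, not code from the original article: it scans a constructed API-call trace and flags the VirtualProtect, VirtualAlloc, SetProcessDEPPolicy and NtSetInformationProcess patterns described above. The key=value trace layout and the function names `parse`, `classify` and `scan` are assumptions of this example; return-to-libc and copying into already writable memory make no such call and are not covered.

```python
import re

# Windows memory-protection values that combine write and execute access.
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
WX_MASK = PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
PROCESS_EXECUTE_FLAGS = 0x22  # ProcessExecuteFlags information class

# Constructed sample trace; the key=value layout is an assumption of this example.
SAMPLE_TRACE = """\
pid=4120 api=VirtualAlloc size=0x2000 protect=0x04
pid=4120 api=VirtualProtect addr=0x0012f000 size=0x1000 protect=0x40
pid=4120 api=SetProcessDEPPolicy flags=0x0
pid=5300 api=NtSetInformationProcess class=0x22
pid=5300 api=VirtualAlloc size=0x1000 protect=0x40
pid=5300 api=VirtualProtect addr=0x00400000 size=0x1000 protect=0x20
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Turn one trace line into a dict; numeric fields become ints."""
    try:
        return {k: v if k == "api" else int(v, 0) for k, v in FIELD.findall(line)}
    except ValueError:
        return None  # malformed numeric field: skip the line

def classify(rec):
    """Return a reason string if the call matches a DEP-bypass pattern."""
    api, prot = rec.get("api"), rec.get("protect", 0)
    if api == "VirtualProtect" and prot & WX_MASK:
        return "existing page made writable+executable"
    if api == "VirtualAlloc" and prot & WX_MASK:
        return "new writable+executable allocation"
    if api == "SetProcessDEPPolicy" and rec.get("flags", 1) == 0:
        return "DEP disable requested for process"
    if api == "NtSetInformationProcess" and rec.get("class") == PROCESS_EXECUTE_FLAGS:
        return "execute flags changed via NtSetInformationProcess"
    return None

def scan(trace):
    """Return (line number, pid, api, reason) for every flagged call."""
    findings = []
    for n, line in enumerate(trace.splitlines(), 1):
        rec = parse(line)
        reason = classify(rec) if rec else None
        if reason:
            findings.append((n, rec.get("pid"), rec["api"], reason))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_TRACE):
        print(finding)
```

Legitimate software such as JIT compilers also requests writable and executable memory, so findings like these are usually triaged against a per-application baseline.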