Worth Reading: ROP protection in Windows 8 bypassed
Windows 8 offers a range of new protection mechanisms that are designed to hamper the efforts of exploit authors. However, shortly after the release of the Windows 8 Developer Preview, a way to circumvent one of these new obstacles has already been found.
The standard technique to bypass the ever more widely used Data Execution Prevention (DEP) feature is to piece together small fragments of code which then call memory management functions such as VirtualProtect to disable memory protection. Each of these fragments ends in a return instruction that jumps to the address stored on the stack (hence, Return-Oriented Programming, or ROP). Consequently, the exploit authors need a specially crafted stack. As it tends to be difficult to manipulate the stack itself, it is necessary to place the required byte sequence in the heap and redirect the ESP stack pointer to the heap.
This is where Windows 8 steps in: when calling memory management functions, it will check whether the stack pointer is still pointing to the area described by the Thread Environment Block (TEB). If it isn't, the process will be terminated. The exploit writers' new trick is simple: they give Windows what it wants and reset ESP temporarily when the critical functions are called.
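The following is an added example, not code from the article or from either of the linked posts, that models the check described above in portable C: it compares a candidate stack pointer against the stack range a thread's TEB records and flags calls whose stack pointer has left that range. The `teb_stack_t` structure, the constructed address values, and the sample call trace are all assumptions made for the example (on Windows the real fields are `NtCurrentTeb()->NtTib.StackBase` and `StackLimit`). Because the check is evaluated only at the moment a protected function is entered, it sees nothing of what the stack pointer looked like before or after the call, which is exactly the gap the article describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the two stack fields of the Thread Environment
 * Block. On Windows these are NtCurrentTeb()->NtTib.StackBase (top of the
 * stack, exclusive) and StackLimit (lowest committed address, inclusive).
 * They are plain values here so the example runs on any platform. */
typedef struct {
    uintptr_t stack_base;
    uintptr_t stack_limit;
} teb_stack_t;

/* One observed call into a memory management API, with the stack pointer
 * value at function entry. Constructed for the example. */
typedef struct {
    const char *api;
    uintptr_t sp;
} call_site_t;

/* Core of the mitigation: is sp inside [stack_limit, stack_base)?
 * A malformed TEB (limit >= base) fails closed. */
int sp_within_teb_stack(const teb_stack_t *teb, uintptr_t sp)
{
    if (teb->stack_limit >= teb->stack_base)
        return 0;
    return (sp >= teb->stack_limit && sp < teb->stack_base) ? 1 : 0;
}

/* Gate applied at entry to a protected function: 1 = call proceeds,
 * 0 = the stack pointer is outside the thread's stack and the process
 * would be terminated. */
int memory_api_gate(const teb_stack_t *teb, const call_site_t *call)
{
    return sp_within_teb_stack(teb, call->sp);
}

/* Count how many calls in a trace the gate would reject. */
size_t count_pivoted_calls(const teb_stack_t *teb,
                           const call_site_t *trace, size_t n)
{
    size_t flagged = 0;
    for (size_t i = 0; i < n; i++)
        if (!memory_api_gate(teb, &trace[i]))
            flagged++;
    return flagged;
}

/* Constructed 32-bit style stack range: 16 KiB committed below 0x00130000. */
teb_stack_t example_teb(void)
{
    teb_stack_t t = { 0x00130000u, 0x0012C000u };
    return t;
}

/* Constructed trace: two calls run on the real stack, two arrive with ESP
 * pointing into heap memory (0x0035xxxx), as a heap-resident ROP stack would. */
static const call_site_t example_trace[] = {
    { "VirtualProtect",     0x0012F800u },
    { "VirtualAlloc",       0x00350040u },
    { "WriteProcessMemory", 0x00350100u },
    { "HeapCreate",         0x0012E000u },
};

size_t pivoted_calls_in_example_trace(void)
{
    teb_stack_t t = example_teb();
    return count_pivoted_calls(&t, example_trace,
                               sizeof example_trace / sizeof example_trace[0]);
}

int main(void)
{
    teb_stack_t t = example_teb();
    size_t n = sizeof example_trace / sizeof example_trace[0];
    for (size_t i = 0; i < n; i++) {
        printf("%-18s sp=0x%08lx -> %s\n", example_trace[i].api,
               (unsigned long)example_trace[i].sp,
               memory_api_gate(&t, &example_trace[i]) ? "ok" : "TERMINATE");
    }
    printf("%zu of %zu calls rejected\n", count_pivoted_calls(&t, example_trace, n), n);
    return 0;
}
```

Note that a call whose stack pointer sits exactly at `stack_base` is rejected, since the base is one past the top of the stack; the constructed heap addresses are rejected because they lie entirely outside the recorded range.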
- Defeating Windows 8 ROP Mitigation describes this concept in detail, and
- ROP chain for Windows 8 provides the ROP code that is required for existing exploit code to be used under Windows 8.