How is NX-bit protection turned off when the attacker gains control over the instruction pointer in Windows on x86-64, protected with both NX-bit and ASLR? I'm assuming that the system call to disable this feature is simply at a non-ASLRed address, and can be called directly?
It seems that heap spraying is frequently used to exploit modern Windows machines (e.g. with bugs in Javascript implementations). Obviously this entails an executable heap, so how is the heap made executable prior to the heap spray? Is there some paper that clearly shows how this is done, on Windows?
Usually exploits involve a ROP attack. The ROP attack might directly invoke some system call (e.g., to spawn a shell), or might invoke VirtualProtect() to disable the NX bit.

Often one step in the ROP attack is to find at least some code at a predictable location (say, a DLL that didn't opt into ASLR) or to find an information disclosure vulnerability that lets the attacker predict the location of some code, so the attacker can find gadgets at a predictable address. Once the attacker has the ability to execute arbitrary gadgets, usually it is game over: for instance, the exploit code can derandomize the address of all other functions, such as VirtualProtect(), and then call it.

You ask how the heap is made executable. The answer is: the heap isn't made executable, as there is no need to make it executable when using a ROP attack. Indeed, this is one of the reasons why ROP attacks are commonly used.
See also https://security.stackexchange.com/q/20497/971.