
Error running non-ASLR binaries

Open uafio opened this issue 7 years ago • 8 comments

Hi,

I tested under Win 8, 8.1 and 10. CreateProcess fails to create a process for binaries compiled with /DYNAMICBASE:NO and I can't figure out what flag can fix this...

```
"..\Documents\Visual Studio 2015\Projects\AppJailLauncher-master\Debug\AppJailLauncher.exe" /outbound /key:flag.txt /port:4141 /timeout:1000000000000 simple_echo_x64_NO_ASLR.exe
<> Do_LaunchServer entered.
<> Assertion success! (WSAStartup(MAKEWORD(2, 2), &wsaData) == 0) succeeded.
<> ChildFilePath: simple_echo_x64_NO_ASLR.exe
<> KeyFilePath: flag.txt
<> ServerPort: 4141
<> ChildTimeout: -1 seconds
<> NetworkEnabled: True
<> Trying to create a new AppContainer profile "simple_echo_x64_NO_ASLR.exe".
<> Profile "simple_echo_x64_NO_ASLR.exe" already exists. Retrieving SID from existing profile.
<> Assertion success! (SUCCEEDED(DeriveAppContainerSidFromAppContainerName( pszAppContainerName, &pSid ))) succeeded.
<> AppContainer profile SID obtained.
<> Assertion success! (GetFullPathName( pszKeyFilePath, cbFullKeyPath, pszFullKeyPath, &pszKeyFileSpec ) > 0) succeeded.
<> Assertion success! (PathRemoveFileSpec(pszCurrentDirectory)) succeeded.
<> KeyFilePath: \Downloads\flag.txt
<> KeyCurrentDirectory: \Downloads
<> Entering Utils_AddOrRemoveAceOnFileAcl...IsRemoveOperation=0
<> Retrieving SECURITY_DESCRIPTOR for \Downloads...
<> Assertion success! (GetFileSecurity( pszFilePath, DACL_SECURITY_INFORMATION, NULL, 0, &DescSize ) == 0) succeeded.
<> SECURITY_DESCRIPTOR size is 348
<> Allocating memory for new security descriptor
<> Assertion success! (GetFileSecurity( pszFilePath, DACL_SECURITY_INFORMATION, pOldDesc, DescSize, &DescSize ) != 0) succeeded.
<> SECURITY_DESCRIPTOR is at 007BF120
<> Assertion success! (InitializeSecurityDescriptor( &NewDesc, SECURITY_DESCRIPTOR_REVISION )) succeeded.
<> New SECURITY_DESCRIPTOR is initialized
<> Obtaining DACL from SECURITY_DESCRIPTOR...
<> Assertion success! (GetSecurityDescriptorDacl( pOldDesc, &DaclPresent, &pOldDacl, &DaclDefaulted )) succeeded.
<> DACL at 007BF134 and is present.
<> Assertion success! (GetAclInformation( pOldDacl, &AclInfo, sizeof(AclInfo), AclSizeInformation )) succeeded.
<> Allocating 376 bytes for new DACL
<> Assertion success! (InitializeAcl( pNewDacl, cbNewDacl, ACL_REVISION )) succeeded.
<> Assertion success! (GetAce(pOldDacl, i, &pTempAce)) succeeded.
<> Assertion success! (AddAce(pNewDacl, ACL_REVISION, MAXDWORD, pTempAce, ((PACE_HEADER)pTempAce)->AceSize)) succeeded.
<> Assertion success! (GetAce(pOldDacl, i, &pTempAce)) succeeded.
<> Assertion success! (AddAce(pNewDacl, ACL_REVISION, MAXDWORD, pTempAce, ((PACE_HEADER)pTempAce)->AceSize)) succeeded.
<> Assertion success! (GetAce(pOldDacl, i, &pTempAce)) succeeded.
<> Assertion success! (AddAce(pNewDacl, ACL_REVISION, MAXDWORD, pTempAce, ((PACE_HEADER)pTempAce)->AceSize)) succeeded.
<> Assertion success! (GetAce(pOldDacl, i, &pTempAce)) succeeded.
<> Assertion success! (AddAce(pNewDacl, ACL_REVISION, MAXDWORD, pTempAce, ((PACE_HEADER)pTempAce)->AceSize)) succeeded.
<> Assertion success! (GetAce(pOldDacl, i, &pTempAce)) succeeded.
<> Assertion success! (AddAce(pNewDacl, ACL_REVISION, MAXDWORD, pTempAce, ((PACE_HEADER)pTempAce)->AceSize)) succeeded.
<> Assertion success! (GetAce(pOldDacl, i, &pTempAce)) succeeded.
<> Assertion success! (AddAce(pNewDacl, ACL_REVISION, MAXDWORD, pTempAce, ((PACE_HEADER)pTempAce)->AceSize)) succeeded.
<> Assertion success! (GetAce(pOldDacl, i, &pTempAce)) succeeded.
<> Adding ACE into key parent directory's ACL failed because ACE already exists.
<> Entering Utils_AddOrRemoveAceOnFileAcl...IsRemoveOperation=0
<> Retrieving SECURITY_DESCRIPTOR for \Downloads\flag.txt...
<> Assertion success! (GetFileSecurity( pszFilePath, DACL_SECURITY_INFORMATION, NULL, 0, &DescSize ) == 0) succeeded.
<> SECURITY_DESCRIPTOR size is 348
<> Allocating memory for new security descriptor
<> Assertion success! (GetFileSecurity( pszFilePath, DACL_SECURITY_INFORMATION, pOldDesc, DescSize, &DescSize ) != 0) succeeded.
<> SECURITY_DESCRIPTOR is at 007BF120
<> Assertion success! (InitializeSecurityDescriptor( &NewDesc, SECURITY_DESCRIPTOR_REVISION )) succeeded.
<> New SECURITY_DESCRIPTOR is initialized
<> Obtaining DACL from SECURITY_DESCRIPTOR...
<> Assertion success! (GetSecurityDescriptorDacl( pOldDesc, &DaclPresent, &pOldDacl, &DaclDefaulted )) succeeded.
<> DACL at 007BF134 and is present.
<> Assertion success! (GetAclInformation( pOldDacl, &AclInfo, sizeof(AclInfo), AclSizeInformation )) succeeded.
<> Allocating 376 bytes for new DACL
<> Assertion success! (InitializeAcl( pNewDacl, cbNewDacl, ACL_REVISION )) succeeded.
<> Assertion success! (GetAce(pOldDacl, i, &pTempAce)) succeeded.
<> Assertion success! (AddAce(pNewDacl, ACL_REVISION, MAXDWORD, pTempAce, ((PACE_HEADER)pTempAce)->AceSize)) succeeded.
<> Assertion success! (GetAce(pOldDacl, i, &pTempAce)) succeeded.
<> Assertion success! (AddAce(pNewDacl, ACL_REVISION, MAXDWORD, pTempAce, ((PACE_HEADER)pTempAce)->AceSize)) succeeded.
<> Assertion success! (GetAce(pOldDacl, i, &pTempAce)) succeeded.
<> Assertion success! (AddAce(pNewDacl, ACL_REVISION, MAXDWORD, pTempAce, ((PACE_HEADER)pTempAce)->AceSize)) succeeded.
<> Assertion success! (GetAce(pOldDacl, i, &pTempAce)) succeeded.
<> Assertion success! (AddAce(pNewDacl, ACL_REVISION, MAXDWORD, pTempAce, ((PACE_HEADER)pTempAce)->AceSize)) succeeded.
<> Assertion success! (GetAce(pOldDacl, i, &pTempAce)) succeeded.
<> Assertion success! (AddAce(pNewDacl, ACL_REVISION, MAXDWORD, pTempAce, ((PACE_HEADER)pTempAce)->AceSize)) succeeded.
<> Assertion success! (GetAce(pOldDacl, i, &pTempAce)) succeeded.
<> Assertion success! (AddAce(pNewDacl, ACL_REVISION, MAXDWORD, pTempAce, ((PACE_HEADER)pTempAce)->AceSize)) succeeded.
<> Assertion success! (GetAce(pOldDacl, i, &pTempAce)) succeeded.
<> Adding ACE into key's ACL failed because ACE already exists.
<> Network access is enabled in child process.
<> Creating job object for limiting processing time.
<> Trying to create a new job object with timeout of -1 seconds.
<> Assertion success! (hJob != INVALID_HANDLE_VALUE) succeeded.
<> New job object created with handle 000002E0
<> Setting job object information.
<> Assertion success! (SetInformationJobObject( hJob, JobObjectBasicLimitInformation, &bli, sizeof(bli) )) succeeded.
<> Job information set.
<> Creating and listening on new socket on port 4141.
<> Assertion success! (getaddrinfo(NULL, szPort, &hints, &servinfo) == 0) succeeded.
<> Assertion success! (setsockopt( s, SOL_SOCKET, SO_REUSEADDR, (const char *) &yes, sizeof(yes) ) == 0) succeeded.
<> Socket bound on 0.0.0.0:4141
<> Listening for new connections...
<> Setting listening socket to not inheritable.
<> Assertion success! (SetHandleInformation( (HANDLE)serverSocket, HANDLE_FLAG_INHERIT, 0)) succeeded.
<> Creating WSA events.
<> Assertion success! (hAcceptEvent != WSA_INVALID_EVENT) succeeded.
<> Assertion success! (g_hQuitListenEvent != WSA_INVALID_EVENT) succeeded.
<> Setting WSAEventSelect.
<> Assertion success! (WSAEventSelect( serverSocket, hAcceptEvent, FD_ACCEPT ) != SOCKET_ERROR) succeeded.
<> Installing Ctrl-C handler.
<> Assertion success! (SetConsoleCtrlHandler(HandleCtrlCPress, TRUE)) succeeded.
Listening for incoming connections on port 4141...
<> Sensed new client connection.
Client connection from 10.10.225.170 accepted.
<> pszCapabilities is not NULL, counting items.
<> Found 1 capabilities.
<> Creating capabilities attribute list for 1 capabilities.
<> Assertion success! (ConvertStringSidToSid(pszCapabilities[i], &pSid)) succeeded.
<> Assertion success! (!InitializeProcThreadAttributeList( NULL, 1, 0, &dwAttributeListSize )) succeeded.
<> Allocating memory for AttributeList (32 bytes)
<> Initializing AttributeList at 0x 007A78B0
<> Assertion success! (InitializeProcThreadAttributeList( AttributeList, 1, 0, &dwAttributeListSize )) succeeded.
<> Updating AttributeList with security capabilities.
<> Assertion success! (UpdateProcThreadAttribute( AttributeList, 0, PROC_THREAD_ATTRIBUTE_SECURITY_CAPABILITIES, &SecurityCapabilities, sizeof(SecurityCapabilities), NULL, NULL)) succeeded.
<> si.StartupInfo.cb = 72
<> Redirecting STDIN/STDOUT/STDERR of the new application.
<> Copying pszChildFilePath to pszCommandLine.
<> Launching new process "simple_echo_x64_NO_ASLR.exe".
[\documents\visual studio 2015\projects\appjaillauncher-master\appjaillauncher\utils.cpp:542] <!> Assertion failed. GetLastError() = 623 (CreateProcess( NULL, pszCommandLine, NULL, NULL, TRUE, dwCreationFlags, NULL, pszCurrentDirectory, (LPSTARTUPINFO) &si, &pi )) resolved to FALSE.
<> Failed to launch jailed process.
<> Sensed new client connection.
Client connection from 127.0.0.1 accepted.
<> pszCapabilities is not NULL, counting items.
<> Found 1 capabilities.
<> Creating capabilities attribute list for 1 capabilities.
<> Assertion success! (ConvertStringSidToSid(pszCapabilities[i], &pSid)) succeeded.
<> Assertion success! (!InitializeProcThreadAttributeList( NULL, 1, 0, &dwAttributeListSize )) succeeded.
<> Allocating memory for AttributeList (32 bytes)
<> Initializing AttributeList at 0x 007A78B0
<> Assertion success! (InitializeProcThreadAttributeList( AttributeList, 1, 0, &dwAttributeListSize )) succeeded.
<> Updating AttributeList with security capabilities.
<> Assertion success! (UpdateProcThreadAttribute( AttributeList, 0, PROC_THREAD_ATTRIBUTE_SECURITY_CAPABILITIES, &SecurityCapabilities, sizeof(SecurityCapabilities), NULL, NULL)) succeeded.
<> si.StartupInfo.cb = 72
<> Redirecting STDIN/STDOUT/STDERR of the new application.
<> Copying pszChildFilePath to pszCommandLine.
<> Launching new process "simple_echo_x64_NO_ASLR.exe".
[\documents\visual studio 2015\projects\appjaillauncher-master\appjaillauncher\utils.cpp:542] <!> Assertion failed. GetLastError() = 623 (CreateProcess( NULL, pszCommandLine, NULL, NULL, TRUE, dwCreationFlags, NULL, pszCurrentDirectory, (LPSTARTUPINFO) &si, &pi )) resolved to FALSE.
<> Failed to launch jailed process.
```

Translated error message: ***** ERROR ***** simple_echo_x64_NO_ASLR.exe failed with error 623: {Illegal System DLL Relocation} The system DLL %hs was relocated in memory. The application will not run properly. The relocation occurred because the DLL %hs occupied an address range reserved for Windows system DLLs. The vendor supplying the DLL should be contacted for a new DLL.


The sandboxed target binary is just a simple test that prints back input via fgets.

Thanks,

uafio avatar Apr 26 '17 21:04 uafio

@uafio What is the base address as specified via the PE headers of simple_echo_x64_NO_ASLR.exe? I suspect what is happening here is that by setting /DYNAMICBASE:NO, relocations are not included in the binary. Without relocations, the binary cannot be moved around in memory. It is possible that a library already occupies the binary's preferred address space and thus causes the loader to error out.

I am unaware of any good solutions. My simple suggestion would be to find a base address that least conflicts with the commonly loaded DLLs.

yying avatar Apr 27 '17 05:04 yying

Imagebase is located at 0x000000140000000. I tried a couple of different values, all aligned on a page boundary, but any change to the Imagebase causes the application to crash. (Windows 10)

uafio avatar May 01 '17 18:05 uafio

What are your compiler/linker arguments for simple_echo_x64_NO_ASLR.exe?

yying avatar May 01 '17 19:05 yying

compiler: /GS /GL /W3 /Gy /Zc:wchar_t /Zi /Gm- /O2 /sdl /Fd"x64\Release\vc140.pdb" /Zc:inline /fp:precise /D "NDEBUG" /D "_CONSOLE" /D "_UNICODE" /D "UNICODE" /errorReport:prompt /WX- /Zc:forScope /Gd /Oi /MD /Fa"x64\Release" /EHsc /nologo /Fo"x64\Release" /Fp"x64\Release\simple_echo.pch"

linker: /OUT:"C:\Users\documents\visual studio 2015\Projects\simple_echo\x64\Release\simple_echo.exe" /MANIFEST /LTCG:incremental /NXCOMPAT /PDB:"C:\Users\documents\visual studio 2015\Projects\simple_echo\x64\Release\simple_echo.pdb" /DYNAMICBASE:NO "kernel32.lib" "user32.lib" "gdi32.lib" "winspool.lib" "comdlg32.lib" "advapi32.lib" "shell32.lib" "ole32.lib" "oleaut32.lib" "uuid.lib" "odbc32.lib" "odbccp32.lib" /DEBUG /MACHINE:X64 /OPT:REF /INCREMENTAL:NO /PGD:"C:\Users\documents\visual studio 2015\Projects\simple_echo\x64\Release\simple_echo.pgd" /SUBSYSTEM:CONSOLE /MANIFESTUAC:"level='asInvoker' uiAccess='false'" /ManifestFile:"x64\Release\simple_echo.exe.intermediate.manifest" /OPT:ICF /ERRORREPORT:PROMPT /NOLOGO /TLBID:1

uafio avatar May 01 '17 19:05 uafio

How did you change the image base value? Did you specify the /BASE: linker argument with the appropriate base address?

yying avatar May 01 '17 19:05 yying

Oh, no... I used CFF Explorer :)

uafio avatar May 01 '17 19:05 uafio

Ahhh, ok, that would explain the crashes. Also, I think it is required that the base address is 64K aligned (as per https://msdn.microsoft.com/en-us/library/f7f5138s.aspx).

Can you give that a shot and let me know if it works?

yying avatar May 01 '17 19:05 yying

Yes, you are right. They do have to be 64k aligned; however, editing the imagebase from a PE editor still crashes the binary. When changing the imagebase from the compiler, AppJailLauncher returns the same error.

uafio avatar May 01 '17 20:05 uafio
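The checks this thread turns on, as an added Python example that is not part of the issue or of AppJailLauncher: it reads ImageBase from the PE optional header (yying's first question), reports whether IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE is set and whether a base-relocation directory is present (the point that /DYNAMICBASE:NO leaves the loader unable to move the image), and whether the base is 64K aligned (the /BASE requirement raised later). build_pe32plus is a hypothetical helper that constructs a minimal, non-loadable header so the parser can be run offline; the relocation RVA 0x3000 it writes is a placeholder.

```python
import struct

DYNAMIC_BASE = 0x0040   # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
BASE_RELOC_DIR = 5      # IMAGE_DIRECTORY_ENTRY_BASERELOC
ALLOC_GRAN = 0x10000    # 64K allocation granularity that /BASE must respect

def inspect_pe(data: bytes) -> dict:
    """Read ImageBase, DllCharacteristics and the base-relocation directory size."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:       # PE32+ (x64): 8-byte ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        ndirs_off, dirs_off = opt + 108, opt + 112
    elif magic == 0x10B:     # PE32 (x86): 4-byte ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        ndirs_off, dirs_off = opt + 92, opt + 96
    else:
        raise ValueError("unknown optional header magic")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    reloc_size = 0
    if ndirs > BASE_RELOC_DIR:
        _, reloc_size = struct.unpack_from("<II", data, dirs_off + 8 * BASE_RELOC_DIR)
    return {
        "image_base": image_base,
        "dynamic_base": bool(dll_chars & DYNAMIC_BASE),
        "has_relocations": reloc_size > 0,   # no .reloc data: loader cannot move the image
        "base_64k_aligned": image_base % ALLOC_GRAN == 0,
    }

def build_pe32plus(image_base: int, dll_chars: int, reloc_size: int) -> bytes:
    """Constructed minimal PE32+ header (no sections, not loadable) for offline testing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # AMD64, 240-byte opt hdr
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                          # PE32+ magic
    struct.pack_into("<Q", opt, 24, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 108, 16)                           # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * BASE_RELOC_DIR, 0x3000 if reloc_size else 0, reloc_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

Run inspect_pe over the bytes of a real image (open(path, "rb").read()) to see why a /DYNAMICBASE:NO build cannot be rebased when its preferred range is already occupied.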