Compile totalcmd with /DYNAMICBASE /guard:cf

Posted: 2020-04-12, 14:09 UTC
by arko
Given how lucrative Total Commander looks as the target for an exploitation, perhaps it makes sense to release the binary with ASLR enabled? CFG would be great as well.

To help against those pesky ROP gadgets and such...

Image: https://i.imgur.com/3Tev8yG.png

Re: Compile totalcmd with /DYNAMICBASE /guard:cf

Posted: 2020-04-12, 14:44 UTC
by Hacker
I don't really think that's an option with Delphi 2. Perhaps with Lazarus?

Roman

Re: Compile totalcmd with /DYNAMICBASE /guard:cf

Posted: 2020-04-12, 14:58 UTC
by arko
Embarcadero's website embarrassingly returns 504 all over, but a quick Google search suggests that in the case of Delphi, `{$DYNAMICBASE ON}` should be enough.

Re: Compile totalcmd with /DYNAMICBASE /guard:cf

Posted: 2020-04-12, 15:41 UTC
by Hacker
arko,
Are you sure that's valid for Delphi 2 from 1996?

Roman

Re: Compile totalcmd with /DYNAMICBASE /guard:cf

Posted: 2020-04-12, 16:57 UTC
by Dalai
Not even Delphi XE8 (from 2015) seems to support this directive (at least I couldn't find it). You'd need to do it a different way:

Code:

{$SETPEOPTFLAGS $40}
See also https://community.embarcadero.com/blogs/entry/delphi-2007-supports-aslr-and-nx-33777. But that directive isn't supported in ancient Delphi versions either. Conclusion: Not possible for TC 32-bit. No idea about Lazarus' capabilities in this regard though.

Regards
Dalai

Re: Compile totalcmd with /DYNAMICBASE /guard:cf

Posted: 2020-04-13, 01:34 UTC
by arko
Hacker wrote: 2020-04-12, 15:41 UTC arko,
Are you sure that's valid for Delphi 2 from 1996?
Ok... Any insights as to how Total Commander is being built nowadays? I was thinking of the reasonably recent Delphi 10.3.X in 2020.
This is probably a question for Mr. Ghisler himself.
Dalai wrote: 2020-04-12, 16:57 UTC But that directive isn't supported in ancient Delphi versions either. Conclusion: Not possible for TC 32-bit. No idea about Lazarus' capabilities in this regard though.
Lazarus?.. This brings us to the question above (please see my response to the user `Hacker`)


re. ASLR for 32bit app: https://security.stackexchange.com/a/50995

Re: Compile totalcmd with /DYNAMICBASE /guard:cf

Posted: 2020-04-13, 03:18 UTC
by Usher
2arko
We know what compilers are in use. It's been explained many times, there's no need to ask again and again.

Re: Compile totalcmd with /DYNAMICBASE /guard:cf

Posted: 2020-04-13, 04:35 UTC
by arko
Usher wrote: 2020-04-13, 03:18 UTC 2arko
We know what compilers are in use. It's been explained many times, there's no need to ask again and again.
Yep, checking the binary before asking the question is certainly the right idea...

Code:

totalcmd.exe
Free Pascal 2.5.1 03.12.2011 x86_64
Lazarus 0.9.31

Re: Compile totalcmd with /DYNAMICBASE /guard:cf

Posted: 2020-04-13, 11:32 UTC
by Hacker
arko,
Delphi 2 for 32-bit version, Lazarus for 64-bit version.

Roman

Re: Compile totalcmd with /DYNAMICBASE /guard:cf

Posted: 2020-04-14, 09:43 UTC
by ghisler(Author)
The {$SETPEOPTFLAGS $40} probably means that it's just a flag in the PE header which needs to be set. Is this correct? I'm already patching the EXE after compilation to add a checksum, so it would be easy to add.

Re: Compile totalcmd with /DYNAMICBASE /guard:cf

Posted: 2020-04-14, 10:25 UTC
by arko
ghisler(Author) wrote: 2020-04-14, 09:43 UTC The {$SETPEOPTFLAGS $40} probably means that it's just a flag in the PE header which needs to be set. Is this correct? I'm already patching the EXE after compilation to add a checksum, so it would be easy to add.
No, not quite. In the current PE layout .reloc is missing, here is an Image: https://i.imgur.com/UcXKf8H.png

Please take a look at this article: https://insights.sei.cmu.edu/cert/2018/08/when-aslr-is-not-really-aslr---the-case-of-incorrect-assumptions-and-bad-defaults.html
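The two things this exchange turns on (whether the DYNAMIC_BASE bit is set in DllCharacteristics, and whether the image still carries a .reloc section the loader can use) can be checked directly in the PE headers. The script below is an added example, not code from this thread or from Total Commander; the sample image it builds is a constructed, header-only PE32 used only to exercise the checker.

```python
import struct

# DllCharacteristics and COFF Characteristics bits, names as in the Windows headers
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000
IMAGE_FILE_RELOCS_STRIPPED = 0x0001

def pe_mitigations(data: bytes) -> dict:
    """Read the PE headers and report whether ASLR can actually take effect."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _, nsect, _, _, _, opt_size, coff_chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # DllCharacteristics sits at offset 70 of both the PE32 and PE32+ optional header
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    names = [data[opt + opt_size + 40 * i:][:8].rstrip(b"\0").decode("ascii", "replace")
             for i in range(nsect)]
    dynamic_base = bool(dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    has_reloc = ".reloc" in names
    stripped = bool(coff_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "dynamic_base": dynamic_base,
        "nx_compat": bool(dllchars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "guard_cf": bool(dllchars & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
        "has_reloc_section": has_reloc,
        "relocs_stripped": stripped,
        # The flag alone is not enough: without relocation data the loader
        # cannot rebase the image, so it stays at its preferred ImageBase.
        "effective_aslr": dynamic_base and has_reloc and not stripped,
    }

def build_sample_pe(dllchars: int, sections=(".text", ".data"), coff_chars=0x0102) -> bytes:
    """Constructed header-only PE32 image for the demo (assumption: not a real binary)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, coff_chars)
    opt = bytearray(224)                                         # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)                    # ImageBase
    struct.pack_into("<H", opt, 70, dllchars)                    # DllCharacteristics
    hdrs = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + hdrs
```

Run pe_mitigations() on the bytes of a real totalcmd.exe or totalcmd64.exe to see which of the two binaries the missing .reloc section affects.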

Re: Compile totalcmd with /DYNAMICBASE /guard:cf

Posted: 2020-04-14, 16:49 UTC
by Dalai
arko wrote: 2020-04-14, 10:25 UTC No, not quite. In the current PE layout .reloc is missing [...]
This only applies to totalcmd64.exe, not totalcmd.exe.

Regards
Dalai

Re: Compile totalcmd with /DYNAMICBASE /guard:cf

Posted: 2020-04-15, 13:43 UTC
by arko
arko wrote: 2020-04-14, 10:25 UTC
ghisler(Author) wrote: 2020-04-14, 09:43 UTC The {$SETPEOPTFLAGS $40} probably means that it's just a flag in the PE header which needs to be set. Is this correct? I'm already patching the EXE after compilation to add a checksum, so it would be easy to add.
No, not quite. In the current PE layout .reloc is missing, here is an Image: https://i.imgur.com/UcXKf8H.png

Please take a look at this article: https://insights.sei.cmu.edu/cert/2018/08/when-aslr-is-not-really-aslr---the-case-of-incorrect-assumptions-and-bad-defaults.html
ghisler(Author) wrote: 2020-04-14, 09:43 UTC The {$SETPEOPTFLAGS $40} probably means that it's just a flag in the PE header which needs to be set. Is this correct? I'm already patching the EXE after compilation to add a checksum, so it would be easy to add.
Christian,
Could you please check the topic: https://forum.lazarus.freepascal.org/index.php/topic,49328.0.html ? Perhaps this one would do:

Code:

const
  // these are the names used in the Windows headers
  IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = $0040;
  IMAGE_DLLCHARACTERISTICS_NX_COMPAT = $0100;

  // the directive does not support constant calculations :'(
  IMAGE_DLLCHARACTERISTICS_FLAGS = IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE or IMAGE_DLLCHARACTERISTICS_NX_COMPAT;

// set this in the main program file
{$SetPEOptFlags IMAGE_DLLCHARACTERISTICS_FLAGS}
Happy to beta-test the build (fingers crossed it will actually compile :D)

Re: Compile totalcmd with /DYNAMICBASE /guard:cf

Posted: 2020-04-17, 07:58 UTC
by ghisler(Author)
I found the option to add the relocation section.
However, I get an error about an invalid compiler directive when adding $SetPEOptFlags. I will have to patch it.

Re: Compile totalcmd with /DYNAMICBASE /guard:cf

Posted: 2020-04-17, 11:34 UTC
by arko
ghisler(Author) wrote: 2020-04-17, 07:58 UTC I found the option to add the relocation section.
However, I get an error about an invalid compiler directive when adding $SetPEOptFlags. I will have to patch it.
Good news :D Would you be able to share your experience on the Lazarus forum once the issue is resolved? The above-mentioned thread might do.