Error running non-ASLR binaries

[uafio]

Hi,

I tested under Win 8, 8.1 and 10. CreateProcess fails to create a process for binaries compiled with /DYNAMICBASE:NO and I can't figure out what flag can fix this...

"..\Documents\Visual Studio 2015\Projects\AppJailLauncher-master\Debug\AppJailLauncher.exe" /outbound /key:flag.txt /port:4141 /timeout:1000000000000 simple_echo_x64_NO_ASLR.exe
<> Do_LaunchServer entered.
<> Assertion success!
(WSAStartup(MAKEWORD(2, 2), &wsaData) == 0) succeeded.
<> ChildFilePath: simple_echo_x64_NO_ASLR.exe
<> KeyFilePath: flag.txt
<> ServerPort: 4141
<> ChildTimeout: -1 seconds
<> NetworkEnabled: True
<> Trying to create a new AppContainer profile "simple_echo_x64_NO_ASLR.exe".
<> Profile "simple_echo_x64_NO_ASLR.exe" already exists. Retrieving SID from existing profile.
<> Assertion success!
(SUCCEEDED(DeriveAppContainerSidFromAppContainerName( pszAppContainerName, &pSid ))) succeeded.
<> AppContainer profile SID obtained.
<> Assertion success!
(GetFullPathName( pszKeyFilePath, cbFullKeyPath, pszFullKeyPath, &pszKeyFileSpec ) > 0) succeeded.
<> Assertion success!
(PathRemoveFileSpec(pszCurrentDirectory)) succeeded.
<> KeyFilePath: \Downloads\flag.txt
<> KeyCurrentDirectory: \Downloads
<> Entering Utils_AddOrRemoveAceOnFileAcl...IsRemoveOperation=0
<> Retrieving SECURITY_DESCRIPTOR for \Downloads...
<> Assertion success!
(GetFileSecurity( pszFilePath, DACL_SECURITY_INFORMATION, NULL, 0, &DescSize ) == 0) succeeded.
<> SECURITY_DESCRIPTOR size is 348
<> Allocating memory for new security descriptor
<> Assertion success!
(GetFileSecurity( pszFilePath, DACL_SECURITY_INFORMATION, pOldDesc, DescSize, &DescSize ) != 0) succeeded.
<> SECURITY_DESCRIPTOR is at 007BF120
<> Assertion success!
(InitializeSecurityDescriptor( &NewDesc, SECURITY_DESCRIPTOR_REVISION )) succeeded.
<> New SECURITY_DESCRIPTOR is initialized
<> Obtaining DACL from SECURITY_DESCRIPTOR...
<> Assertion success!
(GetSecurityDescriptorDacl( pOldDesc, &DaclPresent, &pOldDacl, &DaclDefaulted )) succeeded.
<> DACL at 007BF134 and is present.
<> Assertion success!
(GetAclInformation( pOldDacl, &AclInfo, sizeof(AclInfo), AclSizeInformation )) succeeded.
<> Allocating 376 bytes for new DACL
<> Assertion success!
(InitializeAcl( pNewDacl, cbNewDacl, ACL_REVISION )) succeeded.
<> Assertion success!
(GetAce(pOldDacl, i, &pTempAce)) succeeded.
<> Assertion success!
(AddAce(pNewDacl, ACL_REVISION, MAXDWORD, pTempAce, ((PACE_HEADER)pTempAce)->AceSize)) succeeded.
<> Assertion success!
(GetAce(pOldDacl, i, &pTempAce)) succeeded.
<> Assertion success!
(AddAce(pNewDacl, ACL_REVISION, MAXDWORD, pTempAce, ((PACE_HEADER)pTempAce)->AceSize)) succeeded.
<> Assertion success!
(GetAce(pOldDacl, i, &pTempAce)) succeeded.
<> Assertion success!
(AddAce(pNewDacl, ACL_REVISION, MAXDWORD, pTempAce, ((PACE_HEADER)pTempAce)->AceSize)) succeeded.
<> Assertion success!
(GetAce(pOldDacl, i, &pTempAce)) succeeded.
<> Assertion success!
(AddAce(pNewDacl, ACL_REVISION, MAXDWORD, pTempAce, ((PACE_HEADER)pTempAce)->AceSize)) succeeded.
<> Assertion success!
(GetAce(pOldDacl, i, &pTempAce)) succeeded.
<> Assertion success!
(AddAce(pNewDacl, ACL_REVISION, MAXDWORD, pTempAce, ((PACE_HEADER)pTempAce)->AceSize)) succeeded.
<> Assertion success!
(GetAce(pOldDacl, i, &pTempAce)) succeeded.
<> Assertion success!
(AddAce(pNewDacl, ACL_REVISION, MAXDWORD, pTempAce, ((PACE_HEADER)pTempAce)->AceSize)) succeeded.
<> Assertion success!
(GetAce(pOldDacl, i, &pTempAce)) succeeded.
<> Adding ACE into key parent directory's ACL failed because ACE already exists.
<> Entering Utils_AddOrRemoveAceOnFileAcl...IsRemoveOperation=0
<> Retrieving SECURITY_DESCRIPTOR for \Downloads\flag.txt...
<> Assertion success!
(GetFileSecurity( pszFilePath, DACL_SECURITY_INFORMATION, NULL, 0, &DescSize ) == 0) succeeded.
<> SECURITY_DESCRIPTOR size is 348
<> Allocating memory for new security descriptor
<> Assertion success!
(GetFileSecurity( pszFilePath, DACL_SECURITY_INFORMATION, pOldDesc, DescSize, &DescSize ) != 0) succeeded.
<> SECURITY_DESCRIPTOR is at 007BF120
<> Assertion success!
(InitializeSecurityDescriptor( &NewDesc, SECURITY_DESCRIPTOR_REVISION )) succeeded.
<> New SECURITY_DESCRIPTOR is initialized
<> Obtaining DACL from SECURITY_DESCRIPTOR...
<> Assertion success!
(GetSecurityDescriptorDacl( pOldDesc, &DaclPresent, &pOldDacl, &DaclDefaulted )) succeeded.
<> DACL at 007BF134 and is present.
<> Assertion success!
(GetAclInformation( pOldDacl, &AclInfo, sizeof(AclInfo), AclSizeInformation )) succeeded.
<> Allocating 376 bytes for new DACL
<> Assertion success!
(InitializeAcl( pNewDacl, cbNewDacl, ACL_REVISION )) succeeded.
<> Assertion success!
(GetAce(pOldDacl, i, &pTempAce)) succeeded.
<> Assertion success!
(AddAce(pNewDacl, ACL_REVISION, MAXDWORD, pTempAce, ((PACE_HEADER)pTempAce)->AceSize)) succeeded.
<> Assertion success!
(GetAce(pOldDacl, i, &pTempAce)) succeeded.
<> Assertion success!
(AddAce(pNewDacl, ACL_REVISION, MAXDWORD, pTempAce, ((PACE_HEADER)pTempAce)->AceSize)) succeeded.
<> Assertion success!
(GetAce(pOldDacl, i, &pTempAce)) succeeded.
<> Assertion success!
(AddAce(pNewDacl, ACL_REVISION, MAXDWORD, pTempAce, ((PACE_HEADER)pTempAce)->AceSize)) succeeded.
<> Assertion success!
(GetAce(pOldDacl, i, &pTempAce)) succeeded.
<> Assertion success!
(AddAce(pNewDacl, ACL_REVISION, MAXDWORD, pTempAce, ((PACE_HEADER)pTempAce)->AceSize)) succeeded.
<> Assertion success!
(GetAce(pOldDacl, i, &pTempAce)) succeeded.
<> Assertion success!
(AddAce(pNewDacl, ACL_REVISION, MAXDWORD, pTempAce, ((PACE_HEADER)pTempAce)->AceSize)) succeeded.
<> Assertion success!
(GetAce(pOldDacl, i, &pTempAce)) succeeded.
<> Assertion success!
(AddAce(pNewDacl, ACL_REVISION, MAXDWORD, pTempAce, ((PACE_HEADER)pTempAce)->AceSize)) succeeded.
<> Assertion success!
(GetAce(pOldDacl, i, &pTempAce)) succeeded.
<> Adding ACE into key's ACL failed because ACE already exists.
<> Network access is enabled in child process.
<> Creating job object for limiting processing time.
<> Trying to create a new job object with timeout of -1 seconds.
<> Assertion success!
(hJob != INVALID_HANDLE_VALUE) succeeded.
<> New job object created with handle 000002E0
<> Setting job object information.
<> Assertion success!
(SetInformationJobObject( hJob, JobObjectBasicLimitInformation, &bli, sizeof(bli) )) succeeded.
<> Job information set.
<> Creating and listening on new socket on port 4141.
<> Assertion success!
(getaddrinfo(NULL, szPort, &hints, &servinfo) == 0) succeeded.
<> Assertion success!
(setsockopt( s, SOL_SOCKET, SO_REUSEADDR, (const char ) &yes, sizeof(yes) ) == 0) succeeded.
<> Socket bound on 0.0.0.0:4141
<> Listening for new connections...
<> Setting listening socket to not inheritable.
<> Assertion success!
(SetHandleInformation( (HANDLE)serverSocket, HANDLE_FLAG_INHERIT, 0)) succeeded.
<> Creating WSA events.
<> Assertion success!
(hAcceptEvent != WSA_INVALID_EVENT) succeeded.
<> Assertion success!
(g_hQuitListenEvent != WSA_INVALID_EVENT) succeeded.
<> Setting WSAEventSelect.
<> Assertion success!
(WSAEventSelect( serverSocket, hAcceptEvent, FD_ACCEPT ) != SOCKET_ERROR) succeeded.
<> Installing Ctrl-C handler.
<> Assertion success!
(SetConsoleCtrlHandler(HandleCtrlCPress, TRUE)) succeeded.
Listening for incoming connections on port 4141...
<> Sensed new client connection.
Client connection from 10.10.225.170 accepted.
<> pszCapabilities is not NULL, counting items.
<> Found 1 capabilities.
<> Creating capabilities attribute list for 1 capabilities.
<> Assertion success!
(ConvertStringSidToSid(pszCapabilities[i], &pSid)) succeeded.
<> Assertion success!
(!InitializeProcThreadAttributeList( NULL, 1, 0, &dwAttributeListSize )) succeeded.
<> Allocating memory for AttributeList (32 bytes)
<> Initializing AttributeList at 0x 007A78B0
<> Assertion success!
(InitializeProcThreadAttributeList( AttributeList, 1, 0, &dwAttributeListSize )) succeeded.
<> Updating AttributeList with security capabilities.
<> Assertion success!
(UpdateProcThreadAttribute( AttributeList, 0, PROC_THREAD_ATTRIBUTE_SECURITY_CAPABILITIES, &SecurityCapabilities, sizeof(SecurityCapabilities), NULL, NULL)) succeeded.
<> si.StartupInfo.cb = 72
<> Redirecting STDIN/STDOUT/STDERR of the new application.
<> Copying pszChildFilePath to pszCommandLine.
<> Launching new process "simple_echo_x64_NO_ASLR.exe".
[\documents\visual studio 2015\projects\appjaillauncher-master\appjaillauncher\utils.cpp:542] <!>
Assertion failed. GetLastError() = 623
(CreateProcess( NULL, pszCommandLine, NULL, NULL, TRUE, dwCreationFlags, NULL, pszCurrentDirectory, (LPSTARTUPINFO) &si, &pi )) resolved to FALSE.
<> Failed to launch jailed process.
<> Sensed new client connection.
Client connection from 127.0.0.1 accepted.
<> pszCapabilities is not NULL, counting items.
<> Found 1 capabilities.
<> Creating capabilities attribute list for 1 capabilities.
<> Assertion success!
(ConvertStringSidToSid(pszCapabilities[i], &pSid)) succeeded.
<> Assertion success!
(!InitializeProcThreadAttributeList( NULL, 1, 0, &dwAttributeListSize )) succeeded.
<> Allocating memory for AttributeList (32 bytes)
<> Initializing AttributeList at 0x 007A78B0
<> Assertion success!
(InitializeProcThreadAttributeList( AttributeList, 1, 0, &dwAttributeListSize )) succeeded.
<> Updating AttributeList with security capabilities.
<> Assertion success!
(UpdateProcThreadAttribute( AttributeList, 0, PROC_THREAD_ATTRIBUTE_SECURITY_CAPABILITIES, &SecurityCapabilities, sizeof(SecurityCapabilities), NULL, NULL)) succeeded.
<> si.StartupInfo.cb = 72
<> Redirecting STDIN/STDOUT/STDERR of the new application.
<> Copying pszChildFilePath to pszCommandLine.
<> Launching new process "simple_echo_x64_NO_ASLR.exe".
[\documents\visual studio 2015\projects\appjaillauncher-master\appjaillauncher\utils.cpp:542] <!>
Assertion failed. GetLastError() = 623
(CreateProcess( NULL, pszCommandLine, NULL, NULL, TRUE, dwCreationFlags, NULL, pszCurrentDirectory, (LPSTARTUPINFO) &si, &pi )) resolved to FALSE.
<> Failed to launch jailed process.

Translated error message:
***** ERROR *****
simple_echo_x64_NO_ASLR.exe failed with error 623: {Illegal System DLL Relocation}
The system DLL %hs was relocated in memory. The application will not run properly.
The relocation occurred because the DLL %hs occupied an address range reserved for Windows system DLLs. The vendor supplying the DLL should be contacted for a new DLL.

---

The sandboxed target binary is just a simple test that prints back input via fgets.

Thanks,

[yying]

@uafio What is the base address as specified via the PE headers of simple_echo_x64_NO_ASLR.exe? I suspect what is happening here is that by setting /DYNAMICBASE:NO, relocations are not included in the binary. Without relocations, the binary cannot be moved around in memory. It is possible that a library already occupies the binary's preferred address space and thus, causes the loader to error out.

I am unaware of any good solutions. My simple suggestion would be to find a base address that least conflicts with the commonly loaded DLLs.

[uafio]

Imagebase is located 0x000000140000000 I tried a couple different values all aligned on page boundary but any changes to the Imagebase cause the application to crash. (Windows 10)

[yying]

What are your compiler/linker arguments for simple_echo_x64_NO_ASLR.exe?

[uafio]

compiler:
/GS /GL /W3 /Gy /Zc:wchar_t /Zi /Gm- /O2 /sdl /Fd"x64\Release\vc140.pdb" /Zc:inline /fp:precise /D "NDEBUG" /D "_CONSOLE" /D "_UNICODE" /D "UNICODE" /errorReport:prompt /WX- /Zc:forScope /Gd /Oi /MD /Fa"x64\Release" /EHsc /nologo /Fo"x64\Release" /Fp"x64\Release\simple_echo.pch"

linker:
/OUT:"C:\Users\documents\visual studio 2015\Projects\simple_echo\x64\Release\simple_echo.exe" /MANIFEST /LTCG:incremental /NXCOMPAT /PDB:"C:\Users\documents\visual studio 2015\Projects\simple_echo\x64\Release\simple_echo.pdb" /DYNAMICBASE:NO "kernel32.lib" "user32.lib" "gdi32.lib" "winspool.lib" "comdlg32.lib" "advapi32.lib" "shell32.lib" "ole32.lib" "oleaut32.lib" "uuid.lib" "odbc32.lib" "odbccp32.lib" /DEBUG /MACHINE:X64 /OPT:REF /INCREMENTAL:NO /PGD:"C:\Users\documents\visual studio 2015\Projects\simple_echo\x64\Release\simple_echo.pgd" /SUBSYSTEM:CONSOLE /MANIFESTUAC:"level='asInvoker' uiAccess='false'" /ManifestFile:"x64\Release\simple_echo.exe.intermediate.manifest" /OPT:ICF /ERRORREPORT:PROMPT /NOLOGO /TLBID:1

[yying]

How did you change the image base value? Did you specify the /BASE: linker argument with the appropriate base address?

[uafio]

Oh, no... I used CFF Explorer :)

[yying]

Ahhh, ok, that would explain the crashes. Also, I think it is required that the base address is 64K aligned (as per https://msdn.microsoft.com/en-us/library/f7f5138s.aspx).

Can you give that a shot and let me know if it works?

[uafio]

Yes, you are right. They do have to be 64k aligned, however editing the imagebase from a PE editor is still crashing the binary. Changing the imagebase from the compiler AppJailLauncher returns the same error.