Re: [VulnDiscuss] Re: Preventing exploitation with rebasing

[Halvar Flake <halvar () gmx net>]

Hey David,

DL> Assuming the server did stay up, though. You've got to go through 0x7FFFFFFF
DL> addresses looking for your code or something that will get you back to your
DL> code. There'll be maybe 50 addresses with "jmp esp" - or whatever
DL> instruction you're looking for - giving you a 1 in 42949672 chance or so.
DL> Brute forcing is not reliable therefore. With all those attempts - someone's
DL> going to notice something going on - or so one would hope, anyway.

Your math is broken :-) DLL's are (as you stated) based mod 64k, so
there's only 0x80000000 / 64k - 1 different addresses on which a DLL can
start. That's less than 32k, and your chance is 1 in 32768. On
average, you get a hit after 16384 tries. Oh, btw, this method could
be optimized as you can be pretty sure that large DLL's aren't mapped
closely underneath 0x80000000.

How do you deal with EXE's that have been stripped of relocation
information ? (simple answer, not at all)

Cheers,
Halvar