Dailydave mailing list archives
Re: Re: On the Effectiveness of Address Space Randomization
From: Sinan Eren <sinan.eren () immunitysec com>
Date: Mon, 1 Nov 2004 15:12:49 -0500 (EST)
While we're at it, I would like to tell a story of a HIPS vendor who was very proud about their product being immune to the Phrack 62 article "Bypassing Win BO protection" http://www.phrack.org/show.php?p=62&a=5, giving happy demos at Blackhat and feeling all so superior ... So what is it they do that made them immune to proxied ret or the fake stack frames? Answer is: they implement a much limited/crippled address space randomization without any sort of PAGE_EXEC, so you can still execute code but you can not do tricks like "jmp reg/call reg" 'cause DLL base addresses are randomized, and you can't do direct jumps either. (Although the executable base is at a fixed addr and you can always return to it, but let's just not count that ...)

So actually address space randomization without PAGE_EXEC is completely useless, and this vendor is trying to hide this fact by not offering any demo products to the research community.

Although I can't get my hands on this product, I would like to offer a theoretical way to own it: doing an off-by-one or off-by-two on the saved EIP and directing execution to a "close by" "ret", "pop reg; ret" or "pop reg, pop reg ... ret", depending on which incoming argument the user controls and can store shellcode in. This will give you execution, with the downside of mostly being per Service Pack. (You could be lucky enough to find a code block which might be the same across SPs, but highly unlikely...)

So yeah, we have a sweet Win32 exploit in VSC using this technique and I can bet it will go unnoticed by this "immune" system ;P

I hope this rather stupid text could provide enough entropy for the 6 Stanford geniuses to write another 60 page research paper about returning to a ret ;)

Cheers,
Sinan

On Sat, 30 Oct 2004 pageexec () freemail hu wrote:
> clearly it takes 6 academic brains to figure out the usleep trick which is merely a trick in the exploiter's world for the last 4 years now! imagine when they discover that you can return to printf() and turn a stack overflow into a format string exploit, now that will be a big paper ;-).
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- On the Effectiveness of Address Space Randomization pageexec (Oct 28)
- Re: On the Effectiveness of Address Space Randomization Dave Aitel (Oct 29)
- <Possible follow-ups>
- Re: On the Effectiveness of Address Space Randomization spender (Oct 29)
- Re: Re: On the Effectiveness of Address Space Randomization Sinan Eren (Oct 29)
- Re: Re: On the Effectiveness of Address Space Randomization pageexec (Oct 29)
- Re: Re: On the Effectiveness of Address Space Randomization Sinan Eren (Nov 01)
- Re: Re: On the Effectiveness of Address Space Randomization Sinan Eren (Oct 29)