Dailydave mailing list archives
Re: The sky's downward trajectory
From: don bailey <don.bailey () gmail com>
Date: Wed, 21 Feb 2007 10:46:07 -0700
If your goal is to find a specific instruction in memory to use a trampoline to your shellcode, the number of possible memory states of the entire address space doesn't matter. You know that the instruction you want is at offset foo.dll+x, and there are only 2^8 possible places where the dll can be loaded. The number of tries required to brute force the ASLR in this case is 2^8. If you have two DLLs that have a trampoline instruction at the same offset, the number goes down to 2^7, and so on.
And the best part is, if you can coerce your return address into one or more registers, you have a decent chance of landing at an address in the text segment (randomized or not) that may bounce you to your shell code. See how often you find the pattern 0xFF in the average library. 0xFF, 0xRR where RR is an x86 register (in opcode speak) is pretty prevalent. So while an attacker is trying to brute force a trampoline address, they may end up just hitting another pattern in the text segment that can bounce them "home", anyway. For example:

    (gdb) disassemble main
    Dump of assembler code for function main:
    ...
    0x080484ab <main+31>:   call   *%eax
    ...
    End of assembler dump.
    (gdb) x/1x main+31
    0x80484ab <main+31>:    0xc3c9d0ff
    (gdb)

Don Bailey
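The byte pattern the post is talking about can be checked mechanically. The following is an added example, not code from the original post or from Don Bailey: it scans a buffer of x86 machine code at every byte offset for the 0xFF 0xD0..0xD7 (call *reg) and 0xFF 0xE0..0xE7 (jmp *reg) pairs, and works out the worst-case brute-force count from the post's 2^8 base-address argument. The sample text segment is constructed for the example; it embeds the word 0xc3c9d0ff from the gdb output above in memory order (ff d0 c9 c3) plus a few filler instructions. Function names, the struct and the sample bytes are all assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the original post. Opcode 0xFF with a ModR/M
   byte of 0xD0..0xD7 encodes call *reg and 0xE0..0xE7 encodes jmp *reg;
   the low three bits of the ModR/M byte select the register. */

static const char *const reg_names[8] =
    {"eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"};

struct trampoline {
    size_t offset;   /* byte offset from the start of the scanned text */
    int    reg;      /* register index 0..7 (see reg_names) */
    int    is_jmp;   /* 1 for jmp *reg, 0 for call *reg */
};

/* Decode one byte pair. Returns the register 0..7 and sets *is_jmp,
   or -1 if the pair is not a call/jmp through a register. */
int decode_trampoline(uint8_t op, uint8_t modrm, int *is_jmp)
{
    if (op != 0xFF)
        return -1;
    if ((modrm & 0xF8) == 0xD0) { *is_jmp = 0; return modrm & 7; }
    if ((modrm & 0xF8) == 0xE0) { *is_jmp = 1; return modrm & 7; }
    return -1;
}

/* Scan every byte offset, not only instruction boundaries, because a
   return into the middle of an instruction is just as usable. Stores up
   to max hits in out and returns the total number found. want_reg < 0
   means any register. */
size_t find_trampolines(const uint8_t *text, size_t len, int want_reg,
                        struct trampoline *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i + 1 < len; i++) {
        int is_jmp;
        int reg = decode_trampoline(text[i], text[i + 1], &is_jmp);
        if (reg < 0 || (want_reg >= 0 && reg != want_reg))
            continue;
        if (n < max) {
            out[n].offset = i;
            out[n].reg = reg;
            out[n].is_jmp = is_jmp;
        }
        n++;
    }
    return n;
}

/* Worst-case tries when the module base is randomized over 2^base_bits
   positions and `candidates` independently loaded modules each carry a
   usable trampoline at the same offset (the post's 2^8 -> 2^7 argument). */
unsigned long bruteforce_tries(unsigned base_bits, unsigned candidates)
{
    if (candidates == 0)
        candidates = 1;
    return (1UL << base_bits) / candidates;
}

/* Constructed sample text segment (not a real binary): the gdb word
   0xc3c9d0ff stored little-endian is ff d0 c9 c3 = call *%eax; leave; ret.
   The 0xff bytes inside the mov immediate show a 0xFF that is only data. */
static const uint8_t sample_text[] = {
    0x55, 0x89, 0xe5,                   /* push %ebp; mov %esp,%ebp        */
    0xff, 0xd0, 0xc9, 0xc3,             /* call *%eax; leave; ret          */
    0x31, 0xc0,                         /* xor %eax,%eax                   */
    0xff, 0xe4,                         /* jmp *%esp                       */
    0xb8, 0xff, 0xff, 0x00, 0x00,       /* mov $0xffff,%eax                */
    0xff, 0xe0,                         /* jmp *%eax                       */
};

int main(void)
{
    struct trampoline hits[16];
    size_t n = find_trampolines(sample_text, sizeof sample_text, -1, hits, 16);
    for (size_t i = 0; i < n; i++)
        printf("offset %zu: %s *%%%s\n", hits[i].offset,
               hits[i].is_jmp ? "jmp" : "call", reg_names[hits[i].reg]);
    printf("worst-case tries, 1 candidate offset: %lu; 2 candidates: %lu\n",
           bruteforce_tries(8, 1), bruteforce_tries(8, 2));
    return 0;
}
```

Run against a real library by reading its text section into the buffer instead of sample_text; filtering on the register the bug lets you control (want_reg) gives the list of addresses worth trying, and the count of distinct modules that share an offset feeds bruteforce_tries.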