Fb1h2s aka Rahul Sasi's Blog

I have my own talk from CanSecwest to blog about but this one is more interesting and the most awaited one. So here are the slides, I will add my own analysis and test cases to this blog entry later. Interesting thing is we had this technique discussed on garage in november http://www.garage4hackers.com/f22/wi...innu-3080.html .

Yu Yang @tombkeeper did a demo of the technique on Ms013-08 and it does not ever need a heap spray for his ASLR/DEP bypass technique .

And the exploit is scary, its a quick kaboom with out heap spray.
He calls this method GIFT [ Got it form a table] .
The simple technique is to change the VFT of wow64sharedinformation and it's ptr.

Here are couple of quick notes on the bypass Technique :


Good news about the Technique:.

• Totally ASLR/DEP free
• Language/SP independent
• Work on almost all use-after-free/vtable-overflow
• Target on IE, firefox, pdf reader, flash, office …
• Even don’t need shellcode
• Sometimes don’t need heapspray
• Need a Windows file sharing server
• It is not a real problem
• Only work on 32-bit process in x64 Windows
• This situation is very common
• Can not work on Windows 8

The documents and presentation is from Yu Yang @tombkeeper
Download Slides from here:
https://docs.google.com/file/d/0B46U...it?usp=sharing

Cheers.