FF4m3

@rr.com

Attacking The Windows 7/8 Address Space Randomization

Details at Kingcope's Blag:

The following text is what looks like an attempt to circumvent Windows 7 and Windows 8 memory protections in order to execute arbitrary assembly code. The presented methods are in particular useful for client-side attacks as used for example in browser exploits.

Summary of exploitation stages:

• Fill the heap with random bytes until all memory is used up. During the heap filling stage Windows might become unresponsive and will relax soon afterwards.

• Free small heap blocks one by one and try adding a DLL (for example by using a new ActiveX Object that is loadable without a warning by Internet Explorer). This DLL (and the DLLs that are loaded from it) will be squeezed into the remaining memory region (the space that was freed by us through JavaScript). This address is fixed and predictable for us to jump to.

• Free the remaining memory blocks which were allocated before

• Spray the heap using the well known method

• Finally trigger the heap corruption and jump to this fixed DLL base to execute our code in a ROP manner.
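The summary above hinges on one thing: a DLL ending up at a base address that is fixed and predictable. On the defender's side, the first check is which modules a process loads without opting in to relocation at all. A DLL built without DYNAMIC_BASE needs no heap exhaustion to be predictable, and on 64-bit Windows a module with HIGH_ENTROPY_VA is placed in an address space many orders of magnitude larger than a 32-bit process has, which is what makes the fill-the-heap step expensive there. The script below is an added example written for this thread; it is not code from the post or from Kingcope's blog. It parses the DllCharacteristics field of a PE optional header with nothing but the standard library and reports the ASLR/DEP posture of a module. The header layout and flag values are the documented PE/winnt.h ones; the two images it runs against are header-only samples it constructs itself, not real DLLs.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from winnt.h (documented constants)
DLLCHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_dll_characteristics(image):
    """Walk DOS header -> PE signature -> file header -> optional header and
    return (is_pe32plus, set_of_flag_names) for a PE image held in memory."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    file_hdr = e_lfanew + 4                        # IMAGE_FILE_HEADER, 20 bytes
    size_opt = struct.unpack_from("<H", image, file_hdr + 16)[0]
    opt = file_hdr + 20                            # IMAGE_OPTIONAL_HEADER
    if size_opt < 72 or opt + size_opt > len(image):
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ layouts
    dllchar = struct.unpack_from("<H", image, opt + 70)[0]
    names = {name for bit, name in DLLCHARACTERISTICS.items() if dllchar & bit}
    return magic == PE32PLUS_MAGIC, names


def assess(image):
    """Summarise the relocation/DEP posture of one module as a small report."""
    pe32plus, flags = parse_dll_characteristics(image)
    report = {
        "aslr": "DYNAMIC_BASE" in flags,
        "high_entropy": pe32plus and "HIGH_ENTROPY_VA" in flags,
        "dep": "NX_COMPAT" in flags,
        "findings": [],
    }
    if not report["aslr"]:
        report["findings"].append(
            "DYNAMIC_BASE not set: module maps at its preferred ImageBase when that range is free, no ASLR")
    elif pe32plus and not report["high_entropy"]:
        report["findings"].append(
            "PE32+ without HIGH_ENTROPY_VA: 64-bit module, low-entropy randomization only")
    if not report["dep"]:
        report["findings"].append(
            "NX_COMPAT not set: module does not declare DEP compatibility")
    return report


def build_sample(magic, dllchar, machine):
    """Construct a minimal, header-only PE image for offline testing
    (constructed sample, not a real DLL)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE header follows DOS header
    size_opt = 240 if magic == PE32PLUS_MAGIC else 224
    file_hdr = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, size_opt, 0x2002)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dllchar)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


# Constructed samples: a hardened x64 DLL and a legacy x86 DLL built with no opt-in flags
HARDENED_X64 = build_sample(PE32PLUS_MAGIC, 0x0020 | 0x0040 | 0x0100 | 0x0400, 0x8664)
LEGACY_X86 = build_sample(PE32_MAGIC, 0x0000, 0x014C)

if __name__ == "__main__":
    for label, img in (("hardened x64", HARDENED_X64), ("legacy x86", LEGACY_X86)):
        print(label, assess(img))
```

To use it on a real module, read the file bytes and pass them to `assess`; the parser only needs the headers, so a truncated read of the first few kilobytes is enough. A module that shows up with DYNAMIC_BASE missing is the one to chase first, since it gives a fixed base without any of the heap work described above.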



Woody79_00
I run Linux am I still a PC?
Premium
join:2004-07-08
united state

Hmm...I wonder if this works against the new "Enhanced Protected mode" introduced with Internet Explorer 10?

»blogs.msdn.com/b/ieinternals/arc···top.aspx

Metro IE10 runs in it by default, but a simple check box enables it for Desktop IE 10 (I have it turned on).

Of course I realize there are more ways than just the browser to get a chance to attempt something like this, such as email, IM, various ways. I would be curious though if the new Enhanced Protected Mode, which uses AppContainers, could mitigate this to some degree?

If this type of exploit would even work, mind you.


Sunday, 19-May 06:25:14
© 1999-2013 dslreports.com.