DEP ASLR bypass without ROP JIT : CanSecWest2013 Slides and Analysis

    I have my own talk from CanSecWest to blog about, but this one is more interesting and the most awaited one. So here are the slides; I will add my own analysis and test cases to this blog entry later. Interestingly, we had this technique discussed on garage in November: http://www.garage4hackers.com/f22/wi...innu-3080.html

    Yu Yang (@tombkeeper) did a demo of his technique on MS013-08, and his ASLR/DEP bypass technique does not even need a heap spray.

    Here are a couple of quick notes on the bypass technique:

    And the exploit is scary: it's a quick kaboom without a heap spray.
    He calls his method GIFT [Got It From a Table].
    The simple technique is to change the VFT (virtual function table pointer) to point at Wow64SharedInformation; go check out the slides, fellows.

    Good news (and a few caveats) about the technique:

    • Totally ASLR/DEP free
    • Language/SP independent
    • Works on almost all use-after-free/vtable-overflow bugs
    • Targets IE, Firefox, PDF readers, Flash, Office, ...
    • Doesn't even need shellcode
    • Sometimes doesn't need a heap spray
    • Needs a Windows file sharing server
        • It is not a real problem
    • Only works on 32-bit processes on x64 Windows
        • This situation is very common
    • Cannot work on Windows 8
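    Since the technique only applies to 32-bit (WoW64) processes on x64 Windows before Windows 8, a defender's first question is how many such processes a host actually runs. The following inventory script is an added example written for this post, not code from the slides or from @tombkeeper; the function name Get-Wow64ProcessInventory and the Win32.Native wrapper are my own naming, and the Windows 8 cut-off (NT 6.2) is taken from the "Cannot work on Windows 8" note above.

```powershell
# Added example: list the WoW64 (32-bit) processes on this host and flag
# whether the OS is in the affected range (x64, older than Windows 8 / NT 6.2).
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool IsWow64Process(System.IntPtr hProcess, out bool wow64);
'@

function Get-Wow64ProcessInventory {
    $osVersion  = [System.Environment]::OSVersion.Version
    # Windows 8 is NT 6.2; the slides state the technique does not work there.
    $osAffected = [System.Environment]::Is64BitOperatingSystem -and
                  ($osVersion -lt [Version]'6.2')

    foreach ($p in Get-Process) {
        $isWow64 = $false
        try {
            # $p.Handle throws for protected/system processes we cannot open;
            # those are skipped rather than reported as 64-bit.
            if ([Win32.Native]::IsWow64Process($p.Handle, [ref]$isWow64) -and $isWow64) {
                [pscustomobject]@{
                    Name       = $p.ProcessName
                    Id         = $p.Id
                    Path       = $p.Path
                    OsAffected = $osAffected
                }
            }
        } catch { }
    }
}

# Usage: run from an elevated prompt to see processes of other users as well.
Get-Wow64ProcessInventory | Sort-Object Name | Format-Table -AutoSize
```

Any row with OsAffected set to True is a 32-bit process on an x64 Windows 7 (or older) host, which is exactly the population the bullets above describe as "very common".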


    The documents and presentation are from Yu Yang (@tombkeeper).
    Download the slides from here:
    https://docs.google.com/file/d/0B46U...it?usp=sharing

    Cheers.
    This article was originally published in the blog: DEP ASLR bypass without ROP JIT : CanSecWest2013 Slides and Analysis, started by fb1h2s