Yu Yang @tombkeeper did a demo of his technique on MS13-008, and his ASLR/DEP bypass technique never needs a heap spray.
And the exploit is scary: it's a quick kaboom without a heap spray.
He calls his method GIFT [Got It From a Table].
Here are a couple of quick notes on the bypass technique:
The simple technique is to change the VFT of wow64sharedinformation; go check out the slides, fellows.
Good news about the technique:
- Totally ASLR/DEP free
- Language/SP independent
- Works on almost all use-after-free/vtable-overflow bugs
- Targets IE, Firefox, PDF readers, Flash, Office …
- Doesn't even need shellcode
- Sometimes doesn't need a heap spray
Limitations:
- Needs a Windows file sharing server
  - This is not a real problem
- Only works on 32-bit processes on x64 Windows
  - This situation is very common
- Cannot work on Windows 8
The documents and presentation are from Yu Yang @tombkeeper.
Download Slides from here:
https://docs.google.com/file/d/0B46U...it?usp=sharing
Cheers.