Attacking Windows 7/8 ASLR

CloneRanger · Jan 25, 2013

The following text is what looks like an attempt to circumvent windows 7 and
windows 8 memory protections in order to execute arbritrary assembly code.
The presented methods are in particular useful for client-side attacks as used
for example in browser exploits.

The topic that is discussed is a very complex one. At the time I started the
research I thought the idea behind the attack will be applied to real-world
scenarios quick and easy. I had to be convinced by the opposite.
The research was done without knowing much about the real internals of the
windows memory space protection but rather using brute force, trial & failure
in order to achieve what will be presented in the upcoming text. Be warned -
the methods to attack the protection mechanisms hereby presented are not
failsafe and can be improved. Tough in many cases it is possible to
completely bypass Windows 7 and especially Windows 8 ASLR by using the
techniques.

*

The PoCs

There are two different PoCs, one for Windows 7 and one for Windows 8.

https://kingcope.wordpress.com/2013/01/24/attacking-the-windows-78-address-space-randomization
Click to expand...

Be interesting to see if anyone here can test these !

Hungry Man · Jan 25, 2013

It's not really that fantastic. The attack is heap spray, and it turns out that if you spray the heap enough you can predict where the next address will be very accurately.

Naturally this type of attack is less effective on 64bit.

Kees1958 · Jan 27, 2013

But their find is that the system is helping to find a place to put arbitrary code in IE.

kingcope said:

When the memory is filled up the installed javascript exception handler will execute javascript code that frees small chunks of memory in several steps, each step the javascript code will try to load an ActiveX object. The result is that the DLL will be loaded at a predictable address. Now the exploit writer has a predictable address to jump to and the 'where do i jump when I have code execution' problem is solved.
Click to expand...

The PoC is based on filling up available memory (there is no more address space which can be randomised), not a brute force hunt on finding the planted egg, so I doubt whether the additional randomization advantage of 64 bits has much impact on this PoC.

Hungry Man · Jan 27, 2013

Yes. It only applies to 32bit. The same attack works on Linux, and there's already a patch for this in grsecurity.

Log in or Sign up

Attacking Windows 7/8 ASLR

CloneRanger Registered Member

Hungry Man Registered Member

Kees1958 Registered Member

Hungry Man Registered Member

Log in or Sign up

Attacking Windows 7/8 ASLR

CloneRanger Registered Member

Hungry Man Registered Member

Kees1958 Registered Member

Hungry Man Registered Member

Useful Searches