Tuesday, February 28, 2012

Reliable Windows 7 Exploitation

Introduction

Reliable exploitation of browser vulnerabilities has been made increasingly difficult by the introduction of protection mechanisms such as DEP and ASLR. While it can be shown that ASLR can easily be defeated without DEP (for example by heap spraying) and DEP can easily be defeated without ASLR (for example by return-oriented programming), the combination of the two makes reliable exploitation much harder. This is probably the reason why there hasn't been much work published about exploiting vulnerabilities on Windows 7.

The two most common techniques for exploiting vulnerabilities on Windows 7 are:

1. Using a secondary vulnerability to perform memory disclosure and reveal the address of an executable module in memory, before using the "main" vulnerability to execute the payload. For example, Peter Vreugdenhil used this technique in his Internet Explorer 8 on Windows 7 exploit at the Pwn2Own 2010 contest.

2. Making the application load a module that is not ASLR-enabled into memory, for example msvcr71.dll.
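Technique 2 only works because some modules are linked without the DllCharacteristics flags that opt a PE image into ASLR (DYNAMIC_BASE) and DEP (NX_COMPAT). The following is an added example, not code from the original post, that reads those flags straight from the PE header so a defender can audit which DLLs in a product would serve as a fixed-address module; the stub PE bytes it builds for the demonstration are constructed and not loadable.

```python
import struct

# DllCharacteristics bits from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image opts into ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image opts into DEP


def pe_mitigations(data: bytes) -> dict:
    """Return {'aslr': bool, 'dep': bool} for the PE image held in `data`."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]       # offset of the PE header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                                   # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                           # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def modules_without_aslr(paths):
    """Return the subset of on-disk PE files that do not opt into ASLR."""
    weak = []
    for path in paths:
        with open(path, "rb") as fh:
            if not pe_mitigations(fh.read())["aslr"]:
                weak.append(path)
    return weak


def make_stub_pe(dll_characteristics: int) -> bytes:
    """Build a minimal, constructed PE32 header (DOS stub + PE + COFF + optional header)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # PE header directly follows DOS header
    # Machine=i386, 1 section, no symbols, SizeOfOptionalHeader=224, Characteristics: EXE|32BIT|DLL
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    hardened = make_stub_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    legacy = make_stub_pe(0)                                  # built like an old, non-ASLR runtime DLL
    print("hardened:", pe_mitigations(hardened), "legacy:", pe_mitigations(legacy))
```

Run `modules_without_aslr` over the DLLs shipped with or loadable by an application to find the images that would give an attacker a fixed base under ASLR.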

For the full article see: http://ifsec.blogspot.com
