Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos

Dailydave: Re: Vista SP1

Re: Vista SP1

From: Robert Hensing (EL CONQUISTADOR) <rhensing_at_microsoft.com>
Date: Fri, 25 Apr 2008 07:56:10 -0700

I think you are wrong. :)

As Alexander mentioned - IE on Vista SP1 does not opt-in to DEP by default still and I have verified that the Jscript heaps are still executable until you DO opt IE into DEP (and after doing so I have verified that standard heap spray techniques would fail). Incidentally I've emailed Mark Dowd to see if he could test his exploit with IE opted-in to DEP for me and he hasn't gotten back with me yet so it's not clear if DEP will prevent the bytecode from executing or not. I do know that Flash seems to work fine with DEP enabled in IE - so I'm assuming that Adobe is using VirtualProtect() to properly mark the pages that they need to be executable, as executable which would lead me to believe that Dowd's exploit would still work - even with DEP enabled (well - I'm assuming the AS bytecode would run - not sure about the x86 shellcode stage or where that could would be executing from - but if the x86 shellcode is also in pages marked executable by Adobe - then it's unlikely DEP wo
 uld be effective here). Incidentally - ASLR *would* have been effective in stopping his exploit - but Adobe doesn't opt-in to that with Flash yet . . . but that doesn't mean YOU can't. You can use link.exe to edit the flash9f.ocx and make it use ASLR. :)

-----Original Message-----
From: dailydave-bounces_at_lists.immunitysec.com [mailto:dailydave-bounces_at_lists.immunitysec.com] On Behalf Of Dave Aitel
Sent: Friday, April 25, 2008 8:41 AM
To: Alexander Sotirov; dailydave
Subject: Re: [Dailydave] Vista SP1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've been told (although I did not write that exploit, Kostya did) that
you end up using opcodes in your bytecode stream to get execution. This
would mean that the bytecode stream has to be executable, which SP1
breaks. Not that this breaks the many other ways you can write the
exploit, but it would make it slightly harder.

I could be wrong on this
- -dave

Alexander Sotirov wrote:
| On Thu, Apr 24, 2008 at 07:27:18AM -0400, Dave Aitel wrote:
|> Vista SP1 was released to Automatic Update. One thing about SP1 is
that it
|> breaks the Flash exploit Mark Dowd describes in his paper by making
certain
|> memory NX.
|
| What memory does SP1 make NX? The iexplore.exe process is not on the
OptIn DEP
| list in Vista SP1, so everything in memory is always executable.
|
| Alex

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIEdFztehAhL0gheoRAr/tAJ9MDoOPD4KLnmeaOglze/rvDCRq4QCfU+l/
R1DBA7fZM/p6bc4mXmAI77U=
=C+LF
-----END PGP SIGNATURE-----

_______________________________________________
Dailydave mailing list
Dailydave_at_lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave
_______________________________________________
Dailydave mailing list
Dailydave_at_lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave
Received on Apr 25 2008

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]