
Dailydave: Re: Vista SP1

Re: Vista SP1

From: Kostya Kortchinsky <kostya.kortchinsky_at_gmail.com>
Date: Fri, 25 Apr 2008 15:26:50 -0400

Switching to DEP OptOut prevented the exploitation.

By carefully following Mark's steps, when restoring EIP from the saved
pointer to your bytecode, you end up with an access violation on executing
your marker byte (which at this point is followed by the call backwards)
since it's not in an executable page.

And bytecode is data, not actual x86 instructions to be executed.

Kostya

2008/4/25, Robert Hensing (EL CONQUISTADOR) <rhensing_at_microsoft.com>:
>
> I think you are wrong. :)
>
> As Alexander mentioned - IE on Vista SP1 does not opt-in to DEP by default
> still and I have verified that the Jscript heaps are still executable until
> you DO opt IE into DEP (and after doing so I have verified that standard
> heap spray techniques would fail). Incidentally I've emailed Mark Dowd to
> see if he could test his exploit with IE opted-in to DEP for me and he
> hasn't gotten back with me yet so it's not clear if DEP will prevent the
> bytecode from executing or not. I do know that Flash seems to work fine
> with DEP enabled in IE - so I'm assuming that Adobe is using
> VirtualProtect() to properly mark the pages that they need to be executable,
> as executable which would lead me to believe that Dowd's exploit would still
> work - even with DEP enabled (well - I'm assuming the AS bytecode would run
> - not sure about the x86 shellcode stage or where that code would be
> executing from - but if the x86 shellcode is also in pages marked executable
> by Adobe - then it's unlikely DEP would be effective here). Incidentally - ASLR *would* have been effective
> in stopping his exploit - but Adobe doesn't opt-in to that with Flash yet . . .
> but that doesn't mean YOU can't. You can use link.exe to edit the
> flash9f.ocx and make it use ASLR. :)
>
>
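
The behaviour Kostya describes (EIP lands in a page that holds data and the CPU refuses to fetch instructions from it) can be reproduced on a POSIX system with mmap()/mprotect(), which stand in for VirtualAlloc()/VirtualProtect() on Windows. This is an added example, not code from the thread; the one-instruction payload (a bare ret) is constructed for the demo.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed one-instruction payload: a bare "ret" for the host CPU. */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char RET_INSN[] = { 0xC3 };
#elif defined(__aarch64__)
static const unsigned char RET_INSN[] = { 0xC0, 0x03, 0x5F, 0xD6 };
#else
#error "demo supports x86 and AArch64 only"
#endif

static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Copy the "ret" into a fresh anonymous page and jump to it.
 * Returns 1 if it ran, 0 if the CPU refused (NX/DEP fault), -1 on setup error.
 * mprotect() here plays the role of VirtualProtect() on Windows. */
int try_execute(int mark_executable)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    memcpy(page, RET_INSN, sizeof RET_INSN);          /* plain data write */
    if (mark_executable) {
        if (mprotect(page, pagesz, PROT_READ | PROT_EXEC) != 0) { munmap(page, pagesz); return -1; }
        __builtin___clear_cache((char *)page, (char *)page + pagesz);
    }
    struct sigaction sa = { 0 }, old_segv, old_bus;
    sa.sa_handler = on_fault;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    volatile int ran = 0;
    if (sigsetjmp(fault_env, 1) == 0) {
        void (*fn)(void);
        memcpy(&fn, &page, sizeof fn);               /* data pointer -> code pointer */
        fn();                                        /* faults unless page is RX */
        ran = 1;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(page, pagesz);
    return ran;
}
```

try_execute(0) is the heap-spray case from the thread (bytes written as data, never marked executable) and faults under NX/DEP; try_execute(1) is the VirtualProtect() case Robert speculates about for Flash, where the page is explicitly made executable and the same bytes run.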

_______________________________________________
Dailydave mailing list
Dailydave_at_lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave
Received on Apr 25 2008
