Dailydave mailing list archives

Re: Vista SP1
From: Alexander Sotirov <alex () sotirov net>
Date: Sat, 26 Apr 2008 12:18:25 -0700

On Fri, Apr 25, 2008 at 03:26:50PM -0400, Kostya Kortchinsky wrote:
> Switching to DEP OptOut prevented the exploitation.
>
> By carefully following Mark's steps, when restoring EIP from the saved
> pointer to your bytecode, you end up with an access violation on executing
> your marker byte (which at this point is followed by the call backwards)
> since it's not in an executable page.
>
> And bytecode is data, not actual x86 instructions to be executed.

I was confused because Dave was talking about something that changed in SP1, but
it looks like there's no difference in the exploitation on SP0 and SP1. In the
default configuration on both systems IE does not have DEP. If you switch to
OptOut DEP on both SP0 and SP1, the exploit won't work because it tries to
execute data.

Alex
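The failure mode the thread describes (a restored code pointer landing on bytes that live in a data page, so the CPU raises an access violation instead of running them) can be reproduced outside the browser. The program below is an added example and is not from this mail, from Kostya's or Mark's exploit, or from Immunity; it uses Linux/POSIX mmap and mprotect as the analogue of Windows DEP, since both ultimately come down to the NX bit on the page. The stub bytes are constructed for the example (machine code for `return 42` on the build architecture), and run_from_page is a name chosen here. With the page left read/write, as DEP OptOut leaves IE's data, the call faults and the function reports -1; with the same bytes on a page that also carries PROT_EXEC, the call returns 42.

```c
/* Added example, not part of the Dailydave thread: control transferred to
 * bytes on a non-executable page faults (what DEP OptOut did to the exploit);
 * the same bytes on an executable page run. Linux/POSIX stands in for Windows. */
#define _DEFAULT_SOURCE 1
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed "bytecode": machine code for `return 42` on this architecture.
 * For the fault case any bytes would do; these let the executable case prove
 * that control really reached the page. */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char STUB[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00,  /* mov eax, 42 */
                                      0xC3 };                        /* ret         */
#elif defined(__aarch64__)
static const unsigned char STUB[] = { 0x40, 0x05, 0x80, 0x52,        /* mov w0, #42 */
                                      0xC0, 0x03, 0x5F, 0xD6 };      /* ret         */
#else
#error "no stub bytes for this architecture"
#endif

static sigjmp_buf fault_env;

/* The access violation arrives as SIGSEGV (SIGBUS on some platforms);
 * unwind back into run_from_page instead of dying. */
static void on_fault(int signo) {
    (void)signo;
    siglongjmp(fault_env, 1);
}

/* Copy STUB into a fresh page and call into it. executable == 0 leaves the
 * page read/write only (data, as DEP sees it); executable != 0 marks it
 * read/execute. Returns the stub's return value, -1 if the CPU refused to
 * execute the page, -2 on a mapping error. */
int run_from_page(int executable) {
    size_t pagesize = (size_t)sysconf(_SC_PAGESIZE);
    void *page = mmap(NULL, pagesize, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -2;
    memcpy(page, STUB, sizeof STUB);
    /* Needed on architectures with a non-coherent instruction cache (aarch64). */
    __builtin___clear_cache((char *)page, (char *)page + sizeof STUB);

    if (executable && mprotect(page, pagesize, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, pagesize);
        return -2;
    }

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    int result;
    if (sigsetjmp(fault_env, 1) == 0) {
        /* This is the moment the exploit "restores EIP" into its bytecode. */
        int (*fn)(void) = (int (*)(void))(uintptr_t)page;
        result = fn();
    } else {
        result = -1;   /* access violation: the page is data, not code */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(page, pagesize);
    return result;
}

int main(void) {
    printf("RW page (as under DEP OptOut): %d\n", run_from_page(0));
    printf("RX page:                       %d\n", run_from_page(1));
    return 0;
}
```

The interesting line is the sigsetjmp branch: nothing about the bytes changes between the two calls, only the page permission, which is exactly why a payload that "works" with DEP off dies at its first marker byte once the process opts in.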

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
