Bugtraq mailing list archives
Re: [VulnDiscuss] Re: Preventing exploitation with rebasing
From: Halvar Flake <halvar () gmx net>
Date: Wed, 5 Feb 2003 18:32:30 +0100
Hey David,

DL> Assuming the server did stay up, though. You've got to go through 0x7FFFFFFF
DL> addresses looking for your code or something that will get you back to your
DL> code. There'll be maybe 50 addresses with "jmp esp" - or whatever
DL> instruction you're looking for - giving you a 1 in 42949672 chance or so.
DL> Brute forcing is not reliable therefore. With all those attempts - someone's
DL> going to notice something going on - or so one would hope, anyway.

Your math is broken :-)

DLLs are (as you stated) based mod 64k, so there's only 0x80000000 / 64k - 1
different addresses on which a DLL can start. That's less than 32k, and your
chance is 1 in 32768. On average, you get a hit after 16384 tries.

Oh, btw, this method could be optimized as you can be pretty sure that large
DLLs aren't mapped closely underneath 0x80000000.

How do you deal with EXEs that have been stripped of relocation information?
(simple answer, not at all)

Cheers,
Halvar
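The search-space arithmetic in the message above, worked through as an added example (this is not code from the thread or from any of its participants). It assumes a 2 GiB user address space topped at 0x80000000, 64 KiB allocation granularity for image bases, that the lowest usable image base is 0x10000, and a hypothetical attacker who knows the RVA of a "jmp esp" inside the rebased DLL and sweeps candidate bases from the top of user space downwards. It also shows the optimisation Halvar mentions: a larger image has fewer places it can fit below 0x80000000, so the sweep has fewer candidates.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumptions for this example (not stated by the thread beyond "based mod 64k"):
 * 32-bit user space ends at 0x80000000, image bases are multiples of 64 KiB,
 * and the first 64 KiB of the address space is never used as an image base. */
#define USER_SPACE_TOP 0x80000000u
#define ALLOC_GRAN     0x10000u
#define LOWEST_BASE    0x10000u

/* Round an image size up to the allocation granularity. */
static uint32_t round_up_gran(uint32_t size) {
    return (size + ALLOC_GRAN - 1) & ~(ALLOC_GRAN - 1);
}

/* Highest base at which an image of dll_size bytes still fits below USER_SPACE_TOP. */
static uint32_t highest_base(uint32_t dll_size) {
    return USER_SPACE_TOP - round_up_gran(dll_size);
}

/* Number of distinct bases a DLL of dll_size bytes can be rebased to.
 * For a 64 KiB image this is 0x80000000 / 64k - 1 = 32767, as in the message;
 * larger images lose the candidates near the top of user space. */
uint32_t candidate_base_count(uint32_t dll_size) {
    uint32_t hi = highest_base(dll_size);
    if (hi < LOWEST_BASE) return 0;
    return (hi - LOWEST_BASE) / ALLOC_GRAN + 1;
}

/* One attempt: the attacker overwrites a return address with guess_base + rva.
 * Only the real base turns that into a pointer to the jmp esp; any other guess
 * lands somewhere else and (in the model of the thread) crashes the process. */
static int attempt_hits(uint32_t guess_base, uint32_t true_base, uint32_t jmp_esp_rva) {
    uint32_t overwritten = guess_base + jmp_esp_rva;
    uint32_t real_gadget = true_base + jmp_esp_rva;
    return overwritten == real_gadget;
}

/* Sweep candidate bases from the top of user space down and count attempts
 * until the real base is hit. Returns 0 if true_base is not a valid candidate. */
uint32_t brute_force_attempts(uint32_t true_base, uint32_t dll_size, uint32_t jmp_esp_rva) {
    uint32_t n = candidate_base_count(dll_size);
    uint32_t hi = highest_base(dll_size);
    for (uint32_t i = 0; i < n; i++) {
        uint32_t guess = hi - i * ALLOC_GRAN;
        if (attempt_hits(guess, true_base, jmp_esp_rva)) return i + 1;
    }
    return 0;
}

/* Mean attempts over all candidates when the rebaser picks uniformly: (n + 1) / 2.
 * For n = 32767 that is 16384, the figure given in the message. */
double expected_attempts(uint32_t dll_size) {
    uint32_t n = candidate_base_count(dll_size);
    return n ? (n + 1) / 2.0 : 0.0;
}

int main(void) {
    uint32_t sizes[] = { 0x10000u, 0x100000u, 0x1000000u };   /* 64 KiB, 1 MiB, 16 MiB */
    for (unsigned i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        uint32_t n = candidate_base_count(sizes[i]);
        printf("image %8u KiB: %5u candidate bases, 1 in %5u per try, %.0f tries on average\n",
               sizes[i] / 1024, n, n, expected_attempts(sizes[i]));
    }
    /* A hypothetical DLL rebased to 0x6A3C0000 with a jmp esp at RVA 0x1234. */
    printf("top-down sweep hits 0x6A3C0000 after %u attempts\n",
           brute_force_attempts(0x6A3C0000u, 0x10000u, 0x1234u));
    return 0;
}
```

The candidate count is the whole story: 64 KiB granularity across 2 GiB leaves 15 bits of choice, not 31, and an image that cannot fit near 0x80000000 removes candidates from exactly the end of the sweep an attacker would otherwise try first.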