Bugtraq mailing list archives
Re: Preventing exploitation with rebasing
From: "D.C. van Moolenbroek" <dc.van.moolenbroek () chello nl>
Date: Wed, 5 Feb 2003 21:48:08 +0100
First, your "push 0x0042001C" instruction might also happen to push a
number, instead of an offset. How do you distinguish between offsets and
numbers?

Second, what about jumptables? How are you going to relocate code like
this? Sure, the offset to the jumptable is easy, but what about the
jumptable itself?

    cmp ebx,256
    jae <my_error_handler>
    call [0x004200C0 + ebx*4]

It might even get much more tricky than that. As an example, suppose the
first line ended with "eax" instead of "256"... suppose the jumptable was
followed by a unicode-string... and then suppose that eax was filled with
a value just read from a file/socket/etc. Unrealistic? I don't think so.
Try to find the end of the jumptable in this case!

Remember, relocation has to be perfect in order to work. No mistakes are
allowed. And without .reloc data, your relocator will have to start
guessing, which *will* result in mistakes.

Regards,
David (yes another one)

"David Litchfield" wrote:

> Going back to exe image files and rebasing. Surely they can be rebased
> even without a .reloc section? All I need to do is edit the image base
> in the PE header then parse the assembly looking for absolute addresses
> such as function addresses, static variables etc. and modify these
> addresses, too. For example assume an image base for an exe is
> 0x00400000 and the C code does
>
>     printf("hello");
>
> This will generate something like
>
>     push 0x0042001C // push pointer to hello
>     call 0x00401060 // call printf
>
> If I then make the image base 0x00410000 and I also change
>
>     push 0x0042001C
>     call 0x00401060
>
> to become
>
>     push 0x0043001C
>     call 0x00411060
>
> then the exe should still run (as long as you get all the absolute
> addresses) and it has been rebased. ?
>
> David
-- 
class sig{static void main(String[]s){for// D.C. van Moolenbroek
(int _=0;19>_;System.out.print((char)(52^// (CS student, VU, NL)
"Y`KbddaZ}`P#KJ#caBG".charAt(_++)-9)));}}// -Java sigs look bad-
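The ambiguity van Moolenbroek raises, shown in code. This is an added example and not part of the thread or anyone's relocator: it builds a small constructed x86-32 byte image (the `push` of a pointer, a `push` of a plain number that happens to fall inside the image range, a `call [table+ebx*4]`, a four-entry jump table, and a UTF-16 string right after the table) and rebases it from 0x00400000 to 0x00410000 two ways. The "guessing" relocator treats every dword inside the old image range as an address, which is all a relocator can do without `.reloc` data; the table-driven relocator patches only the offsets a fixup table names, which is exactly the information a `.reloc` section carries. The image bytes, the assumed image size, and the fixup table are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed scenario: image base 0x00400000 rebased to 0x00410000, as in the thread. */
#define OLD_BASE 0x00400000u
#define OLD_SIZE 0x00030000u   /* assumed image size: 0x400000..0x42FFFF counts as "inside the image" */
#define NEW_BASE 0x00410000u
#define DELTA    (NEW_BASE - OLD_BASE)

/* Constructed x86-32 byte image laid out to mirror the thread's examples. */
static const uint8_t image_template[] = {
    0x68, 0x1C, 0x00, 0x42, 0x00,             /* off 0:  push 0x0042001C   pointer -> needs fixup       */
    0x68, 0x00, 0x10, 0x40, 0x00,             /* off 5:  push 0x00401000   plain number -> must not move */
    0xFF, 0x14, 0x9D, 0xC0, 0x00, 0x42, 0x00, /* off 10: call [0x004200C0+ebx*4]  table address -> fixup */
    0x10, 0x10, 0x40, 0x00,                   /* off 17: jump table entry 0x00401010 -> needs fixup    */
    0x20, 0x10, 0x40, 0x00,                   /* off 21: entry 0x00401020                               */
    0x30, 0x10, 0x40, 0x00,                   /* off 25: entry 0x00401030                               */
    0x40, 0x10, 0x40, 0x00,                   /* off 29: entry 0x00401040 (last real entry)             */
    0x41, 0x00, 0x40, 0x00,                   /* off 33: UTF-16LE "A@" = dword 0x00400041 -> must not move */
};
#define IMAGE_LEN (sizeof image_template)

/* Offsets of the dwords that really are absolute addresses: what a .reloc section records. */
static const size_t fixups[] = { 1, 13, 17, 21, 25, 29 };
#define NFIX (sizeof fixups / sizeof fixups[0])

static uint32_t read_dword(const uint8_t *p, size_t off) {
    return (uint32_t)p[off] | (uint32_t)p[off + 1] << 8 |
           (uint32_t)p[off + 2] << 16 | (uint32_t)p[off + 3] << 24;
}

static void write_dword(uint8_t *p, size_t off, uint32_t v) {
    p[off] = (uint8_t)v;             p[off + 1] = (uint8_t)(v >> 8);
    p[off + 2] = (uint8_t)(v >> 16); p[off + 3] = (uint8_t)(v >> 24);
}

/* Guessing relocator: any dword inside the old image range is assumed to be a pointer.
   Records the offsets it patched in hits[] and returns how many it patched. */
static size_t naive_rebase(uint8_t *img, size_t len, size_t *hits, size_t max_hits) {
    size_t n = 0;
    for (size_t i = 0; i + 4 <= len; ) {
        uint32_t v = read_dword(img, i);
        if (v >= OLD_BASE && v < OLD_BASE + OLD_SIZE) {
            write_dword(img, i, v + DELTA);
            if (n < max_hits) hits[n] = i;
            n++;
            i += 4;                 /* these four bytes were "consumed" as a pointer */
        } else {
            i++;
        }
    }
    return n;
}

/* Table-driven relocator: patches only the offsets the fixup table names. */
static void table_rebase(uint8_t *img, const size_t *fix, size_t nfix) {
    for (size_t k = 0; k < nfix; k++)
        write_dword(img, fix[k], read_dword(img, fix[k]) + DELTA);
}

static int is_fixup(size_t off) {
    for (size_t k = 0; k < NFIX; k++) if (fixups[k] == off) return 1;
    return 0;
}

/* Dword at `off` after rebasing a fresh copy of the image with one strategy or the other. */
uint32_t rebased_value(int use_table, size_t off) {
    uint8_t img[IMAGE_LEN];
    size_t hits[IMAGE_LEN];
    memcpy(img, image_template, IMAGE_LEN);
    if (use_table) table_rebase(img, fixups, NFIX);
    else           naive_rebase(img, IMAGE_LEN, hits, IMAGE_LEN);
    return read_dword(img, off);
}

/* How many locations the guessing relocator patched that are not real addresses. */
size_t naive_false_positives(void) {
    uint8_t img[IMAGE_LEN];
    size_t hits[IMAGE_LEN], bad = 0;
    memcpy(img, image_template, IMAGE_LEN);
    size_t n = naive_rebase(img, IMAGE_LEN, hits, IMAGE_LEN);
    for (size_t k = 0; k < n; k++) if (!is_fixup(hits[k])) bad++;
    return bad;
}

int main(void) {
    printf("guessing relocator: %zu false positives\n", naive_false_positives());
    printf("number at off 6:  table 0x%08X  naive 0x%08X\n",
           (unsigned)rebased_value(1, 6), (unsigned)rebased_value(0, 6));
    printf("string at off 33: table 0x%08X  naive 0x%08X\n",
           (unsigned)rebased_value(1, 33), (unsigned)rebased_value(0, 33));
    return 0;
}
```

Running it, the guessing pass rewrites the numeric `push 0x00401000` to `push 0x00411000` and turns the UTF-16 "A@" after the jump table into "AA", because it cannot see where the table ends; the table-driven pass leaves both alone and fixes exactly the six real addresses. Note that the example uses a memory-indirect `call` for the table dispatch: a direct x86 `call` is encoded as an IP-relative displacement (`E8 rel32`), so it carries no absolute address and needs no fixup at all, which is another reason a rebaser cannot simply pattern-match the disassembly for "addresses".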