Dailydave mailing list archives
My pre-Vegas question to Yuji, et. al.
From: dave <dave () immunitysec com>
Date: Mon, 26 Jul 2004 18:27:30 -0400
BlackHat talk: "Payloads intended to execute attacker-provided code typically require a static address of code already existing in the vulnerable process's address space, in order to redirect execution back into code accompanying the payload. Historically, exploit authors have resorted to finding the addresses of byte sequences that perform a call or jump to the address loaded in a register at the moment when execution can be hijacked. These "return addresses" are typically infrequent in an address space and may vary with the version of the program being attacked, making the discovery of version-independent or character-restricted addresses extremely rare. With the "EEREAP" (eEye Emulating Return Address Purveyor) project, we aim to revolutionize the practice of return address discovery by employing machine code emulation and exceptionally more finely-grained context awareness in order to exhaustively locate the addresses in an address space that are suitable to redirect execution into payload data. In this presentation, we will discuss how EEREAP works, how to use it as a tool for exploit coding, and what can be accomplished with this new generation of return address enumeration technology."
So, my question is this.
1. What's the actual gain over standard address correlation methods? Immunity's doing fairly well with just that... done properly, it's pretty exhaustive since valid return addresses are sparse.
2. Why bother emulating? Why not use the CPU instead of emulating a CPU? Reverting state is fairly easy, especially the state you really need to revert...
-dave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
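The "historical" method the abstract contrasts EEREAP against is a byte-pattern scan: walk a loaded module's image looking for `jmp reg`, `call reg` or `push reg; ret`, turn each offset into a virtual address, and throw away addresses that contain bytes the vulnerable copy routine would mangle. The following is an added example of that classic scan, written for this page; it is not code from EEREAP, eEye or Immunity. The image bytes, the base address 0x7C81FFF0 and the bad-byte set {0x00, 0x0A, 0x0D} are constructed for the demonstration. It deliberately does no emulation, which is exactly the gap the talk claims to fill: a sequence that only reaches the register after a few instructions (e.g. `mov eax, esp; jmp eax`) is invisible to this scanner.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* x86 register numbers as encoded in ModR/M r/m bits and in the 0x50+r push opcodes. */
enum { REG_EAX, REG_ECX, REG_EDX, REG_EBX, REG_ESP, REG_EBP, REG_ESI, REG_EDI };
static const char *const reg_names[8] = {"eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"};

struct hit {
    uint32_t addr;      /* virtual address of the sequence */
    const char *kind;   /* "jmp", "call" or "push/ret" */
};

/* Returns 1 if no byte of addr (little-endian, all four positions) is in bad[]. */
static int addr_is_clean(uint32_t addr, const uint8_t *bad, size_t nbad)
{
    for (int shift = 0; shift < 32; shift += 8) {
        uint8_t b = (uint8_t)(addr >> shift);
        for (size_t i = 0; i < nbad; i++)
            if (b == bad[i])
                return 0;
    }
    return 1;
}

/*
 * Scan img (len bytes, loaded at base) for the three classic register-redirect
 * sequences targeting register reg:
 *   FF E0+r   jmp reg
 *   FF D0+r   call reg
 *   50+r C3   push reg ; ret
 * The scan is byte-aligned, not instruction-aligned, so a match inside an
 * immediate or a displacement counts too: the CPU does not care how the
 * compiler meant the bytes to be decoded. Addresses containing any byte in
 * bad[] are skipped. Returns the number of hits written to out (at most max).
 */
size_t find_return_addresses(const uint8_t *img, size_t len, uint32_t base, int reg,
                             const uint8_t *bad, size_t nbad,
                             struct hit *out, size_t max)
{
    size_t n = 0;
    for (size_t off = 0; off + 1 < len && n < max; off++) {
        const char *kind = NULL;
        if (img[off] == 0xFF && img[off + 1] == (0xE0 | reg))
            kind = "jmp";
        else if (img[off] == 0xFF && img[off + 1] == (0xD0 | reg))
            kind = "call";
        else if (img[off] == (0x50 | reg) && img[off + 1] == 0xC3)
            kind = "push/ret";
        if (!kind)
            continue;
        uint32_t addr = base + (uint32_t)off;
        if (!addr_is_clean(addr, bad, nbad))
            continue;
        out[n].addr = addr;
        out[n].kind = kind;
        n++;
    }
    return n;
}

/* Constructed stand-in for a code section (not a real module). Offsets noted. */
static const uint8_t sample_image[] = {
    0x55, 0x8B, 0xEC,        /*  0: push ebp ; mov ebp, esp */
    0x83, 0xEC, 0x10,        /*  3: sub esp, 0x10           */
    0xFF, 0xE4,              /*  6: jmp esp                 */
    0x90, 0x90,              /*  8: nop ; nop               */
    0x54, 0xC3,              /* 10: push esp ; ret          */
    0xFF, 0xD0,              /* 12: call eax                */
    0xC3,                    /* 14: ret                     */
    0x00, 0x00, 0x00, 0x00,  /* 15: padding                 */
    0xFF, 0xE4,              /* 19: jmp esp (lands at 0x7C820003: NUL byte) */
};
static const uint32_t sample_base = 0x7C81FFF0u;  /* constructed, not a real load address */

/* Run the scan over the sample image; filter_bad selects the {00,0A,0D} restriction. */
size_t scan_sample(int reg, int filter_bad, struct hit *out, size_t max)
{
    static const uint8_t bad[] = {0x00, 0x0A, 0x0D};
    return find_return_addresses(sample_image, sizeof sample_image, sample_base, reg,
                                 bad, filter_bad ? sizeof bad : 0, out, max);
}

int main(void)
{
    struct hit hits[16];
    for (int reg = REG_EAX; reg <= REG_EDI; reg++) {
        size_t n = scan_sample(reg, 1, hits, 16);
        for (size_t i = 0; i < n; i++)
            printf("%s -> 0x%08X (%s %s)\n", reg_names[reg], hits[i].addr, hits[i].kind, reg_names[reg]);
    }
    return 0;
}
```

On the sample image the filtered scan yields two usable `esp` addresses and one `eax` address; the third `jmp esp` at 0x7C820003 only appears when the bad-byte filter is switched off, which is the "character-restricted" problem the abstract refers to. Against a real process you would feed each loaded module's image and base (on 2004-era Windows these were fixed per version, hence Dave's point about correlating addresses across versions).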
Current thread:
- My pre-Vegas question to Yuji, et. al. dave (Jul 26)
- Re: My pre-Vegas question to Yuji, et. al. Matt Hargett (Jul 27)
- Re: My pre-Vegas question to Yuji, et. al. Dave Aitel (Jul 28)
- Re: My pre-Vegas question to Yuji, et. al. David Maynor (Jul 28)
- Re: My pre-Vegas question to Yuji, et. al. Matt Hargett (Jul 28)
- Re: My pre-Vegas question to Yuji, et. al. Dave Aitel (Jul 28)
- Re: My pre-Vegas question to Yuji, et. al. Dave Aitel (Jul 28)
- Re: My pre-Vegas question to Yuji, et. al. Matt Hargett (Jul 27)
- Re: My pre-Vegas question to Yuji, et. al. Dave Aitel (Jul 28)
- Re: My pre-Vegas question to Yuji, et. al. Matt Hargett (Jul 28)