Dailydave mailing list archives

Re: The sky's downward trajectory


From: don bailey <don.bailey () gmail com>
Date: Wed, 21 Feb 2007 10:46:07 -0700


If your goal is to find a specific instruction in memory to use a trampoline to
your shellcode, the number of possible memory states of the entire address space
doesn't matter. You know that the instruction you want is at offset foo.dll+x,
and there are only 2^8 possible places where the dll can be loaded.

The number of tries required to brute force the ASLR in this case is 2^8. If you
have two DLLs that have a trampoline instruction at the same offset, the number
goes down to 2^7, and so on.
  
And the best part is, if you can coerce your return address into one or more registers, you have a decent chance of landing at an address in the text segment (randomized or not) that may bounce you to your shellcode.

See how often you find the pattern 0xFF in the average library. 0xFF, 0xRR where RR is an x86 register (in opcode speak) is pretty prevalent. So while an attacker is trying to brute force a trampoline address, they may end up just hitting another pattern in the text segment that can bounce them "home", anyway.

For example:

(gdb) disassemble main
Dump of assembler code for function main:
...
0x080484ab <main+31>:   call   *%eax
...
End of assembler dump.

(gdb) x/1x main+31
0x80484ab <main+31>:    0xc3c9d0ff
(gdb)

Don Bailey

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
