Dailydave mailing list archives
Re: Vista SP1
From: Alexander Sotirov <alex () sotirov net>
Date: Sat, 26 Apr 2008 12:18:25 -0700
On Fri, Apr 25, 2008 at 03:26:50PM -0400, Kostya Kortchinsky wrote:
> Switching to DEP OptOut prevented the exploitation. By carefully following Mark's steps, when restoring EIP from the saved pointer to your bytecode, you end up with an access violation on executing your marker byte (which at this point is followed by the call backwards) since it's not in an executable page. And bytecode is data, not actual x86 instructions to be executed.
I was confused because Dave was talking about something that changed in SP1, but it looks like there's no difference in the exploitation on SP0 and SP1. In the default configuration on both systems IE does not have DEP. If you switch to OptOut DEP on both SP0 and SP1, the exploit won't work because it tries to execute data.

Alex
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
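The failure mode both mails describe (EIP restored to a pointer into bytecode, the CPU faulting because that page is data rather than executable code) is a property of the page permissions, not of Vista or IE in particular. The program below is an added example, not code from either mail or from the exploit under discussion: it is written for Linux/POSIX rather than Windows, uses mmap/mprotect as the stand-in for what DEP enforces on a Windows process, and executes a constructed stub (a few bytes that return 42) from a page that is either readable+executable or readable+writable only. The second case is what DEP OptOut turns the "marker byte" into: an access violation, not an instruction fetch. Only x86 and AArch64 stub encodings are provided; on any other target run_stub() reports -2 instead of guessing.

```c
#define _DEFAULT_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

/* Constructed stand-in for the "marker byte" EIP lands on: a stub that
 * returns 42 so a successful instruction fetch is observable.
 * Hand-assembled; encodings supplied only for the two common targets. */
#if defined(__x86_64__) || defined(__i386__)
static const uint8_t stub[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 }; /* mov eax,42 ; ret */
#define STUB_SUPPORTED 1
#elif defined(__aarch64__)
static const uint8_t stub[] = { 0x40, 0x05, 0x80, 0x52,               /* mov w0,#42 */
                                0xc0, 0x03, 0x5f, 0xd6 };             /* ret        */
#define STUB_SUPPORTED 1
#else
static const uint8_t stub[] = { 0 };
#define STUB_SUPPORTED 0
#endif

static sigjmp_buf fault_env;

/* The access violation arrives as SIGSEGV (SIGBUS on some kernels);
 * unwind back to run_stub() instead of letting the process die. */
static void on_fault(int sig) {
    (void)sig;
    siglongjmp(fault_env, 1);
}

/* Copy the stub into a fresh anonymous page and jump to it.
 *   executable != 0 : page is remapped R+X first (no DEP for this process)
 *   executable == 0 : page stays R+W, i.e. plain data, as under DEP OptOut
 * Returns 42 if the stub ran, -1 if the CPU faulted on the fetch,
 * -2 if no stub exists for this architecture, -3 on mmap/mprotect failure. */
int run_stub(int executable) {
    if (!STUB_SUPPORTED) return -2;

    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    uint8_t *mem = mmap(NULL, page, PROT_READ | PROT_WRITE,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return -3;
    memcpy(mem, stub, sizeof stub);

    if (executable) {
        if (mprotect(mem, page, PROT_READ | PROT_EXEC) != 0) {
            munmap(mem, page);
            return -3;
        }
        /* Data just written must be visible to the instruction fetch path. */
        __builtin___clear_cache((char *)mem, (char *)mem + sizeof stub);
    }

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    int result;
    if (sigsetjmp(fault_env, 1) == 0) {
        int (*fn)(void);
        void *addr = mem;
        memcpy(&fn, &addr, sizeof fn);   /* object pointer -> code pointer */
        result = fn();                   /* EIP/RIP now points at our bytes */
    } else {
        result = -1;                     /* fetch from a data page faulted */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(mem, page);
    return result;
}

int main(void) {
    printf("R+X page (DEP off)     : %d\n", run_stub(1));
    printf("R+W page (DEP OptOut)  : %d\n", run_stub(0));
    return 0;
}
```

The second call is the interesting one: the bytes are identical, the pointer is valid, and the jump still ends in a fault because the page carries no execute permission. That is exactly why the saved pointer to bytecode that worked with DEP off stops working once the process is opted in, and it holds on SP0 and SP1 alike.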
Current thread:
- Vista SP1 Dave Aitel (Apr 24)
- Re: Vista SP1 Alexander Sotirov (Apr 24)
- Re: Vista SP1 Dave Aitel (Apr 25)
- Re: Vista SP1 Dave Aitel (Apr 25)
- Re: Vista SP1 Robert Hensing (EL CONQUISTADOR) (Apr 25)
- Re: Vista SP1 Kostya Kortchinsky (Apr 25)
- Re: Vista SP1 Alexander Sotirov (Apr 26)
- Re: Vista SP1 Dave Aitel (Apr 25)
- Re: Vista SP1 Alexander Sotirov (Apr 24)