Bugtraq mailing list archives

Re: Preventing exploitation with rebasing


From: Dave Aitel <dave () immunitysec com>
Date: Mon, 3 Feb 2003 22:18:42 -0500

If only there was some way to get the addresses that a remote RPC
program used for its variables, which would tell us what segments were
valid. Perhaps page 49 of "DCE/RPC over SMB" by Luke Kenneth Casson
Leighton (hi Luke!) will help us out. 

"Pointers.

The best way to think of the NDR representation of pointers is as tokens.
They "represent" pointers. There must be a monotonic (one-to-one)
mapping between the pointer that the token represents and the token
itself. Windows NT is primarily implemented on a 32-bit platform, the
x86 architecture and the NDR pointer-tokens are also 32-bit. Microsoft
therefore puts memory addresses (sometimes actual pointers to kernel
memory [note: or process memory from the stack or various other
segments]) over-the-wire which does the trick and is simple to
implement, but not very secure."

This is generally what I'm seeing with Windows 2000 SP3 here in my lab.
(I spent a while trying to track down what a particular field with the
Locator traffic was, but it turned out to be just a part of my stack.)
In practice, you would want to get the address of the data segment for
RPCRT4, I imagine, rather than the all-too-fickle stack. :>

Dave Aitel
Immunity, Inc.
http://www.immunitysec.com/CANVAS/ 

(P.S. There are many vulnerable interfaces in the locator service, it
turns out. One of them is available by default.)


On Mon, 3 Feb 2003 13:49:31 -0800 (PST)
Michal Zalewski <lcamtuf () coredump cx> wrote:

On Mon, 3 Feb 2003, David Litchfield wrote:

Use addresses such as 0x**000000 or 0x00**0000 for the new image
base. With there being a NULL in much of the image's address space
this will help. (This of course won't make a difference with unicode
overflows)

Just FYI, both techniques are somewhat old in the *nix world. NUL in
the address is, among others, implemented by the Openwall kernel patch
on Linux, and PaX randomizes stack and executable base mapping
addresses.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2003-02-03 13:45 --
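A way to quantify Litchfield's rebasing suggestion and the Unicode caveat, as an added example that is not part of the thread: it counts how many addresses of a rebased image contain a NUL byte, and how many have the shape of ASCII widened to UTF-16LE, and it goes slightly beyond the thread by showing that the two suggested base forms differ sharply once the image is larger than 64 KiB. The image size and the sample bases are assumed values.

```python
# Added example, not from the thread: measure how much of a rebased image's
# address range contains a NUL byte (the property Litchfield's 0x**000000 and
# 0x00**0000 bases rely on) and how much has the shape of ASCII widened to
# UTF-16LE, which is why a NUL in the address is no obstacle for Unicode overflows.
# Image size and the sample bases below are constructed values for illustration.

IMAGE_SIZE = 0x100000  # assumed 1 MiB image


def has_nul(addr: int) -> bool:
    """True if the 32-bit little-endian encoding of addr contains 0x00."""
    return 0 in addr.to_bytes(4, "little")


def widened_ascii(addr: int) -> bool:
    """True if addr has the shape of ASCII text widened to UTF-16LE:
    bytes 1 and 3 are 0x00, bytes 0 and 2 are non-zero."""
    b = addr.to_bytes(4, "little")
    return b[1] == 0 and b[3] == 0 and b[0] != 0 and b[2] != 0


def coverage(base: int, size: int = IMAGE_SIZE) -> tuple[float, float]:
    """Return (nul_fraction, widened_ascii_fraction) over [base, base+size).
    Counts per 256-byte run: the high three bytes are fixed inside a run,
    so only the low byte varies. base and size must be multiples of 256."""
    assert base % 256 == 0 and size % 256 == 0 and size > 0
    nul = widened = 0
    for hi in range(base >> 8, (base + size) >> 8):
        b1, b2, b3 = hi & 0xFF, (hi >> 8) & 0xFF, (hi >> 16) & 0xFF
        if 0 in (b1, b2, b3):
            nul += 256      # every address in this run carries a NUL byte
        else:
            nul += 1        # only the address whose low byte is 0x00
        if b1 == 0 and b3 == 0 and b2 != 0:
            widened += 255  # any non-zero low byte completes the pattern
    return nul / size, widened / size


if __name__ == "__main__":
    samples = {
        "0x**000000 form": 0x12000000,
        "0x00**0000 form": 0x00AB0000,
        "ordinary high base": 0x77E80000,
    }
    for label, base in samples.items():
        nul_frac, wide_frac = coverage(base)
        print(f"{label:18} base={base:#010x} "
              f"NUL in {nul_frac:6.1%} of addresses, "
              f"widened-ASCII shape in {wide_frac:6.2%}")
```

For a 1 MiB image the 0x00**0000 form puts a NUL in every address, while the 0x**000000 form covers only the first 64 KiB plus scattered addresses, so the two suggestions are not equivalent for large images.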
