Bugtraq mailing list archives
Re: Preventing exploitation with rebasing
From: Dave Aitel <dave () immunitysec com>
Date: Mon, 3 Feb 2003 22:18:42 -0500
If only there was some way to get the addresses that a remote RPC program used for its variables, which would tell us what segments were valid. Perhaps page 49 of "DCE/RPC over SMB" by Luke Kenneth Casson Leighton (hi Luke!) will help us out.

"Pointers. The best way to think of the NDR representation of pointers is as tokens. They "represent" pointers. There must be a monotonic (one-to-one) mapping between the pointer that the token represents and the token itself. Windows NT is primarily implemented on a 32-bit platform, the x86 architecture, and the NDR pointer-tokens are also 32-bit. Microsoft therefore puts memory addresses (sometimes actual pointers to kernel memory [note: or process memory from the stack or various other segments]) over-the-wire, which does the trick and is simple to implement, but not very secure."

This is generally what I'm seeing with Windows 2000 SP3 here in my lab. (I spent a while trying to track down what a particular field in the Locator traffic was, but it turned out to be just a part of my stack.)

In practice, you would want to get the address of the data segment for RPCRT4, I imagine, rather than the all-too-fickle stack. :>

Dave Aitel
Immunity, Inc.
http://www.immunitysec.com/CANVAS/

(P.S. There are many vulnerable interfaces in the locator service, it turns out. One of them is available by default.)

On Mon, 3 Feb 2003 13:49:31 -0800 (PST) Michal Zalewski <lcamtuf () coredump cx> wrote:
> On Mon, 3 Feb 2003, David Litchfield wrote:
>> Use addresses such as 0x**000000 or 0x00**0000 for the new image base. With there being a NULL in much of the image's address space this will help. (This of course won't make a difference with unicode overflows)
>
> Just FYI, both techniques are somewhat old in the *nix world. NUL in the address is, among others, implemented by the Openwall kernel patch on Linux, and PaX randomizes stack and executable base mapping addresses.
>
> --
> ------------------------- bash$ :(){ :|:&};: --
> Michal Zalewski * [http://lcamtuf.coredump.cx]
> Did you know that clones never use mirrors?
> --------------------------- 2003-02-03 13:45 --
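As an added example (not part of either post), the following quantifies David Litchfield's rebasing suggestion quoted above: for a given image base and size, what fraction of the image's addresses actually contain a NUL byte, and therefore survive poorly in a plain C string copy. The 0x6B2D0000 comparison base and the 1 MiB image size are constructed values.

```python
# Added example, not from the thread: measures how much of an image's
# address range carries a NUL byte under different rebase choices.

IMAGE_ALIGN = 0x10000  # PE images are mapped at 64 KiB granularity
# 16-bit values in which at least one of the two bytes is 0x00:
# 256 (low byte zero) + 256 (high byte zero) - 1 (both zero) = 511
LOW16_WITH_NUL = 0x10000 - 255 * 255


def has_nul_byte(addr: int) -> bool:
    """True if any byte of the 32-bit address is 0x00. Byte order is
    irrelevant: a zero byte stops a C string copy wherever it sits."""
    return any(((addr >> shift) & 0xFF) == 0 for shift in (0, 8, 16, 24))


def count_nul_addresses(base: int, size: int) -> int:
    """Count addresses in [base, base + size) that contain a NUL byte.

    Walks the range in 64 KiB pages: if the upper 16 bits already hold a
    zero byte, every address in that page qualifies; otherwise exactly 511
    of the 65536 lower halves do. Requires base and size 64 KiB aligned."""
    if base % IMAGE_ALIGN or size % IMAGE_ALIGN:
        raise ValueError("base and size must be 64 KiB aligned")
    total = 0
    for high in range(base >> 16, (base + size) >> 16):
        if (high & 0xFF) == 0 or (high >> 8) == 0:
            total += IMAGE_ALIGN
        else:
            total += LOW16_WITH_NUL
    return total


def nul_fraction(base: int, size: int) -> float:
    """Fraction of the image's addresses that contain a NUL byte."""
    return count_nul_addresses(base, size) / size


if __name__ == "__main__":
    SIZE = 0x100000  # assume a 1 MiB image (constructed)
    for label, base in (
        ("constructed base with no zero byte, 0x6B2D0000", 0x6B2D0000),
        ("0x**000000 style base, 0xAB000000", 0xAB000000),
        ("0x00**0000 style base, 0x00AB0000", 0x00AB0000),
    ):
        print(f"{label}: {nul_fraction(base, SIZE):.2%} of addresses contain a NUL byte")
```

The 0x00**0000 form covers the whole image as long as it stays below 0x01000000, while the 0x**000000 form only guarantees a NUL byte for the first 64 KiB of the image.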
Current thread:
- RE: Preventing exploitation with rebasing, (continued)
- RE: Preventing exploitation with rebasing Riley Hassell (Feb 05)
- Re: [VulnDiscuss] Preventing exploitation with rebasing Michal Zalewski (Feb 05)
- Re: Preventing exploitation with rebasing David Litchfield (Feb 05)
- Re: Preventing exploitation with rebasing Bugtraq User (Feb 05)
- Re: Preventing exploitation with rebasing D.C. van Moolenbroek (Feb 05)
- Re: Preventing exploitation with rebasing Michal Zalewski (Feb 05)
- Re: Preventing exploitation with rebasing Todd Sabin (Feb 05)
- Re: Preventing exploitation with rebasing Seth Breidbart (Feb 06)
- Re: Preventing exploitation with rebasing Richard Moore (Feb 06)
- Re: Preventing exploitation with rebasing Carolyn Meinel (Feb 07)
- Re: Preventing exploitation with rebasing Dave Aitel (Feb 05)
- Preventing exploitation with rebasing Fred Cohen (Feb 06)
- RE: Preventing exploitation with rebasing Jason Coombs (Feb 07)
- RE: Preventing exploitation with rebasing Ilya Dubinsky (Feb 07)