Dailydave mailing list archives

My pre-Vegas question to Yuji, et al.


From: dave <dave () immunitysec com>
Date: Mon, 26 Jul 2004 18:27:30 -0400

BlackHat talk:
"Payloads intended to execute attacker-provided code typically require a static address of code already existing in the vulnerable process's address space, in order to redirect execution back into code accompanying the payload. Historically, exploit authors have resorted to finding the addresses of byte sequences that perform a call or jump to the address loaded in a register at the moment when execution can be hijacked. These "return addresses" are typically infrequent in an address space and may vary with the version of the program being attacked, making the discovery of version-independent or character-restricted addresses extremely rare. With the "EEREAP" (eEye Emulating Return Address Purveyor) project, we aim to revolutionize the practice of return address discovery by employing machine code emulation and exceptionally more finely-grained context awareness in order to exhaustively locate the addresses in an address space that are suitable to redirect execution into payload data. In this presentation, we will discuss how EEREAP works, how to use it as a tool for exploit coding, and what can be accomplished with this new generation of return address enumeration technology."

So, my question is this.
1. What's the actual gain over standard address correlation methods? Immunity's doing fairly well with just that...done properly, it's pretty exhaustive since valid return addresses are sparse.

2. Why bother emulating? Why not use the CPU instead of emulating a CPU? Reverting state is fairly easy, especially the state you really need to revert...

-dave
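The abstract and Dave's first question both turn on how sparse "jmp reg" / "call reg" return addresses are in a process image, and on how version- and character-dependent they end up being. The following is an added illustration, not code from the thread, from eEye or from Immunity: a small scanner that enumerates those byte sequences in a constructed x86 byte buffer, intersects the hits across two constructed "versions" of the same image, and then applies a constructed byte restriction. The register table, the two image layouts, the base address 0x7C801000 and the restricted byte set are all assumptions chosen for the example; the point it makes is the defensive one, namely that a handful of fixed addresses is all an unrandomized, unchanged image offers, and that a rebuild (or ASLR) removes most of them.

```python
"""Enumerate fixed 'return into register' addresses in an x86 image (added example)."""

# x86 general-purpose register order used by the ModRM / opcode+reg encodings.
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def find_register_redirects(image: bytes, base: int = 0):
    """Return (address, mnemonic) for every 'jmp reg', 'call reg' and
    'push reg; ret' byte sequence found at any offset of `image`.
    Encodings scanned: FF E0+r (jmp reg), FF D0+r (call reg), 50+r C3 (push reg; ret)."""
    hits = []
    for i in range(len(image) - 1):
        b, nxt = image[i], image[i + 1]
        if b == 0xFF and 0xE0 <= nxt <= 0xE7:
            hits.append((base + i, f"jmp {REGS[nxt - 0xE0]}"))
        elif b == 0xFF and 0xD0 <= nxt <= 0xD7:
            hits.append((base + i, f"call {REGS[nxt - 0xD0]}"))
        elif 0x50 <= b <= 0x57 and nxt == 0xC3:
            hits.append((base + i, f"push {REGS[b - 0x50]}; ret"))
    return hits


def version_independent(image_a: bytes, image_b: bytes, base: int = 0):
    """Addresses whose hit is identical in both images, i.e. the only ones an
    exploit could hard-code across the two builds."""
    return set(find_register_redirects(image_a, base)) & set(find_register_redirects(image_b, base))


def usable_under_restrictions(hits, bad_bytes):
    """Keep only addresses whose little-endian byte form avoids `bad_bytes`
    (the 'character-restricted' case the abstract mentions)."""
    keep = []
    for addr, mnem in sorted(hits):
        if not any(byte in bad_bytes for byte in addr.to_bytes(4, "little")):
            keep.append((addr, mnem))
    return keep


# Constructed filler: 256 bytes drawn only from 0x00..0x3F, so it can never
# contain 0xFF, 0x50..0x57 or 0xC3 and cannot produce accidental hits.
FILLER = bytes(range(0x40)) * 4

# Constructed "version 1": three redirect sequences at offsets 64, 130 and 196.
IMAGE_V1 = (FILLER[:64] + b"\xff\xe4"      # jmp esp        at +64
            + FILLER[64:128] + b"\x54\xc3" # push esp; ret  at +130
            + FILLER[128:192] + b"\xff\xd0" # call eax      at +196
            + FILLER[192:])

# Constructed "version 2": a rebuild that shifts the middle sequence by three
# bytes (to +133) but leaves the first and last in place.
IMAGE_V2 = (FILLER[:64] + b"\xff\xe4"
            + FILLER[64:131] + b"\x54\xc3"
            + FILLER[131:192] + b"\xff\xd0"
            + FILLER[192:])

BASE = 0x7C801000  # assumed load address for the example image


def demo():
    """Run the three steps over the constructed images and return the results."""
    per_version = find_register_redirects(IMAGE_V1, BASE)
    stable = version_independent(IMAGE_V1, IMAGE_V2, BASE)
    restricted = usable_under_restrictions(stable, bad_bytes={0x00, 0x40})
    return per_version, stable, restricted


if __name__ == "__main__":
    hits, stable, restricted = demo()
    print(f"{len(hits)} redirect addresses in {len(IMAGE_V1)} bytes of image v1:")
    for addr, mnem in hits:
        print(f"  {addr:#010x}  {mnem}")
    print(f"{len(stable)} survive the rebuild, {len(restricted)} also pass the byte restriction")
```

Run stand-alone it prints three hits in a 262-byte image, two of which survive the simulated rebuild and one of which also passes the byte restriction; on a real image the ratio is the thing to watch, since each step above is a different way a fixed return address stops being fixed.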

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
