tombkeeper's blog
Dave Aitel:“ASLR+DEP = no problem”  

2010-02-04 10:21:28 | Category: 技术探索 researc

From: dave <dave () immunityinc com>
Date: Wed, 03 Feb 2010 11:52:34 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Not so long ago, ASLR and DEP were gaining wide acceptance. Execshield was on almost all Linux systems, and the "golden age" of buffer overflow exploitation looked like it was coming to a close.

It is true that the code is getting better, and the mitigating protective mechanisms in Windows and Linux are getting better. But like in a ceramic, the physical properties of a system are defined by the interfaces between components, not the crystals themselves.

Today, Immunity released a working version of the Aurora exploit for Windows 7 and IE8 to CANVAS Early Updates. It does this by playing some very odd tricks with Flash's JIT compiler. This technique is extensible to almost all similar vulnerabilities. In other words, ASLR and DEP are no longer the shield they once were.

I believe Dionysus Blazakis is going to release some details on a similar technique at BlackHat DC today. If you miss the rest of the talks, I'd recommend popping into that one. :>

Thanks,
Dave Aitel
Immunity, Inc.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAktpqdIACgkQtehAhL0gheotCACfXVRvzHVKxVYWWYQigY7fKPi9
aL0AnjmW40zWTjtwitHJO3Fcv1z9F9QI
=l0KE
-----END PGP SIGNATURE-----



Just yesterday I was telling Sowhat that within this year you would see someone release a technique that defeats ASLR+DEP. I did not expect it to come true today.

Dave Aitel mentions that it leans on Flash's JIT compiler, so my guess is that it works like this:

Any JIT technique has to generate machine code while translating instructions; that machine code has to live in some block of memory; and that block of memory must necessarily be executable.

So, exploiting this, one can construct a Flash file that makes the JIT translation produce a large amount of code data. In practice this is very similar to a Heap Spray, except that the memory produced this way carries the executable attribute.
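The form this idea took in practice, known as JIT spraying, is to feed the JIT a long chain of XOR-ed constants whose bytes are chosen by the attacker: entered at its normal entry point the emitted code is harmless arithmetic, but entered one byte in it is the attacker's instruction stream. The C program below is an added example, not code from this post, from Immunity's CANVAS or from Flash; it models the JIT's output as a plain `mov eax, imm32` followed by `xor eax, imm32` instructions (an assumption about the code shape, since a real JIT adds prologue and epilogue code around it), packs three-byte fragments into `0x3C`-high-byte constants, and verifies that decoding from offset 1 recovers the fragments. The fragments are constructed, arbitrary x86 instructions, not a working shellcode.

```c
/* Added example: emulate a JIT spray XOR chain and check the off-by-one decoding.
 * Not code from the post, Immunity or Flash; the emitted-code shape is an assumption. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define OP_MOV_EAX_IMM32 0xB8  /* mov eax, imm32  (5 bytes) */
#define OP_XOR_EAX_IMM32 0x35  /* xor eax, imm32  (5 bytes) */
#define OP_CMP_AL_IMM8   0x3C  /* cmp al, imm8    (2 bytes): swallows the following 0x35 */
#define OP_NOP           0x90

/* One attacker-chosen x86 instruction of at most 3 bytes. Every fragment must be a
 * complete instruction, because "cmp al, 0x35" is interleaved between fragments. */
typedef struct { uint8_t bytes[3]; size_t len; } fragment_t;

/* Constructed sample fragments: arbitrary short x86 instructions, NOT a working shellcode. */
static const fragment_t sample_fragments[] = {
    { {0x54, 0x00, 0x00}, 1 },  /* push esp */
    { {0x58, 0x00, 0x00}, 1 },  /* pop eax */
    { {0x6A, 0xF4, 0x00}, 2 },  /* push -12 */
    { {0x59, 0x00, 0x00}, 1 },  /* pop ecx */
    { {0x31, 0xD2, 0x00}, 2 },  /* xor edx, edx */
};
#define SAMPLE_COUNT (sizeof sample_fragments / sizeof sample_fragments[0])

/* Turn a fragment into the 32-bit constant the script expression would contain:
 * little-endian payload bytes, NOP-padded to 3, high byte 0x3C (cmp al, imm8). */
uint32_t pack_constant(const fragment_t *f) {
    uint8_t b[3] = { OP_NOP, OP_NOP, OP_NOP };
    memcpy(b, f->bytes, f->len);
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) | ((uint32_t)b[2] << 16)
         | ((uint32_t)OP_CMP_AL_IMM8 << 24);
}

/* Idealised model of what a JIT emits for "c0 ^ c1 ^ c2 ^ ...":
 *   mov eax, c0 ; xor eax, c1 ; xor eax, c2 ; ...
 * Returns the number of bytes written, or 0 if the buffer is too small. */
size_t emit_xor_chain(const uint32_t *consts, size_t n, uint8_t *out, size_t cap) {
    size_t pos = 0;
    for (size_t i = 0; i < n; i++) {
        if (pos + 5 > cap) return 0;
        out[pos++] = (i == 0) ? OP_MOV_EAX_IMM32 : OP_XOR_EAX_IMM32;
        for (int k = 0; k < 4; k++) out[pos++] = (uint8_t)(consts[i] >> (8 * k));
    }
    return pos;
}

/* Decode the emitted code the way the CPU would if control lands at offset 1:
 * 3 payload bytes, then "3C 35" = cmp al, 0x35 (which eats the XOR opcode), repeat.
 * Copies the payload stream to 'payload'; returns 0 if the code is not shaped as expected. */
size_t decode_from_offset_one(const uint8_t *code, size_t len, uint8_t *payload, size_t cap) {
    size_t pos = 1, n = 0;
    while (pos + 3 <= len) {
        if (n + 3 > cap) return 0;
        memcpy(payload + n, code + pos, 3);
        n += 3; pos += 3;
        if (pos + 2 > len) break;                 /* trailing 0x3C of the last constant */
        if (code[pos] != OP_CMP_AL_IMM8 || code[pos + 1] != OP_XOR_EAX_IMM32) return 0;
        pos += 2;                                 /* cmp al, 0x35: executed, flow unaffected */
    }
    return n;
}

/* Build the spray block from the sample fragments and check that entering at
 * offset 1 yields exactly the NOP-padded fragments, in order. Returns 1 on success. */
int jit_spray_roundtrip(void) {
    uint32_t consts[SAMPLE_COUNT];
    uint8_t expected[3 * SAMPLE_COUNT], code[5 * SAMPLE_COUNT], got[3 * SAMPLE_COUNT];
    for (size_t i = 0; i < SAMPLE_COUNT; i++) {
        consts[i] = pack_constant(&sample_fragments[i]);
        memset(expected + 3 * i, OP_NOP, 3);
        memcpy(expected + 3 * i, sample_fragments[i].bytes, sample_fragments[i].len);
    }
    size_t code_len = emit_xor_chain(consts, SAMPLE_COUNT, code, sizeof code);
    if (code_len != sizeof code) return 0;
    /* Entered at offset 0 this is harmless arithmetic on eax;
     * entered at offset 1 it is the attacker's instruction stream. */
    size_t n = decode_from_offset_one(code, code_len, got, sizeof got);
    return n == sizeof expected && memcmp(got, expected, n) == 0;
}

int main(void) {
    printf("push -12 packs to constant 0x%08X\n", pack_constant(&sample_fragments[2]));
    printf("roundtrip %s\n", jit_spray_roundtrip() ? "ok" : "FAILED");
    return jit_spray_roundtrip() ? 0 : 1;
}
```

The reason the high byte is `0x3C` is the whole trick: `cmp al, imm8` is a two-byte instruction, so when the CPU reaches it at the end of each constant it consumes the next `0x35` (the `xor eax` opcode) as its immediate and lands on the first byte of the next constant. Spraying means emitting thousands of such blocks so that, under ASLR, a guessed address inside the JIT region is likely to hit one of them, and because the JIT region is executable, DEP does not object.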

"The iron armour is still there", and the red flag is still flying.