Problem

us-16-Weston-Windows-10-Mitigation-Improvements

ePAPER READ

DOWNLOAD ePAPER

hosselot

You also want an ePaper? Increase the reach of your titles

YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.

START NOW

CVE-2003-0344

Trigger stack buffer overrun

Overwrite return address with

predictable address of a “JMP ESP”

Execute shellcode from the stack

Arbitrary native code execution

The Info leak era of

software exploitation

Place array length at a predictable

location (via heap spray/massage)

Modify array length via memory

corruption, enabling arbitrary read/write

Use arbitrary read/write to discover DLL

base address

Construct ROP payload by searching for

code sequences in the DLL

Corrupt C++ virtual table pointer and

trigger virtual method call to first gadget

Execute ROP payload (typically to make

shellcode executable)

Execute arbitrary native code

Escape the sandbox (or operate inside it)

2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016

Windows 10 x64 Edge Browser 0day and exploit

A JOURNEY FROM JNDI/LDAP MANIPULATION TO REMOTE CODE EXECUTION DREAM LAND

ANALYSIS OF THE ATTACK SURFACE OF WINDOWS 10 VIRTUALIZATION-BASED SECURITY

CVE-2003-0344 Trigger stack buffer overrun Overwrite return address with predictable address of a “JMP ESP” Execute shellcode from the stack Arbitrary native code execution The Info leak era of software exploitation Place array length at a predictable location (via heap spray/massage) Modify array length via memory corruption, enabling arbitrary read/write Use arbitrary read/write to discover DLL base address Construct ROP payload by searching for code sequences in the DLL Corrupt C++ virtual table pointer and trigger virtual method call to first gadget Execute ROP payload (typically to make shellcode executable) Execute arbitrary native code Escape the sandbox (or operate inside it) 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016

Page 3 and 4: • S Problem: Preventative Securit
Page 5 and 6: Internal Data Sources External Data
Page 7 and 8: Percentage of Use Analysis: 90 80 7
Page 9 and 10: Assume Breach Prevent Breach Threat
Page 11 and 12: REDTEAM: Model real-world attacks
Page 15: Internet Explorer, Edge, & Chakra S
Page 18 and 19: 1. Allocate object p = new COptionE
Page 20: No legacy document modes No legacy
Page 25 and 26: Corrupt a C++ virtual table pointer
Page 27 and 28: Execute arbitrary native code Only
Page 30 and 31: Windows Hyper Guard • Prevents m
Page 32: Mitigation How to opt-in Control Fl
Page 36: Rapidly Respond • Mobilize engine
Page 39: The number of Microsoft vulnerabili

Problem

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?