Problem

More documents

Recommendations

Info

Place array length at a predictable location (via heap spray/massage) var memory = new Array(); function sprayHeap(shellcode, heapSprayAddr, heapBlockSize) { var index; var heapSprayAddr_hi = (heapSprayAddr >> 16).toString(16); var heapSprayAddr_lo = (heapSprayAddr & 0xffff).toString(16); while (heapSprayAddr_hi.length < 4) { heapSprayAddr_hi = "0" + heapSprayAddr_hi; } while (heapSprayAddr_lo.length < 4) { heapSprayAddr_lo = "0" + heapSprayAddr_lo; } var retSlide = unescape("%u" + heapSprayAddr_hi + "%u" + heapSprayAddr_lo); while (retSlide.length < heapBlockSize) { retSlide += retSlide; } retSlide = retSlide.substring(0, heapBlockSize - shellcode.length); } var heapBlockCnt = (heapSprayAddr - heapBlockSize) / heapBlockSize; for (index = 0; index < heapBlockCnt; index++) { memory[index] = retSlide + shellcode; } [1] https://github.com/rapid7/metasploit-framework/blob/master/data/js/memory/heap_spray.js Tactic Applies to First shipped Breaking exploitation techniques Edge on Windows 10 July, 2015 (Windows 10 RTM)
Corrupt a C++ virtual table pointer and trigger virtual method call to first gadget Compile time Runtime void Foo(...) { // SomeFunc is address-taken // and may be called indirectly Object->FuncPtr = SomeFunc; } Metadata is automatically added to the image which identifies functions that may be called indirectly void Bar(...) { // Compiler-inserted check to // verify call target is valid _guard_check_icall(Object->FuncPtr); Object->FuncPtr(xyz); } A lightweight check is inserted prior to indirect calls which will verify that the call target is valid at runtime Image Load Process Start Indirect Call •Update valid call target data with metadata from PE image •Map valid call target data •Perform O(1) validity check •Terminate process if invalid target Tactic Applies to First shipped Breaking exploitation techniques Edge on Windows 10 and IE11 on Windows 8.1+ November, 2014 (Windows 8.1 Update 3)
Page 3 and 4: • S Problem: Preventative Securit
Page 5 and 6: Internal Data Sources External Data
Page 7 and 8: Percentage of Use Analysis: 90 80 7
Page 9 and 10: Assume Breach Prevent Breach Threat
Page 11 and 12: REDTEAM: Model real-world attacks
Page 15: Internet Explorer, Edge, & Chakra S
Page 18 and 19: 1. Allocate object p = new COptionE
Page 20: No legacy document modes No legacy
Page 26 and 27: Return addresses are not protected
Page 28: Execute arbitrary native code Code
Page 31 and 32: Non-paged pool System Page tables c
Page 34: Win32 Process Store App AppContaine
Page 38 and 39: Legend 2/4/2014 CVE-2014-0497 Explo

Problem

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?