[Dailydave] The sky's downward trajectory

don bailey don.bailey at gmail.com
Wed Feb 21 12:46:07 EST 2007


> If your goal is to find a specific instruction in memory to use a trampoline to
> your shellcode, the number of possible memory states of the entire address space
> doesn't matter. You know that the instruction you want is at offset foo.dll+x,
> and there are only 2^8 possible places where the dll can be loaded.
>
> The number of tries required to brute force the ASLR in this case is 2^8. If you
> have two DLLs that have a trampoline instruction at the same offset, the number
> goes down to 2^7, and so on.
>
And the best part is, if you can coerce your return address into one or more registers, you have a decent chance of landing at an address in the text segment (randomized or not) that may bounce you to your shellcode.

See how often you find the pattern 0xFF in the average library. 0xFF, 0xRR where RR is an x86 register (in opcode speak) is pretty prevalent. So while an attacker is trying to brute force a trampoline address, they may end up just hitting another pattern in the text segment that can bounce them "home", anyway.

For example:

(gdb) disassemble main
Dump of assembler code for function main:
...
0x080484ab <main+31>:   call   *%eax
...
End of assembler dump.

(gdb) x/1x main+31
0x80484ab <main+31>:    0xc3c9d0ff
(gdb)

Don Bailey
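The post's gdb word 0xc3c9d0ff is the little-endian image of the bytes ff d0 c9 c3 (call *%eax; leave; ret). The following is an added example, not code from the post or its author: it decodes the 0xFF /2 and 0xFF /4 register-indirect call/jmp encodings and counts how often they occur at any byte offset in a code buffer, which is a way of measuring how much of a library's text would absorb a mis-aimed return address. The sample buffer is constructed for illustration.

```python
import struct

# 32-bit x86 register names indexed by the 3-bit r/m field of a ModRM byte.
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode_indirect_branch(b0, b1):
    """Return 'call *%reg' or 'jmp *%reg' if the two bytes encode a
    register-indirect branch: opcode 0xFF followed by a ModRM byte with
    mod=11 (register operand) and extension /2 (call) or /4 (jmp).
    Otherwise return None."""
    if b0 != 0xFF or (b1 >> 6) != 0b11:
        return None
    ext, rm = (b1 >> 3) & 7, b1 & 7
    if ext == 2:
        return f"call *%{REGS[rm]}"
    if ext == 4:
        return f"jmp *%{REGS[rm]}"
    return None


def find_register_trampolines(text):
    """Scan raw code bytes at every byte offset, not just instruction
    boundaries, since a CPU that lands mid-instruction will decode from
    wherever it arrives. Returns [(offset, mnemonic), ...]."""
    hits = []
    for i in range(len(text) - 1):
        m = decode_indirect_branch(text[i], text[i + 1])
        if m:
            hits.append((i, m))
    return hits


def gdb_word_to_bytes(word):
    """gdb's x/1x prints a 32-bit little-endian word; recover the bytes
    in memory order so they can be decoded."""
    return struct.pack("<I", word)


def trampoline_density(text):
    """Fraction of byte offsets that start a register-indirect call/jmp."""
    return len(find_register_trampolines(text)) / len(text) if text else 0.0


# Constructed sample: push %ebp; mov %esp,%ebp; call *%eax; leave; ret;
# jmp *%esp; nop; call *0x0 (memory-indirect, mod=00, so not a hit).
SAMPLE_TEXT = bytes.fromhex("5589e5ffd0c9c3ffe490ff1500000000")

if __name__ == "__main__":
    print(find_register_trampolines(gdb_word_to_bytes(0xC3C9D0FF)))
    print(find_register_trampolines(SAMPLE_TEXT), trampoline_density(SAMPLE_TEXT))
```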
