[Dailydave] Usenix w00t (ddz)
Dave Aitel
dave at immunityinc.com
Mon Oct 1 11:38:52 EDT 2007
I was checking out Dino's Usenix paper a couple days ago, and a few
questions stuck in my head.
http://www.usenix.org/events/woot07/tech/full_papers/daizovi/daizovi_html/
1. It'd be good to see the code for this and get some description of how
the functions were compiled. Would it have been smaller to use built-in
cryptographic libraries from the host OS? It'd be good to compare.
[Table from the paper, as extracted: per-function x86 code size, with most rows elided]

    Function  | x86 machine...
    ...       | ...
    s_fp_sub  | 336
    Total     | 1283
Maybe Dino will BSD-license it and we can throw it into CANVAS to see. :>
2. "For example, the exploit may have corrupted the heap metadata and
subsequent heap operations may cause the process to crash. In these
cases, the Stage 2 payload has to repair the heap before attempting to
execute more complex operations that require explicit or implicit heap
allocation. Under Windows XP and later Windows operating systems, the
default heap can be quickly switched to the low-fragmentation heap using
HeapSetInformation(), thus abandoning the use of a potentially corrupted
standard default heap."
I'd have to defer to Nico/Sinan/Kostya on this one, but I'm not sure
that technique would avoid the problem of a block of memory being freed
from the corrupted heap. In addition I think stage 1 would most likely
have already crashed during the Connect() and Send() operations.
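As an added illustration of the heap point above (this is not code from the paper, from Dino, or from CANVAS; it is a constructed toy allocator that stands in for the real Windows heap, and the names arena_set_policy, arena_alloc, arena_free, roundtrip and scenario are mine): chunk headers live inline next to user data, so stage 1 overflowing one buffer trashes the next chunk's header. Flipping the allocation policy afterwards (the HeapSetInformation() stand-in) rewrites no existing header, so the next free of a neighbouring block, or even the next allocation that walks past it, still hits the corrupted metadata. A freshly created heap is the only operation that still works.

```c
#include <stdint.h>
#include <string.h>
/* Constructed toy heap (added illustration; not the Windows heap, not code from
 * the paper): headers sit inline in front of user data, chunks are linked in
 * address order, so a stage-1 overflow past one buffer lands in the next
 * chunk's header, which every later alloc/free on that heap must read. */
#define ARENA_SIZE 1024u
#define HDR ((uint32_t)sizeof(struct chunk))
struct chunk {
    uint32_t size;       /* user bytes after this header, multiple of 16 */
    uint32_t used;       /* 1 = allocated, 0 = free */
    struct chunk *next;  /* next chunk in address order, NULL at the end */
};

struct arena {
    _Alignas(16) unsigned char mem[ARENA_SIZE];
    int lfh;             /* policy flag standing in for the LFH switch */
};

/* Header sanity check; a real heap just dereferences whatever it finds. */
static int chunk_ok(const struct arena *a, const struct chunk *c)
{
    uintptr_t lo = (uintptr_t)a->mem, hi = lo + ARENA_SIZE, p = (uintptr_t)c;
    if (p < lo || p + HDR > hi || c->used > 1 || c->size > hi - p - HDR) return 0;
    return c->next == NULL || (uintptr_t)c->next == p + HDR + c->size;
}

void arena_init(struct arena *a)
{
    struct chunk *c = (struct chunk *)a->mem;
    *c = (struct chunk){ ARENA_SIZE - HDR, 0, NULL };   /* one big free chunk */
    a->lfh = 0;
}

/* Stands in for HeapSetInformation(HeapCompatibilityInformation): changes how
 * future requests are served and rewrites no existing header. */
void arena_set_policy(struct arena *a, int lfh) { a->lfh = lfh; }

/* First-fit over the chunk list, splitting large free chunks. NULL on a corrupt
 * header (where a real heap would crash) or when nothing fits. */
void *arena_alloc(struct arena *a, uint32_t n)
{
    n = (n + 15u) & ~15u;
    for (struct chunk *c = (struct chunk *)a->mem; c; c = c->next) {
        if (!chunk_ok(a, c)) return NULL;
        if (c->used || c->size < n) continue;
        if (c->size >= n + HDR + 16u) {                 /* split the remainder */
            struct chunk *rest = (struct chunk *)((unsigned char *)c + HDR + n);
            rest->size = c->size - n - HDR;
            rest->used = 0;
            rest->next = c->next;
            c->size = n;
            c->next = rest;
        }
        c->used = 1;
        return (unsigned char *)c + HDR;
    }
    return NULL;
}

/* Free with forward coalescing: reads this header and the successor's, so
 * corruption in either is fatal. Returns -1 where a real heap would crash. */
int arena_free(struct arena *a, void *p)
{
    struct chunk *c = (struct chunk *)((unsigned char *)p - HDR);
    if (!chunk_ok(a, c) || !c->used) return -1;
    if (c->next && !chunk_ok(a, c->next)) return -1;
    c->used = 0;
    if (c->next && !c->next->used) {
        c->size += HDR + c->next->size;
        c->next = c->next->next;
    }
    return 0;
}

/* Clean-heap round trip: allocate, free, reuse the coalesced space. Returns 1. */
int roundtrip(void)
{
    static struct arena h;
    arena_init(&h);
    void *p = arena_alloc(&h, 100);
    if (!p || arena_free(&h, p) != 0) return 0;
    return arena_alloc(&h, 1000) != NULL;
}

/* The thread's situation. Bit 0: freeing the chunk next to the overflowed
 * buffer worked; bit 1: allocating from the old heap after the "LFH switch"
 * worked; bit 2: allocating from a freshly created heap worked. Returns 4. */
int scenario(void)
{
    static struct arena old_heap, new_heap;
    int ok = 0;
    arena_init(&old_heap);
    unsigned char *buf = arena_alloc(&old_heap, 64);
    void *victim = arena_alloc(&old_heap, 64);
    memset(buf, 0x41, 64 + HDR);          /* stage-1 overflow into victim's header */
    arena_set_policy(&old_heap, 1);       /* policy flips; the header stays trashed */
    if (arena_free(&old_heap, victim) == 0) ok |= 1;
    if (arena_alloc(&old_heap, 32) != NULL) ok |= 2;
    arena_init(&new_heap);                /* HeapCreate-style fresh heap instead */
    if (arena_alloc(&new_heap, 32) != NULL) ok |= 4;
    return ok;
}
```

The toy allocator returns an error where the real one would fault, which is the only reason scenario() returns at all. The practical reading is the one in the message above: a stage 2 that wants to survive has to allocate from a heap stage 1 never touched and must never free anything stage 1 got from the old one, and none of that helps if the Connect()/Send() in stage 1 already tripped over the damage.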