[Dailydave] Vista SP1
Alexander Sotirov
alex at sotirov.net
Sat Apr 26 15:18:25 EDT 2008
On Fri, Apr 25, 2008 at 03:26:50PM -0400, Kostya Kortchinsky wrote:
> Switching to DEP OptOut prevented the exploitation.
>
> By carefully following Mark's steps, when restoring EIP from the saved
> pointer to your bytecode, you end up with an access violation on executing
> your marker byte (which at this point is followed by the call backwards)
> since it's not in an executable page.
>
> And bytecode is data, not actual x86 instructions to be executed.
I was confused because Dave was talking about something that changed in SP1, but
it looks like there's no difference in the exploitation on SP0 and SP1. In the
default configuration on both systems IE does not have DEP. If you switch to
OptOut DEP on both SP0 and SP1, the exploit won't work because it tries to
execute data.
Alex
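The exchange above turns on which system-wide DEP policy a machine is running (OptIn by default, where IE is not covered, versus OptOut, where every process gets DEP unless explicitly excluded). As an added example, not part of the original list thread, the following PowerShell script reads the policy through WMI and reports whether a given process would be covered; it assumes only the standard Win32_OperatingSystem class and the documented bcdedit `nx` switch.

```powershell
# Added example: inspect the system-wide DEP policy on Windows (Vista and later).
# Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy encodes the boot
# setting that bcdedit exposes as "nx": 0 = AlwaysOff, 1 = AlwaysOn,
# 2 = OptIn (default; only Windows system binaries are covered),
# 3 = OptOut (every process is covered unless explicitly excluded).

function Get-DepPolicy {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    [pscustomobject]@{
        HardwareDepAvailable = [bool]$os.DataExecutionPrevention_Available
        PolicyCode           = [int]$os.DataExecutionPrevention_SupportPolicy
        PolicyName           = $names[[int]$os.DataExecutionPrevention_SupportPolicy]
    }
}

# Given the policy, say whether a non-system process (e.g. iexplore.exe in the
# thread above) gets DEP without opting in itself. Under OptIn the answer is
# "no", which is why the exploit discussed above runs on a default install.
function Test-ProcessCoveredByDep {
    param(
        [Parameter(Mandatory)][int]$PolicyCode,
        [switch]$IsSystemBinary
    )
    switch ($PolicyCode) {
        0 { return $false }                 # AlwaysOff: nothing is protected
        1 { return $true }                  # AlwaysOn: everything is protected
        2 { return [bool]$IsSystemBinary }  # OptIn: only OS binaries
        3 { return $true }                  # OptOut: all unless excluded
        default { throw "Unknown DEP policy code $PolicyCode" }
    }
}

$policy = Get-DepPolicy
$policy | Format-List

$ieCovered = Test-ProcessCoveredByDep -PolicyCode $policy.PolicyCode
Write-Host "A non-system process such as IE is covered by DEP: $ieCovered"

if ($policy.PolicyCode -eq 2) {
    # Switching to OptOut is a boot-configuration change and needs an elevated
    # shell plus a reboot; shown here as the remediation, not executed by default.
    Write-Host 'To move the whole system to OptOut run (elevated): bcdedit /set nx OptOut'
}
```

`Test-ProcessCoveredByDep` does not model per-process exclusions or the newer SetProcessDEPPolicy/IMAGE_DLLCHARACTERISTICS_NX_COMPAT opt-ins; it answers the question the thread raises, namely whether the boot policy alone puts a default-configured IE under DEP. On an OptIn system the answer is no, and on an OptOut system the data page holding the bytecode is non-executable, which matches the access violation Kostya describes.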