You make no mention of exploit mitigations like EMET or Windows Defender Exploit Guard. If your exploit requires that a "controlled address were jumped to", then even just mandatory ASLR (provided by both EMET and WDAG) would stop the exploit, no?
Replying to @wdormann
I was thinking the same thing :) Looking for a sample to test against Exploit Guard, but Mandatory ASLR should be effective here, No Child Process too.
No, ASLR only works if the binary was compiled with relocations. See the section ASLR->Weaknesses in my old report http://0xdabbad00.com/wp-content/uploads/2013/11/emet_4_1_uncovered.pdf
Replying to @0xdabbad00 @wdormann
That was EMET... Exploit Guard on Win 10 Fall Creators Update has you covered. OS will force rebase EXE and DLL dependencies when Mandatory ASLR is enabled (& you need to enable bottom-up ASLR) pic.twitter.com/OnPk7PQixN
If you're talking about application-specific mitigations, then either EMET or Exploit Guard ASLR would appear to stop the exploit. It's the system-wide ASLR setting that doesn't seem to randomize properly (with either EMET or Exploit Guard). pic.twitter.com/lHYQ2iPtJE
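The thread turns on two things a practitioner would want to check before trusting Mandatory ASLR: whether the image actually carries relocation data (the point raised about EMET), and whether the mitigation is applied per application with bottom-up randomization rather than only system-wide. The PowerShell below is an added example, not code from any participant in the thread or from Microsoft: it parses the PE headers to report DYNAMICBASE, the relocations-stripped flag and the base-relocation directory, then shows the per-application Exploit Guard settings the thread refers to. The path `C:\Program Files\Vendor\app.exe` is a hypothetical placeholder; the `*-ProcessMitigation` cmdlets assume Windows 10 1709 (Fall Creators Update) or later.

```powershell
# Added example (not from the thread). Reports whether a PE image can be
# force-rebased and shows the per-app Exploit Guard mitigations discussed above.

function Get-AslrInfo {
    param([Parameter(Mandatory)][string]$Path)

    $b = [System.IO.File]::ReadAllBytes($Path)
    if ([BitConverter]::ToUInt16($b, 0) -ne 0x5A4D) { throw "$Path is not an MZ image" }
    $pe = [BitConverter]::ToInt32($b, 0x3C)                      # IMAGE_DOS_HEADER.e_lfanew
    if ([BitConverter]::ToUInt32($b, $pe) -ne 0x00004550) { throw "$Path has no PE signature" }

    $coff  = $pe + 4                                             # IMAGE_FILE_HEADER
    $chars = [BitConverter]::ToUInt16($b, $coff + 18)            # .Characteristics
    $opt   = $coff + 20                                          # IMAGE_OPTIONAL_HEADER
    $magic = [BitConverter]::ToUInt16($b, $opt)                  # 0x10B = PE32, 0x20B = PE32+
    $dllChars = [BitConverter]::ToUInt16($b, $opt + 70)          # .DllCharacteristics (same offset in both)

    # Data directories start at +96 (PE32) or +112 (PE32+); entry 5 is BASERELOC, 8 bytes each.
    $dirBase      = if ($magic -eq 0x20B) { $opt + 112 } else { $opt + 96 }
    $relocDirSize = [BitConverter]::ToUInt32($b, $dirBase + (5 * 8) + 4)

    [pscustomobject]@{
        Path           = $Path
        Is64Bit        = ($magic -eq 0x20B)
        DynamicBase    = [bool]($dllChars -band 0x0040)          # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
        HighEntropyVA  = [bool]($dllChars -band 0x0020)          # IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
        RelocsStripped = [bool]($chars -band 0x0001)             # IMAGE_FILE_RELOCS_STRIPPED
        HasRelocDir    = ($relocDirSize -gt 0)
    }
}

# Hypothetical target; substitute the executable you are assessing.
$exe  = 'C:\Program Files\Vendor\app.exe'
$info = Get-AslrInfo -Path $exe
$info | Format-List

if ($info.RelocsStripped -or -not $info.HasRelocDir) {
    # Nothing to rebase with: neither EMET nor Exploit Guard can randomize this image.
    Write-Warning "$exe carries no relocation data; Mandatory ASLR cannot relocate it"
}
elseif (-not $info.DynamicBase) {
    # Image did not opt in. Apply Mandatory ASLR together with bottom-up randomization
    # for this application only, which is the configuration the thread says works.
    Set-ProcessMitigation -Name (Split-Path $exe -Leaf) -Enable ForceRelocateImages, BottomUp
}

# Compare what is applied per application with the system-wide defaults.
Get-ProcessMitigation -Name (Split-Path $exe -Leaf)
Get-ProcessMitigation -System
```

The per-application setting is deliberately used instead of `Set-ProcessMitigation -System`, because the last tweet reports that the system-wide Mandatory ASLR setting did not randomize properly in their testing; the `Get-ProcessMitigation -System` call at the end is there so the two configurations can be compared on the box under test.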