You make no mention of exploit mitigations like EMET or Windows Defender Exploit Guard. If your exploit requires that a "controlled address were jumped to", then even just mandatory ASLR (provided by both EMET and WDAG) would stop the exploit, no?
Replying to @wdormann
I was thinking the same thing :) Looking for a sample to test against Exploit Guard, but Mandatory ASLR should be effective here, No Child Process too.
No, ASLR only works if the binary was compiled with relocations. See the section ASLR->Weaknesses in my old report http://0xdabbad00.com/wp-content/uploads/2013/11/emet_4_1_uncovered.pdf
Replying to @0xdabbad00 @markwo
Is eqnedt32.exe really lacking a relocation table? And if so, what are you using to come to this conclusion?
Ah, it does have a .reloc section (from dumpbin). I didn't expect a .exe from 2000 to have that. My apologies. ASLR will work.
Replying to @0xdabbad00 @markwo
What's confusing to me is why, despite having a relocation section, system-wide ASLR does *NOT* randomize the loaded address. It's loaded at 0x10000 every time for me, even if mandatory ASLR is enabled system-wide using either EMET or WDEG. @epakskape
The entropy for force relocated images comes from bottom-up ASLR which is only enabled by default if the EXE was built with /dynamicbase. Try turning on bottom-up ASLR as well.
Thanks. I'm pretty sure that Bottom-up ASLR is enabled along with Mandatory ASLR. But eqnedt32.exe is always loaded at the same location. pic.twitter.com/zFgmbByCEP
I believe "on by default" means "use the default system policy", which means bottom-up ASLR will only be enabled if the EXE was linked with /dynamicbase (which this one was not, I believe). Sound right, @markwo?
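The thread turns on two header facts that decide how an image behaves under ASLR: whether it carries base relocation data (the `.reloc` section that dumpbin showed, and the matching data-directory entry) and whether the linker set the DYNAMIC_BASE flag (`/dynamicbase`). The script below is an added example, not code posted by anyone in the thread, that reads both directly from a PE file's headers so the same check can be scripted over a directory of binaries. The function names, the `build_sample_pe` helper and the three synthetic header images it builds are constructed for this example; the flag values come from the PE/COFF specification.

```python
import struct

# Flag values from the PE/COFF specification
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics: base relocations removed
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # DllCharacteristics: linked with /DYNAMICBASE
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5             # data-directory slot of the base relocation table


def aslr_profile(pe: bytes) -> dict:
    """Parse the DOS, COFF and optional headers of a PE image and report the
    fields that govern relocation. Works for PE32 and PE32+ (64-bit) images."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")

    coff = e_lfanew + 4
    (_machine, nsections, _stamp, _symtab, _nsyms,
     size_opt, characteristics) = struct.unpack_from("<HHIIIHH", pe, coff)

    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                       # PE32
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]
        dd_off = opt + 96
    elif magic == 0x20B:                     # PE32+
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]
        dd_off = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both optional-header layouts
    dll_chars = struct.unpack_from("<H", pe, opt + 70)[0]
    _reloc_rva, reloc_size = struct.unpack_from(
        "<II", pe, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)

    # Section table follows the optional header: 40-byte entries, 8-byte name first
    sec_off = opt + size_opt
    names = [pe[sec_off + 40 * i: sec_off + 40 * i + 8].split(b"\0")[0].decode("latin-1")
             for i in range(nsections)]

    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    has_reloc_section = ".reloc" in names
    return {
        "image_base": image_base,
        "relocs_stripped": relocs_stripped,
        "has_reloc_section": has_reloc_section,
        "reloc_dir_size": reloc_size,
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        # Relocation data is what lets force-relocation (mandatory ASLR) move the image at all
        "relocatable": not relocs_stripped and (reloc_size > 0 or has_reloc_section),
    }


def describe(pe: bytes) -> str:
    """One-line verdict in the terms used in the thread."""
    p = aslr_profile(pe)
    if not p["relocatable"]:
        return "no relocation data: image cannot be moved, mandatory ASLR cannot relocate it"
    if p["dynamic_base"]:
        return "linked with /dynamicbase: randomized under the default system ASLR policy"
    return ("relocatable but not /dynamicbase: moved only when mandatory ASLR forces relocation; "
            "bottom-up ASLR must also be forced on for the new base to be random")


def build_sample_pe(dynamic_base: bool, relocs_stripped: bool, reloc_section: bool) -> bytes:
    """Constructed minimal PE32 header image (no code, for demonstration only)."""
    section_names = [b".text"] + ([b".reloc"] if reloc_section else [])
    opt_size = 224                                   # PE32 optional header incl. 16 data directories
    buf = bytearray(64 + 4 + 20 + opt_size + 40 * len(section_names))
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 64)            # e_lfanew
    buf[64:68] = b"PE\0\0"
    chars = 0x0102                                   # EXECUTABLE_IMAGE | 32BIT_MACHINE
    if relocs_stripped:
        chars |= IMAGE_FILE_RELOCS_STRIPPED
    struct.pack_into("<HHIIIHH", buf, 68, 0x14C, len(section_names), 0, 0, 0, opt_size, chars)
    opt = 88
    struct.pack_into("<H", buf, opt, 0x10B)          # PE32 magic
    struct.pack_into("<I", buf, opt + 28, 0x10000)   # ImageBase, the address seen in the thread
    struct.pack_into("<H", buf, opt + 70,
                     IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE if dynamic_base else 0)
    if reloc_section:                                # point the BASERELOC directory at .reloc
        struct.pack_into("<II", buf, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC, 0x3000, 0x40)
    sec = opt + opt_size
    for i, name in enumerate(section_names):
        buf[sec + 40 * i: sec + 40 * i + len(name)] = name
    return bytes(buf)


if __name__ == "__main__":
    # For a real binary: describe(open(r"C:\path\to\image.exe", "rb").read())
    samples = [("reloc data, no /dynamicbase", build_sample_pe(False, False, True)),
               ("linked with /dynamicbase", build_sample_pe(True, False, True)),
               ("relocations stripped", build_sample_pe(False, True, False))]
    for label, image in samples:
        print(f"{label}: {describe(image)}")
```

The first synthetic image mirrors the situation discussed above: relocation data is present, so force-relocation can move it, but DYNAMIC_BASE is clear, so the default policy leaves it at its preferred base of 0x10000. Checking the BASERELOC data directory rather than only the section name matters because the section can be renamed while the directory entry is what the loader consults.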
The "On by default" wording struck me as a bit strange. If it truly isn't "always on", then it sort of defeats the purpose of having an option in the Exploit Guard GUI for Bottom-up ASLR, right? The whole point is to be able to force-enable options, I'd think.